From e0064df4ffac264c0b11ba93d6ee3f0d5e798c4e Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 2 Apr 2017 16:09:16 -0300 Subject: [PATCH 001/818] build: Add missing object dependency for extract_extradata bitstream filter Cherry-picked from libav commit cfee5e1a0fa892fadd19b8848545d62f2386a6e7 Signed-off-by: James Almer (cherry picked from commit f8e29a371622316c68db7017ab04dd447b0114ba) --- libavcodec/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 7414d93424..0dd0c7b1bb 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -973,7 +973,8 @@ OBJS-$(CONFIG_AAC_ADTSTOASC_BSF) += aac_adtstoasc_bsf.o aacadtsdec.o \ OBJS-$(CONFIG_CHOMP_BSF) += chomp_bsf.o OBJS-$(CONFIG_DUMP_EXTRADATA_BSF) += dump_extradata_bsf.o OBJS-$(CONFIG_DCA_CORE_BSF) += dca_core_bsf.o -OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF) += extract_extradata_bsf.o +OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF) += extract_extradata_bsf.o \ + h2645_parse.o OBJS-$(CONFIG_H264_MP4TOANNEXB_BSF) += h264_mp4toannexb_bsf.o OBJS-$(CONFIG_HEVC_MP4TOANNEXB_BSF) += hevc_mp4toannexb_bsf.o OBJS-$(CONFIG_IMX_DUMP_HEADER_BSF) += imx_dump_header_bsf.o From b1377b2d281ce72cb830093c57d848f88063c126 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 2 Apr 2017 18:39:47 -0300 Subject: [PATCH 002/818] Changelog: add 3.3 --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index ad53c9dd55..e7620d680b 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 3.3: - CrystalHD decoder moved to new decode API - add internal ebur128 library, remove external libebur128 dependency - Pro-MPEG CoP #3-R2 FEC protocol From 2ff93effb3754a4da6ded33738b2f6babbf384ec Mon Sep 17 00:00:00 2001 
From: James Almer Date: Sun, 2 Apr 2017 18:39:01 -0300 Subject: [PATCH 003/818] Changelog: add missing entry for VP8 QSV decoder (cherry picked from commit 7ab9d3f341016b76927d0876a47a13137369eb40) --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index e7620d680b..e4fedefdd3 100644 --- a/Changelog +++ b/Changelog @@ -32,6 +32,7 @@ version 3.3: - Removed the legacy X11 screen grabber, use XCB instead - MPEG-7 Video Signature filter - Removed asyncts filter (use af_aresample instead) +- Intel QSV-accelerated VP8 video decoding version 3.2: From 3c9e1b89a1084cfd9d5eb4e810047aaf36d9b381 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 2 Apr 2017 22:55:33 +0100 Subject: [PATCH 004/818] Changelog: fix position of VAAPI MPEG-2/VP8 encode entry This was merged in the wrong place. (cherry picked from commit 3cbf717425b68ef1a731147748edd5c087af15a1) --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index e4fedefdd3..6f023a9caf 100644 --- a/Changelog +++ b/Changelog @@ -22,6 +22,7 @@ version 3.3: - threshold filter - midequalizer filter - Optimal Huffman tables for (M)JPEG encoding +- VAAPI-accelerated MPEG-2 and VP8 encoding - FM Screen Capture Codec decoder - native Opus encoder - ScreenPressor decoder @@ -120,7 +121,6 @@ version 3.1: - libutvideo wrapper removed - YUY2 Lossless Codec decoder - VideoToolbox H.264 encoder -- VAAPI-accelerated MPEG-2 and VP8 encoding version 3.0: From c9c977be2761dc48c7595c9483282b9a12011771 Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Wed, 5 Apr 2017 13:23:31 -0700 Subject: [PATCH 005/818] libavformat/mov: Fix memory leak, need to free the chapter tracks array Signed-off-by: Michael Niedermayer (cherry picked from commit ac24a8202a6fdfb469af1fa68d537fb2f8d1ba6a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4550cf0ad4..1d30a73a44 100644 
--- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5788,6 +5788,7 @@ static int mov_read_close(AVFormatContext *s) av_freep(&mov->fragment_index_data); av_freep(&mov->aes_decrypt); + av_freep(&mov->chapter_tracks); return 0; } From 1833ec53349ca1b1b1d21f1f8a3c63373e19123d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Mar 2017 23:46:14 +0100 Subject: [PATCH 006/818] avcodec/h264: Check weight values to be within the specs limits. Fixes: integer overflows Fixes: 911/clusterfuzz-testcase-5415105606975488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 08117a40157464f8a9dcc2df393fa5fe299c1e98) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 9 +++++++++ libavcodec/h264_slice.c | 7 +++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 0c873196dc..ea202e759c 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -59,6 +59,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, if (luma_weight_flag) { pwt->luma_weight[i][list][0] = get_se_golomb(gb); pwt->luma_weight[i][list][1] = get_se_golomb(gb); + if ((int8_t)pwt->luma_weight[i][list][0] != pwt->luma_weight[i][list][0] || + (int8_t)pwt->luma_weight[i][list][1] != pwt->luma_weight[i][list][1]) + goto out_range_weight; if (pwt->luma_weight[i][list][0] != luma_def || pwt->luma_weight[i][list][1] != 0) { pwt->use_weight = 1; 
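Review bot: The two added range checks detect out-of-range weights by narrowing to `int8_t` and comparing back, which depends on implementation-defined conversion (C11 6.3.1.3) and hides the actual bound the commit message refers to. Spelling the limit out is what a reader expects for a spec constraint and needs no cast: `if (pwt->luma_weight[i][list][0] < -128 || pwt->luma_weight[i][list][0] > 127 ||` / `pwt->luma_weight[i][list][1] < -128 || pwt->luma_weight[i][list][1] > 127)` followed by the existing `goto out_range_weight;`. The chroma hunk of this file uses the same cast pattern and would take the same rewrite. ff_h264_pred_weight_table starts outside the hunk.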
@@ -76,6 +79,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, for (j = 0; j < 2; j++) { pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb); pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb); + if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] || + (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) + goto out_range_weight; if (pwt->chroma_weight[i][list][j][0] != chroma_def || pwt->chroma_weight[i][list][j][1] != 0) { pwt->use_weight_chroma = 1; @@ -104,6 +110,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, } pwt->use_weight = pwt->use_weight || pwt->use_weight_chroma; return 0; +out_range_weight: + avpriv_request_sample(logctx, "Out of range weight\n"); + return AVERROR_INVALIDDATA; } /** diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index fa1e9ae829..44a0b9fb17 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1778,9 +1778,12 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, } if ((pps->weighted_pred && sl->slice_type_nos == AV_PICTURE_TYPE_P) || (pps->weighted_bipred_idc == 1 && - sl->slice_type_nos == AV_PICTURE_TYPE_B)) - ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count, + sl->slice_type_nos == AV_PICTURE_TYPE_B)) { + ret = ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count, sl->slice_type_nos, &sl->pwt, h->avctx); + if (ret < 0) + return ret; + } sl->explicit_ref_marking = 0; if (nal->ref_idc) { From a430ba99251e34c5f4965955f506ffda21b8d34a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 03:36:17 +0200 Subject: [PATCH 007/818] avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' Fixes: 619/clusterfuzz-testcase-5803914534322176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
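Review bot: `avpriv_request_sample()` at the new `out_range_weight:` label is the wrong severity for this path: a weight outside the spec limit is invalid bitstream data, not an unsupported feature, and that helper exists to ask users for samples of the latter, so a corrupt or fuzzed stream would prompt a sample request for every such slice. `av_log(logctx, AV_LOG_ERROR, "Out of range weight\n");` keeps the AVERROR_INVALIDDATA return while reporting it as the error it is. The goto sites that reach this label are in the two preceding hunks of the same function.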
Signed-off-by: Michael Niedermayer (cherry picked from commit 61ee2ca7758672128e30b3e87908b6845e006d71) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 22ce728ea6..4e9c0580f4 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx, r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } From f4400a92f58fbe19b14eb675c241f7df310758fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Apr 2017 19:18:36 +0200 Subject: [PATCH 008/818] avformat/mov: Check creation_time for overflow Fixes integer overflow Fixes: 701640 Found-by: Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 39ee3ddff87a12e108fc4e0d36f756d0ca080472) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1d30a73a44..f2296f8917 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1186,6 +1186,12 @@ static void mov_metadata_creation_time(AVDictionary **metadata, int64_t time) if (time) { if(time >= 2082844800) time -= 2082844800; /* seconds between 1904-01-01 and Epoch */ + + if ((int64_t)(time * 1000000ULL) / 1000000 != time) { + av_log(NULL, AV_LOG_DEBUG, "creation_time is not representable\n"); + return; + } + avpriv_dict_set_timestamp(metadata, "creation_time", time * 1000000); } } 
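Review bot: The `17U` on both changed lines does double duty — it scales what is presumably a 4-bit alpha value to 8 bits (15 * 17 = 255) and makes the `<< 24` an unsigned shift so the top byte cannot overflow `int` — but neither purpose is written down, and the next reader may "simplify" it back to `17`. A comment above the first assignment would keep both reasons: `/* alpha is a 4-bit value; *17 maps 0..15 to 0..255, unsigned so the shift into bits 24..31 is defined */`. That alpha[i] holds a nibble is inferred from the 170-by-24 report in the commit message (170 = 10 * 17) and should be confirmed against the caller. guess_palette starts outside the hunk.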
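Review bot: The overflow guard added to mov_metadata_creation_time is correct but opaque: multiplying as `unsigned long long`, casting back to `int64_t` and dividing detects any wrap exactly, yet nothing says that is the intent, and `av_log(NULL, ...)` loses the demuxer context because the function only receives the dictionary. A comment such as `/* reject values whose conversion to microseconds does not fit in int64_t */` above the new `if` preserves the reasoning for the next reader. Passing a log context would require changing the function's signature and its callers, which lie outside this hunk.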
From 37fcf089b4a29aa90e4a1ce6a54b4fcc75063f78 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 8 Apr 2017 15:44:53 -0300 Subject: [PATCH 009/818] avformat/matroskaenc: don't try to update flac extradata if live streaming (cherry picked from commit a8b5f375010912abd9d41bde0992c63a548d56a6) --- libavformat/matroskaenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index af941ceb8f..9c7a213db9 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2223,7 +2223,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) switch (par->codec_id) { case AV_CODEC_ID_FLAC: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL)) { + if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) { AVCodecParameters *codecpriv_par; int64_t curpos; if (side_data_size != par->extradata_size) { From 6c9574e490218683a302f3814036bf6b9bbc37df Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Mon, 3 Apr 2017 21:13:28 +0100 Subject: [PATCH 010/818] mjpegenc_common: check for codec ID before using avctx->priv_data When coding lossless jpeg the priv context will be pointing to LJpegEncContext rather than MpegEncContext, which the function expects. Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 2c9be3882a03823413945bd9e2d9af33e6e322d5) Signed-off-by: Rostislav Pehlivanov --- libavcodec/mjpegenc_common.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 83a9e95766..6d9c982726 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c 
@@ -91,13 +91,17 @@ static void jpeg_table_header(AVCodecContext *avctx, PutBitContext *p, { int i, j, size; uint8_t *ptr; - MpegEncContext *s = avctx->priv_data; + MpegEncContext *s = NULL; + + /* Since avctx->priv_data will point to LJpegEncContext in this case */ + if (avctx->codec_id != AV_CODEC_ID_LJPEG) + s = avctx->priv_data; if (avctx->codec_id != AV_CODEC_ID_LJPEG) { int matrix_count = 1 + !!memcmp(luma_intra_matrix, chroma_intra_matrix, sizeof(luma_intra_matrix[0]) * 64); - if (s->force_duplicated_matrix) + if (s && s->force_duplicated_matrix) matrix_count = 2; /* quant matrixes */ put_marker(p, DQT); @@ -134,7 +138,7 @@ static void jpeg_table_header(AVCodecContext *avctx, PutBitContext *p, // Only MJPEG can have a variable Huffman variable. All other // formats use the default Huffman table. - if (s->out_format == FMT_MJPEG && s->huffman == HUFFMAN_TABLE_OPTIMAL) { + if (s && s->huffman == HUFFMAN_TABLE_OPTIMAL) { size += put_huffman_table(p, 0, 0, s->mjpeg_ctx->bits_dc_luminance, s->mjpeg_ctx->val_dc_luminance); size += put_huffman_table(p, 0, 1, s->mjpeg_ctx->bits_dc_chrominance, From 7034009f625dd042234fe90c2a2a8b8fcf8dcb6c Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Mon, 3 Apr 2017 21:13:29 +0100 Subject: [PATCH 011/818] mjpegenc: disable huffman coding with AMV Isn't supported. Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 7f9b492d544ccef36f1d5d97a76d22502623d3c8) Signed-off-by: Rostislav Pehlivanov --- libavcodec/mpegvideo_enc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 71a858fc72..882cf09c0a 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
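Review bot: The added guard `if (avctx->codec_id != AV_CODEC_ID_LJPEG) s = avctx->priv_data;` is immediately followed by the pre-existing `if` on the same condition, so jpeg_table_header now tests it twice in a row. Keeping `MpegEncContext *s = NULL;` at function scope but doing the assignment as the first statement of the existing block — `s = avctx->priv_data;` — gives one decision point and lets the `s &&` on the `force_duplicated_matrix` test go, since `s` is provably set there. The declaration must stay at function scope because the second hunk of this file relies on `s` being NULL for LJPEG. The function continues past the hunk.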
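Review bot: The rewritten condition `if (s && s->huffman == HUFFMAN_TABLE_OPTIMAL)` drops the `s->out_format == FMT_MJPEG` test that the removed line had, and the commit message only describes the NULL guard. The comment directly above states that only MJPEG can have a variable Huffman table, so unless every caller with a non-NULL `s` is guaranteed to be FMT_MJPEG, optimal tables would now be emitted for other output formats that happen to have `huffman` set. Keeping both terms preserves the previous behaviour: `if (s && s->out_format == FMT_MJPEG && s->huffman == HUFFMAN_TABLE_OPTIMAL) {`. The enclosing function extends beyond the hunk on both sides.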
@@ -399,6 +399,9 @@ FF_ENABLE_DEPRECATION_WARNINGS return AVERROR(EINVAL); } + if (s->huffman && avctx->codec_id == AV_CODEC_ID_AMV) + s->huffman = 0; + if (s->intra_dc_precision > (avctx->codec_id == AV_CODEC_ID_MPEG2VIDEO ? 3 : 0)) { av_log(avctx, AV_LOG_ERROR, "intra dc precision too large\n"); return AVERROR(EINVAL); From 0b4d87fad122831206cf600a801d118d1b517a54 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Tue, 11 Apr 2017 08:05:54 +0800 Subject: [PATCH 012/818] Revert "avutil/avstring: add av_strreplace API into avstring" This reverts commit 99e5d81ef997cb88b1a40e6f253f37f7cbf251d9. --- libavutil/avstring.c | 77 -------------------------------------------- libavutil/avstring.h | 5 --- 2 files changed, 82 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 52e6e6cd13..1787a1ef54 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c 
@@ -231,83 +231,6 @@ int av_strncasecmp(const char *a, const char *b, size_t n) return c1 - c2; } -char *av_strreplace(const char *str, const char *from, const char *to) -{ - /* Adjust each of the below values to suit your needs. */ - /* Increment positions cache size initially by this number. */ - size_t cache_sz_inc = 16; - /* Thereafter, each time capacity needs to be increased, - * multiply the increment by this factor. */ - const size_t cache_sz_inc_factor = 3; - /* But never increment capacity by more than this number. */ - const size_t cache_sz_inc_max = 1048576; - - char *pret, *ret = NULL; - const char *pstr2, *pstr = str; - size_t i, count = 0; - uintptr_t *pos_cache_tmp, *pos_cache = NULL; - size_t cache_sz = 0; - size_t cpylen, orglen, retlen, tolen, fromlen = strlen(from); - - /* Find all matches and cache their positions. */ - while ((pstr2 = av_stristr(pstr, from))) { - count++; - /* Increase the cache size when necessary. */ - if (cache_sz < count) { - cache_sz += cache_sz_inc; - pos_cache_tmp = av_realloc(pos_cache, sizeof(*pos_cache) * cache_sz); - if (!pos_cache_tmp) { - goto end_strreplace; - } else pos_cache = pos_cache_tmp; - cache_sz_inc *= cache_sz_inc_factor; - if (cache_sz_inc > cache_sz_inc_max) { - cache_sz_inc = cache_sz_inc_max; - } - } - - pos_cache[count-1] = pstr2 - str; - pstr = pstr2 + fromlen; - } - orglen = pstr - str + strlen(pstr); - /* Allocate memory for the post-replacement string. */ - if (count > 0) { - tolen = strlen(to); - retlen = orglen + (tolen - fromlen) * count; - } else { - retlen = orglen; - } - ret = av_malloc(retlen + 1); - if (!ret) { - goto end_strreplace; - } - - if (!count) { - /* If no matches, then just duplicate the string. */ - av_strlcpy(ret, str, retlen + 1); - } else { - /* Otherwise, duplicate the string whilst performing - * the replacements using the position cache. 
*/ - pret = ret; - memcpy(pret, str, pos_cache[0]); - pret += pos_cache[0]; - for (i = 0; i < count; i++) { - memcpy(pret, to, tolen); - pret += tolen; - pstr = str + pos_cache[i] + fromlen; - cpylen = (i == count-1 ? orglen : pos_cache[i+1]) - pos_cache[i] - fromlen; - memcpy(pret, pstr, cpylen); - pret += cpylen; - } - ret[retlen] = '\0'; - } - -end_strreplace: - /* Free the cache and return the post-replacement string, - * which will be NULL in the event of an error. */ - av_free(pos_cache); - return ret; -} - const char *av_basename(const char *path) { char *p = strrchr(path, '/'); diff --git a/libavutil/avstring.h b/libavutil/avstring.h index 33be8bf484..dd2876990f 100644 --- a/libavutil/avstring.h +++ b/libavutil/avstring.h @@ -266,11 +266,6 @@ int av_strcasecmp(const char *a, const char *b); */ int av_strncasecmp(const char *a, const char *b, size_t n); -/** - * Locale-independent strings replace. - * @note This means only ASCII-range characters are replace - */ -char *av_strreplace(const char *str, const char *from, const char *to); /** * Thread safe basename. From 7182fbc47182c613331b254cc57f5ae9a41c8269 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 23:05:57 +0200 Subject: [PATCH 013/818] doc/examples/decode_video: Fix format string vulnerability Fixes: CID1404843 Signed-off-by: Michael Niedermayer (cherry picked from commit 23edd41a0d6994cb5d9983d8f035e8eef78960ad) Signed-off-by: Michael Niedermayer --- doc/examples/decode_video.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/examples/decode_video.c b/doc/examples/decode_video.c index dd1177b8b0..3413ad9312 100644 --- a/doc/examples/decode_video.c +++ b/doc/examples/decode_video.c 
@@ -64,7 +64,7 @@ static int decode_write_frame(const char *outfilename, AVCodecContext *avctx, fflush(stdout); /* the picture is allocated by the decoder, no need to free it */ - snprintf(buf, sizeof(buf), outfilename, *frame_count); + snprintf(buf, sizeof(buf), "%s-%d", outfilename, *frame_count); pgm_save(frame->data[0], frame->linesize[0], frame->width, frame->height, buf); (*frame_count)++; From 83e6a4a32b75f7160b543d4a54d24b3d02adad8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2017 21:51:33 +0200 Subject: [PATCH 014/818] Revert "mjpegenc: disable huffman coding with AMV" This was the wrong patch This reverts commit 7f9b492d544ccef36f1d5d97a76d22502623d3c8. (cherry picked from commit 724bb805ef8a6de0d9ef27a083ef501bdef2d453) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 882cf09c0a..71a858fc72 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -399,9 +399,6 @@ FF_ENABLE_DEPRECATION_WARNINGS return AVERROR(EINVAL); } - if (s->huffman && avctx->codec_id == AV_CODEC_ID_AMV) - s->huffman = 0; - if (s->intra_dc_precision > (avctx->codec_id == AV_CODEC_ID_MPEG2VIDEO ? 3 : 0)) { av_log(avctx, AV_LOG_ERROR, "intra dc precision too large\n"); return AVERROR(EINVAL); From 72e038acaf4df21e7a37f6e20ecd69b8f47f4c28 Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Tue, 4 Apr 2017 10:58:37 +0100 Subject: [PATCH 015/818] mpegvideo_enc: disable optimized huffman coding with AMV or slice threads Doesn't work yet with slice threading and won't work with AMV. Signed-off-by: Michael Niedermayer (cherry picked from commit 03eb0515c12637dbd20c2e3ca8503d7b47cf583a) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 71a858fc72..db241c82f0 100644 
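Review bot: Replacing the user-supplied template with `"%s-%d"` closes the format-string hole but also changes what the example writes: a caller that passed a name like `frame-%03d.pgm` now gets `frame-%03d.pgm-1`, so the example's usage text, outside this hunk, should describe the new naming. The `snprintf` result is still unchecked, so an over-long output path from the command line silently yields a truncated file name; `int n = snprintf(buf, sizeof(buf), "%s-%d", outfilename, *frame_count);` / `if (n < 0 || (size_t)n >= sizeof(buf)) { /* name truncated: treat as an error */ }` makes that explicit. The size of `buf` and the function's error convention are declared outside the hunk.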
--- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -399,6 +399,9 @@ FF_ENABLE_DEPRECATION_WARNINGS return AVERROR(EINVAL); } + if (avctx->codec_id == AV_CODEC_ID_AMV || (avctx->active_thread_type & FF_THREAD_SLICE)) + s->huffman = 0; + if (s->intra_dc_precision > (avctx->codec_id == AV_CODEC_ID_MPEG2VIDEO ? 3 : 0)) { av_log(avctx, AV_LOG_ERROR, "intra dc precision too large\n"); return AVERROR(EINVAL); From 0c188bc595c1ebcfaf3e0314df1cad30446851d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Apr 2017 03:34:44 +0200 Subject: [PATCH 016/818] avcodec/mjpegenc_huffman: Assert length in ff_mjpegenc_huffman_compute_bits() This should help coverity see that the issues this leads to cannot occur Signed-off-by: Michael Niedermayer (cherry picked from commit 8dd0c12648d838bb982ca10f384ee1f0107dfece) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc_huffman.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mjpegenc_huffman.c b/libavcodec/mjpegenc_huffman.c index ebf1311466..0e63f8066b 100644 --- a/libavcodec/mjpegenc_huffman.c +++ b/libavcodec/mjpegenc_huffman.c @@ -87,6 +87,8 @@ void ff_mjpegenc_huffman_compute_bits(PTable *prob_table, HuffTable *distincts, int min; + av_assert0(max_length > 0); + to->nitems = 0; from->nitems = 0; to->item_idx[0] = 0; From c30d0ace656dfa1dbe7a6e14f72a68a36762167d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Apr 2017 03:34:45 +0200 Subject: [PATCH 017/818] avcodec/pixlet: Reorder rlen check This changes nothing but is nicer looking as this checks rlen Maybe this helps coverity remove CID1397743 Signed-off-by: Michael Niedermayer (cherry picked from commit c94d551ea7b39c4e467e146cd347c407e8eb38ee) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 4aa59f8f33..c4f7597866 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c 
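Review bot: The new check silently clears `s->huffman` for AMV and for slice threading, so a user who explicitly requested optimal tables gets the default ones with no indication why. Logging the override makes the behaviour visible: `if (s->huffman && (avctx->codec_id == AV_CODEC_ID_AMV || (avctx->active_thread_type & FF_THREAD_SLICE)))` / `av_log(avctx, AV_LOG_WARNING, "Optimal Huffman tables are not supported for AMV or with slice threads, disabling\n");` placed before the existing assignment. The enclosing init function extends outside the hunk.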
@@ -173,7 +173,7 @@ static int read_low_coeffs(AVCodecContext *avctx, int16_t *dst, int size, int wi } } - if (i + rlen > size) + if (rlen > size - i) return AVERROR_INVALIDDATA; i += rlen; From 707d4c7fb5cee9f97fce848e8c3175c4a22ecdfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Apr 2017 15:06:21 +0200 Subject: [PATCH 018/818] avformat/oggparseogm: Check available data before reading global header Fixes use of uninitialized data Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 170d864d2c508ca8111b1d108e1e964007dab712) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index f8e656dcb1..cdbdfd66e0 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -108,6 +108,8 @@ ogm_header(AVFormatContext *s, int idx) if (size > 52) { av_assert0(AV_INPUT_BUFFER_PADDING_SIZE <= 52); size -= 52; + if (bytestream2_get_bytes_left(&p) < size) + return AVERROR_INVALIDDATA; ff_alloc_extradata(st->codecpar, size); bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size); } From 4f325589f95c0758d9624122bd00ec2897cc903d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Apr 2017 15:08:07 +0200 Subject: [PATCH 019/818] avformat/oggparseogm: Check ff_alloc_extradata() for failure Signed-off-by: Michael Niedermayer (cherry picked from commit 9eff4b0d2b5013e1ede86cf1a152dce164217d52) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index cdbdfd66e0..e7a501b5a7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c 
@@ -110,7 +110,8 @@ ogm_header(AVFormatContext *s, int idx) size -= 52; if (bytestream2_get_bytes_left(&p) < size) return AVERROR_INVALIDDATA; - ff_alloc_extradata(st->codecpar, size); + if (ff_alloc_extradata(st->codecpar, size) < 0) + return AVERROR(ENOMEM); bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size); } } From ad37fb86d79f982f9775d10f1c46b72ea864dce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Apr 2017 02:01:37 +0200 Subject: [PATCH 020/818] doc/APIchanges: Fill in missing fields Signed-off-by: Michael Niedermayer (cherry picked from commit 5b441d2981f35e6183b0ac29fa89e089c91cf7ba) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index adff133855..b344e098c8 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -15,11 +15,11 @@ libavutil: 2015-08-28 API changes, most recent first: -2017-03-31 - xxxxxxx - lavu 55.57.100 - spherical.h +2017-03-31 - 9033e8723c - lavu 55.57.100 - spherical.h Add av_spherical_projection_name(). Add av_spherical_from_name(). -2017-03-30 - xxxxxxx - lavu 55.53.100 / 55.27.0 - hwcontext.h +2017-03-30 - 4cda23f1f1 - lavu 55.53.100 / 55.27.0 - hwcontext.h Add av_hwframe_map() and associated AV_HWFRAME_MAP_* flags. Add av_hwframe_ctx_create_derived(). @@ -44,7 +44,7 @@ API changes, most recent first: Add AVCodecContext.hwaccel_flags field. This will control some hwaccels at a later point. -2017-03-21 - xxxxxxx - lavf 57.67.100 / 57.08.0 - avio.h +2017-03-21 - fc9f14c7de - lavf 57.67.100 / 57.08.0 - avio.h Add AVIO_SEEKABLE_TIME flag. 2017-03-21 - d682ae70b4 - lavf 57.66.105, lavc 57.83.101 - avformat.h, avcodec.h 
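Review bot: `ff_alloc_extradata()` reports failure with its own AVERROR code, and the new line collapses every failure to `AVERROR(ENOMEM)`; if the helper can also reject an invalid size (as I believe it does), that distinction is lost for callers and logs. Propagating the value is the usual idiom in this tree: `ret = ff_alloc_extradata(st->codecpar, size);` / `if (ret < 0) return ret;`. If ogm_header has no `ret` local, it would have to be declared at the top of the function, which lies outside the hunk.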
@@ -52,7 +52,7 @@ API changes, most recent first: bump, and libavformat will behave as if it were always set. Deprecate av_packet_merge_side_data() and av_packet_split_side_data(). -2016-03-20 - xxxxxxx - lavu 55.50.100 / 55.21.0 - imgutils.h +2016-03-20 - 8200b16a9c - lavu 55.50.100 / 55.21.0 - imgutils.h Add av_image_copy_uc_from(), a version of av_image_copy() for copying from GPU mapped memory. @@ -63,7 +63,7 @@ API changes, most recent first: Deprecate AVFilterGraph.resample_lavr_opts It's never been used by avfilter nor passed to anything. -2017-02-10 - xxxxxxx - lavu 55.48.100 / 55.33.0 - spherical.h +2017-02-10 - 1b7ffddb3a - lavu 55.48.100 / 55.33.0 - spherical.h Add AV_SPHERICAL_EQUIRECTANGULAR_TILE, av_spherical_tile_bounds(), and projection-specific properties (bound_left, bound_top, bound_right, bound_bottom, padding) to AVSphericalMapping. @@ -83,7 +83,7 @@ API changes, most recent first: 2017-02-11 - e3af49b14b - lavu 55.47.100 - frame.h Add AVFrame.opaque_ref. -2017-01-31 - xxxxxxx - lavu 55.46.100 / 55.20.0 - cpu.h +2017-01-31 - 2eab48177d - lavu 55.46.100 / 55.20.0 - cpu.h Add AV_CPU_FLAG_SSSE3SLOW. 2017-01-24 - c4618f842a - lavu 55.45.100 - channel_layout.h 
@@ -96,20 +96,20 @@ API changes, most recent first: Deprecate struct vaapi_context and the vaapi.h installed header. Callers should set AVCodecContext.hw_frames_ctx instead. -2017-01-12 - dbe9dbed31 - lavfi 6.69.100- buffersink.h +2017-01-12 - dbe9dbed31 - lavfi 6.69.100 - buffersink.h Add av_buffersink_get_*() functions. -2017-01-06 - 9488032e10 - lavf 57.62.100- avio.h +2017-01-06 - 9488032e10 - lavf 57.62.100 - avio.h Add avio_get_dyn_buf() -2016-12-10 - xxxxxxx - lavu xx.xx.100- imgutils.h +2016-12-10 - f542b152aa - lavu 55.43.100 - imgutils.h Add av_image_check_size2() -2016-xx-xx - xxxxxxx - lavc 57.67.100 / 57.29.0 - avcodec.h +2016-12-07 - e7a6f8c972 - lavc 57.67.100 / 57.29.0 - avcodec.h Add AV_PKT_DATA_SPHERICAL packet side data to export AVSphericalMapping information from containers. -2016-xx-xx - xxxxxxx - lavu 55.42.100 / 55.30.0 - spherical.h +2016-12-07 - 8f58ecc344 - lavu 55.42.100 / 55.30.0 - spherical.h Add AV_FRAME_DATA_SPHERICAL value, av_spherical_alloc() API and AVSphericalMapping type to export and describe spherical video properties. From 37589e64435d2293d99bb70bb8ab1a672f89b0e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Apr 2017 02:24:58 +0200 Subject: [PATCH 021/818] Update for 3.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 48ea63d180..eb39e5382f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.git +3.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..f1899c74f5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 3.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a 
From 07e7ebf52de9257fef1398c1dc5edb847b78ab21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Apr 2017 02:26:45 +0200 Subject: [PATCH 022/818] add release notes based on release 3.2 Name suggestion was from Tobias Rapp and Bodecs Bela Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..2c16f4a58d --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 3.3 "Hilbert" │ + └────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 3.3 "Hilbert", about 5 + months after the release of FFmpeg 3.2. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From ecdf52745f8d1fc1f3b06b527c47f0ceb565610b Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Wed, 5 Apr 2017 01:41:15 +0200 Subject: [PATCH 023/818] avfilter/vf_framerate: always request input if no output is provided in request_frame Fixes ticket #6285. Signed-off-by: Marton Balint --- libavfilter/vf_framerate.c | 42 +++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/libavfilter/vf_framerate.c b/libavfilter/vf_framerate.c index b4a74f7f7d..dc8b05f40f 100644 --- a/libavfilter/vf_framerate.c +++ b/libavfilter/vf_framerate.c @@ -440,7 +440,7 @@ copy_done: s->pending_end_frame = 0; s->last_dest_frame_pts = s->work->pts; - return ff_filter_frame(ctx->outputs[0], s->work); + return 1; } static void set_srce_frame_dest_pts(AVFilterContext *ctx) 
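Review bot: process_work_frame now returns `1` instead of the result of `ff_filter_frame()`, turning its return value into a three-way protocol (negative = error, 0 = no frame produced, 1 = `s->work` is ready), but nothing at the function documents that, and both callers in later hunks of this file depend on it and push `s->work` themselves. A header comment on process_work_frame, which starts outside this hunk, should state the convention, e.g. `/* Returns 1 with an output frame left in s->work for the caller to send, 0 if nothing is ready, <0 on error. */`.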
@@ -586,6 +586,7 @@ static int config_input(AVFilterLink *inlink) static int filter_frame(AVFilterLink *inlink, AVFrame *inpicref) { + int ret; AVFilterContext *ctx = inlink->dst; FrameRateContext *s = ctx->priv; @@ -606,7 +607,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *inpicref) set_srce_frame_dest_pts(ctx); } - return process_work_frame(ctx, 1); + ret = process_work_frame(ctx, 1); + if (ret < 0) + return ret; + return ret ? ff_filter_frame(ctx->outputs[0], s->work) : 0; } static int config_output(AVFilterLink *outlink) @@ -658,23 +662,13 @@ static int request_frame(AVFilterLink *outlink) { AVFilterContext *ctx = outlink->src; FrameRateContext *s = ctx->priv; - int val, i; + int ret, i; ff_dlog(ctx, "request_frame()\n"); // if there is no "next" frame AND we are not in flush then get one from our input filter - if (!s->srce[s->frst] && !s->flush) { - ff_dlog(ctx, "request_frame() call source's request_frame()\n"); - val = ff_request_frame(outlink->src->inputs[0]); - if (val < 0 && (val != AVERROR_EOF)) { - ff_dlog(ctx, "request_frame() source's request_frame() returned error:%d\n", val); - return val; - } else if (val == AVERROR_EOF) { - s->flush = 1; - } - ff_dlog(ctx, "request_frame() source's request_frame() returned:%d\n", val); - return 0; - } + if (!s->srce[s->frst] && !s->flush) + goto request; ff_dlog(ctx, "request_frame() REPEAT or FLUSH\n"); 
@@ -695,7 +689,23 @@ static int request_frame(AVFilterLink *outlink) } set_work_frame_pts(ctx); - return process_work_frame(ctx, 0); + ret = process_work_frame(ctx, 0); + if (ret < 0) + return ret; + if (ret) + return ff_filter_frame(ctx->outputs[0], s->work); + +request: + ff_dlog(ctx, "request_frame() call source's request_frame()\n"); + ret = ff_request_frame(ctx->inputs[0]); + if (ret < 0 && (ret != AVERROR_EOF)) { + ff_dlog(ctx, "request_frame() source's request_frame() returned error:%d\n", ret); + return ret; + } else if (ret == AVERROR_EOF) { + s->flush = 1; + } + ff_dlog(ctx, "request_frame() source's request_frame() returned:%d\n", ret); + return 0; } static const AVFilterPad framerate_inputs[] = { From af43c7092cf2da189c912220f19b132d62a9699f Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 8 Apr 2017 14:55:51 +0200 Subject: [PATCH 024/818] tests/fate/filter-video: fix framerate filter tests Signed-off-by: Marton Balint --- tests/fate/filter-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index b067cc146f..9186593c10 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -78,7 +78,7 @@ fate-filter-lavd-scalenorm: tests/data/filtergraphs/scalenorm fate-filter-lavd-scalenorm: CMD = framecrc -f lavfi -graph_file $(TARGET_PATH)/tests/data/filtergraphs/scalenorm -i dummy -FATE_FILTER-$(call ALLYES FRAMERATE_FILTER TESTSRC2_FILTER) += fate-filter-framerate-up fate-filter-framerate-down +FATE_FILTER-$(call ALLYES, FRAMERATE_FILTER TESTSRC2_FILTER) += fate-filter-framerate-up fate-filter-framerate-down fate-filter-framerate-up: CMD = framecrc -lavfi testsrc2=r=2:d=10,framerate=fps=10 -t 1 fate-filter-framerate-down: CMD = framecrc -lavfi testsrc2=r=2:d=10,framerate=fps=1 -t 1 From 69e35db80d0f066aff401390afbf114a027d7817 Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Wed, 5 Apr 2017 20:17:48 +0200 Subject: [PATCH 025/818] ffprobe: only use custom logging callback if -show_log is set The custom callback can cause significant CPU usage on Windows for some large files with many index entries for some reason. v2: Move check after parsing options. Signed-off-by: Marton Balint --- ffprobe.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 356746870e..a219fc10b0 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -3442,8 +3442,6 @@ int main(int argc, char **argv) goto end; } #endif - av_log_set_callback(log_callback); - av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); @@ -3459,6 +3457,9 @@ int main(int argc, char **argv) show_banner(argc, argv, options); parse_options(NULL, argc, argv, options, opt_input_file); + if (do_show_log) + av_log_set_callback(log_callback); + /* mark things to show, based on -show_entries */ SET_DO_SHOW(CHAPTERS, chapters); SET_DO_SHOW(ERROR, error); From 0ed4f26cf20ab865826c23d63dc1510e71bdc7f4 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 12 Apr 2017 22:49:06 +0200 Subject: [PATCH 026/818] configure: Fix decklink license dependency. (cherry picked from commit a081acc44082e4124a11747139b9a329fe01736e) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index adaf1a35f7..9b5789ab83 100755 --- a/configure +++ b/configure @@ -1513,6 +1513,7 @@ EXTERNAL_LIBRARY_GPL_LIST=" " EXTERNAL_LIBRARY_NONFREE_LIST=" + decklink libfdk_aac openssl " @@ -1536,7 +1537,6 @@ EXTERNAL_LIBRARY_LIST=" $EXTERNAL_LIBRARY_GPLV3_LIST chromaprint crystalhd - decklink gcrypt gnutls jni From 1830b0a6c7dc00874caa5a121296840241a678eb Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 10 Apr 2017 01:32:18 -0300 Subject: [PATCH 027/818] avformat/movenc: auto insert vp9_superframe bsf when needed Experimental VP9 support was added to the muxer recently. Reviewed-by: Ronald S. Bultje 
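Review bot: The first hunk removes `av_log_set_flags(AV_LOG_SKIP_REPEATED);` together with the callback registration, but the second hunk only restores the callback under `if (do_show_log)`, so repeated-message suppression is lost for every ffprobe run, which the commit message does not mention. If that is not intended, keep `av_log_set_flags(AV_LOG_SKIP_REPEATED);` unconditionally at its former position, before register_exit(). main starts and ends outside these hunks.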
Signed-off-by: James Almer (cherry picked from commit d36a3f5a78bb1e15bbaffc7b92dbeb6a50c28ca9) --- libavformat/movenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index a54aa879e9..9280dc8d23 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -6352,6 +6352,8 @@ static int mov_check_bitstream(struct AVFormatContext *s, const AVPacket *pkt) if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { if (pkt->size > 2 && (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) ret = ff_stream_add_bitstream_filter(st, "aac_adtstoasc", NULL); + } else if (st->codecpar->codec_id == AV_CODEC_ID_VP9) { + ret = ff_stream_add_bitstream_filter(st, "vp9_superframe", NULL); } return ret; From 414d11fff6453b3d3af75734292f8d16edeba940 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 6 Apr 2017 11:47:03 -0400 Subject: [PATCH 028/818] h264: don't re-call ff_h264_direct_ref_list_init() w/ frame-mt. I'm hoping that this will address the remaining tsan fate-h264 issues: WARNING: ThreadSanitizer: data race (pid=24478) Read of size 8 at 0x7dbc0001c828 by main thread (mutexes: write M3243): #0 ff_h264_ref_picture src/libavcodec/h264_picture.c:107 (ffmpeg+0x0000013b78d8) [..] Previous write of size 1 at 0x7dbc0001c82e by thread T2 (mutexes: write M3245): #0 ff_h264_direct_ref_list_init src/libavcodec/h264_direct.c:137 (ffmpeg+0x000001382c93) But I'm not sure because I haven't been able to reproduce locally. (cherry picked from commit 7f05c5cea04112471d8147487aa3b44141922d09) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 44a0b9fb17..70ad05f640 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1889,7 +1889,8 @@ static int h264_slice_init(H264Context *h, H264SliceContext *sl, if (sl->slice_type_nos == AV_PICTURE_TYPE_B && !sl->direct_spatial_mv_pred) ff_h264_direct_dist_scale_factor(h, sl); - ff_h264_direct_ref_list_init(h, sl); + if (!h->setup_finished) + ff_h264_direct_ref_list_init(h, sl); if (h->avctx->skip_loop_filter >= AVDISCARD_ALL || (h->avctx->skip_loop_filter >= AVDISCARD_NONKEY && From e9fc7a90ba21f2fb2953f24375db2b81e891a6f2 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 09:25:15 -0400 Subject: [PATCH 029/818] h264: don't sync pic_id between threads. This is how the ref list manager links bitstream IDs to H264Picture/Ref objects, and is local to the producer thread. There is no need for the consumer thread to know the bitstream IDs of its references in their respective producer threads. In practice, this fixes tsan warnings when running fate-h264: WARNING: ThreadSanitizer: data race (pid=19295) Read of size 4 at 0x7dbc0000e614 by main thread (mutexes: write M1914): #0 ff_h264_ref_picture src/libavcodec/h264_picture.c:112 (ffmpeg+0x0000013b3709) [..] Previous write of size 4 at 0x7dbc0000e614 by thread T2 (mutexes: write M1917): #0 build_def_list src/libavcodec/h264_refs.c:91 (ffmpeg+0x0000013b46cf) (cherry picked from commit e72690b18da064f6c0f04f09ccde72b6636e3159) Signed-off-by: Michael Niedermayer --- libavcodec/h264_picture.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/h264_picture.c b/libavcodec/h264_picture.c index db9673793a..2dbe5ee40b 100644 --- a/libavcodec/h264_picture.c +++ b/libavcodec/h264_picture.c @@ -109,7 +109,6 @@ int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src) dst->poc = src->poc; dst->frame_num = src->frame_num; dst->mmco_reset = src->mmco_reset; - dst->pic_id = src->pic_id; dst->long_ref = src->long_ref; dst->mbaff = src->mbaff; dst->field_picture = src->field_picture; From f5f0b2f44ce9df08f7a79b32d9209b23ba6b3447 Mon Sep 17 00:00:00 2001 
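Review bot: The new `!h->setup_finished` guard in h264_slice_init carries no comment saying why re-running ff_h264_direct_ref_list_init is unsafe once setup has finished, and the commit message itself describes the fix as a guess, so the reasoning should live next to the code. Suggest `/* Once ff_thread_finish_setup() has run, a consumer thread may already be reading the ref lists (ff_h264_ref_picture); do not rewrite them. */`, kept as tentative as the commit message is. h264_slice_init starts and ends outside the hunk.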
From: "Ronald S. Bultje" Date: Fri, 31 Mar 2017 11:27:20 -0400 Subject: [PATCH 030/818] ffmpeg: make transcode_init_done atomic. Should fix tsan warnings in fate-fifo-muxer-h264/wav: WARNING: ThreadSanitizer: data race (pid=26552) Write of size 4 at 0x000001e0d7c0 by main thread: #0 transcode_init src/ffmpeg.c:3761 (ffmpeg+0x00000050ca1c) [..] Previous read of size 4 at 0x000001e0d7c0 by thread T1: #0 decode_interrupt_cb src/ffmpeg.c:460 (ffmpeg+0x0000004fde19) (cherry picked from commit 76d8c77430e9e0110623705bfb54d922cc2ac3ea) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 11faf0d4a8..ea03179c21 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #if HAVE_IO_H @@ -319,7 +320,7 @@ void term_exit(void) static volatile int received_sigterm = 0; static volatile int received_nb_signals = 0; -static volatile int transcode_init_done = 0; +static atomic_int transcode_init_done = ATOMIC_VAR_INIT(0); static volatile int ffmpeg_exited = 0; static int main_return_code = 0; @@ -457,7 +458,7 @@ static int read_key(void) static int decode_interrupt_cb(void *ctx) { - return received_nb_signals > transcode_init_done; + return received_nb_signals > atomic_load(&transcode_init_done); } const AVIOInterruptCB int_cb = { decode_interrupt_cb, NULL }; @@ -612,7 +613,7 @@ static void ffmpeg_cleanup(int ret) if (received_sigterm) { av_log(NULL, AV_LOG_INFO, "Exiting normally, received signal %d.\n", (int) received_sigterm); - } else if (ret && transcode_init_done) { + } else if (ret && atomic_load(&transcode_init_done)) { av_log(NULL, AV_LOG_INFO, "Conversion failed!\n"); } term_exit(); @@ -3758,7 +3759,7 @@ static int transcode_init(void) return ret; } - transcode_init_done = 1; + atomic_store(&transcode_init_done, 1); return 0; } From b51217381dd748fd831ba9403cdcdc8277bd63d5 Mon Sep 17 00:00:00 2001 
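Review bot: In decode_interrupt_cb only one operand of `received_nb_signals > atomic_load(&transcode_init_done)` became atomic; `received_nb_signals` stays a `volatile int` written from the signal handler (declared two lines above the changed declaration), so the comparison still mixes a volatile read with an atomic load. That is the pre-existing design rather than a regression, but a one-line comment such as `/* received_nb_signals is only written by the signal handler; volatile is the right tool there */` would stop the next tsan pass from converting it blindly. Also, the added `#include` line in the first hunk renders empty on this page; presumably it is `<stdatomic.h>`, given the atomic_int/ATOMIC_VAR_INIT uses, but the header name is not visible here.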
From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 09:48:53 -0400 Subject: [PATCH 031/818] pthread_frame: call update_context_from_user() after acquiring lock. Otherwise the thread may still be in the middle of decoding a previous frame, which would effectively trigger a race condition on any field concurrently read and written. In practice, this fixes tsan warnings like the following: WARNING: ThreadSanitizer: data race (pid=17380) Write of size 4 at 0x7d64000160fc by main thread: #0 update_context_from_user src/libavcodec/pthread_frame.c:335 (ffmpeg+0x000000dca515) [..] Previous read of size 4 at 0x7d64000160fc by thread T2 (mutexes: write M1821): #0 ff_thread_report_progress src/libavcodec/pthread_frame.c:565 (ffmpeg+0x000000dcb08a) (cherry picked from commit 1269cd5b6f540bef5913bf134d2f461aac50d70b) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 4e1ad9d686..9a6b83ac45 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -380,7 +380,8 @@ static void release_delayed_buffers(PerThreadContext *p) } } -static int submit_packet(PerThreadContext *p, AVPacket *avpkt) +static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, + AVPacket *avpkt) { FrameThreadContext *fctx = p->parent; PerThreadContext *prev_thread = fctx->prev_thread; @@ -392,6 +393,12 @@ static int submit_packet(PerThreadContext *p, AVPacket *avpkt) pthread_mutex_lock(&p->mutex); + ret = update_context_from_user(p->avctx, user_avctx); + if (ret) { + pthread_mutex_unlock(&p->mutex); + return ret; + } + release_delayed_buffers(p); if (prev_thread) { 
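Review bot: The reason update_context_from_user must now run under `p->mutex` exists only in the commit message; a comment at the new call in submit_packet would keep it with the code, e.g. `/* Must run under p->mutex: the worker may still be decoding the previous packet and reading the fields this copies. */`. The error path unlocks correctly, but it returns before release_delayed_buffers(p), so that thread's delayed buffers are left for a later call; presumably harmless on a failed submit, worth confirming. submit_packet's body continues outside the hunk.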
@@ -480,10 +487,7 @@ int ff_thread_decode_frame(AVCodecContext *avctx, */ p = &fctx->threads[fctx->next_decoding]; - err = update_context_from_user(p->avctx, avctx); - if (err) - goto finish; - err = submit_packet(p, avpkt); + err = submit_packet(p, avctx, avpkt); if (err) goto finish; From d1cae50a046763bf14d74e899d90e4ef0be5b551 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 09:51:10 -0400 Subject: [PATCH 032/818] hevc: only write to max_ra and pocTid0 in the first slice. Values from subsequent values are guaranteed to be identical (since poc and nal_unit_type are checked to be the same between slices), so this doesn't affect output in any way, but does resolve the remaining reported race conditions (by tsan) in fate-hevc. In practice, this fixes tsan warnings like this: WARNING: ThreadSanitizer: data race (pid=25334) Read of size 4 at 0x7d9c0001adcc by main thread (mutexes: write M1386): #0 hevc_update_thread_context src/libavcodec/hevcdec.c:3310 (ffmpeg+0x000000b41c7c) [..] Previous write of size 4 at 0x7d9c0001adcc by thread T1 (mutexes: write M1383): #0 hls_slice_header src/libavcodec/hevcdec.c:596 (ffmpeg+0x000000b43a22) (cherry picked from commit 1f50baa2b2da7fdbfccf0662883f38a763ff6619) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index ef21595c44..f9e8ff0c9f 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -585,7 +585,7 @@ static int hls_slice_header(HEVCContext *s) } /* 8.3.1 */ - if (s->temporal_id == 0 && + if (sh->first_slice_in_pic_flag && s->temporal_id == 0 && s->nal_unit_type != HEVC_NAL_TRAIL_N && s->nal_unit_type != HEVC_NAL_TSA_N && s->nal_unit_type != HEVC_NAL_STSA_N && 
@@ -2771,25 +2771,25 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) if (ret < 0) return ret; - if (s->max_ra == INT_MAX) { - if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { - s->max_ra = s->poc; + if (s->sh.first_slice_in_pic_flag) { + if (s->max_ra == INT_MAX) { + if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { + s->max_ra = s->poc; + } else { + if (IS_IDR(s)) + s->max_ra = INT_MIN; + } + } + + if ((s->nal_unit_type == HEVC_NAL_RASL_R || s->nal_unit_type == HEVC_NAL_RASL_N) && + s->poc <= s->max_ra) { + s->is_decoded = 0; + break; } else { - if (IS_IDR(s)) + if (s->nal_unit_type == HEVC_NAL_RASL_R && s->poc > s->max_ra) s->max_ra = INT_MIN; } - } - if ((s->nal_unit_type == HEVC_NAL_RASL_R || s->nal_unit_type == HEVC_NAL_RASL_N) && - s->poc <= s->max_ra) { - s->is_decoded = 0; - break; - } else { - if (s->nal_unit_type == HEVC_NAL_RASL_R && s->poc > s->max_ra) - s->max_ra = INT_MIN; - } - - if (s->sh.first_slice_in_pic_flag) { ret = hevc_frame_start(s); if (ret < 0) return ret; From 51ca6fda0500da24e3d365c9dfce31bad42e8723 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 10:08:29 -0400 Subject: [PATCH 033/818] png: split header state and data state in two separate variables. Fixes a reported (but false) race condition in tsan for fate-apng: WARNING: ThreadSanitizer: data race (pid=6274) Read of size 4 at 0x7d680001ec78 by main thread (mutexes: write M1338): #0 update_thread_context src/libavcodec/pngdec.c:1456 (ffmpeg+0x000000dacf0c) [..] Previous write of size 4 at 0x7d680001ec78 by thread T1 (mutexes: write M1335): #0 decode_idat_chunk src/libavcodec/pngdec.c:737 (ffmpeg+0x000000dae951) (cherry picked from commit 478f1c3d5e5463a284ea7efecfc62d47ba3be11a) Signed-off-by: Michael Niedermayer --- libavcodec/png.h | 5 ---- libavcodec/pngdec.c | 65 +++++++++++++++++++++++++++------------------ 2 files changed, 39 insertions(+), 31 deletions(-) 
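Review bot: Moving the RASL skip inside `if (s->sh.first_slice_in_pic_flag)` changes what happens to the remaining slices of a skipped RASL picture: before, every slice reached `s->is_decoded = 0; break;`, now only the first one does and the later slices fall through to whatever follows this block, which is outside the hunk. If that is the usual "first slice in a frame missing" check on s->ref, they will presumably be logged as an error and rejected rather than silently dropped; output should be unaffected, but it is a behaviour change on malformed or cut streams and deserves a sentence in the commit message or a comment such as `/* later slices of a skipped RASL picture are rejected below as lacking a first slice */` once confirmed. decode_nal_unit's body continues past the hunk.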
diff --git a/libavcodec/png.h b/libavcodec/png.h index 948c2f714f..e967fcf38f 100644 --- a/libavcodec/png.h +++ b/libavcodec/png.h @@ -42,11 +42,6 @@ #define PNG_FILTER_VALUE_PAETH 4 #define PNG_FILTER_VALUE_MIXED 5 -#define PNG_IHDR 0x0001 -#define PNG_IDAT 0x0002 -#define PNG_ALLIMAGE 0x0004 -#define PNG_PLTE 0x0008 - #define NB_PASSES 7 #define PNGSIG 0x89504e470d0a1a0a diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c08665be7c..d184c34b81 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -36,6 +36,16 @@ #include +enum PNGHeaderState { + PNG_IHDR = 1 << 0, + PNG_PLTE = 1 << 1, +}; + +enum PNGImageState { + PNG_IDAT = 1 << 0, + PNG_ALLIMAGE = 1 << 1, +}; + typedef struct PNGDecContext { PNGDSPContext dsp; AVCodecContext *avctx; @@ -45,7 +55,8 @@ typedef struct PNGDecContext { ThreadFrame last_picture; ThreadFrame picture; - int state; + enum PNGHeaderState hdr_state; + enum PNGImageState pic_state; int width, height; int cur_w, cur_h; int last_w, last_h; @@ -334,7 +345,7 @@ static void png_handle_row(PNGDecContext *s) } s->y++; if (s->y == s->cur_h) { - s->state |= PNG_ALLIMAGE; + s->pic_state |= PNG_ALLIMAGE; if (s->filter_type == PNG_FILTER_TYPE_LOCO) { if (s->bit_depth == 16) { deloco_rgb16((uint16_t *)ptr, s->row_size / 2, @@ -369,7 +380,7 @@ static void png_handle_row(PNGDecContext *s) memset(s->last_row, 0, s->row_size); for (;;) { if (s->pass == NB_PASSES - 1) { - s->state |= PNG_ALLIMAGE; + s->pic_state |= PNG_ALLIMAGE; goto the_end; } else { s->pass++; @@ -404,7 +415,7 @@ static int png_decode_idat(PNGDecContext *s, int length) return AVERROR_EXTERNAL; } if (s->zstream.avail_out == 0) { - if (!(s->state & PNG_ALLIMAGE)) { + if (!(s->pic_state & PNG_ALLIMAGE)) { png_handle_row(s); } s->zstream.avail_out = s->crow_size; 
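Review bot: The new `hdr_state`/`pic_state` fields in PNGDecContext carry no comment explaining the split, which is the whole point of the commit: `hdr_state` is the part copied to the next thread in update_thread_context (last hunk of this file), `pic_state` is per-frame and never copied. Suggest `enum PNGHeaderState hdr_state; // IHDR/PLTE seen; shared with the next thread by update_thread_context` and `enum PNGImageState pic_state; // IDAT/ALLIMAGE progress of the current frame; never copied between threads`. Storing OR-ed flags in an enum-typed field is legal C but the neighbouring fields in this struct are plain `int`; a word in the comment, or `int` with the enums as the documented value set, would avoid the question.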
@@ -541,12 +552,12 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 13) return AVERROR_INVALIDDATA; - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); return AVERROR_INVALIDDATA; } - if (s->state & PNG_IHDR) { + if (s->hdr_state & PNG_IHDR) { av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); return AVERROR_INVALIDDATA; } @@ -569,7 +580,7 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ - s->state |= PNG_IHDR; + s->hdr_state |= PNG_IHDR; if (avctx->debug & FF_DEBUG_PICT_INFO) av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d " "compression_type=%d filter_type=%d interlace_type=%d\n", @@ -585,7 +596,7 @@ error: static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) { - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "pHYs after IDAT\n"); return AVERROR_INVALIDDATA; } @@ -605,11 +616,11 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; } - if (!(s->state & PNG_IDAT)) { + if (!(s->pic_state & PNG_IDAT)) { /* init image info */ avctx->width = s->width; avctx->height = s->height; @@ -734,7 +745,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, s->zstream.next_out = s->crow_buf; } - s->state |= PNG_IDAT; + s->pic_state |= PNG_IDAT; /* set image to non-transparent bpp while decompressing */ if (s->has_trns && s->color_type != PNG_COLOR_TYPE_PALETTE) 
@@ -770,7 +781,7 @@ static int decode_plte_chunk(AVCodecContext *avctx, PNGDecContext *s, } for (; i < 256; i++) s->palette[i] = (0xFFU << 24); - s->state |= PNG_PLTE; + s->hdr_state |= PNG_PLTE; bytestream2_skip(&s->gb, 4); /* crc */ return 0; @@ -781,18 +792,18 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); return AVERROR_INVALIDDATA; } - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); return AVERROR_INVALIDDATA; } if (s->color_type == PNG_COLOR_TYPE_PALETTE) { - if (length > 256 || !(s->state & PNG_PLTE)) + if (length > 256 || !(s->hdr_state & PNG_PLTE)) return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { @@ -906,7 +917,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 26) return AVERROR_INVALIDDATA; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "fctl before IHDR\n"); return AVERROR_INVALIDDATA; } @@ -1122,13 +1133,13 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, } if (CONFIG_APNG_DECODER && avctx->codec_id == AV_CODEC_ID_APNG && length == 0) { - if (!(s->state & PNG_IDAT)) + if (!(s->pic_state & PNG_IDAT)) return 0; else goto exit_loop; } av_log(avctx, AV_LOG_ERROR, "%d bytes left\n", length); - if ( s->state & PNG_ALLIMAGE + if ( s->pic_state & PNG_ALLIMAGE && avctx->strict_std_compliance <= FF_COMPLIANCE_NORMAL) goto exit_loop; ret = AVERROR_INVALIDDATA; 
@@ -1228,9 +1239,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('I', 'E', 'N', 'D'): - if (!(s->state & PNG_ALLIMAGE)) + if (!(s->pic_state & PNG_ALLIMAGE)) av_log(avctx, AV_LOG_ERROR, "IEND without all image\n"); - if (!(s->state & (PNG_ALLIMAGE|PNG_IDAT))) { + if (!(s->pic_state & (PNG_ALLIMAGE|PNG_IDAT))) { ret = AVERROR_INVALIDDATA; goto fail; } @@ -1330,7 +1341,9 @@ static int decode_frame_png(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - s->y = s->state = s->has_trns = 0; + s->y = s->has_trns = 0; + s->hdr_state = 0; + s->pic_state = 0; /* init the zlib */ s->zstream.zalloc = ff_png_zalloc; @@ -1377,7 +1390,7 @@ static int decode_frame_apng(AVCodecContext *avctx, FFSWAP(ThreadFrame, s->picture, s->last_picture); p = s->picture.f; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { if (!avctx->extradata_size) return AVERROR_INVALIDDATA; @@ -1397,14 +1410,14 @@ static int decode_frame_apng(AVCodecContext *avctx, goto end; } s->y = 0; - s->state &= ~(PNG_IDAT | PNG_ALLIMAGE); + s->pic_state = 0; bytestream2_init(&s->gb, avpkt->data, avpkt->size); if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) goto end; - if (!(s->state & PNG_ALLIMAGE)) + if (!(s->pic_state & PNG_ALLIMAGE)) av_log(avctx, AV_LOG_WARNING, "Frame did not contain a complete image\n"); - if (!(s->state & (PNG_ALLIMAGE|PNG_IDAT))) { + if (!(s->pic_state & (PNG_ALLIMAGE|PNG_IDAT))) { ret = AVERROR_INVALIDDATA; goto end; } @@ -1453,7 +1466,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) memcpy(pdst->palette, psrc->palette, sizeof(pdst->palette)); - pdst->state |= psrc->state & (PNG_IHDR | PNG_PLTE); + pdst->hdr_state |= psrc->hdr_state; ff_thread_release_buffer(dst, &pdst->last_picture); if (psrc->last_picture.f->data[0] && From e90de50195d4b4b61f3c2c4ea3bb8a09b433de8e Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 14:43:40 -0400 Subject: [PATCH 034/818] png: set AVFrame flags/fields before calling setup_finished(). Fixes tsan warnings in fate-apng: WARNING: ThreadSanitizer: data race (pid=51230) Read of size 4 at 0x7d50000042fc by main thread (mutexes: write M1000): #0 frame_copy_props frame.c:302 (ffmpeg:x86_64+0x1019a35d6) [..] Previous write of size 4 at 0x7d50000042fc by thread T1 (mutexes: write M997): #0 decode_idat_chunk pngdec.c:708 (ffmpeg:x86_64+0x100f5562a) (cherry picked from commit eff2861a757b8a46398e6fcb844b960b4775daad) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index d184c34b81..102551972e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -701,12 +701,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, if ((ret = ff_thread_get_buffer(avctx, &s->previous_picture, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; } - ff_thread_finish_setup(avctx); - p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; p->interlaced_frame = !!s->interlace_type; + ff_thread_finish_setup(avctx); + /* compute the compressed row size */ if (!s->interlace_type) { s->crow_size = s->row_size + 1; From 5e84c94f6962e23b552809280bd89c70d4a7ef5e Mon Sep 17 00:00:00 2001 
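Review bot: The reordering in decode_idat_chunk has no comment saying that `pict_type`, `key_frame` and `interlaced_frame` must be set before ff_thread_finish_setup(), so a later edit could move a field below it again. Suggest `/* ff_thread_finish_setup() publishes p to the next thread; everything frame_copy_props() reads must be set above this line. */` directly above `ff_thread_finish_setup(avctx);`. decode_idat_chunk starts and ends outside the hunk.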
From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 22:28:22 -0400 Subject: [PATCH 035/818] huffyuv: assign correct per-thread avctx pointer to HYuvContext::avctx. Fixes the following tsan warning when running fate-vsynth_lena-ffvhuff: WARNING: ThreadSanitizer: data race (pid=6484) Write of size 8 at 0x7d64000154b8 by main thread (mutexes: write M1331): #0 update_context_from_user src/libavcodec/pthread_frame.c:331 (ffmpeg+0x000000dca887) [..] Previous read of size 8 at 0x7d64000154b8 by thread T2 (mutexes: write M1334): #0 draw_slice src/libavcodec/huffyuvdec.c:857 (ffmpeg+0x000000bcc86f) (cherry picked from commit 7c7e7c44a6eb68eca861e45cb2ce78f582b12c69) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 5572b9819f..979c4b9d5c 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -579,6 +579,8 @@ static av_cold int decode_init_thread_copy(AVCodecContext *avctx) HYuvContext *s = avctx->priv_data; int i, ret; + s->avctx = avctx; + if ((ret = ff_huffyuv_alloc_temp(s)) < 0) { ff_huffyuv_common_end(s); return ret; From 9d742f774a85fa82cbfd667f69b0ba4d14556d54 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 5 Apr 2017 16:18:54 -0400 Subject: [PATCH 036/818] vp8: make wait/thread_mb_pos atomic. Fixes tsan warnings like this in fate-vp8-test-vector-007: WARNING: ThreadSanitizer: data race (pid=3590) Write of size 4 at 0x7d8c0000e07c by thread T2: #0 decode_mb_row_no_filter src/libavcodec/vp8.c:2330 (ffmpeg+0x000000ffb59e) [..] Previous write of size 4 at 0x7d8c0000e07c by thread T1: #0 decode_mb_row_no_filter src/libavcodec/vp8.c:2330 (ffmpeg+0x000000ffb59e) (cherry picked from commit 9a54c6f243412f62bae498ddcac337cb18ae6290) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 29 ++++++++++++++--------------- libavcodec/vp8.h | 6 ++++-- 2 files changed, 18 insertions(+), 17 deletions(-) 
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 1e8808c46f..9bc1d95220 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2247,15 +2247,15 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define check_thread_pos(td, otd, mb_x_check, mb_y_check) \ do { \ int tmp = (mb_y_check << 16) | (mb_x_check & 0xFFFF); \ - if (otd->thread_mb_pos < tmp) { \ + if (atomic_load(&otd->thread_mb_pos) < tmp) { \ pthread_mutex_lock(&otd->lock); \ - td->wait_mb_pos = tmp; \ + atomic_store(&td->wait_mb_pos, tmp); \ do { \ - if (otd->thread_mb_pos >= tmp) \ + if (atomic_load(&otd->thread_mb_pos) >= tmp) \ break; \ pthread_cond_wait(&otd->cond, &otd->lock); \ } while (1); \ - td->wait_mb_pos = INT_MAX; \ + atomic_store(&td->wait_mb_pos, INT_MAX); \ pthread_mutex_unlock(&otd->lock); \ } \ } while (0) @@ -2266,12 +2266,10 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, int sliced_threading = (avctx->active_thread_type == FF_THREAD_SLICE) && \ (num_jobs > 1); \ int is_null = !next_td || !prev_td; \ - int pos_check = (is_null) ? 1 \ - : (next_td != td && \ - pos >= next_td->wait_mb_pos) || \ - (prev_td != td && \ - pos >= prev_td->wait_mb_pos); \ - td->thread_mb_pos = pos; \ + int pos_check = (is_null) ? 1 : \ + (next_td != td && pos >= atomic_load(&next_td->wait_mb_pos)) || \ + (prev_td != td && pos >= atomic_load(&prev_td->wait_mb_pos)); \ + atomic_store(&td->thread_mb_pos, pos); \ if (sliced_threading && pos_check) { \ pthread_mutex_lock(&td->lock); \ pthread_cond_broadcast(&td->cond); \ @@ -2288,7 +2286,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void { VP8Context *s = avctx->priv_data; VP8ThreadData *prev_td, *next_td, *td = &s->thread_data[threadnr]; - int mb_y = td->thread_mb_pos >> 16; + int mb_y = atomic_load(&td->thread_mb_pos) >> 16; int mb_x, mb_xy = mb_y * s->mb_width; int num_jobs = s->num_jobs; VP8Frame *curframe = s->curframe, *prev_frame = s->prev_frame; 
@@ -2428,7 +2426,7 @@ static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, { VP8Context *s = avctx->priv_data; VP8ThreadData *td = &s->thread_data[threadnr]; - int mb_x, mb_y = td->thread_mb_pos >> 16, num_jobs = s->num_jobs; + int mb_x, mb_y = atomic_load(&td->thread_mb_pos) >> 16, num_jobs = s->num_jobs; AVFrame *curframe = s->curframe->tf.f; VP8Macroblock *mb; VP8ThreadData *prev_td, *next_td; @@ -2507,7 +2505,7 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - td->thread_mb_pos = mb_y << 16; + atomic_store(&td->thread_mb_pos, mb_y << 16); ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); if (ret < 0) { update_pos(td, s->mb_height, INT_MAX & 0xFFFF); @@ -2667,8 +2665,9 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->mv_min.y = -MARGIN; s->mv_max.y = ((s->mb_height - 1) << 6) + MARGIN; for (i = 0; i < MAX_THREADS; i++) { - s->thread_data[i].thread_mb_pos = 0; - s->thread_data[i].wait_mb_pos = INT_MAX; + VP8ThreadData *td = &s->thread_data[i]; + atomic_init(&td->thread_mb_pos, 0); + atomic_init(&td->wait_mb_pos, INT_MAX); } if (is_vp7) avctx->execute2(avctx, vp7_decode_mb_row_sliced, s->thread_data, NULL, diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 3910b5c0dd..d7e7680276 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -26,6 +26,8 @@ #ifndef AVCODEC_VP8_H #define AVCODEC_VP8_H +#include + #include "libavutil/buffer.h" #include "libavutil/thread.h" 
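Review bot: In vp78_decode_frame the per-frame reset of `thread_mb_pos`/`wait_mb_pos` uses `atomic_init`, which runs on every frame on objects already initialised by the previous frame, while every other writer in this patch (vp78_decode_mb_row_sliced, check_thread_pos, update_pos) uses `atomic_store`. atomic_init is the one-time initialiser and provides no synchronisation; it is presumably safe here because execute2 has returned and no worker is running, but `atomic_store(&td->thread_mb_pos, 0); atomic_store(&td->wait_mb_pos, INT_MAX);` states that intent and does not depend on it. The added `#include` line in the vp8.h hunk renders empty on this page, presumably `<stdatomic.h>`.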
@@ -114,8 +116,8 @@ typedef struct VP8ThreadData { pthread_mutex_t lock; pthread_cond_t cond; #endif - int thread_mb_pos; // (mb_y << 16) | (mb_x & 0xFFFF) - int wait_mb_pos; // What the current thread is waiting on. + atomic_int thread_mb_pos; // (mb_y << 16) | (mb_x & 0xFFFF) + atomic_int wait_mb_pos; // What the current thread is waiting on. #define EDGE_EMU_LINESIZE 32 DECLARE_ALIGNED(16, uint8_t, edge_emu_buffer)[21 * EDGE_EMU_LINESIZE]; From 6557ea8e2bd768f5d82bce0fab28262437a292bf Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 5 Apr 2017 16:19:55 -0400 Subject: [PATCH 037/818] vp8: make mv_min/max thread-local if using partition threading. Fixes tsan warnings like this in fate-vp8-test-vector-007: WARNING: ThreadSanitizer: data race (pid=65909) Write of size 4 at 0x7d8c0000e088 by thread T1: #0 vp8_decode_mb_row_sliced vp8.c:2519 (ffmpeg:x86_64+0x100995ede) [..] Previous write of size 4 at 0x7d8c0000e088 by thread T2: #0 vp8_decode_mb_row_sliced vp8.c:2519 (ffmpeg:x86_64+0x100995ede) (cherry picked from commit fed92adbb3fc6cbf735e3df9a2f7d0a2917fcfbd) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 53 +++++++++++++++++++++++++----------------------- libavcodec/vp8.h | 19 ++++++++++------- 2 files changed, 40 insertions(+), 32 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 9bc1d95220..fe7aa23491 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -772,7 +772,7 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si } static av_always_inline -void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src) +void clamp_mv(VP8mvbounds *s, VP56mv *dst, const VP56mv *src) { dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX), av_clip(s->mv_max.x, INT16_MIN, INT16_MAX)); 
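Review bot: clamp_mv's first parameter changed type to `VP8mvbounds *` but keeps the name `s`, which everywhere else in this file is the VP8Context; the call sites in the later hunks already pass a variable named `mv_bounds`. Rename it to match: `void clamp_mv(VP8mvbounds *mv_bounds, VP56mv *dst, const VP56mv *src)` with `mv_bounds->mv_min.x` / `mv_bounds->mv_max.x` in the body (the body continues past the hunk).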
@@ -1031,7 +1031,7 @@ void vp7_decode_mvs(VP8Context *s, VP8Macroblock *mb, } static av_always_inline -void vp8_decode_mvs(VP8Context *s, VP8Macroblock *mb, +void vp8_decode_mvs(VP8Context *s, VP8mvbounds *mv_bounds, VP8Macroblock *mb, int mb_x, int mb_y, int layout) { VP8Macroblock *mb_edge[3] = { 0 /* top */, @@ -1102,7 +1102,7 @@ void vp8_decode_mvs(VP8Context *s, VP8Macroblock *mb, if (vp56_rac_get_prob_branchy(c, vp8_mode_contexts[cnt[CNT_NEAREST]][1])) { if (vp56_rac_get_prob_branchy(c, vp8_mode_contexts[cnt[CNT_NEAR]][2])) { /* Choose the best mv out of 0,0 and the nearest mv */ - clamp_mv(s, &mb->mv, &near_mv[CNT_ZERO + (cnt[CNT_NEAREST] >= cnt[CNT_ZERO])]); + clamp_mv(mv_bounds, &mb->mv, &near_mv[CNT_ZERO + (cnt[CNT_NEAREST] >= cnt[CNT_ZERO])]); cnt[CNT_SPLITMV] = ((mb_edge[VP8_EDGE_LEFT]->mode == VP8_MVMODE_SPLIT) + (mb_edge[VP8_EDGE_TOP]->mode == VP8_MVMODE_SPLIT)) * 2 + (mb_edge[VP8_EDGE_TOPLEFT]->mode == VP8_MVMODE_SPLIT); @@ -1116,11 +1116,11 @@ void vp8_decode_mvs(VP8Context *s, VP8Macroblock *mb, mb->bmv[0] = mb->mv; } } else { - clamp_mv(s, &mb->mv, &near_mv[CNT_NEAR]); + clamp_mv(mv_bounds, &mb->mv, &near_mv[CNT_NEAR]); mb->bmv[0] = mb->mv; } } else { - clamp_mv(s, &mb->mv, &near_mv[CNT_NEAREST]); + clamp_mv(mv_bounds, &mb->mv, &near_mv[CNT_NEAREST]); mb->bmv[0] = mb->mv; } } else { @@ -1166,7 +1166,8 @@ void decode_intra4x4_modes(VP8Context *s, VP56RangeCoder *c, VP8Macroblock *mb, } static av_always_inline -void decode_mb_mode(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y, +void decode_mb_mode(VP8Context *s, VP8mvbounds *mv_bounds, + VP8Macroblock *mb, int mb_x, int mb_y, uint8_t *segment, uint8_t *ref, int layout, int is_vp7) { VP56RangeCoder *c = &s->c; 
@@ -1230,7 +1231,7 @@ void decode_mb_mode(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y, if (is_vp7) vp7_decode_mvs(s, mb, mb_x, mb_y, layout); else - vp8_decode_mvs(s, mb, mb_x, mb_y, layout); + vp8_decode_mvs(s, mv_bounds, mb, mb_x, mb_y, layout); } else { // intra MB, 16.1 mb->mode = vp8_rac_get_tree(c, vp8_pred16x16_tree_inter, s->prob->pred16x16); @@ -2205,8 +2206,8 @@ void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, VP8Context *s = avctx->priv_data; int mb_x, mb_y; - s->mv_min.y = -MARGIN; - s->mv_max.y = ((s->mb_height - 1) << 6) + MARGIN; + s->mv_bounds.mv_min.y = -MARGIN; + s->mv_bounds.mv_max.y = ((s->mb_height - 1) << 6) + MARGIN; for (mb_y = 0; mb_y < s->mb_height; mb_y++) { VP8Macroblock *mb = s->macroblocks_base + ((s->mb_width + 1) * (mb_y + 1) + 1); @@ -2214,20 +2215,20 @@ void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, AV_WN32A(s->intra4x4_pred_mode_left, DC_PRED * 0x01010101); - s->mv_min.x = -MARGIN; - s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; + s->mv_bounds.mv_min.x = -MARGIN; + s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { if (mb_y == 0) AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top, DC_PRED * 0x01010101); - decode_mb_mode(s, mb, mb_x, mb_y, curframe->seg_map->data + mb_xy, + decode_mb_mode(s, &s->mv_bounds, mb, mb_x, mb_y, curframe->seg_map->data + mb_xy, prev_frame && prev_frame->seg_map ? prev_frame->seg_map->data + mb_xy : NULL, 1, is_vp7); - s->mv_min.x -= 64; - s->mv_max.x -= 64; + s->mv_bounds.mv_min.x -= 64; + s->mv_bounds.mv_max.x -= 64; } - s->mv_min.y -= 64; - s->mv_max.y -= 64; + s->mv_bounds.mv_min.y -= 64; + s->mv_bounds.mv_max.y -= 64; } } 
@@ -2325,8 +2326,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void if (!is_vp7 || mb_y == 0) memset(td->left_nnz, 0, sizeof(td->left_nnz)); - s->mv_min.x = -MARGIN; - s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; + td->mv_bounds.mv_min.x = -MARGIN; + td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { if (c->end <= c->buffer && c->bits >= 0) @@ -2350,7 +2351,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void dst[2] - dst[1], 2); if (!s->mb_layout) - decode_mb_mode(s, mb, mb_x, mb_y, curframe->seg_map->data + mb_xy, + decode_mb_mode(s, &td->mv_bounds, mb, mb_x, mb_y, curframe->seg_map->data + mb_xy, prev_frame && prev_frame->seg_map ? prev_frame->seg_map->data + mb_xy : NULL, 0, is_vp7); @@ -2397,8 +2398,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void dst[0] += 16; dst[1] += 8; dst[2] += 8; - s->mv_min.x -= 64; - s->mv_max.x -= 64; + td->mv_bounds.mv_min.x -= 64; + td->mv_bounds.mv_max.x -= 64; if (mb_x == s->mb_width + 1) { update_pos(td, mb_y, s->mb_width + 3); @@ -2504,6 +2505,8 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, int ret; td->thread_nr = threadnr; + td->mv_bounds.mv_min.y = -MARGIN - 64 * threadnr; + td->mv_bounds.mv_max.y = ((s->mb_height - 1) << 6) + MARGIN - 64 * threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { atomic_store(&td->thread_mb_pos, mb_y << 16); ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); 
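Review bot: In vp78_decode_mb_row_sliced the initial vertical offset is derived from `threadnr` (`td->mv_bounds.mv_min.y = -MARGIN - 64 * threadnr;`) while the row loop starts at `mb_y = jobnr` and advances by `num_jobs`, so the bounds only line up with the rows this call actually decodes if jobnr and threadnr are always equal. If the slice-threading API can hand job k to a thread with a different index, the offset should be `64 * jobnr`, mirroring the per-row decrement by `64 * num_jobs` in the following hunk. The loop body and the end of the function are outside this hunk.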
@@ -2515,8 +2518,8 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); - s->mv_min.y -= 64; - s->mv_max.y -= 64; + td->mv_bounds.mv_min.y -= 64 * num_jobs; + td->mv_bounds.mv_max.y -= 64 * num_jobs; if (avctx->active_thread_type == FF_THREAD_FRAME) ff_thread_report_progress(&curframe->tf, mb_y, 0); @@ -2662,8 +2665,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->num_jobs = num_jobs; s->curframe = curframe; s->prev_frame = prev_frame; - s->mv_min.y = -MARGIN; - s->mv_max.y = ((s->mb_height - 1) << 6) + MARGIN; + s->mv_bounds.mv_min.y = -MARGIN; + s->mv_bounds.mv_max.y = ((s->mb_height - 1) << 6) + MARGIN; for (i = 0; i < MAX_THREADS; i++) { VP8ThreadData *td = &s->thread_data[i]; atomic_init(&td->thread_mb_pos, 0); diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index d7e7680276..8263997e3f 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -93,6 +93,16 @@ typedef struct VP8Macroblock { VP56mv bmv[16]; } VP8Macroblock; +typedef struct VP8intmv { + int x; + int y; +} VP8intmv; + +typedef struct VP8mvbounds { + VP8intmv mv_min; + VP8intmv mv_max; +} VP8mvbounds; + typedef struct VP8ThreadData { DECLARE_ALIGNED(16, int16_t, block)[6][4][16]; DECLARE_ALIGNED(16, int16_t, block_dc)[16]; @@ -122,6 +132,7 @@ typedef struct VP8ThreadData { #define EDGE_EMU_LINESIZE 32 DECLARE_ALIGNED(16, uint8_t, edge_emu_buffer)[21 * EDGE_EMU_LINESIZE]; VP8FilterStrength *filter_strength; + VP8mvbounds mv_bounds; } VP8ThreadData; typedef struct VP8Frame { @@ -129,11 +140,6 @@ typedef struct VP8Frame { AVBufferRef *seg_map; } VP8Frame; -typedef struct VP8intmv { - int x; - int y; -} VP8intmv; - #define MAX_THREADS 8 typedef struct VP8Context { VP8ThreadData *thread_data; 
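Review bot: The new `VP8mvbounds mv_bounds;` member of VP8ThreadData is added without a comment, and VP8Context keeps a same-named member in the next hunk (`@@ -152,8 +158,7 @@`), so a reader cannot tell which of the two applies on which path. Suggest `VP8mvbounds mv_bounds; ///< per-thread MV clamping bounds; y is pre-offset per thread in vp78_decode_mb_row_sliced` on the thread-data field and `VP8mvbounds mv_bounds; ///< MV clamping bounds for the single-threaded vp78_decode_mv_mb_modes path` on the context field. Without that, the next person to touch clamping will not know the two must be kept in step.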
@@ -152,8 +158,7 @@ typedef struct VP8Context { uint8_t deblock_filter; uint8_t mbskip_enabled; uint8_t profile; - VP8intmv mv_min; - VP8intmv mv_max; + VP8mvbounds mv_bounds; int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type int ref_count[3]; From f4f3bf3c94a9aa485c09d0c03d68ca79a4785866 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Apr 2017 10:24:05 -0400 Subject: [PATCH 038/818] pthread_frame: allow per-field ThreadFrame owners. This tries to handle cases where separate invocations of decode_frame() (each running in separate threads) write to respective fields in the same AVFrame->data[]. Having per-field owners makes interaction between readers (the referencing thread) and writers (the decoding thread) slightly more optimal if both accesses are field-based, since they will use the respective producer's thread objects (mutex/cond) instead of sharing the thread objects of the first field's producer. In practice, this fixes the following tsan-warning in fate-h264: WARNING: ThreadSanitizer: data race (pid=21615) Read of size 4 at 0x7d640000d9fc by thread T2 (mutexes: write M1006): #0 ff_thread_report_progress pthread_frame.c:569 (ffmpeg:x86_64+0x100f7cf54) [..] Previous write of size 4 at 0x7d640000d9fc by main thread (mutexes: write M1004): #0 update_context_from_user pthread_frame.c:335 (ffmpeg:x86_64+0x100f81abb) (cherry picked from commit 083300bea935d125b83f60d7030f78a7ffb0f3df) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 8 +++++--- libavcodec/pthread_frame.c | 18 ++++++++++-------- libavcodec/thread.h | 2 +- libavcodec/utils.c | 7 ++++--- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 70ad05f640..acf6a73f60 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1423,14 +1423,14 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, * We have to do that before the "dummy" in-between frame allocation, * since that can modify h->cur_pic_ptr. */ if (h->first_field) { + int last_field = last_pic_structure == PICT_BOTTOM_FIELD; av_assert0(h->cur_pic_ptr); av_assert0(h->cur_pic_ptr->f->buf[0]); assert(h->cur_pic_ptr->reference != DELAYED_PIC_REF); /* Mark old field/frame as completed */ - if (h->cur_pic_ptr->tf.owner == h->avctx) { - ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, - last_pic_structure == PICT_BOTTOM_FIELD); + if (h->cur_pic_ptr->tf.owner[last_field] == h->avctx) { + ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, last_field); } /* figure out if we have a complementary field pair */ @@ -1568,7 +1568,9 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, return AVERROR_INVALIDDATA; } } else { + int field = h->picture_structure == PICT_BOTTOM_FIELD; release_unused_pictures(h, 0); + h->cur_pic_ptr->tf.owner[field] = h->avctx; } /* Some macroblocks can be accessed before they're available in case * of lost slices, MBAFF or threading. */ diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 9a6b83ac45..c246c2fded 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -564,10 +564,11 @@ void ff_thread_report_progress(ThreadFrame *f, int n, int field) atomic_load_explicit(&progress[field], memory_order_relaxed) >= n) return; - p = f->owner->internal->thread_ctx; + p = f->owner[field]->internal->thread_ctx; - if (f->owner->debug&FF_DEBUG_THREADS) - av_log(f->owner, AV_LOG_DEBUG, "%p finished %d field %d\n", progress, n, field); + if (f->owner[field]->debug&FF_DEBUG_THREADS) + av_log(f->owner[field], AV_LOG_DEBUG, + "%p finished %d field %d\n", progress, n, field); pthread_mutex_lock(&p->progress_mutex); 
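Review bot: The assignment `h->cur_pic_ptr->tf.owner[field] = h->avctx;` in the second hunk carries no explanation of why ownership of one field is transferred here, which is the whole point of the new per-field owner array. Suggest `/* this context decodes the second field, so it owns progress reporting for it */` above that line, and on `int last_field = ...` in the first hunk a note that index 1 denotes the bottom field. Both hunks sit inside h264_field_start, whose start and end are outside the hunks.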
@@ -586,10 +587,11 @@ void ff_thread_await_progress(ThreadFrame *f, int n, int field) atomic_load_explicit(&progress[field], memory_order_acquire) >= n) return; - p = f->owner->internal->thread_ctx; + p = f->owner[field]->internal->thread_ctx; - if (f->owner->debug&FF_DEBUG_THREADS) - av_log(f->owner, AV_LOG_DEBUG, "thread awaiting %d field %d from %p\n", n, field, progress); + if (f->owner[field]->debug&FF_DEBUG_THREADS) + av_log(f->owner[field], AV_LOG_DEBUG, + "thread awaiting %d field %d from %p\n", n, field, progress); pthread_mutex_lock(&p->progress_mutex); while (atomic_load_explicit(&progress[field], memory_order_relaxed) < n) @@ -882,7 +884,7 @@ static int thread_get_buffer_internal(AVCodecContext *avctx, ThreadFrame *f, int PerThreadContext *p = avctx->internal->thread_ctx; int err; - f->owner = avctx; + f->owner[0] = f->owner[1] = avctx; ff_init_buffer_info(avctx, f->f); @@ -986,7 +988,7 @@ void ff_thread_release_buffer(AVCodecContext *avctx, ThreadFrame *f) av_log(avctx, AV_LOG_DEBUG, "thread_release_buffer called on pic %p\n", f); av_buffer_unref(&f->progress); - f->owner = NULL; + f->owner[0] = f->owner[1] = NULL; if (can_direct_free) { av_frame_unref(f->f); diff --git a/libavcodec/thread.h b/libavcodec/thread.h index c848d7ae8b..90864b59d9 100644 --- a/libavcodec/thread.h +++ b/libavcodec/thread.h @@ -34,7 +34,7 @@ typedef struct ThreadFrame { AVFrame *f; - AVCodecContext *owner; + AVCodecContext *owner[2]; // progress->data is an array of 2 ints holding progress for top/bottom // fields AVBufferRef *progress; diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3e8677d0f4..0c6883686e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3971,7 +3971,8 @@ int ff_thread_ref_frame(ThreadFrame *dst, ThreadFrame *src) { int ret; - dst->owner = src->owner; + dst->owner[0] = src->owner[0]; + dst->owner[1] = src->owner[1]; ret = av_frame_ref(dst->f, src->f); if (ret < 0) 
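Review bot: `AVCodecContext *owner[2];` in thread.h is left undocumented while the neighbouring `progress` field has a comment, and the index convention is only discoverable by reading h264_slice.c. Suggest `// per-field owning context, indexed like progress (0 = top field / frame, 1 = bottom field); both entries are set by ff_thread_get_buffer and cleared by ff_thread_release_buffer`. Since ff_thread_report_progress and ff_thread_await_progress dereference `f->owner[field]` unconditionally, the comment should also state that the entries must be non-NULL while the frame is in use.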
@@ -3981,7 +3982,7 @@ int ff_thread_ref_frame(ThreadFrame *dst, ThreadFrame *src) if (src->progress && !(dst->progress = av_buffer_ref(src->progress))) { - ff_thread_release_buffer(dst->owner, dst); + ff_thread_release_buffer(dst->owner[0], dst); return AVERROR(ENOMEM); } @@ -3997,7 +3998,7 @@ enum AVPixelFormat ff_thread_get_format(AVCodecContext *avctx, const enum AVPixe int ff_thread_get_buffer(AVCodecContext *avctx, ThreadFrame *f, int flags) { - f->owner = avctx; + f->owner[0] = f->owner[1] = avctx; return ff_get_buffer(avctx, f->f, flags); } From 1968a1eef1cae22e162259d7082c2eea98d81e32 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 6 Apr 2017 13:58:59 -0400 Subject: [PATCH 039/818] pthread_frame: make accesses to debug field be protected by owner lock. The av_log() is done outside the lock, but this way the accesses to the field (reads and writes) are always protected by a mutex. The av_log() is not run inside the lock context because it may involve user callbacks and doing that in performance-sensitive code is probably not a good idea. This should fix occasional tsan warnings when running fate-h264, like: WARNING: ThreadSanitizer: data race (pid=10916) Write of size 4 at 0x7d64000174fc by main thread (mutexes: write M2313): #0 update_context_from_user src/libavcodec/pthread_frame.c:335 (ffmpeg+0x000000df7b06) [..] Previous read of size 4 at 0x7d64000174fc by thread T1 (mutexes: write M2311): #0 ff_thread_await_progress src/libavcodec/pthread_frame.c:592 (ffmpeg+0x000000df8b3e) (cherry picked from commit 2e664b9c1e73c80aab91070c1eb7676f04bdd12d) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index c246c2fded..0ba87b5929 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c 
@@ -566,12 +566,11 @@ void ff_thread_report_progress(ThreadFrame *f, int n, int field) p = f->owner[field]->internal->thread_ctx; + pthread_mutex_lock(&p->progress_mutex); if (f->owner[field]->debug&FF_DEBUG_THREADS) av_log(f->owner[field], AV_LOG_DEBUG, "%p finished %d field %d\n", progress, n, field); - pthread_mutex_lock(&p->progress_mutex); - atomic_store_explicit(&progress[field], n, memory_order_release); pthread_cond_broadcast(&p->progress_cond); @@ -589,11 +588,10 @@ void ff_thread_await_progress(ThreadFrame *f, int n, int field) p = f->owner[field]->internal->thread_ctx; + pthread_mutex_lock(&p->progress_mutex); if (f->owner[field]->debug&FF_DEBUG_THREADS) av_log(f->owner[field], AV_LOG_DEBUG, "thread awaiting %d field %d from %p\n", n, field, progress); - - pthread_mutex_lock(&p->progress_mutex); while (atomic_load_explicit(&progress[field], memory_order_relaxed) < n) pthread_cond_wait(&p->progress_cond, &p->progress_mutex); pthread_mutex_unlock(&p->progress_mutex); From ed2ed4ac0f05c4139a3149cb59bf1717c797a620 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 15 Apr 2017 20:30:51 +0200 Subject: [PATCH 040/818] ffmpeg; check return code of avcodec_send_frame when flushing encoders Fixes Coverity CID 1404841. Signed-off-by: Marton Balint (cherry picked from commit c037f2f1ba3a2d3114575323550f456e66695edf) --- ffmpeg.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index ea03179c21..a7524d94cf 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1904,8 +1904,6 @@ static void flush_encoders(void) if (enc->codec_type != AVMEDIA_TYPE_VIDEO && enc->codec_type != AVMEDIA_TYPE_AUDIO) continue; - avcodec_send_frame(enc, NULL); - for (;;) { const char *desc = NULL; AVPacket pkt; 
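Review bot: The commit message says the av_log() is not run inside the lock, but in both hunks (ff_thread_report_progress here and ff_thread_await_progress below) the `pthread_mutex_lock(&p->progress_mutex);` is moved above the `if (f->owner[field]->debug&FF_DEBUG_THREADS)` block, so the log call now executes with progress_mutex held, and any user log callback runs under that mutex. Either the description should be corrected or the code should read the flag under the lock into a local, `int debug = f->owner[field]->debug & FF_DEBUG_THREADS;`, and perform the av_log after the unlock (for await, after the wait loop). As written the race is fixed, but the stated rationale for the placement is not what the code does.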
@@ -1927,7 +1925,17 @@ static void flush_encoders(void) pkt.size = 0; update_benchmark(NULL); - ret = avcodec_receive_packet(enc, &pkt); + + while ((ret = avcodec_receive_packet(enc, &pkt)) == AVERROR(EAGAIN)) { + ret = avcodec_send_frame(enc, NULL); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n", + desc, + av_err2str(ret)); + exit_program(1); + } + } + update_benchmark("flush_%s %d.%d", desc, ost->file_index, ost->index); if (ret < 0 && ret != AVERROR_EOF) { av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n", From da693f8daa62cb76a2aa05021d6c8d53a1b816b2 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 23 Apr 2017 11:53:57 +0200 Subject: [PATCH 041/818] avcodec/dnxhd_parser: fix parsing interlaced video, simplify code There appears to be no need to treat interlaced videos differently, also that code is flawed, as for at least one input cur_field would be always 0. Fixes ticket #6344. Signed-off-by: Paul B Mahol (cherry picked from commit ac30754a148df58822a272555d1f6f860e42037e) --- libavcodec/dnxhd_parser.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index 4f9bbceeeb..a1f632a620 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -29,8 +29,6 @@ typedef struct { ParseContext pc; - int interlaced; - int cur_field; /* first field is 0, second is 1 */ int cur_byte; int remaining; int w, h; @@ -56,8 +54,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, uint64_t state = pc->state64; int pic_found = pc->frame_start_found; int i = 0; - int interlaced = dctx->interlaced; - int cur_field = dctx->cur_field; if (!pic_found) { for (i = 0; i < buf_size; i++) { 
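Review bot: The new loop calls `avcodec_send_frame(enc, NULL)` on every `AVERROR(EAGAIN)` from `avcodec_receive_packet`, so if an encoder reports EAGAIN again after it has already received the flush frame, the second NULL send presumably fails and the loop exits with a misleading "encoding failed" fatal error instead of continuing to drain. Sending the flush once and treating a subsequent EAGAIN as an error would make the intent explicit, e.g. a `int flushed = 0;` flag checked before the send. Also `desc` is declared `NULL` at the top of the loop and assigned outside this hunk, so it is worth confirming it is set on every path that reaches the new `%s` log.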
@@ -65,8 +61,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { i++; pic_found = 1; - interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */ - cur_field = state&1; dctx->cur_byte = 0; dctx->remaining = 0; break; @@ -97,13 +91,11 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, if (dctx->remaining <= 0) return dctx->remaining; } - if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) { + if (buf_size - i + 47 >= dctx->remaining) { int remaining = dctx->remaining; pc->frame_start_found = 0; pc->state64 = -1; - dctx->interlaced = interlaced; - dctx->cur_field = 0; dctx->cur_byte = 0; dctx->remaining = 0; return remaining; @@ -120,8 +112,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, pc->frame_start_found = 0; pc->state64 = -1; - dctx->interlaced = interlaced; - dctx->cur_field = 0; dctx->cur_byte = 0; dctx->remaining = 0; return remaining; @@ -129,8 +119,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, } pc->frame_start_found = pic_found; pc->state64 = state; - dctx->interlaced = interlaced; - dctx->cur_field = cur_field; return END_NOT_FOUND; } From cfca0b91399bfc72218bd47412bc8e57c19742b9 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 25 Apr 2017 20:23:12 -0300 Subject: [PATCH 042/818] avformat/concatdec: fix the h264 annexb extradata check The start code can be either in the first three or four bytes. (cherry picked from commit b4330a0e02fcbef61d630a369abe5f4421ced659) --- libavformat/concatdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 8649916ff2..dd52e4d366 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c 
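Review bot: `if (buf_size - i + 47 >= dctx->remaining)` introduces the bare constant 47 with no comment, and nothing else in dnxhd_find_frame_end shows where it comes from, whereas the old condition compared against `remaining` directly. Give it a named constant or a comment explaining what those 47 bytes account for, so the relation to `remaining` and the frame-size computation above can be checked by the next reader. The function's start is outside the hunks on this line.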
@@ -199,8 +199,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx) AVBitStreamFilterContext *bsf; int ret; - if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264 && - (st->codecpar->extradata_size < 4 || AV_RB32(st->codecpar->extradata) != 1)) { + if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264) { + if (!st->codecpar->extradata_size || + (st->codecpar->extradata_size >= 3 && AV_RB24(st->codecpar->extradata) == 1) || + (st->codecpar->extradata_size >= 4 && AV_RB32(st->codecpar->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { From 58a8e4733ae0b597aa0c92bdc73462a9fe8114cc Mon Sep 17 00:00:00 2001 From: Muhammad Faiz Date: Tue, 2 May 2017 07:22:31 +0700 Subject: [PATCH 043/818] ffmpeg: count packets when queued Because write_packet() fakely writes packets to muxer by queueing them when muxer hasn't been initialized, it should also increment frame_number fakely. This is required because code in do_streamcopy() rely on frame_number. Should fix Ticket6227 Reviewed-by: James Almer Reviewed-by: Michael Niedermayer Signed-off-by: Muhammad Faiz (cherry picked from commit c4be288fdbe1993110f1abd28ea57587cb2bc221) --- ffmpeg.c | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index a7524d94cf..4b4dae47fe 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
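Review bot: The restructured check now does `return 0;` from detect_stream_specific for any H.264 stream that has no extradata or an Annex B start code, whereas the old form only skipped the filter insertion and fell through to whatever follows in the function. If any later code in detect_stream_specific applies to H.264 streams, that is a behaviour change; if not, a comment such as `/* already Annex B (or no extradata): nothing to convert */` above the return would make the early exit intentional. The rest of the function is outside the hunk.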
@@ -669,12 +669,28 @@ static void close_all_output_streams(OutputStream *ost, OSTFinished this_stream, } } -static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost) +static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost, int unqueue) { AVFormatContext *s = of->ctx; AVStream *st = ost->st; int ret; + /* + * Audio encoders may split the packets -- #frames in != #packets out. + * But there is no reordering, so we can limit the number of output packets + * by simply dropping them here. + * Counting encoded video frames needs to be done separately because of + * reordering, see do_video_out(). + * Do not count the packet when unqueued because it has been counted when queued. + */ + if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed) && !unqueue) { + if (ost->frame_number >= ost->max_frames) { + av_packet_unref(pkt); + return; + } + ost->frame_number++; + } + if (!of->header_written) { AVPacket tmp_pkt = {0}; /* the muxer is not initialized yet, buffer the packet */ @@ -703,20 +719,6 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost) (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && audio_sync_method < 0)) pkt->pts = pkt->dts = AV_NOPTS_VALUE; - /* - * Audio encoders may split the packets -- #frames in != #packets out. - * But there is no reordering, so we can limit the number of output packets - * by simply dropping them here. - * Counting encoded video frames needs to be done separately because of - * reordering, see do_video_out() - */ - if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed)) { - if (ost->frame_number >= ost->max_frames) { - av_packet_unref(pkt); - return; - } - ost->frame_number++; - } if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { int i; uint8_t *sd = av_packet_get_side_data(pkt, AV_PKT_DATA_QUALITY_STATS, 
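Review bot: The new `unqueue` parameter of write_packet is described only inside the body comment, while the signature carries nothing; suggest `/* unqueue: non-zero when pkt is replayed from ost->muxing_queue and was already counted in ost->frame_number */` next to the prototype, since the callers pass literal 0/1. It is also worth one sentence in the moved comment that the `max_frames` drop now runs before the `of->header_written` check, so a packet over the limit is unref'd and never enqueued — that looks intended but is a visible ordering change.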
@@ -861,10 +863,10 @@ static void output_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost) goto finish; idx++; } else - write_packet(of, pkt, ost); + write_packet(of, pkt, ost, 0); } } else - write_packet(of, pkt, ost); + write_packet(of, pkt, ost, 0); finish: if (ret < 0 && ret != AVERROR_EOF) { @@ -2971,7 +2973,7 @@ static int check_init_output_file(OutputFile *of, int file_index) while (av_fifo_size(ost->muxing_queue)) { AVPacket pkt; av_fifo_generic_read(ost->muxing_queue, &pkt, sizeof(pkt), NULL); - write_packet(of, &pkt, ost); + write_packet(of, &pkt, ost, 1); } } From 4f19268eee12053ee7f7dc451e5a7b5b7bcbfa28 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 22 Apr 2017 13:25:32 -0300 Subject: [PATCH 044/818] avcodec/options: factorize avcodec_copy_context() cleanup code Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 54a4c9b4e9a1524b1ac5d2be97c8042272402d0a) --- libavcodec/options.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index 7bdb0be5af..b98da9378a 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -188,6 +188,19 @@ void avcodec_free_context(AVCodecContext **pavctx) } #if FF_API_COPY_CONTEXT +static void copy_context_reset(AVCodecContext *avctx) +{ + av_opt_free(avctx); + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + av_buffer_unref(&avctx->hw_frames_ctx); + avctx->subtitle_header_size = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; 
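Review bot: copy_context_reset is introduced without a comment, yet it serves two quite different situations — before `memcpy(dest, src, sizeof(*dest))` overwrites every pointer in dest, and on the `fail:` path after the copy — so a maintainer must know that anything freed here has to be reset to NULL after the memcpy or dest will alias src's buffers. Suggest `/* Free everything dest owns. Called both before memcpy()ing src over dest and on the failure path, so every pointer freed here must also be NULLed after the copy. */` above the function. The body of avcodec_copy_context continues outside this hunk.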
@@ -200,12 +213,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -264,15 +272,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: - av_freep(&dest->subtitle_header); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_buffer_unref(&dest->hw_frames_ctx); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } #endif From 8119efdbec1fa3d10031a83ad5a43bd4999ae7c2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 24 Apr 2017 14:53:47 -0300 Subject: [PATCH 045/818] avcodec/options: do a more thorough clean up in avcodec_copy_context() Free coded_frame, coded_side_data and unref hw_device_ctx to prevent potential leaks. Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit cac8de2da5c4935773128335c11b806faa73e19d) --- libavcodec/options.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavcodec/options.c b/libavcodec/options.c index b98da9378a..82e12179a6 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
@@ -190,14 +190,26 @@ void avcodec_free_context(AVCodecContext **pavctx) #if FF_API_COPY_CONTEXT static void copy_context_reset(AVCodecContext *avctx) { + int i; + av_opt_free(avctx); +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_free(&avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif av_freep(&avctx->rc_override); av_freep(&avctx->intra_matrix); av_freep(&avctx->inter_matrix); av_freep(&avctx->extradata); av_freep(&avctx->subtitle_header); av_buffer_unref(&avctx->hw_frames_ctx); + av_buffer_unref(&avctx->hw_device_ctx); + for (i = 0; i < avctx->nb_coded_side_data; i++) + av_freep(&avctx->coded_side_data[i].data); + av_freep(&avctx->coded_side_data); avctx->subtitle_header_size = 0; + avctx->nb_coded_side_data = 0; avctx->extradata_size = 0; } @@ -238,11 +250,14 @@ FF_ENABLE_DEPRECATION_WARNINGS /* reallocate values that should be allocated separately */ dest->extradata = NULL; + dest->coded_side_data = NULL; dest->intra_matrix = NULL; dest->inter_matrix = NULL; dest->rc_override = NULL; dest->subtitle_header = NULL; dest->hw_frames_ctx = NULL; + dest->hw_device_ctx = NULL; + dest->nb_coded_side_data = 0; #define alloc_and_copy_or_fail(obj, size, pad) \ if (src->obj && size > 0) { \ From 329176adc52c51878160530a655f9c787fa338b3 Mon Sep 17 00:00:00 2001 From: Aaron Levinson Date: Thu, 20 Apr 2017 23:30:13 -0700 Subject: [PATCH 046/818] avformat/utils: free AVStream.codec properly in free_stream() Fixes memory leaks. Signed-off-by: James Almer (cherry picked from commit b9d2005ea5d6837917a69bc2b8e98f5695f54e39) --- libavformat/utils.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a059046a2c..a82bbc702d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -4146,9 +4146,7 @@ static void free_stream(AVStream **pst) av_freep(&st->index_entries); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - av_freep(&st->codec->extradata); - av_freep(&st->codec->subtitle_header); - av_freep(&st->codec); + avcodec_free_context(&st->codec); FF_ENABLE_DEPRECATION_WARNINGS #endif av_freep(&st->priv_data); From 059db2204046c502f946ad6a80c6d76e428627fd Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 5 May 2017 00:15:15 +0200 Subject: [PATCH 047/818] ffmpeg: check for unconnected outputs Fixes e.g.: ffmpeg -f lavfi -i testsrc -f lavfi -i testsrc -filter_complex "[0:v][1:v]psnr[out]" -f null none Fixes ticket #6323. (cherry picked from commit 974ee16d6a71c31d0b5db4f139a40831c2f45776) --- ffmpeg.h | 1 + ffmpeg_filter.c | 15 +++++++++++++++ ffmpeg_opt.c | 2 ++ 3 files changed, 18 insertions(+) diff --git a/ffmpeg.h b/ffmpeg.h index 4d0456c1fb..d34561275a 100644 --- a/ffmpeg.h +++ b/ffmpeg.h @@ -638,6 +638,7 @@ void choose_sample_fmt(AVStream *st, AVCodec *codec); int configure_filtergraph(FilterGraph *fg); int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOut *out); +void check_filter_outputs(void); int ist_in_filtergraph(FilterGraph *fg, InputStream *ist); int filtergraph_is_simple(FilterGraph *fg); int init_simple_filtergraph(InputStream *ist, OutputStream *ost); diff --git a/ffmpeg_filter.c b/ffmpeg_filter.c index 219e473f69..4d425eaff2 100644 --- a/ffmpeg_filter.c +++ b/ffmpeg_filter.c 
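Review bot: Replacing the two `av_freep` calls with `avcodec_free_context(&st->codec)` does more than release extradata and subtitle_header: it presumably also closes the context and frees its other owned buffers, which is the leak fix intended, but it means a deprecated `st->codec` that a caller had opened is now closed by free_stream. If that is acceptable, say so in a comment such as `/* frees all context-owned buffers, not just extradata, and closes st->codec if it was opened */`.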
@@ -678,6 +678,21 @@ int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOu } } +void check_filter_outputs(void) +{ + int i; + for (i = 0; i < nb_filtergraphs; i++) { + int n; + for (n = 0; n < filtergraphs[i]->nb_outputs; n++) { + OutputFilter *output = filtergraphs[i]->outputs[n]; + if (!output->ost) { + av_log(NULL, AV_LOG_FATAL, "Filter %s has an unconnected output\n", output->name); + exit_program(1); + } + } + } +} + static int sub2video_prepare(InputStream *ist, InputFilter *ifilter) { AVFormatContext *avf = input_files[ist->file_index]->ctx; diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index d1fe8742ff..e73a61059f 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -3260,6 +3260,8 @@ int ffmpeg_parse_options(int argc, char **argv) goto fail; } + check_filter_outputs(); + fail: uninit_parse_context(&octx); if (ret < 0) { From 508e410d348e598bdd1624e1fb685c123222dc4e Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 6 May 2017 01:12:24 +0200 Subject: [PATCH 048/818] lavfi/avfiltergraph: only return EOF in avfilter_graph_request_oldest if all sinks EOFed Fixes a regression introduced in 32c59a115d3cc757676b5384a5ea44b5a7a7b872, becoming effective in 912969a33e313c57c906e87a7e2367b78a2160f4. Fixes trimmed output of ffmpeg -f lavfi -i "sine=d=0.01" -f lavfi -i "sine=d=1" -filter_complex "[0:a]anull[a1];[1:a]anull[a2]" -map "[a1]" -f null none -map "[a2]" -f framecrc - Reviewed-by: Nicolas George Signed-off-by: Marton Balint (cherry picked from commit c0443c1af1a772daf33731da7262f3aa6b28dc8e) --- libavfilter/avfiltergraph.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index f7fbf119eb..598e50a077 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c 
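Review bot: check_filter_outputs logs `output->name` with `%s`; if an OutputFilter can exist with a NULL name (for example when created from a filtergraph without a label), that is undefined behaviour in the format call, so either confirm name is always set or log `output->name ? output->name : "(unnamed)"`. A brief comment above the function stating that it must run after all outputs are bound, i.e. after the loop in ffmpeg_parse_options that precedes the new call, would also help, since the check depends on that ordering.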
@@ -1399,10 +1399,13 @@ int avfilter_graph_request_oldest(AVFilterGraph *graph) oldest = graph->sink_links[0]; if (oldest->dst->filter->activate) { /* For now, buffersink is the only filter implementing activate. */ - return av_buffersink_get_frame_flags(oldest->dst, NULL, - AV_BUFFERSINK_FLAG_PEEK); + r = av_buffersink_get_frame_flags(oldest->dst, NULL, + AV_BUFFERSINK_FLAG_PEEK); + if (r != AVERROR_EOF) + return r; + } else { + r = ff_request_frame(oldest); } - r = ff_request_frame(oldest); if (r != AVERROR_EOF) break; av_log(oldest->dst, AV_LOG_DEBUG, "EOF on sink link %s:%s.\n", From 9eb0d76e25c6a7c7ee18f8895fa73338697851f6 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 13:14:42 +0100 Subject: [PATCH 049/818] avformat/webmdashenc: Require the 'adaptation_sets' option to be set This seems to be non-optional, and if the muxer is run without it, strlen() is run on NULL, causing a segfault. Signed-off-by: Michael Niedermayer (cherry picked from commit cbd3a68f3e1c2d1679370301eb5e1a32a2df64fe) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index d4b3146790..740fd8eb01 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { From 2ff9e21f7fcecbda36669b95ff8b30b5c34bd371 Mon Sep 17 00:00:00 2001 
From: Derek Buitenhuis Date: Thu, 20 Apr 2017 16:17:44 +0100 Subject: [PATCH 050/818] avformat/webmdashenc: Validate the 'streams' adaptation sets parameter It should not be a value larger than the number of streams we have, or it will cause invalid reads and/or SIGSEGV. Signed-off-by: Michael Niedermayer (cherry picked from commit ec07efa70012845e8642df67a4a773f510a17088) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 740fd8eb01..9dc9b36d31 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -462,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s) if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; From 3ffde707dfa3cf240bb61cf91a74c2129a0489db Mon Sep 17 00:00:00 2001 From: Martin Vignali Date: Tue, 25 Apr 2017 22:52:50 +0200 Subject: [PATCH 051/818] libavcodec/exr : fix float to uint16 conversion for negative float value Signed-off-by: Michael Niedermayer (cherry picked from commit e46d63745215c04637e7797228bad36bce49d881) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e5dea0756d..ec940222b2 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
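Review bot: The new error string misspells the option: `"Invalid value for 'streams' in adapation_sets.\n"` should be `"Invalid value for 'streams' in adaptation_sets.\n"`, otherwise users grepping for the option name will not find it. The bounds check itself is fine: the `< 0` test runs first, so the signed/unsigned comparison against `s->nb_streams` never sees a negative value.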
@@ -220,9 +220,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway From 87dcc7502dc6c893c34eb9b63b3ad22f2c146a67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:08:54 +0200 Subject: [PATCH 052/818] avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang compilers doing DCE at -O0 do not necessarily understand "complex" boolean expressions Build succeeds with this change, this was the only failure Signed-off-by: Michael Niedermayer (cherry picked from commit fa8fd0808f1086fc85abba5cf123faf41da49305) Signed-off-by: Michael Niedermayer --- libavcodec/x86/vc1dsp_init.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c index 79d22a294f..0b00f8ac11 100644 --- a/libavcodec/x86/vc1dsp_init.c +++ b/libavcodec/x86/vc1dsp_init.c @@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); - if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags)) + if (HAVE_6REGS && INLINE_MMX(cpu_flags)) + if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); - if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags)) + if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags)) + if (EXTERNAL_MMXEXT(cpu_flags)) ff_vc1dsp_init_mmxext(dsp); #define ASSIGN_LF(EXT) \ From 51f24cb3f59b78336f4f669669a82c026227359f Mon Sep 17 00:00:00 2001 
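Review bot: `int32_t exp = v >> 23;` now right-shifts a possibly negative value, which C11 leaves implementation-defined; the code depends on an arithmetic (sign-extending) shift so that a negative float yields `exp < 0`, as the existing "HACK" comment relies on. A note on the signature, `/* v is the raw IEEE-754 bit pattern, taken as signed so the sign bit drives exp negative (relies on arithmetic >>) */`, would record the assumption that a later patch in this series writes down in doc/developer.texi. Callers that still hand over a uint32_t pattern above INT32_MAX now go through an implementation-defined conversion at the call site, which is outside the hunk.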
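Review bot: The two split conditions in ff_vc1dsp_init_x86() are now unbraced nested `if`s, the classic dangling-else shape: correct as written, but the first `else` anyone adds later binds to the wrong `if`. Bracing the outer statement, `if (HAVE_6REGS && INLINE_MMX(cpu_flags)) { if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); }`, keeps the dead-code-elimination property the commit wants while removing the hazard; the MMXEXT pair directly below needs the same treatment.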
From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:27:16 +0200 Subject: [PATCH 053/818] avcodec/mdec: Fix runtime error: left shift of negative value -127 Fixes undefined behavior Fixes: 1275/clusterfuzz-testcase-minimized-6718162017976320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ca82975b7a8eaf676a52738ec8e7e36732327cc) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 1cc4ca4742..42bd561cd7 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (diff >= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; From 681ca7ecd08a28e0fd87b6d0e882eb078f0441c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 17:53:11 +0200 Subject: [PATCH 054/818] avcodec/bmp: Use ff_set_dimensions() Fixes out of memory Fixes: 1282/clusterfuzz-testcase-minimized-5400131681648640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63b8d4146d78595638417e431ea390aaf01f560f) Signed-off-by: Michael Niedermayer --- libavcodec/bmp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 72957499d3..65d239e4f8 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c 
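Review bot: `a->last_dc[component] * (1 << 3)` removes the left shift of a negative value but not the possibility of signed overflow: `diff` is only bounded from above (`diff >= 0xffff` is rejected) and `last_dc` accumulates across blocks, so if `last_dc` is a plain int the multiply can still exceed INT_MAX. Whether `last_dc` is clipped somewhere else cannot be seen from the hunk; if it is not, an explicit range check on `last_dc` before the multiply, or `a->last_dc[component] * (1U << 3)` to make the wrap defined, would complete the fix. mdec_decode_block_intra continues outside the hunk.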
@@ -133,8 +133,11 @@ static int bmp_decode_frame(AVCodecContext *avctx, alpha = bytestream_get_le32(&buf); } - avctx->width = width; - avctx->height = height > 0 ? height : -(unsigned)height; + ret = ff_set_dimensions(avctx, width, height > 0 ? height : -(unsigned)height); + if (ret < 0) { + av_log(avctx, AV_LOG_ERROR, "Failed to set dimensions %d %d\n", width, height); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = AV_PIX_FMT_NONE; From 0875b2651dad34ed30e17ce12c2334ee64c7cd23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Apr 2017 02:50:42 +0200 Subject: [PATCH 055/818] doc/developer: Add terse documentation of assumed C implementation defined behavior Suggested-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit b706ddbae3f4a11c58560b914807931556108b55) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index dbe1f5421f..98540c8f99 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};}); @item compound literals (@samp{x = (struct s) @{ 17, 23 @};}). + +@item +Implementation defined behavior for signed integers is assumed to match the +expected behavior for two's complement. Non representable values in integer +casts are binary truncated. Shift right of signed values uses sign extension. @end itemize These features are supported by all compilers we care about, so we will not From b6a4aeb2f6359eb33d650ae9eb2941425aa855ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:46:27 +0200 Subject: [PATCH 056/818] avcodec/vp3: Check remaining bits in unpack_dct_coeffs() Decreases the time spend decoding junk. May fix: 1283/clusterfuzz-testcase-minimized-6221126759874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
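Review bot: The error code from ff_set_dimensions() is discarded and replaced with AVERROR_INVALIDDATA, whereas the pngdec change later in this series propagates `ret`; unless the substitution is deliberate, `return ret;` keeps the actual cause (an allocation failure versus a bad size) visible to the caller. The `-(unsigned)height` expression is converted back to an int parameter, so for `height == INT_MIN` the value handed to ff_set_dimensions is still negative; presumably ff_set_dimensions rejects that, but it cannot be confirmed here. bmp_decode_frame continues outside the hunk.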
Signed-off-by: Michael Niedermayer (cherry picked from commit 2f00300b779e7b247c85db0d7daef448225105ff) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 86e5852e32..b10cb39f8a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); From b1fc2c5c2560913c01b91550d8fb2f21bf601a02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:53:52 +0200 Subject: [PATCH 057/818] avcodec/indeo2: Check remaining bits in ir2_decode_plane() Fixes: 1290/clusterfuzz-testcase-minimized-5815578902134784 Fixes: timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29feec9829cfab2523c8d95e35bd69e689ea4af) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index c89845233e..f1324e4635 100644 --- a/libavcodec/indeo2.c 
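Review bot: The thresholds in the three new `get_bits_left(gb) < N` checks (16, 8, 8) are magic numbers whose relation to the reads that follow is not stated — the first precedes two 4-bit table reads and the DC unpacking, the other two precede a pair of 4-bit reads each — and the second and third hunks in unpack_dct_coeffs repeat the pattern. A comment on each, e.g. `/* two 4-bit table indexes plus at least some coefficient data */` on the first and `/* two 4-bit table indexes */` on the others, would let a reader check the margin. The AC unpacking calls after the last check are not guarded; whether the bit reader tolerates reads past the end there cannot be told from the hunk.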
+++ b/libavcodec/indeo2.c @@ -77,6 +77,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { int c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -116,6 +118,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ From 65a9d0c66c31caa36f41860f80c33c811c75e7f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 058/818] avcodec/svq3: Increase offsets to prevent integer overflows Fixes: 1280/clusterfuzz-testcase-minimized-6102353767825408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 382b4fc9b5f3102f59743bf9c8619b31dd8ede1b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 06e3d37590..3e35fd73d6 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -562,8 +562,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, 
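Review bot: The new check in ir2_decode_plane and ir2_decode_plane_inter runs once per row, but the inner `while (out < width)` loop then calls ir2_get_code() repeatedly without re-checking, so a single row can still consume bits past the end of the buffer; whether that is harmless depends on the bit reader's behaviour past its end, which the hunks do not show. If that behaviour is the intended safety net, a comment such as `/* per-row check only; reads past the end within a row rely on the bit reader's end-of-buffer handling (presumed safe) */` documents the dependency. Both functions continue outside their hunks.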
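Review bot: The bias constants 0x30000/0x10000 (and 0x60000 in the third hunk) in svq3_mc_dir are unexplained magic numbers; the idiom adds a multiple of the divisor so the unsigned division floors a negative numerator, and it only works while |mx| and |my| stay below the bias. A comment on the first use, `/* bias by a multiple of 3 so the unsigned division floors negative values; requires |mx|, |my| < 0x30000 */`, plus a named constant, would make the limit checkable against the 16-bit dx/dy bound the next patch introduces. The same constants appear in the two hunks on the next line; svq3_mc_dir continues outside the hunks.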
@@ -571,8 +571,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -580,8 +580,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); From 78fd652af442fd14156a1bdaec4741e79511b9ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:26 +0200 Subject: [PATCH 059/818] avcodec/svq3: Reject dx/dy beyond 16bit The code does use 16bit sized arrays later so larger deltas would not work Signed-off-by: Michael Niedermayer (cherry picked from commit 48b3117844177d8442bc9fa3ede1d31ce82ae6fc) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3e35fd73d6..76a465b9c0 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -551,7 +551,7 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, dy = get_interleaved_se_golomb(&s->gb_slice); dx = get_interleaved_se_golomb(&s->gb_slice); - if (dx == INVALID_VLC || dy == INVALID_VLC) { + if (dx != (int16_t)dx || dy != (int16_t)dy) { av_log(s->avctx, AV_LOG_ERROR, "invalid MV vlc\n"); return -1; } From 44eabc5d5d9ed479cad1df0acc8f172093e44364 Mon Sep 17 00:00:00 2001 
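Review bot: Replacing the INVALID_VLC test with the 16-bit range check drops the explicit sentinel comparison: if INVALID_VLC is a value that fits in int16_t, an invalid Golomb code is no longer rejected here (its definition is not visible in the hunk, so please confirm). The log text `"invalid MV vlc\n"` also no longer describes what is being checked; `av_log(s->avctx, AV_LOG_ERROR, "MV delta out of 16-bit range\n");` would match the new condition.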
From: Michael Niedermayer Date: Fri, 7 Apr 2017 22:27:50 +0200 Subject: [PATCH 060/818] avcodec/dcadsp: Fix runtime error: signed integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9244b839b788e4677019041907ff5a4378a23490) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index 4f1e933cfb..fade1a6c02 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] -= mul15(src[i], coeff); + dst[i] -= (unsigned)mul15(src[i], coeff); } static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len) From 927ff67ab44b08fa0f57ac73faa2b438cbf740ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Apr 2017 21:59:29 +0200 Subject: [PATCH 061/818] avcodec/h264_cavlc: Fix undefined behavior on qscale overflow Fixes: 1214/clusterfuzz-testcase-minimized-6130606599569408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc8cff96ed45dfdb91ed03e9942845f28be0e770) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 069b52129c..72dfaaab45 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1112,7 +1112,7 @@ decode_intra_mb: dquant= get_se_golomb(&sl->gb); - sl->qscale += dquant; + sl->qscale += (unsigned)dquant; if (((unsigned)sl->qscale) > max_qp){ if (sl->qscale < 0) sl->qscale += max_qp + 1; From dfda395b2f0151568d5080c8e14a0df9edfa04aa Mon Sep 17 00:00:00 2001 
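Review bot: `(unsigned)mul15(src[i], coeff)` makes the wraparound defined, but the result is then stored back into the int32_t `dst[i]` through an implementation-defined conversion for values above INT32_MAX; the h264_cavlc hunk that follows (`sl->qscale += (unsigned)dquant;`) uses the same idiom. Both rely on the two's-complement assumption this series writes down in doc/developer.texi, so a one-line comment at each site, `/* unsigned: wrap instead of UB, relies on two's-complement truncation */`, would tell the next reader the overflow is intended rather than overlooked. dmix_add_c, whose signature is visible just after the hunk, presumably contains the same expression and was not changed.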
From: Michael Niedermayer Date: Thu, 4 May 2017 15:24:46 +0200 Subject: [PATCH 062/818] avcodec/msvideo1: Check buffer size before re-getting the frame Fixes timeout Fixes: 1306/clusterfuzz-testcase-minimized-6152296217968640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cabfed6895fcc679cd6a6244a12d800e0f3f2d20) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index a49b9be364..29700f54b6 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -301,6 +301,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 142c65ba9ca65674f0227c70e82f3c9a2a0d16fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 18:40:46 +0200 Subject: [PATCH 063/818] avcodec/pngdec: Use ff_set_dimensions() Fixes OOM Fixes: 1314/clusterfuzz-testcase-minimized-4621997222920192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0296fc056f0d86943c697c505a181744b07dd45) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 102551972e..c2359b8a4d 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
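Review bot: The minimum-size bound `(avctx->width/4) * (avctx->height/4) / 512` is built from unexplained constants, and because of integer division it collapses to 0 for small dimensions (any width or height below 4, or fewer than 512 4x4 blocks), which makes the new check vacuous there; a comment deriving the bound from the codec's block layout, or a named constant for the 512, would let a reader verify it. The new comment also has a typo: `// Discard frame if it's smaller than the minimum frame size`. msvideo1_decode_frame continues outside the hunk.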
@@ -622,8 +622,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } if (!(s->pic_state & PNG_IDAT)) { /* init image info */ - avctx->width = s->width; - avctx->height = s->height; + ret = ff_set_dimensions(avctx, s->width, s->height); + if (ret < 0) + return ret; s->channels = ff_png_get_nb_channels(s->color_type); s->bits_per_pixel = s->bit_depth * s->channels; From a5bcb36874eb174bfee4e141f2f50343e447a17a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 May 2017 05:21:51 +0200 Subject: [PATCH 064/818] libavcodec/mpeg4videodec: Convert sprite_offset to 64bit This avoids intermediates from overflowing (the final values are checked) Fixes: runtime error: signed integer overflow: -167712 + -2147352576 cannot be represented in type 'int' Fixes: 1298/clusterfuzz-testcase-minimized-5955580877340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1c3a14073b33f790075f2884ea5c64451a6c876) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 102 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 52 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 791a07bbbb..39f177f8d0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, 
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = s->sprite_delta[1][0] = 0; @@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 
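Review bot: Only the `case 3` expressions (the hunk on the next line) received `(int64_t)` casts; in `case 1` here and `case 2` on the next line the right-hand sides are still evaluated entirely in int — `a * vop_ref[0][0]`, `sprite_ref[0][0] * (1 << alpha + rho)` and the following products — and only the finished int result is widened when stored into the new int64_t `sprite_offset`, so the intermediate overflow the commit message describes remains possible in those cases unless their operands are bounded elsewhere. Casting the first factor, as in `(int64_t)sprite_ref[0][0] * (1 << (alpha + rho))`, the way case 3 does would make the three cases consistent. mpeg4_decode_sprite_trajectory continues outside the hunks.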
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + + sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + + sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * + sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * + sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-2 * vop_ref[0][0] + 1) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * 
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * 
(-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; 
@@ -369,18 +362,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_c = 16 - ctx->sprite_shift[1]; if (shift_c < 0 || shift_y < 0 || - FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); goto overflow; } for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; 
@@ -392,16 +385,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; @@ -410,6 +403,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; overflow: memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); From dd3a5f04b91dfaa3d22946b4ab9156dda7155899 Mon Sep 17 00:00:00 2001 
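Review bot: The four final assignments narrow the int64_t `sprite_offset` back into `s->sprite_offset` with no local guard; they are safe only because the `FFABS(...) >= INT_MAX >> shift` checks in the earlier hunk reject anything that would not fit after the `*= 1 << shift` scaling, and only if every path reaching this point goes through those checks, which the hunks do not show (the `overflow:` label suggests the checked region is conditional). A comment on the copy, `/* fits in int: bounded by the INT_MAX >> shift checks above before scaling */`, or an assertion that each value is within int range, would make the dependency explicit. The rest of the function is outside the hunk.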
From: Michael Niedermayer Date: Fri, 5 May 2017 02:51:13 +0200 Subject: [PATCH 065/818] avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' Fixes: 1080/clusterfuzz-testcase-5353236754071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce7098b8f2b59c62b5abdb3d74819db75cf67698) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 4e9c0580f4..e18113c20c 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } From 175a569f5bfae35509474f6e85e86932974c6bac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 03:24:40 +0200 Subject: [PATCH 066/818] avcodec/cavsdec: Fix undefined behavior from integer overflow Fixes: 1335/clusterfuzz-testcase-minimized-5566961566089216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0e5f7f363555d2befafb1c9e1579dbe0a2fbca7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 6f4d6aca69..4d3d2d7c65 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; From 484ce1af757a50b2f99b6d504303b47f71e4d163 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 067/818] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' Fixes: 943/clusterfuzz-testcase-5114865297391616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a78ae465fda902565ed041d93403e04490b4be0d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5470b661c3..11759071da 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -757,7 +757,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, uint16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; From 1e8212798c823c312d9c433c9cf00a633fcd79a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 12:48:12 +0200 Subject: [PATCH 068/818] avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so Fixes: out of array access Fixes: 1348/clusterfuzz-testcase-minimized-6195673642827776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce551a3925a1cf9c7824e26a246b99b6773bda4b) 
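Review bot: Changing `den` to `unsigned` in mv_pred_direct (and `level` to `unsigned` in the mjpegdec hunk that follows) silently switches every later expression involving it to unsigned arithmetic, so any comparison against a negative value or any signed `>>` on a product in the code after the hunk now means something different; those uses are not visible here, so this is a point to confirm rather than a definite bug. A comment at the declaration, `unsigned den = h->direct_den[col_mv->ref]; /* unsigned: the product may wrap; never compare it as signed */`, would record why the type differs from its neighbours. Both functions continue outside their hunks.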
Signed-off-by: Michael Niedermayer --- libavcodec/tiertexseqv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index 06c5fd6b09..af39f74d7d 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); From 671530ccb4382c0c2dcb914b7d3bfb1643058c41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:01:25 +0200 Subject: [PATCH 069/818] avcodec/wnv1: Fix runtime error: left shift of negative value -1 Fixes: 1338/clusterfuzz-testcase-minimized-6485546354343936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fac508ca46f93450ec232299dfd15ac70b6f326) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 9ff99b2f98..126c01a02d 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, From 5520e00a49af47f9d6cda78a579f6447cb3b1ba0 Mon Sep 17 00:00:00 2001 
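Review bot: `ff_set_dimensions(avctx, 256, 128)` hard-codes the frame size with no comment; since the point of the change is that the decoder no longer trusts the demuxer for its dimensions, naming them — `/* fixed frame size for this format, set here so the decoder does not depend on the demuxer */` or an `enum { SEQ_WIDTH = 256, SEQ_HEIGHT = 128 }` — records where the values come from and lets the decode-side bounds checks reuse them. seqvideo_decode_init continues outside the hunk.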
From: Michael Niedermayer Date: Fri, 5 May 2017 18:07:25 +0200 Subject: [PATCH 070/818] avcodec/dss_sp: Fix multiple left shift of negative value -466 Fixes: 1339/clusterfuzz-testcase-minimized-4614671485108224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38152d9368beb080b4acd6cd9e5ccc89b3f733bf) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index ddea48304f..93e54c5209 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size) vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) From 85bf84c96c5c17e4a991f26366dc814c29f68863 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:14:03 +0200 Subject: [PATCH 071/818] avcodec/g722: Fix multiple runtime error: left shift of negative value -1 Fixes: 1340/clusterfuzz-testcase-minimized-4669892148068352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f55df62998681c7702f008ce7c12a00b15e33f53) Signed-off-by: Michael Niedermayer --- libavcodec/g722.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g722.c b/libavcodec/g722.c index ee3b85f845..ef7ca6d446 100644 --- a/libavcodec/g722.c +++ b/libavcodec/g722.c 
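Review bot: `vec[i] * (1 << bits)` removes the left shift of a negative value, but `1 << bits` is itself undefined for `bits >= 31` and the product still overflows for large `vec[i]`; the hunk does not show how `bits` is bounded by the callers of dss_sp_scale_vector. If the range is known, a comment stating it (`/* bits is within [LOW, HIGH] */` with the real bounds filled in) or an explicit guard would make the fix complete; the `DSS_SP_FORMULA` change in the first hunk carries the same overflow caveat for large `a`. Both definitions end inside their hunks, but the callers do not.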
@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band) ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff) band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); From b80d4f58d8983dc0d3da0037be3dcbbe892d2e2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:26:02 +0200 Subject: [PATCH 072/818] avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' Fixes: 1341/clusterfuzz-testcase-minimized-5441502618583040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1002932a3b16d35c46a08455f76462909eebb5aa) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index c8d66b5845..7a9b41943d 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -275,7 +275,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, else aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8) { avctx->pix_fmt = AV_PIX_FMT_PAL8; From 2adf20b3da90b56c6f4e0576342cf7d4f2b30fdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:28:56 +0200 Subject: [PATCH 073/818] avcodec/nellymoser: Fix multiple left shift of negative value -8591 Fixes: 1342/clusterfuzz-testcase-minimized-5490842129137664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0953736b7e97f6e121a0587a95434bf1857a27da) Signed-off-by: Michael Niedermayer --- libavcodec/nellymoser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 027726e0ba..5ff6583c5e 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -84,7 +84,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -108,7 +108,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1< Date: Fri, 5 May 2017 20:42:11 +0200 Subject: [PATCH 074/818] avcodec/dfa: Fix off by 1 error Fixes out of array access Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
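Review bot: The `(int64_t)` cast in cdxl_decode_frame's size check is applied to the third factor, so `aligned_width * avctx->height` is still evaluated in int before widening and can itself overflow for large dimensions; the widening should come first, `if (c->video_size < (int64_t)aligned_width * avctx->height * c->bpp / 8)`. Whether the dimensions are bounded tightly enough elsewhere to make this moot is not visible here. The size check in y216_decode_frame, `4 * avctx->height * aligned_width`, has the same shape now that aligned_width is an int, and would benefit from the same treatment.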
Signed-off-by: Michael Niedermayer (cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f45d019a79..5ddb647c4c 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); From 28b6588b4816fa04a09838b32e37413b9d7b39df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 22:17:59 +0200 Subject: [PATCH 075/818] avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' Fixes: 1346/clusterfuzz-testcase-minimized-5776732600664064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a234b5ade3ca6cde805b92b8b6ecacf693460a8c) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 42bd561cd7..8e28aa04f0 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } From 955b97704f12d5bf1fca254c705a3f4744e872d7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 May 2017 23:00:59 +0200 Subject: [PATCH 076/818] avcodec/aacsbr_template: Do not leave bs_num_env invalid Fixes out of array read Fixes: 1349/clusterfuzz-testcase-minimized-5370707196248064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ad83b793e883b8c6d114f81073a4e40c0308a3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 750131c64c..aaa48ef802 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -640,6 +640,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } @@ -695,6 +696,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } From 67835afd7955abe6e57a80690e2362d3aa156b06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 00:13:05 +0200 Subject: [PATCH 077/818] avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35f3df0d76e28969fa77f2b865e2e40b3ba69722) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index fa91d1e1cb..fed3e77f87 100644 --- a/libavutil/softfloat.h 
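Review bot: The recovery value written to ch_data->bs_num_env on both error paths in read_sbr_grid is a bare 2 with nothing saying why that number, or why a field must be repaired on a path that returns -1; the commit message (an out-of-array read when the stale value survives the error) is the explanation, and it belongs in the code. Suggested at the first site: `ch_data->bs_num_env = 2; /* keep a valid envelope count: callers may read it after the error */`. Since the same assignment is duplicated in the FIXFIX and VARVAR branches, a single reset at a shared error exit would be harder to miss when a third branch is added.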
+++ b/libavutil/softfloat.h @@ -235,12 +235,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; From 645b36ce647ce9bd91ca7ff63c0787af4edd192d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:08:54 +0200 Subject: [PATCH 078/818] avcodec/snowdec: Check qbias Fixes: signed integer overflow: -1094995529 * 131 cannot be represented in type 'int' Fixes: 1353/clusterfuzz-testcase-minimized-5208180449607680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 523205ce1ed9415183c162998c68f573479e78fe) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 042aecbbeb..97f55288c1 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -395,6 +395,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } From 3585986a005af3c400b3b7e09123a71824a31bc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:05:17 +0200 Subject: [PATCH 079/818] avcodec/mlpdec: Fix runtime error: left shift of negative value -22 Fixes: 1355/clusterfuzz-testcase-minimized-6662205472768000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c535436cbeeab89be64e9f3fd652bc736f2f3245) 
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c93b058dd7..7cad5d1cad 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } From cab8d31804ed1218a7801f65b892a6c0440cf7e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:10:59 +0200 Subject: [PATCH 080/818] avcodec/fic: Fix multiple left shift of negative value -15 Fixes: 1356/clusterfuzz-testcase-minimized-6008489086287872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b20c71409b24460983ba5d9afa0716714f9e0f7d) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 2bec3d7b03..3805f70722 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -95,8 +95,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t7 = t3 - t1; const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; + const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; blk[0 * step] = ( t4 + t9 + tB) >> shift; blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; From 6f590bf05fe5694639fd2f0bb6840c2a74c8f31d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 6 May 2017 12:17:01 +0200 Subject: [PATCH 081/818] avcodec/clearvideo: Fix multiple runtime error: left shift of negative value -1024 Fixes: 1360/clusterfuzz-testcase-minimized-5606472043986944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0ffcb34c7e94817be934a1ee4a0b4c054723549) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 437c459aa5..060affeafd 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -185,8 +185,8 @@ static inline int decode_block(CLVContext *ctx, int16_t *blk, int has_ac, const int t3 = OP( 2408 * blk[5 * step] - 1609 * blk[3 * step]); \ const int t4 = OP( 1108 * blk[2 * step] - 2676 * blk[6 * step]); \ const int t5 = OP( 2676 * blk[2 * step] + 1108 * blk[6 * step]); \ - const int t6 = ((blk[0 * step] + blk[4 * step]) << dshift) + bias; \ - const int t7 = ((blk[0 * step] - blk[4 * step]) << dshift) + bias; \ + const int t6 = ((blk[0 * step] + blk[4 * step]) * (1 << dshift)) + bias; \ + const int t7 = ((blk[0 * step] - blk[4 * step]) * (1 << dshift)) + bias; \ const int t8 = t0 + t2; \ const int t9 = t0 - t2; \ const int tA = 181 * (t9 + (t1 - t3)) + 0x80 >> 8; \ From 139d88127347b86df7d12cf5db52ea446a9444e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 15:17:29 +0200 Subject: [PATCH 082/818] avcodec/mimic: Fix runtime error: left shift of negative value -1 Fixes: 1365/clusterfuzz-testcase-minimized-5624158450876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc2c420b82939a8f30838a6aa08bfd936099d3ce) 
Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 0cc30ab0ed..61ce1ce584 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; From e2462c882813abd904e45ac9a4fb0d58db99111a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:32:56 +0200 Subject: [PATCH 083/818] avcodec/g723_1: Fix multiple runtime error: left shift of negative value Fixes: 1367/clusterfuzz-testcase-minimized-571496882346393 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4ace2d22192f3995911ec926940125dcb29d606a) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1.c | 18 +++++++++--------- libavcodec/g723_1.h | 2 +- libavcodec/g723_1dec.c | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index a11fec8a9e..78ce922266 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) bits= FFMAX(bits, 0); for (i = 0; i < length; i++) - dst[i] = vector[i] << bits >> 3; + dst[i] = (vector[i] * (1 << bits)) >> 3; return bits - 3; } @@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) for (j = 0; j < LPC_ORDER; j++) { int index = (lpc[j] >> 7) & 0x1FF; int offset = lpc[j] & 0x7f; - int temp1 = cos_tab[index] << 16; + int temp1 = cos_tab[index] * (1 << 16); int temp2 = (cos_tab[index + 1] - cos_tab[index]) * - ((offset << 8) + 0x80) << 1; + (((offset << 8) + 0x80) << 1); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); } 
@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) */ /* Initialize with values in Q28 */ f1[0] = 1 << 28; - f1[1] = (lpc[0] << 14) + (lpc[2] << 14); + f1[1] = (lpc[0] + lpc[2]) * (1 << 14); f1[2] = lpc[0] * lpc[2] + (2 << 28); f2[0] = 1 << 28; - f2[1] = (lpc[1] << 14) + (lpc[3] << 14); + f2[1] = (lpc[1] + lpc[3]) * (1 << 14); f2[2] = lpc[1] * lpc[3] + (2 << 28); /* @@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) f1[0] >>= 1; f2[0] >>= 1; - f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; - f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; + f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1; + f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1; } /* Convert polynomial coefficients to LPC coefficients */ @@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff2 = f2[i + 1] - f2[i]; - lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; - lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + + lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16; + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) + (1 << 15)) >> 16; } } diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h index 40d6e700b1..f833af01c6 100644 --- a/libavcodec/g723_1.h +++ b/libavcodec/g723_1.h @@ -55,7 +55,7 @@ * @param b 16 bit multiplier */ #define MULL2(a, b) \ - ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) + ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15)) /** * G723.1 frame types diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index e9896b5e7a..0b9fd39946 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ }\ \ - (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ + (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\ (1 << 15)) >> res_shift;\ }\ } 
@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, &p->subframe[i], p->cur_rate); /* Get the total excitation */ for (j = 0; j < SUBFRAME_LEN; j++) { - int v = av_clip_int16(vector_ptr[j] << 1); + int v = av_clip_int16(vector_ptr[j] * 2); vector_ptr[j] = av_clip_int16(v + acb_vector[j]); } vector_ptr += SUBFRAME_LEN; From 88a3e4c34e2af96c4d31b56090f8bfe95de2d68a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:38:22 +0200 Subject: [PATCH 084/818] avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 1368/clusterfuzz-testcase-minimized-4507293276176384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12936a4585bc293c0f88327d6840f49e8e744b62) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 5ddb647c4c..3ea12f0511 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); From 28c618355c9f4e61d3f30ad831eadb74a7e3fd1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:43:52 +0200 Subject: [PATCH 085/818] avcodec/webp: Fix null pointer dereference Fixes: 1369/clusterfuzz-testcase-minimized-5048908029886464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9bf4523e40148fdd27064ab570952bd8c4d1016e) 
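Review bot: Making segments unsigned in decode_tsw1 turns the `INT_MIN - 1` overflow into defined wraparound, but it also changes the meaning of any decrement or comparison in the loop body, which lies outside the hunk: a count of 0 that is decremented now becomes UINT_MAX instead of -1, and any `segments < 0` test becomes dead code. If the loop is bounded only by the bytestream running dry that is fine, but it should be confirmed rather than assumed. A comment at the declaration, e.g. `unsigned segments; /* 32-bit count from the stream; may legitimately be large */`, would record the intent.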
Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 45abfdc3ca..7d23cc7435 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1342,6 +1342,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 2ff5e3f54e9543065bfb2a2a56f1696a7f885b52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 18:28:09 +0200 Subject: [PATCH 086/818] avcodec/shorten: Check k in get_uint() Fixes: undefined shift Fixes: 1371/clusterfuzz-testcase-minimized-5770822591447040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6a51f59c467ab9f4b73122dc269206fb517425) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 90569bdb1f..2d3540a229 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -160,8 +160,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } From 99bedf74acda5d62b2955e0f09b76d24723ab502 Mon Sep 17 00:00:00 2001 
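Review bot: get_uint returns `unsigned int`, so the new `return AVERROR_INVALIDDATA;` yields a large positive value rather than a negative one, and a caller that tests `ret < 0` on an unsigned can never see the error; whether callers assign the result to an int first is not visible in the hunk. Either change the return type to int (and audit the callers) or add a comment making the convention explicit, e.g. `/* returns AVERROR_INVALIDDATA (as unsigned) when the width code is out of range; callers must compare as int */`. The `k > 31U` comparison is a good choice: a negative k promotes to a huge unsigned and is rejected too.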
From: Michael Niedermayer Date: Sat, 6 May 2017 19:07:59 +0200 Subject: [PATCH 087/818] avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from Fixes integer overflow Fixes: 1372/clusterfuzz-testcase-minimized-5712192982745088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef0f392711445e173a56b2c073dedb021ae3783) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 7f3801774a..81b7e2017c 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; From 66b7e165db8a26b67558d1861c22a4f1f8fdb113 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:11:46 +0200 Subject: [PATCH 088/818] avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 Fixes: 1375/clusterfuzz-testcase-minimized-6070134701555712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1283c4244767bd19918f355c31d702a94ee0cc1b) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 5cf5fcfe2b..80dc6b5d40 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c 
@@ -68,11 +68,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { From cbc5796fc3f446dbc6da66d22de1ae2f8e9c0527 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 21:31:49 +0200 Subject: [PATCH 089/818] avutil/softfloat: Fix overflow in av_div_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 277e397eb5964999bd76909f52d4bd3350289c22) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index fed3e77f87..daf91a5557 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -114,8 +114,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; From 973a66108b8e01ceb85cf2d6922a5cbb47f6a657 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:24:52 +0200 Subject: [PATCH 090/818] avcodec/cdxl: Check format parameter Fixes out of array access Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
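Review bot: The direction of the exponent adjustment in av_div_sf's new loop looks inverted: each halving of temp is paired with `a.exp--`, yet the hunk's own `a.exp -= b.exp` treats exp as scaling the value upward, under which halving the mantissa must be compensated by `a.exp++` to keep the quotient unchanged; confirm against the convention used by av_normalize_sf/av_normalize1_sf in the same header. The loop's termination test `a.mant != temp` also relies on the implementation-defined truncation of an out-of-range int64_t to int32_t, which deserves a comment such as `/* narrow until the quotient fits the 32-bit mantissa; relies on wrapping conversion */`. Nothing in the hunk rejects b.mant == 0, so the "not zero" precondition on b is still the caller's responsibility.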
Signed-off-by: Michael Niedermayer (cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 7a9b41943d..5c0ecb279c 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -277,7 +277,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, c->padded_bits = aligned_width - c->avctx->width; if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { if (c->palette_size != (1 << (c->bpp - 1))) From c108bba1ae3e14570e82ea425da178775c9d6d30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:31:23 +0200 Subject: [PATCH 091/818] avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1380/clusterfuzz-testcase-minimized-650122545122508 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a8335de030aa6cb6356bb16c7d3aefc5a80e362) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 84b440f741..468763e6bf 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -39,7 +39,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, From f8eea96d64c9e20d16ff43e269f872188e4ff11e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 02:46:54 +0200 Subject: [PATCH 092/818] avcodec/msmpeg4dec: Correct table depth Fixes undefined shift Fixes: 1381/clusterfuzz-testcase-minimized-5513944540119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1121d9270783b284a70af317d8785eac7df1b72f) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index cf43027a00..b5bc36ece2 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; From bd739bce1cd374402e418d8e7a40c159a3313670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:16:53 +0200 Subject: [PATCH 093/818] avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' Fixes: 1382/clusterfuzz-testcase-minimized-6013445293998080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 669419939c1d36be35196859dc73ec9a194157ad) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 76a465b9c0..f95d39fc38 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -223,7 +223,7 @@ static int svq3_decode_end(AVCodecContext *avctx); static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -248,10 +248,10 @@ static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride From fca86d3e28423f948b1d68ceb899163559ebca14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:23:09 +0200 Subject: [PATCH 094/818] avcodec/ivi_dsp: Fix multiple left shift of negative value -2 Fixes: 1385/clusterfuzz-testcase-minimized-5552882663292928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e88cc94e58e9e4d1293f9f56c973510e30495fd) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index b1c4b45745..e8d1ee62c2 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c 
@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, ptrdiff_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], From 4f0fecf9fa83a0d7724458e6d133d3ef4d5d3bc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:27:17 +0200 Subject: [PATCH 095/818] avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1386/clusterfuzz-testcase-minimized-5323086394032128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e92fb2bea1800b987ebc3cbeef9d48cfe4bcd191) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 5012245a26..6049c96791 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c 
@@ -35,7 +35,7 @@ #define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \ ((uint8_t)(g) << 8) | \ ((uint8_t)(b) << 16) | \ - ((uint8_t)(a) << 24)) + ((unsigned)(uint8_t)(a) << 24)) static av_always_inline void extract_color(uint32_t colors[4], uint16_t color0, From eec20b665a9e86d3d6824f0a01fb49378243829c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:49:06 +0200 Subject: [PATCH 096/818] avcodec/targa_y216dec: Fix width type Fixes out of array access Fixes: 1376/clusterfuzz-testcase-minimized-6361794975105024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e56db892600c2fbe34782c6140f1ee832a2c344) Signed-off-by: Michael Niedermayer --- libavcodec/targa_y216dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 21b3d35d67..443d48a92f 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { From 3f7a9eef516538db825497da198bd41d05e8cbe6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:12:04 +0200 Subject: [PATCH 097/818] avcodec/mss34dsp: Fix multiple signed integer overflow Fixes: 1387/clusterfuzz-testcase-minimized-4802757766676480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 464c4b86ee43b7912e6f23fd3e5ba40381b4c371) 
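Review bot: `4 * avctx->height * aligned_width` in the size check is still evaluated in int, so the product can overflow for large dimensions even though aligned_width no longer truncates; I can't see from the hunk whether avctx->width/height have already passed av_image_check_size, which would bound the product. If they have not, `if (avpkt->size < 4 * (int64_t)avctx->height * aligned_width) {` keeps the comparison exact with no other change. y216_decode_frame continues outside the hunk.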
Signed-off-by: Michael Niedermayer
---
 libavcodec/mss34dsp.c | 44 +++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c
index 36e69db8cc..f3405658f7 100644
--- a/libavcodec/mss34dsp.c
+++ b/libavcodec/mss34dsp.c
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + 
t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, ptrdiff_t stride, int *block) { From ffa39cd5740890f7a6084ae0cf6ff1b43cd41a70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:16:33 +0200 Subject: [PATCH 098/818] avcodec/ra144: Fix runtime error: left shift of negative value -798 Fixes: 1388/clusterfuzz-testcase-minimized-6680800936329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78bf446852a7e5e8aa52c7ca9889632e167b665f) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index ceec32d79d..690f7ff3d6 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; From 9970fa10c0a58f7113050a1b87c5e0d01f80a638 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 14:53:31 +0200 Subject: [PATCH 099/818] avcodec/magicyuv: Check len to be supported Fixes: shift exponent -1 is negative Fixes: 1390/clusterfuzz-testcase-minimized-5452757630713856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2162b862eba5aadb59c0cf7cc304c67f4a5fb946) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 6250536da6..5f09c0be53 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -97,6 +97,8 @@ static int huff_build10(VLC *vlc, uint8_t *len) for (i = 0; i < 1024; i++) { he[i].sym = 1023 - i; he[i].len = len[i]; + if (len[i] == 0) + return AVERROR_INVALIDDATA; } AV_QSORT(he, 1024, HuffEntry, huff_cmp_len10); @@ -127,6 +129,8 @@ static int huff_build(VLC *vlc, uint8_t *len) for (i = 0; i < 256; i++) { he[i].sym = 255 - i; he[i].len = len[i]; + if (len[i] == 0) + return AVERROR_INVALIDDATA; } AV_QSORT(he, 256, HuffEntry, huff_cmp_len); From 77af726871205223b89bab040817d0f79cebe55e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:40:07 +0200 Subject: [PATCH 100/818] avcodec/g726: Fix runtime error: left shift of negative value -2 Fixes: 1393/clusterfuzz-testcase-minimized-5948366791901184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c04aa148824f4fb7f4b70830ad3ca7a6cba8ab79) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index ca7f856eac..6922b40f87 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c 
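Review bot: In both huff_build10 and huff_build the new `if (len[i] == 0)` check comes after `he[i].len = len[i]`, so the entry is written and only then rejected; moving the check to the top of the loop body reads as validate-then-use and makes it obvious that he[] is never consumed on the error path. Since the commit message names a negative shift exponent as the symptom, the code that later derives a shift from len may also need an upper bound on len[i] consistent with the VLC bit width; that code is outside the hunk, so I can't confirm whether it is already bounded. Both functions continue past the hunk.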
@@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) From 8795bf9e5db01a499ecf340dabf8816cde33e274 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:42:17 +0200 Subject: [PATCH 101/818] avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' Fixes: 1394/clusterfuzz-testcase-minimized-6493376885030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ac1c87194a67e6104a3d241a4dd1ca0808784bd) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 23b1a3c944..753dee06c3 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; From 298de0a183bf97571ef948c56ecc7488d314350b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:44:51 +0200 Subject: [PATCH 102/818] avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' Fixes: 1395/clusterfuzz-testcase-minimized-5330939741732864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a38e9797cb4123d13ba871d166a737786ba04a9b) 
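Review bot: `re_signal * 4` removes the left-shift-of-negative UB, but a multiplication that exceeds INT_MAX is equally undefined, and the clip to ±0xffff runs after the product, not before; the change is only complete if re_signal is bounded well below INT_MAX/4 by the code above the hunk, which I can't see. If that bound holds, state it, e.g. `/* re_signal is bounded so that * 4 cannot overflow — TODO state the bound */`; if it does not, compute the product in int64_t before clipping. g726_decode's body starts outside the hunk.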
Signed-off-by: Michael Niedermayer --- libavcodec/s302m.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index ccfb5913a0..a68ac79f2c 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); @@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; From bf4b8b1677949c54604723eebb1a10f8f9ff91d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Apr 2017 02:46:25 +0200 Subject: [PATCH 103/818] avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure Fixes: out of array read Fixes: 1072/clusterfuzz-testcase-6456688074817536 Fixes: 1398/clusterfuzz-testcase-minimized-4576913622302720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5e0dbf530d447f36099aed575b34e9258c5d75a) 
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 98a3240597..b20855b99d 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) /** * Save current output configuration if and only if it has been locked. */ -static void push_output_configuration(AACContext *ac) { +static int push_output_configuration(AACContext *ac) { + int pushed = 0; + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; + pushed = 1; } ac->oc[1].status = OC_NONE; + return pushed; } /** @@ -3026,7 +3030,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_PCE: { uint8_t layout_map[MAX_ELEM_ID*4][3]; int tags; - push_output_configuration(ac); + + int pushed = push_output_configuration(ac); + if (pce_found && !pushed) { + err = AVERROR_INVALIDDATA; + goto fail; + } + tags = decode_pce(avctx, &ac->oc[1].m4ac, layout_map, gb, payload_alignment); if (tags < 0) { From edb8d29ca5fef83ab7a89f24fe23411c0f4f8f0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 18:50:49 +0200 Subject: [PATCH 104/818] avcodec/xwddec: Check bpp more completely Fixes out of array access Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 64cd8418a2..8b0845fc01 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c 
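Review bot: The doc comment above push_output_configuration ("Save current output configuration if and only if it has been locked.") is now incomplete because the function gained a return value; add `* @return 1 if the configuration was saved, 0 if it was discarded` so the new caller check is explained at the definition. In the decode hunk a short why-comment on `if (pce_found && !pushed)` would save the next reader a trip to the commit log, e.g. `/* a second PCE whose predecessor could not be kept would fail later; reject it now */`. aac_decode_frame_int continues outside the hunk.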
@@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; From e397902d47ebe685b4f79d3837eba8be9beaaa4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 23:07:42 +0200 Subject: [PATCH 105/818] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' Fixes: 1401/clusterfuzz-testcase-minimized-6526248148795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b1f66cf5c2e4d29ae06cdf3f12cdd3d808006bd) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 162ac92a72..7a3a851861 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; From 97eb92b27681be07b3c04f2f61c18668e05dd902 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 02:28:07 +0200 Subject: [PATCH 106/818] avcodec/ffv1dec: Fix copying planes of paletted formats Signed-off-by: Michael Niedermayer (cherry picked from commit 3a4d387195a5eb3c1700071af8d8150e4f7f6600) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
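Review bot: After the tightened conditions neither branch sets avctx->pix_fmt when bpp and pixdepth disagree (for example bpp 8 with pixdepth 1), and the `break` then leaves the switch silently; whether that combination is rejected depends on a pix_fmt check after the switch, which is outside the hunk. If there is none, an explicit `else return AVERROR_INVALIDDATA;` on the second branch makes the rejection local and readable. xwd_decode_frame continues outside the hunk.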
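Review bot: In the new `s1`/`s2` lines only the multiplication by 181U is unsigned; the inner `a1 - a5 + a7 - a3` and `a1 - a5 - a7 + a3` are still evaluated in int before the conversion, so if a1..a7 (declared outside the hunk, presumably int) can individually approach INT_MAX/4 the subtraction chain overflows before the fix takes effect. If that range is reachable, casting the first operand, `181U * ((unsigned)a1 - a5 + a7 - a3)`, pulls the whole chain into unsigned. wmv2_idct_col continues on both sides of the hunk.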
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 1a50767171..c3f43b838d 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -898,7 +898,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int pixshift = desc->comp[j].depth > 8; int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; @@ -906,6 +906,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, From a483e46b794539d21b1ec0f3e521f681a54a86d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:46:03 +0200 Subject: [PATCH 107/818] avcodec/cdxl: Check format for BGR24 Fixes: out of array access Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 5c0ecb279c..78f5d50102 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c 
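Review bot: With the loop now bounded by `desc->nb_components`, the `src[4]`/`dst[4]` arrays declared at the top of the hunk are only partially filled for formats with fewer than four components, and for paletted formats the new block sets element 1 while elements 2 and 3 remain uninitialised; whether av_image_copy reads those slots depends on the descriptor, which I can't check from here. Zero-initialising the declarations, `const uint8_t *src[4] = { NULL };` and `uint8_t *dst[4] = { NULL };`, removes the uninitialised pointers regardless of what the copy routine touches. decode_frame continues outside the hunk.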
@@ -279,7 +279,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; From 88893627a1c646461f1e35b87c1d6b804bc63b91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:55:27 +0200 Subject: [PATCH 108/818] avcodec/cavsdec: Check sym_factor Fixes: runtime error: signed integer overflow: 25984 * 130560 cannot be represented in type 'int' Fixes: 1404/clusterfuzz-testcase-minimized-5000441286885376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279420b5a63b3f254e4932a4afb91759fb50186a) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 4d3d2d7c65..eb2464f36d 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; From 0d17ecffa56c5cb1b99bc5c10a3b7c49e48db917 Mon Sep 17 00:00:00 2001 
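Review bot: The bound `FFABS(h->sym_factor) > 32768` is an unexplained magic number; the product it protects is visible only in the commit message (25984 * 130560), so a comment at the check is needed, e.g. `/* sym_factor is later multiplied by a 16-bit-range value; bound it so that product fits in int — TODO name the consumer */`. The rejected value is also logged with `%d`, which matches only if sym_factor is an int; its declaration is outside the hunk. decode_pic continues outside the hunk.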
From: Michael Niedermayer Date: Mon, 8 May 2017 12:04:09 +0200 Subject: [PATCH 109/818] avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() Fixes: 1405/clusterfuzz-testcase-minimized-5011491835084800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d5118f81bd51b9c33500616b3c637123e8e4691) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index feff9c0b68..04a65e7767 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; t8 = (t6 * 11585) >> 14; t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); From 6ec9c902ee4d45fc71fd4ebdef7abeeb060f43cb Mon Sep 17 00:00:00 2001 
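Review bot: `t8 = (t6 * 11585) >> 14` and `t9 = (t7 * 11585) >> 14` in the context lines keep signed multiplication while every neighbouring product moved to unsigned; t6 and t7 are built from differences of the freshly cast t2/t3 values, so if those can reach a magnitude near 2^18 the product exceeds INT_MAX and the same report reappears a few lines later. If the ranges of s1..s7 (set above the hunk) allow that, `t8 = (int)(t6 * 11585U) >> 14;` and `t9 = (int)(t7 * 11585U) >> 14;` complete the change. idct_col continues outside the hunk.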
From: Michael Niedermayer Date: Mon, 8 May 2017 12:07:56 +0200 Subject: [PATCH 110/818] avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' Fixes: 1406/clusterfuzz-testcase-minimized-5064865125236736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8824b7370a9fb72f9c699c3751a5ceb56e0cc41d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 07bea69c78..7d9cfa8278 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -95,7 +95,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +105,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
@@ -116,13 +117,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } From abeb7838ca83eaca61a64c7d0fc044250ac72fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:17:31 +0200 Subject: [PATCH 111/818] avcodec/dvbsubdec: check region dimensions Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0075d9eced22839fa4f7a6eaa02155803ccae3e6) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 7c27d69ce2..9f6b06ca25 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1184,6 +1185,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; 
@@ -1212,6 +1214,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); From 27a30e4166da5ad82d1e89de9ed11be954e8c415 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:40:30 +0200 Subject: [PATCH 112/818] avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' Fixed: 1409/clusterfuzz-testcase-minimized-5237365020819456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea59ef0c031b6b92f051f60c19fdd0a716769834) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 93e54c5209..2100936e51 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -524,7 +524,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; From 49aa0e9cc7b38413dc891934ee12c0c51eaba2fd Mon Sep 17 00:00:00 2001 
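Review bot: The error path resets only the dimensions, `region->width= region->height= 0;`, while region->pbuf and region->buf_size keep their previous values, so any later `width * height != buf_size` comparison sees 0 against a stale non-zero size; whether the region is used again after this return is decided outside the hunk, so I can't tell if the inconsistency is reachable. The spacing on that line also differs from the surrounding code; `region->width = region->height = 0;` matches it. dvbsub_parse_region_segment continues on both sides of the hunk.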
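Review bot: DSS_SP_FORMULA still evaluates `(a) * (1 << 15)` in int, so an `a` with magnitude at or above 2^16 overflows before the now-unsigned `(b) * (unsigned)(c)` term is added; only one of the two products was made wrap-defined. If `a` is not guaranteed to fit in 16 bits at every expansion site, `((a) * (1U << 15))` makes the whole expression unsigned and the trailing `(int)` cast then covers it too. The macro's callers are outside the hunk.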
From: Michael Niedermayer Date: Mon, 8 May 2017 15:46:55 +0200 Subject: [PATCH 113/818] avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' Fixes: 1411/clusterfuzz-testcase-minimized-5776085184675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29692023b2f1e0580a4065f4c9b62bafd89ab337) Signed-off-by: Michael Niedermayer --- libavcodec/bmvvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 78a0945b7a..679b14208a 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } From 9e541146479bb8c4efb18b9b9518b7518ef918c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:42:53 +0200 Subject: [PATCH 114/818] avcodec/htmlsubtitles: Check for string truncation and return error Fixes out of array access Fixes: 1354/clusterfuzz-testcase-minimized-5520132195483648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ae3cce64bd46b1d539bdeac39753f83015f114) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 12 +++++++++--- libavcodec/htmlsubtitles.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 8b57febd26..16295daa0c 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c 
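Review bot: `(unsigned)*src << shift` is defined only while shift stays below 32, and the hunk shows `shift += 2` on every pass with the exit depending on input bits (`if (*src & 0xC) break;`); if the enclosing loop has no iteration cap, input can push shift past 31 and the shift becomes UB again. A guard next to the increment, `if (shift >= 32) return AVERROR_INVALIDDATA;`, closes that regardless of the loop bound, which is outside the hunk. decode_bmv_frame continues outside the hunk.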
@@ -46,11 +46,12 @@ typedef struct SrtStack { static void rstrip_spaces_buf(AVBPrint *buf) { - while (buf->len > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; @@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h index e10cdda241..f3a8ef5d8b 100644 --- a/libavcodec/htmlsubtitles.h +++ b/libavcodec/htmlsubtitles.h @@ -23,6 +23,6 @@ #include "libavutil/bprint.h" -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); #endif /* AVCODEC_HTMLSUBTITLES_H */ From d9adb13ff631d030089c7e664c2899517b528bd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 20:24:48 +0200 Subject: [PATCH 115/818] avcodec/g723_1dec: Fix several integer related cases of undefined behaviour Fixes: 1412/clusterfuzz-testcase-minimized-6561308772139008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3088e0fd8749788818cb5df92abaa3b12e409e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 0b9fd39946..6d452df189 100644 
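Review bot: The diffstat lists only htmlsubtitles.c and htmlsubtitles.h, so the callers of ff_htmlmarkup_to_ass still ignore the new AVERROR(ENOMEM) and hand a truncated dst on to whatever consumes it; the change is complete only once each caller propagates the return value. The prototype in the header should also carry the contract, `/** @return 0 on success, AVERROR(ENOMEM) if the output buffer was truncated */`. Minor: the new `if (av_bprint_is_complete(buf))` wrapping an unbraced `while` in rstrip_spaces_buf reads better with braces around the if body. ff_htmlmarkup_to_ass's body is cut by the hunk.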
--- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -664,7 +664,7 @@ static int estimate_sid_gain(G723_1_Context *p) t = p->sid_gain << shift; else t = p->sid_gain >> -shift; - x = t * cng_filt[0] >> 16; + x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); if (x >= cng_bseg[2]) return 0x3F; @@ -733,7 +733,7 @@ static void generate_noise(G723_1_Context *p) off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN; t >>= 2; for (j = 0; j < 11; j++) { - signs[i * 11 + j] = (t & 1) * 2 - 1 << 14; + signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14); t >>= 1; } } @@ -777,7 +777,7 @@ static void generate_noise(G723_1_Context *p) sum = 0; if (shift < 0) { for (j = 0; j < SUBFRAME_LEN * 2; j++) { - t = vector_ptr[j] << -shift; + t = vector_ptr[j] * (1 << -shift); sum += t * t; tmp[j] = t; } @@ -815,7 +815,7 @@ static void generate_noise(G723_1_Context *p) if (shift < 0) x >>= -shift; else - x <<= shift; + x *= 1 << shift; x = av_clip(x, -10000, 10000); for (j = 0; j < 11; j++) { From 8850dc3771adf00745f36c5d41ecf34127115e63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 00:02:22 +0200 Subject: [PATCH 116/818] avcodec/indeo2: Check for invalid VLCs Fixes: timeout Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 159fb8ff7e4038edf13e91d3c08bc7b8abc369b9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index f1324e4635..4971b84308 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c 
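Review bot: `t = vector_ptr[j] * (1 << -shift);`, `sum += t * t;` and `x *= 1 << shift;` trade the shift-of-negative UB for multiplications that are UB on overflow, and the square in particular grows fast; whether shift is bounded tightly enough for these to fit depends on code above the hunks that I can't see. If shift comes from a bit count that guarantees the products fit, a comment stating that bound next to the `shift < 0` test makes the reasoning checkable; if not, accumulate `sum` in int64_t. generate_noise continues outside the hunks.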
@@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -90,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -126,6 +131,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; From 497de399c9c6d607b760b291d41f2cdc0a75d7f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:44:37 +0200 Subject: [PATCH 117/818] avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 Fixes: 1423/clusterfuzz-testcase-minimized-5063889899225088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c5d2fa2fdff08e77bba0c9a31b91826a807c551c) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5dfcca82ab..42939b4058 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
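Review bot: The same `if (c <= 0) return AVERROR_INVALIDDATA;` guard is now pasted in three places across ir2_decode_plane and ir2_decode_plane_inter, and in the second hunk it forced `int t;` to be split from its initialiser; a one-line comment at the first guard saying what an invalid VLC symbol looks like (`/* c <= 0 is an invalid VLC symbol; table indices are c * 2 */`) would help readers, and a tiny static inline helper would keep the three sites in sync. The neighbouring `c -= 0x7F; out += c * 2;` path in the inter hunk advances `out` by a data-derived amount without a visible check here, but its bound may be enforced outside the hunk. Both functions continue past the hunks.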
@@ -433,19 +433,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -457,7 +457,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From 95c80c7d27a171784d390581af1af30f7261437b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:50:05 +0200 Subject: [PATCH 118/818] avcodec/lagarith: Fix runtime error: left shift of negative value -1 Fixes: 1424/clusterfuzz-testcase-minimized-6088327159611392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ddb2dd7edbccc5596d8e3c039133be8444cb1d02) 
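Review bot: `get_sbits(gb, size) * (1 << (10 - size))` on the new predictors[2]/[3] lines is undefined if `size` exceeds 10 (negative shift count), and the later `get_sbits(gb, x)` with `x = tmp - get_bits(gb, 2)` is only well defined while `x` stays positive; neither bound is established inside the hunk, where `size` arrives already computed. If decode_subframe does not already reject `size > 10` where it reads the field, `if (size > 10) return AVERROR_INVALIDDATA;` at that point would make the new multiplications safe rather than merely UBSan-quiet. A comment on the first rewritten line, `/* scale the size-bit value up to 10 bits; relies on size <= 10 being checked above */`, would let the next reader verify the invariant. decode_subframe starts and ends outside the hunk.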
Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 469eec4232..044497720f 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) From be3a7857ed6c040910a748a91fafbf54e8119f92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:56:45 +0200 Subject: [PATCH 119/818] avcodec/lagarith: Check scale_factor Fixes: 1425/clusterfuzz-testcase-minimized-6295712339853312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed3c9b5b0dd5abb545c48e930e1c32c187b0776a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 044497720f..1f4afc5312 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, From 311b29134e5b4e2e38d36f46d212d850a605c1b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:18:36 +0200 Subject: [PATCH 120/818] avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' Fixes: 1428/clusterfuzz-testcase-minimized-5263281793007616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
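Review bot: lag_calc_zero_run now reads `return (x * 2) ^ (x >> 7);` with no comment, and the purpose of the expression is not obvious: for x >= 0 it yields 2x and for x < 0 it yields -2x-1 (`x >> 7` is -1 for a negative int8_t promoted to int), i.e. a zigzag mapping of signed values onto the uint8_t return. A comment such as `/* zigzag map 0,-1,1,-2,2,... -> 0,1,2,3,4,...; x >> 7 is 0 or -1 for an int8_t */` would record both the intent and why the arithmetic right shift of a negative value (implementation-defined, relied on throughout FFmpeg) is acceptable here.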
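Review bot: The new early return `if (scale_factor >= 32U) return AVERROR_INVALIDDATA;` in lag_read_prob_header is silent, while the rejection two lines below it (`scaled_cumul_prob > cumulative_target`) reports through av_log(rac->avctx, AV_LOG_ERROR, ...). For consistency and for debugging corrupt streams I would log before returning, e.g. `av_log(rac->avctx, AV_LOG_ERROR, "Invalid scale factor %d\n", scale_factor);` (adjust the conversion if scale_factor is unsigned; its declaration is outside the hunk). The unsigned comparison also quietly rejects a negative scale_factor, which deserves a short comment since the line reads as a plain upper bound.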
Signed-off-by: Michael Niedermayer (cherry picked from commit 2bd8eb05d21b582d627a93852b59cb3cfc305dae) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 6049c96791..49e97c91ae 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride, } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } From 452629fb23de7f0dfd4f0cbf3b7ab5f284c0f735 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:26:39 +0200 Subject: [PATCH 121/818] avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' Fixes: 1429/clusterfuzz-testcase-minimized-5959951610544128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd1790f48c457a8cedb445dcac73f8f7b7698) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index f95d39fc38..c9d4160a1a 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
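Review bot: `colors[code & 3] | ((unsigned)alpha << 24)` is the right fix, but the same `alpha << 24` pack appears in dxt3_block_internal (patched identically later in this series) and the cast has to be remembered at every such site. A small helper, e.g. `static inline uint32_t pack_alpha(uint32_t rgb, unsigned alpha) { return rgb | (alpha << 24); }`, called from both places would make the widening a property of the operation instead of a per-call-site cast. dxt5_block_internal starts and ends outside the hunk.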
@@ -281,16 +281,16 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; const int rr = (dc + 0x80000); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); From f66eaded0157b8649a6a07340ff7f85efb1b7d68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:33:27 +0200 Subject: [PATCH 122/818] avcodec/y41pdec: Fix width in input buffer size check Fixes: out of array read Fixes: 1437/clusterfuzz-testcase-minimized-4569970002362368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d3729475c7dce52d8fb9ffb280fd2ea62e1a2) 
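Review bot: Making z0..z3 `unsigned` turns the overflow into a defined modulo-2^32 wrap, but the value fed to av_clip_uint8 is then numerically wrong for the corrupt inputs that used to overflow, and the `(int)` cast of an out-of-range unsigned value is implementation-defined (two's complement is assumed, as FFmpeg does elsewhere); none of that is stated in the code. A comment on the first rewritten line, `/* unsigned so overflow on corrupt streams wraps instead of being UB; the result is clipped below anyway */`, would stop a later cleanup from changing these back to int. svq3_add_idct_c starts outside the hunk.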
Signed-off-by: Michael Niedermayer --- libavcodec/y41pdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c index 1b177d4262..85a39e4ae2 100644 --- a/libavcodec/y41pdec.c +++ b/libavcodec/y41pdec.c @@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data, uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } From 5d2ddaa139b5c6fc95866f08b09a085aed9cd51e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:41:23 +0200 Subject: [PATCH 123/818] avcodec/cavs: Check updated MV Fixes: runtime error: signed integer overflow: 251 + 2147483647 cannot be represented in type 'int' Fixes: 1438/clusterfuzz-testcase-minimized-4917542646710272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5871adc90f8c1037535563e33ebeaf032bb4d5d6) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 549fb9eefd..40bb63a278 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -613,8 +613,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } 
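Review bot: The corrected bound `3LL * avctx->height * FFALIGN(avctx->width, 8) / 2` encodes a format fact that nothing in the code explains — the 3/2 bytes-per-pixel factor and the 8-pixel alignment imply 12-byte blocks of 8 pixels, so a partial final group still occupies a whole block — and it is exactly the fact the previous version got wrong. A comment above the check, `/* 12 bytes per 8 pixels; a partial last group still occupies a full block, hence the alignment */`, would record why the alignment is required. Since this is truncated or corrupt input rather than a bad argument, `AVERROR_INVALIDDATA` would also be the conventional return instead of `AVERROR(EINVAL)`. y41p_decode_frame continues outside the hunk.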
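Review bot: In ff_cavs_mv an out-of-range updated vector is logged at AV_LOG_ERROR but decoding then continues with the median-predicted mvP as if the delta had never been read, and because the function is void the caller cannot learn that this macroblock's vector is now a guess — an error silently downgraded to a warning. If concealment is the intent, say so with `/* keep the predicted MV; the stream is corrupt but decoding continues */` and consider AV_LOG_WARNING; if not, a flag on the context that the caller checks (set_mvs and the return path are outside the hunk) would let the slice be marked as errored. The `mx != (int16_t)mx` round-trip presumably reflects the width of mvP->x/y, whose declaration is not visible here.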
From f58b45f0ac565a9df4f623eedc5e286995b8a241 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E8=B5=9E?= Date: Wed, 10 May 2017 14:55:34 +0200 Subject: [PATCH 124/818] avformat/wavdec: Check chunk_size Fixes integer overflow and out of array access Signed-off-by: Michael Niedermayer (cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 602ce97530..81dbc9f16e 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -841,6 +841,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) From 3459fd598ea80b8dc1f6ca711fdf6a1c8ce2b246 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:51:58 +0200 Subject: [PATCH 125/818] avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' Fixes: 1441/clusterfuzz-testcase-minimized-6223152357048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea428789371fa0601e9ebb5b7f2216d4e73e831) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 2100936e51..14025fcdde 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -529,7 +529,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; From 3af036360d1cc3aff7e91d44d8defd0406fa287c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 10 May 2017 19:02:05 +0200 Subject: [PATCH 126/818] avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' Fixes: 1443/clusterfuzz-testcase-minimized-4826998612426752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8de60ba2740185c53cabbee6c00ed67a0d530e2) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index f5ecacb984..725289448a 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame, static void tqi_calculate_qtable(TqiContext *t, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11; From e6997adee98eff9f7ac69ed5e5a7fcc5a9660253 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 19:09:31 +0200 Subject: [PATCH 127/818] avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 Fixes: 1446/clusterfuzz-testcase-minimized-5577409124368384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db5fae32294763677caa4c1417dcba704c7e764e) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index c2022fb8d8..57694cb892 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c 
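Review bot: `const int64_t qscale = (215 - 2*quant)*5;` widens only the variable; the initializer is still evaluated in `int`, so the products the commit message cites (4466147 * 1075) gain 64-bit range but `2*quant` and the `*5` themselves do not. If `quant` comes from the bitstream with a range wider than a few bits (its declaration is outside the hunk), write the expression in 64 bits too: `const int64_t qscale = (215 - 2 * (int64_t)quant) * 5;`. A short comment noting that qscale is widened because it is multiplied by the aan scale factors further down would explain the otherwise odd-looking int64_t for a small value.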
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1 << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1 << 16))) * 2; } #if HAVE_BIGENDIAN From e9c3c8df45dc6f0c5f88e2f14c43a3a1f1418306 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 21:54:31 +0200 Subject: [PATCH 128/818] avfilter/vf_uspp: Fix currently unused input frame dimensions Found-by: Nicolas Signed-off-by: Michael Niedermayer (cherry picked from commit 942036e97c8b149ce2f3ec6e7cbc990df8713d0c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_uspp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index ef493b860f..66035cd78c 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -228,8 +228,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3], p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; From 924a2dd57a04792fae1dce1626fafb223fb97201 Mon Sep 17 00:00:00 2001 
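Review bot: `return (lo + (hi * (1 << 16))) * 2;` in make_ydt15_entry (and `lo * (1 << 16)` in make_cdt15_entry) replaces a shift with a signed `int` multiplication that overflows as soon as |hi| > 32767, i.e. |ydt[p2]| > 31 after the `* 1057` scaling two lines above; that is undefined behaviour of exactly the kind the commit is silencing, unless the table values are bounded more tightly than their int16_t type suggests (not visible here). Doing the high-half placement in unsigned, `return (lo + (hi * (1U << 16))) * 2;` and `return (lo + (lo * (1U << 16))) * 2;`, makes the wrap defined; the unsigned-to-int conversion on return is implementation-defined, which FFmpeg accepts elsewhere. make_ydt15_entry starts outside the hunk.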
From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:49 +0200 Subject: [PATCH 129/818] avcodec/webp: Always set pix_fmt Fixes: out of array access Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632 Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ libavcodec/webp.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index fe7aa23491..5bf601a8ef 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2550,6 +2550,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 7d23cc7435..b2ae5bcbba 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1327,9 +1327,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { From 4a974cb59501d9da0c33c41f93eb596dc6cdc3fb Mon Sep 17 00:00:00 2001 
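Review bot: The new `av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);` at the top of vp78_decode_frame is an unconditional abort in a library decode path; it guards an invariant that the webp change in this same commit now maintains, but if any other path reaches it (a future hwaccel format, or an application that sets pix_fmt itself), every process using libavcodec dies instead of receiving an error. Returning `AVERROR_BUG` with an av_log, or av_assert1 so release builds are not killed, gives developers the same signal without the crash. A comment stating why the format must already be fixed here — presumably because the frame allocated further down depends on it — would also help. vp78_decode_frame continues outside the hunk.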
From: Michael Niedermayer Date: Wed, 10 May 2017 23:48:30 +0200 Subject: [PATCH 130/818] avcodec/pixlet: Fix runtime error: signed integer overflow: 436207616 * -5160230545260541 cannot be represented in type 'long' Fixes: 1462/clusterfuzz-testcase-minimized-6558894463647744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 60765cc42e3eb4a1193ef352a89946113a6e5802) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index c4f7597866..419fef6102 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -256,7 +256,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i j = 0; dst += stride; } - state += (int64_t)d * yflag - (d * state >> 8); + state += (int64_t)d * yflag - ((int64_t)(d * (uint64_t)state) >> 8); flag = 0; From 35f293fe898d2744a644c5e17d5b4bdd92858910 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 00:49:31 +0200 Subject: [PATCH 131/818] avcodec/mpeg12dec: Fixes runtime error: division by zero Fixes: 1464/clusterfuzz-testcase-minimized-4925445571084288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0ece1f4addf8ac31df95775a2d36be2a55fc759) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index e49167f89e..186fbd27b6 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c 
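Review bot: `((int64_t)(d * (uint64_t)state) >> 8)` needs a comment: the multiply is done in uint64_t so a product beyond 64 bits wraps instead of being undefined, the `(int64_t)` cast of an out-of-range unsigned value is implementation-defined (two's complement assumed, as elsewhere in FFmpeg), and the value that reaches `state` on such input is bounded garbage rather than a correct result. Something like `/* d*state can exceed 64 bits on corrupt input: multiply unsigned (defined wrap), then shift as signed */` on that line would keep a later cleanup from "simplifying" the casts away. read_high_coeffs starts and ends outside the hunk.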
@@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { From 363b46cdbf5dfa64cdfdd69544b711233c45d2d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:13:53 +0200 Subject: [PATCH 132/818] avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' Fixes: 1471/clusterfuzz-testcase-minimized-6376460543590400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a0ff78168f80f5b2c5c5544325aca4023bc67a4) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index acb8178337..6a5bdebe89 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From 9b754ccc53730bc214e15f7613423e4b45059c25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:18:50 +0200 Subject: [PATCH 133/818] avcodec/dvbsubdec: Check entry_id Fixes: randomly writing over the array end Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a69f2602fea04b7ebae2db16f2581e8ff5ee0cd) 
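Review bot: For aspect_ratio_info values whose ff_mpeg1_aspect[] entry is 0 — presumably the case behind the division by zero this commit fixes — `av_d2q(0, 255)` returns {0, 1}, and swapping it stores `sample_aspect_ratio = {1, 0}`, a rational with a zero denominator that av_q2d() turns into inf and that downstream code may divide by. Treating that case as "unknown" explicitly is safer than emitting an invalid rational, as sketched below. mpeg_decode_postinit starts and ends outside the hunk.
```c
            AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255);
            if (aspect_inv.num == 0) /* reserved/forbidden code: SAR unknown */
                avctx->sample_aspect_ratio = (AVRational) { 0, 1 };
            else
                avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num };
```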
Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 9f6b06ca25..4bdcc6333a 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1160,9 +1160,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); From 79f6a1b96ee20eec311e8c44c2bcd5f8fb49f55f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:29:31 +0200 Subject: [PATCH 134/818] avcodec/scpr: Check y in first line loop in decompress_i() Fixes: out of array access Fixes: 1478/clusterfuzz-testcase-minimized-5285486908145664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ac5067146613997bb38442cb022d7f41321a706) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 465926af19..ea3beae29d 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -331,6 +331,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize) clr = (b << 16) + (g << 8) + r; k += run; while (run-- > 0) { + if (y >= avctx->height) + return AVERROR_INVALIDDATA; + dst[y * linesize + x] = clr; lx = x; ly = y; From 383fdec3b2568681c5ed905bcd6d3628308c8e4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:35:24 +0200 Subject: [PATCH 135/818] avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers 
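Review bot: Adding `entry_id < 4` / `entry_id < 16` to the `if`/`else if` chain stops the out-of-bounds write, but an entry that fails the bound is not rejected — it falls through to the next test, so a 2-bit CLUT entry with entry_id >= 4 is silently stored into clut16 (or clut256) when the depth byte also has those bits set, and dropped without a trace otherwise. Rejecting the inconsistent entry explicitly before the chain, `if ((depth & 0x80 && entry_id >= 4) || (depth & 0x40 && entry_id >= 16)) return AVERROR_INVALIDDATA;`, or at least an av_log at AV_LOG_ERROR if the decoder prefers to continue, keeps the bounds check and the table selection separate and visible. dvbsub_parse_clut_segment starts and ends outside the hunk.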
Signed-off-by: Michael Niedermayer (cherry picked from commit e717fa1f0a66825fb10fec7debad768f311ee240) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 80b049861e..bbd2e62c5c 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -74,7 +78,7 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +105,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +114,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; 
@@ -166,7 +170,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +199,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; From 5d0e4c877f3b06d96e8f96d7373006cb1ed00153 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:39:33 +0200 Subject: [PATCH 136/818] avcodec/cllc: Check num_bits Fixes: runtime error: shift exponent -2 is negative Fixes: 1479/clusterfuzz-testcase-minimized-6638493360979968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bfd0a97587d26c0c39413a6291ccc66e4a928d0) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index bbd2e62c5c..ec11fc34b0 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -55,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; From 971fe06074207a7b3263993a13567c0047e36b4a Mon Sep 17 00:00:00 2001 
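Review bot: The new rejection in read_code_table has a typo in its user-visible message — `"To long VLCs %d\n"` should read `"Too long VLCs %d\n"` — and neither the bound nor the `vlc->table = NULL;` is explained. The limit follows from the readers: GET_VLC() is invoked with VLC_BITS/VLC_DEPTH and can resolve codes of at most VLC_BITS * VLC_DEPTH = 14 bits, so if num_lens is the number of code lengths (its use as the loop bound below suggests so) longer codes would be undecodable; a comment like `/* GET_VLC(.., VLC_BITS, VLC_DEPTH) decodes codes of at most VLC_BITS*VLC_DEPTH bits */` pins that. Why the table pointer is cleared — presumably so the caller's cleanup does not free a stale table — deserves one line too, since the declaration and cleanup are outside the hunk.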
From: Michael Niedermayer Date: Thu, 11 May 2017 19:10:16 +0200 Subject: [PATCH 137/818] avcodec/msmpeg4dec: Check for cbpy VLC errors Fixes: runtime error: left shift of negative value -1 Fixes: 1480/clusterfuzz-testcase-minimized-5188321007370240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15e892aad12b23e9b5686cf66ca6fa739c734ead) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index b5bc36ece2..4105d4ba7d 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; From 256b9442df2cd76e48f5086f77c85e9c0c3e4209 Mon Sep 17 00:00:00 2001 
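Review bot: The cbpy read and its new error check are now duplicated verbatim in both arms of `if(s->msmpeg4_version==2)`, although the arms differ only in how ac_pred is set and in the P-picture XOR; a later fix to one copy is likely to miss the other. Reading the VLC once after choosing ac_pred keeps a single error path with identical behaviour (the XOR still applies only to the non-version-2 case), as sketched below. The hunk returns `-1` like its neighbours; if the rest of msmpeg4v12_decode_mb (which starts and ends outside the hunk) has moved to AVERROR codes, `AVERROR_INVALIDDATA` would be the consistent choice.
```c
    } else {
        int v;
        s->ac_pred = s->msmpeg4_version == 2 ? get_bits1(&s->gb) : 0;
        v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
        if (v < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
            return -1;
        }
        cbp |= v << 2;
        if (s->msmpeg4_version != 2 && s->pict_type == AV_PICTURE_TYPE_P)
            cbp ^= 0x3C;
        *mb_type_ptr = MB_TYPE_INTRA;
```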
From: Michael Niedermayer Date: Thu, 11 May 2017 23:24:23 +0200 Subject: [PATCH 138/818] avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 Fixes: 1487/clusterfuzz-testcase-minimized-6288036495097856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6899e6e56065d9365963e02690dc9e2ce7866050) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 202ae94922..3573298ca1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -2047,9 +2047,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; From ee92ea890388cac50db2a4334c702c2f47bdca5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:05:46 +0200 Subject: [PATCH 139/818] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' Fixes: 1503/clusterfuzz-testcase-minimized-5369271855087616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df640dbbc949d0f4deefaf43e86b8bd50ae997cc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 7a3a851861..543f01b852 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c 
@@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; From 34ae6101156f66b514981b34f680e6bbfc3bde4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:13:46 +0200 Subject: [PATCH 140/818] avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 Fixes: 1504/clusterfuzz-testcase-minimized-6249212138225664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4c0245686bc2fcc545644101c7b328fed71f268) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 6d452df189..89089f5f64 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -695,13 +695,13 @@ static int estimate_sid_gain(G723_1_Context *p) if (y <= 0) { t = seg * 32 + (val + 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val++; } else { t = seg * 32 + (val - 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val--; } From 3526d2501746c3c9679a06fdd9671f3b58ce4515 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:15:33 +0200 Subject: [PATCH 141/818] avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1505/clusterfuzz-testcase-minimized-4561688818876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
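Review bot: `val = (seg2 - 1) * 16 + val;` fixes the reported shift, but the context line two above each fixed line still left-shifts a value that can be negative: `t = seg * 32 + (val - 1 << seg2);` in the else branch is undefined whenever val == 0 (and `(val + 1 << seg2)` whenever val < -1), which is the same diagnostic this commit addresses. If val's range on entry to these branches is not already known to exclude that (its derivation is outside the hunk), `t = seg * 32 + (val - 1) * (1 << seg2);` and the matching `(val + 1) * (1 << seg2)` make all four expressions consistent. estimate_sid_gain starts and ends outside the hunk.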
Signed-off-by: Michael Niedermayer (cherry picked from commit f225003d17364cd38fd28f268ae2b29abd8e5024) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 49e97c91ae..90b1eb4f11 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride, for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); From 5121f31cacf01761aa7b454d1bec2fc8e2b3697d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 13:01:36 +0200 Subject: [PATCH 142/818] avcodec/avcodec: Limit the number of side data elements per packet Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496 See: [FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5711cb89121268e8d78ebe8563a68e67a236cbb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 10 ++++++++++ libavcodec/avpacket.c | 5 ++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index d7804773cb..57334df3fc 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h 
@@ -1583,6 +1583,16 @@ enum AVPacketSideDataType { * to the AVSphericalMapping structure. */ AV_PKT_DATA_SPHERICAL, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index e633245a62..7cb9fdf822 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, AVPacketSideData *tmp; int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); @@ -436,6 +436,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); From f0ee408624c1c65a1e4f77d15fb31bfb0e478877 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:50:40 +0200 Subject: [PATCH 143/818] avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' Fixes: 1440/clusterfuzz-testcase-minimized-5785716111966208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccce2248bf56692fc7bd436ca2c9acca772d486a) 
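Review bot: The replaced check in av_packet_add_side_data no longer guards the `(elems + 1) * sizeof(*tmp)` multiplication on the following line explicitly; it is safe only because AV_PKT_DATA_NB is small, which the new enum comment itself warns may change. A one-line comment at the check, `/* AV_PKT_DATA_NB is a loose upper bound on distinct side data types; it also keeps the realloc size small */`, would tie the two together for the next reader. The added `if (i > AV_PKT_DATA_NB)` in av_packet_split_side_data applies the same bound, so a matching comment there keeps both call sites consistent. Both enclosing functions continue outside their hunks.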
Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 7d9cfa8278..fed5c67a90 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } From 906f1f66a8208388262b4a3a1484b32c0510d9eb Mon Sep 17 00:00:00 2001 
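Review bot: Switching a1..d1 to unsigned makes the intermediate wrap well-defined, but the final `(int)(a1 + d1) >> 14` still depends on the implementation-defined conversion of an out-of-range unsigned to int and on arithmetic right shift of a negative int; that is the usual assumption in this codebase but it is not stated here. A comment on the declaration, `unsigned a1, b1, c1, d1; /* unsigned so the butterfly may wrap; the cast back to int assumes two's complement and arithmetic >> */`, would document it. The products such as `dc[i * 4 + 1] * 30274` are still computed in int; with int16_t inputs they stay below INT_MAX, so no change is needed there.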
From: Michael Niedermayer Date: Thu, 11 May 2017 02:38:33 +0200 Subject: [PATCH 144/818] avcodec/xpmdec: Fix multiple pointer/memory issues Most of these were found through code review in response to fixing 1466/clusterfuzz-testcase-minimized-5961584419536896 There is thus no testcase for most of this. The initial issue was Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb243972b121b1ae6b60a78ff55a0506c69f3879) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 9112d4cb5e..03172e4aad 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -29,6 +29,8 @@ typedef struct XPMContext { uint32_t *pixels; int pixels_size; + uint8_t *buf; + int buf_size; } XPMDecContext; typedef struct ColorEntry { @@ -233,6 +235,8 @@ static uint32_t color_string_to_rgba(const char *p, int len) const ColorEntry *entry; char color_name[100]; + len = FFMIN(FFMAX(len, 0), sizeof(color_name) - 1); + if (*p == '#') { p++; len--; @@ -299,18 +303,25 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, { XPMDecContext *x = avctx->priv_data; AVFrame *p=data; - const uint8_t *end, *ptr = avpkt->data; + const uint8_t *end, *ptr; int ncolors, cpp, ret, i, j; int64_t size; uint32_t *dst; avctx->pix_fmt = AV_PIX_FMT_BGRA; - end = avpkt->data + avpkt->size; - while (memcmp(ptr, "/* XPM */", 9) && ptr < end - 9) + av_fast_padded_malloc(&x->buf, &x->buf_size, avpkt->size); + if (!x->buf) + return AVERROR(ENOMEM); + memcpy(x->buf, avpkt->data, avpkt->size); + x->buf[avpkt->size] = 0; + + ptr = x->buf; + end = x->buf + avpkt->size; + while (end - ptr > 9 && memcmp(ptr, "/* XPM */", 9)) ptr++; - if (ptr >= end) { + if (end - ptr <= 9) { av_log(avctx, AV_LOG_ERROR, "missing signature\n"); return AVERROR_INVALIDDATA; } 
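Review bot: In color_string_to_rgba the new clamp guarantees `len >= 0`, but the unchanged `len--` two lines below for the `#` form can still drive it to -1 if a caller passes len 0 with `*p == '#'`; whether the later code tolerates a negative len is not visible here, so either placing the clamp after the `#` handling or adding `if (len <= 0)` there would close it. The clamp also mixes an int with `sizeof(color_name) - 1` inside FFMIN; it is correct because FFMAX has already made len non-negative, which deserves a comment such as `/* len is non-negative here, so the size_t comparison is safe */`. In xpm_decode_frame the signature scan rejects a packet whose `/* XPM */` occupies its last 9 bytes, which is harmless since nothing could follow it. The function continues beyond this hunk.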
@@ -335,7 +346,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, size = 1; for (i = 0; i < cpp; i++) - size *= 94; + size *= 95; if (ncolors <= 0 || ncolors > size) { av_log(avctx, AV_LOG_ERROR, "invalid number of colors: %d\n", ncolors); @@ -349,12 +360,15 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); ptr += mod_strcspn(ptr, ",") + 1; + if (end - ptr < 1) + return AVERROR_INVALIDDATA; + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; ptr += mod_strcspn(ptr, "\"") + 1; - if (ptr + cpp > end) + if (end - ptr < cpp) return AVERROR_INVALIDDATA; index = ptr; ptr += cpp; @@ -373,14 +387,20 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, x->pixels[ret] = color_string_to_rgba(ptr, len); ptr += mod_strcspn(ptr, ",") + 1; + if (end - ptr < 1) + return AVERROR_INVALIDDATA; } for (i = 0; i < avctx->height; i++) { dst = (uint32_t *)(p->data[0] + i * p->linesize[0]); + if (end - ptr < 1) + return AVERROR_INVALIDDATA; ptr += mod_strcspn(ptr, "\"") + 1; + if (end - ptr < 1) + return AVERROR_INVALIDDATA; for (j = 0; j < avctx->width; j++) { - if (ptr + cpp > end) + if (end - ptr < cpp) return AVERROR_INVALIDDATA; if ((ret = ascii2index(ptr, cpp)) < 0) @@ -405,6 +425,9 @@ static av_cold int xpm_decode_close(AVCodecContext *avctx) XPMDecContext *x = avctx->priv_data; av_freep(&x->pixels); + av_freep(&x->buf); + x->buf_size = 0; + return 0; } From 00a9eaff97881c40d2d67379d231e47739afe2fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 14:39:26 +0200 Subject: [PATCH 145/818] avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 Fixes: 1512/clusterfuzz-testcase-minimized-4713846423945216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8) 
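Review bot: The guard `if (end - ptr < 1) return AVERROR_INVALIDDATA;` is now repeated four times around the mod_strcspn advances, and in the row loop the check before `ptr += mod_strcspn(ptr, "\"") + 1;` duplicates the one that ended the previous iteration; a small static helper that advances past a delimiter and reports whether `ptr` is still inside the buffer would remove the repetition and make it harder to forget at the next call site. The new `size *= 95` also deserves a comment on where 95 comes from, presumably the count of printable ASCII characters per code position, since the previous value was 94. xpm_decode_frame begins and ends outside these hunks.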
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 6 +++--- libavcodec/mlpdsp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 7cad5d1cad..b471f0d760 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; @@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..2fc453c1f0 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1 << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From d1dd90ae5425402fe176c2400351395b3165c309 Mon Sep 17 00:00:00 2001 
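Review bot: `get_sbits(gbp, coeff_bits) * (1 << coeff_shift)` removes the negative left shift, but `1 << coeff_shift` and the product itself are still int arithmetic; unless coeff_shift and coeff_bits are range-checked earlier (not visible here) the same sanitizer report can come back as signed overflow. The same applies to `s->noise_shift` and `output_shift[mat_ch]` in the other two hunks, and the context line `*data_32++ = sample << 8;` in ff_mlp_pack_output still left-shifts a possibly negative int32_t. Where the ranges are bounded, a comment at each site stating the bound would make the reasoning visible. All three enclosing functions continue outside their hunks.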
From: Michael Niedermayer Date: Sat, 13 May 2017 15:39:32 +0200 Subject: [PATCH 146/818] avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned int [256]' Fixes: 1519/clusterfuzz-testcase-minimized-5286680976162816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2171dfae8c065878a2e130390eb78cf2947a5b69) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index ea3beae29d..286fffbf35 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -261,6 +261,9 @@ static int decode_unit(SCPRContext *s, PixelModel *pixel, unsigned step, unsigne break; c++; } + if (x >= 16 || c >= 256) { + return AVERROR_INVALIDDATA; + } if ((ret = s->decode(gb, rc, cumfr, cnt_c, totfr)) < 0) return ret; From 128b42f4d1910ff4a2f1bbf8c7e401c5f246e4dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 04:12:15 +0200 Subject: [PATCH 147/818] avcodec/aacsbr_template: Do not change bs_num_env before its checked Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index aaa48ef802..930d33e9e5 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c 
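Review bot: The new guard uses bare literals 16 and 256 for what the commit message identifies as the size of a 256-element table; tying them to the declarations of whatever arrays `x` and `c` index, e.g. via `FF_ARRAY_ELEMS(...)`, keeps the check from silently diverging if the table sizes change (the array declarations are outside the hunk). The braces around the single `return` also differ from the neighbouring `if ((ret = ...) < 0) return ret;` style. decode_unit starts and ends outside this hunk.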
@@ -624,25 +624,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -690,15 +691,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; 
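Review bot: On the `return -1` paths the new code leaves ch_data->bs_num_env at its old value, which is the point of the change, but ch_data->bs_amp_res and ch_data->t_env_num_env_old have already been overwritten above the switch, so the channel state is partially updated on error; a comment at the FIXFIX return such as `/* bs_num_env and bs_frame_class are deliberately left untouched on error; earlier fields are already updated */` would make that explicit, or those two assignments could move after the validation. The error paths also return -1 where AVERROR_INVALIDDATA is the usual return for bitstream problems. The same applies to the VARVAR hunk. read_sbr_grid continues past both hunks.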
@@ -713,6 +714,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { From b0f3f56bbcec5ce0de2ac90d62692e6996ce010e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:13:48 +0200 Subject: [PATCH 148/818] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 Fixes: 1535/clusterfuzz-testcase-minimized-5826695535788032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 26227d91865ddfbfe35c9ff84853cc469e1c7daf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 6a5bdebe89..1b5e8aa326 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx) static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } 
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign) { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } From 479bb1cacd25bd2b1fcaebbf716d3ffb3960453e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:27:27 +0200 Subject: [PATCH 149/818] avcodec/webp: Add missing input padding Fixes: 1536/clusterfuzz-testcase-minimized-5973925404082176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3508cc3fe643a8adad6a82a60bece3ea3c5dc63) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index b2ae5bcbba..e2769c0bf9 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1043,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); From 47da68fc8e244158c858b928b82181271dd28a60 Mon Sep 17 00:00:00 2001 
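Review bot: `(1 + (((int)sign >> 31) * 2))` is written out four times in DEC_UQUAD; it relies on arithmetic right shift of a negative int (implementation-defined, not undefined) to turn the top bit into -1 or 0, and that is nowhere stated. Factoring it into a `static inline int sign_factor(unsigned sign)` helper, or at least a comment `/* (int)sign >> 31 is -1 when the top bit is set, giving a factor of -1 or +1 */` on the first use, documents the trick once; the `(sign & 1) * 2` form in DEC_UPAIR in the previous hunk is the same idea.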
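Review bot: The padding added with `av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE)` is left uninitialised; if the reason for the padding is that a reader may run past linesize, those reads now return indeterminate bytes, which is defined behaviour but will trip memory checkers. Using `av_mallocz` here, or explicitly zeroing the tail, plus a comment `/* padding: the reader may fetch past the last pixel */` would make the intent visible. apply_color_indexing_transform continues outside this hunk.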
From: Michael Niedermayer Date: Sat, 13 May 2017 19:28:01 +0200 Subject: [PATCH 150/818] avcodec/ac3dec: Keep track of band structure It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9351a156de724edb69ba6e1f05884fe806a13a21) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 27 +++++++++++++++------------ libavcodec/ac3dec.h | 2 ++ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 4a0d8bbcc7..bd6f1478ac 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -761,30 +761,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -863,7 +864,8 @@ static inline int spx_strategy(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); return 0; } 
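Review bot: `av_assert0(band_struct_size >= start_subband + n_subbands)` aborts the process if it fails; if start_subband/end_subband are derived from the bitstream and the callers do not range-check them (not visible here), a malformed stream becomes a crash rather than an error, so this is better expressed as a validated error return (the function would need to return int). The new `band_struct_size` parameter is also missing from the Doxygen block that the hunk otherwise updates; `* @param[in] band_struct_size size of band_struct in bytes` completes it. The memcpy further assumes default_band_struct has at least band_struct_size entries, which the comment on that parameter could state. decode_band_structure continues outside this hunk.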
@@ -1000,7 +1002,8 @@ static inline int coupling_strategy(AC3DecodeContext *s, int blk, decode_band_structure(bc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index bac661c167..aa4cf04f8a 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -128,6 +128,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -144,6 +145,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) From 6f8dab7a7bd9fdf00b2c1f1e62bd2aa159f40908 Mon Sep 17 00:00:00 2001 
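Review bot: The two new fields `cpl_band_struct` and `spx_band_struct` are the only members in these blocks without a `///<` description, while every neighbour has one; `uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; ///< coupling band structure` and `uint8_t spx_band_struct[SPX_MAX_BANDS]; ///< spx band structure` would follow the existing pattern. The struct continues outside both hunks.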
From: Michael Niedermayer Date: Sat, 13 May 2017 23:13:38 +0200 Subject: [PATCH 151/818] avcodec/mlpdec: Check that there is enough data for headers Fixes: out of array access Fixes: 1541/clusterfuzz-testcase-minimized-6403410590957568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3e51f8c14d22ae11684dcfe58df355f0f9e6401) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b471f0d760..fa4347fb23 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; From 3ed0d94b827a67b91b727f2a58ed96e66d8ea2d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:16:44 +0200 Subject: [PATCH 152/818] avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' Fixes: 1556/clusterfuzz-testcase-minimized-5027865978470400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86b1b0d33dd7459f0d9c352c51ee2e374fd6f7fe) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index c9d4160a1a..4814b80c3a 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
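Review bot: The new log message misspells a word: `"Insuffient data for headers\n"` should read `"Insufficient data for headers\n"`. The check itself compares `length` with `header_size + substr_header_size`; a comment stating what `length` is and where it was validated would help, since read_access_unit starts well before this hunk.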
@@ -263,7 +263,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } From 9fb677dd825618fd5e44b955e7f8d2ad7333ab3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:21:24 +0200 Subject: [PATCH 153/818] avcodec/webp: Fix signedness in prefix_code check Fixes: out of array read Fixes: 1557/clusterfuzz-testcase-minimized-6535013757616128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c5cd1c9d33b4b287f85d42efb1aecfaee31de6c) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index e2769c0bf9..147d85f15b 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,7 +694,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; From 236912f78923f335555d08403f5b55f1ca73202d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:24:04 +0200 Subject: [PATCH 154/818] avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' Fixes: 1559/clusterfuzz-testcase-minimized-5048096079740928 Fixes: 1560/clusterfuzz-testcase-minimized-6011037813833728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8630b2cd36c57918acfe18302fe77d1ceefbd676) 
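Review bot: Only the `dc == 1` branch of the ternary is made unsigned; the other branch `qmul * (block[0] >> 3) / 2` is still a signed product and can overflow the same way if qmul and block[0] are large (their ranges are not visible here). The spacing `1538U* block[0]` also breaks the surrounding `a * b` style; `1538U * block[0]` matches. svq3_add_idct_c continues outside this hunk.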
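Review bot: Comparing against `39U` rejects a negative prefix_code only through an implicit signed-to-unsigned conversion, which is easy to undo in a later edit; if huff_reader_get_symbol can return a negative error value, `if (prefix_code < 0 || prefix_code > 39)` states the intent directly and still prints correctly with `%d`, or else a comment `/* unsigned compare also rejects negative error returns */` should stay with the line. decode_entropy_coded_image continues outside this hunk.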
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c3f43b838d..20921c6adf 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; From bbda1264775e1a5a7743b516b06ca817a2c3df40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Apr 2017 18:46:48 +0200 Subject: [PATCH 155/818] libswscale/tests/swscale: Fix uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 7796f290653349a4126f2d448d11bb4440b9f257) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index bd8d098a3d..b4b8173a31 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -309,10 +309,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; From 8fbd34750834a6c91ec4079b3ee9b0877f3a21b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 02:38:30 +0200 Subject: [PATCH 156/818] Update for 3.3.1 Signed-off-by: Michael Niedermayer --- Changelog | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 122 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 6f023a9caf..54e4854c6e 100644 --- a/Changelog +++ b/Changelog 
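Review bot: `a` becomes unsigned but every use of it lies below the hunk, so the reason is invisible at the declaration; a comment such as `unsigned a; /* unsigned: the accumulation below may wrap, the result is reinterpreted as int */` (assuming that is how the value is consumed, which this hunk does not show) would keep the intent with the change. get_symbol_inline continues outside this hunk.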
@@ -1,6 +1,126 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 3.3.1: +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned int [256]' +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/xpmdec: Fix multiple pointer/memory issues +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/scpr: Check y in first line loop in decompress_i() +- avcodec/dvbsubdec: Check entry_id +- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' +- 
avcodec/mpeg12dec: Fixes runtime error: division by zero +- avcodec/pixlet: Fix runtime error: signed integer overflow: 436207616 * -5160230545260541 cannot be represented in type 'long' +- avcodec/webp: Always set pix_fmt +- avfilter/vf_uspp: Fix currently unused input frame dimensions +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/y41pdec: Fix width in input buffer size check +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 +- avcodec/indeo2: Check for invalid VLCs +- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour +- avcodec/htmlsubtitles: Check for string truncation and return error +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying 
planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/magicyuv: Check len to be supported +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/cdxl: Check format parameter +- avutil/softfloat: Fix overflow in av_div_sf() +- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/g723_1: Fix multiple runtime error: left shift of negative value +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/clearvideo: Fix multiple runtime error: left shift of negative value -1024 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value 
-22 +- avcodec/snowdec: Check qbias +- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/g722: Fix multiple runtime error: left shift of negative value -1 +- avcodec/dss_sp: Fix multiple left shift of negative value -466 +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/pngdec: Use ff_set_dimensions() +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow +- avcodec/dcadsp: Fix runtime error: signed integer overflow +- avcodec/svq3: Reject dx/dy beyond 16bit +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- doc/developer: Add terse documentation of assumed C implementation defined behavior +- avcodec/bmp: Use ff_set_dimensions() +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' 
adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- lavfi/avfiltergraph: only return EOF in avfilter_graph_request_oldest if all sinks EOFed +- ffmpeg: check for unconnected outputs +- avformat/utils: free AVStream.codec properly in free_stream() +- avcodec/options: do a more thorough clean up in avcodec_copy_context() +- avcodec/options: factorize avcodec_copy_context() cleanup code +- ffmpeg: count packets when queued +- avformat/concatdec: fix the h264 annexb extradata check +- avcodec/dnxhd_parser: fix parsing interlaced video, simplify code +- ffmpeg; check return code of avcodec_send_frame when flushing encoders + + version 3.3: - CrystalHD decoder moved to new decode API - add internal ebur128 library, remove external libebur128 dependency diff --git a/RELEASE b/RELEASE index eb39e5382f..bea438e9ad 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3 +3.3.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index f1899c74f5..226b5f7b9d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3 +PROJECT_NUMBER = 3.3.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 8c33e2e11bc9e8a46f07ad86500d5271484f6000 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 12 May 2017 13:45:44 -0300 Subject: [PATCH 157/818] avcodec/avpacket: allow only one element per type in packet side data It was never meant to do otherwise, as av_packet_get_side_data() returns the first entry it finds of a given type. Based on code from libavformat's av_stream_add_side_data(). Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer (cherry picked from commit 28f60eeabbdc3d0550f45da813ba91a0354524c4) --- libavcodec/avpacket.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 7cb9fdf822..8de9558854 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -296,7 +296,18 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, uint8_t *data, size_t size) { AVPacketSideData *tmp; - int elems = pkt->side_data_elems; + int i, elems = pkt->side_data_elems; + + for (i = 0; i < elems; i++) { + AVPacketSideData *sd = &pkt->side_data[i]; + + if (sd->type == type) { + av_free(sd->data); + sd->data = data; + sd->size = size; + return 0; + } + } if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); From d7b86cd308363013025a27b155ae5e4d77cf7446 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 6 May 2017 20:31:45 -0300 Subject: [PATCH 158/818] avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message The code was skipping the entire reported SEI message size regardless of the amount of bits read. While in theory safe for NALU where the picture timing SEI message is alone or at the end as we're using the checked bitstream reader, it isn't in any other situation, where every SEI message in the NALU after the picture timing one would potentially fail to parse. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit f738140807f504c9af7850042067777832f05e88) Conflicts: libavcodec/hevc_sei.c --- libavcodec/hevc_sei.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 8fc026cf1e..d4a82fd456 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
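Review bot: The replacement branch `av_free(sd->data); sd->data = data; sd->size = size;` frees the existing buffer before storing the new one, so a caller that hands back the pointer it obtained from av_packet_get_side_data() ends up with a dangling `sd->data`. Guarding the free, `if (sd->data != data) av_free(sd->data);`, removes that hazard at no cost. The new replace-in-place semantics and the ownership transfer of `data` (it must come from av_malloc, since it will later be freed here) should also be stated in the function's documentation, which lives outside this hunk.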
@@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s) return 0; } -static int decode_pic_timing(HEVCContext *s) +static int decode_pic_timing(HEVCContext *s, int size) { GetBitContext *gb = &s->HEVClc->gb; HEVCSPS *sps; @@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s) } get_bits(gb, 2); // source_scan_type get_bits(gb, 1); // duplicate_flag + skip_bits1(gb); + size--; } - return 1; + skip_bits_long(gb, 8 * size); + + return 0; } static int decode_registered_user_data_closed_caption(HEVCContext *s, int size) @@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size) return decode_nal_sei_display_orientation(s); case SEI_TYPE_PICTURE_TIMING: { - int ret = decode_pic_timing(s); + int ret = decode_pic_timing(s, size); av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type); - skip_bits(gb, 8 * size); return ret; } case SEI_TYPE_MASTERING_DISPLAY_INFO: From 6a9017d3a58669eaee79232365f27f10021a026d Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 12 Apr 2017 19:38:17 -0300 Subject: [PATCH 159/818] avcodec/aacenc_ltp: fix use of uninitialized values Fixes some valgrind warnings. Reviewed-by: Rostislav Pehlivanov Signed-off-by: James Almer (cherry picked from commit 8cd8c8331730fbaac5066bfd66e15b39a85ce537) --- libavcodec/aacenc_ltp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc_ltp.c b/libavcodec/aacenc_ltp.c index 1bec85b9e3..674a2a0680 100644 --- a/libavcodec/aacenc_ltp.c +++ b/libavcodec/aacenc_ltp.c @@ -74,8 +74,8 @@ void ff_aac_ltp_insert_new_frame(AACEncContext *s) static void get_lag(float *buf, const float *new, LongTermPrediction *ltp) { - int i, j, lag, max_corr = 0; - float max_ratio; + int i, j, lag = 0, max_corr = 0; + float max_ratio = 0.0f; for (i = 0; i < 2048; i++) { float corr, s0 = 0.0f, s1 = 0.0f; const int start = FFMAX(0, i - 1024); From 7f79879a01898b94d5d2e8788752beae5e20e154 Mon Sep 17 00:00:00 2001 
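Review bot: In the second hunk `size--` is applied without checking that the reported payload size was at least 1, so a payload declaring size 0 while the enclosing branch is taken reaches `skip_bits_long(gb, 8 * size)` with a negative count. The checked bitstream reader presumably clamps rather than overruns, but that leaves the reader positioned before the byte just consumed while the function still returns 0 as if the message were intact. Reject the malformed case before the byte is read, `if (size < 1) return AVERROR_INVALIDDATA;`, and state in decode_pic_timing's header comment that `size` is the remaining payload length in bytes and is consumed in full. decode_pic_timing's body starts outside the hunk.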
From: James Almer Date: Tue, 11 Apr 2017 01:03:51 -0300 Subject: [PATCH 160/818] avcodec/aac_adtstoasc: fix ASC passthrough on small frames ASC frames smaller than AAC_ADTS_HEADER_SIZE were being discarded. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 0f05f2c7e67949ce77de3cf7013f7d4da1c3e046) --- libavcodec/aac_adtstoasc_bsf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index 1067160559..e116b1d85b 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c @@ -49,14 +49,14 @@ static int aac_adtstoasc_filter(AVBSFContext *bsfc, AVPacket *out) if (ret < 0) return ret; + if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff) + goto finish; + if (in->size < AAC_ADTS_HEADER_SIZE) goto packet_too_small; init_get_bits(&gb, in->data, AAC_ADTS_HEADER_SIZE * 8); - if (bsfc->par_in->extradata && show_bits(&gb, 12) != 0xfff) - goto finish; - if (avpriv_aac_parse_header(&gb, &hdr) < 0) { av_log(bsfc, AV_LOG_ERROR, "Error parsing ADTS frame header!\n"); ret = AVERROR_INVALIDDATA; From d8afd8d371ec0dc05baa2585caffba100ca45cec Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Fri, 28 Apr 2017 21:58:55 +0200 Subject: [PATCH 161/818] lavc/aarch64/simple_idct: fix iOS build without gas-preprocessor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Separates macro arguments with commas and passes .4H/.8H as macro arguments instead of 4H/8H (the later form being interpreted as an hexadecimal value). Fixes ticket #6324. Suggested-by: Martin Storsjö --- libavcodec/aarch64/simple_idct_neon.S | 74 +++++++++++++-------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/libavcodec/aarch64/simple_idct_neon.S b/libavcodec/aarch64/simple_idct_neon.S index 52273420f9..92987985d2 100644 --- a/libavcodec/aarch64/simple_idct_neon.S 
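Review bot: The new early exit `if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff) goto finish;` encodes the ADTS syncword as a bare literal and says nothing about why it must run before the `AAC_ADTS_HEADER_SIZE` check, which is exactly the ordering this commit depends on. A comment such as `/* once extradata is set, a packet without the ADTS syncword is a raw ASC frame and is passed through untouched; it may be shorter than an ADTS header */` would keep the next refactor from moving it back. A 1-byte packet with extradata set still lands in packet_too_small, which looks intended since the syncword cannot be tested on it. aac_adtstoasc_filter continues outside the hunk.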
+++ b/libavcodec/aarch64/simple_idct_neon.S @@ -61,37 +61,37 @@ endconst br x10 .endm -.macro smull1 a b c +.macro smull1 a, b, c smull \a, \b, \c .endm -.macro smlal1 a b c +.macro smlal1 a, b, c smlal \a, \b, \c .endm -.macro smlsl1 a b c +.macro smlsl1 a, b, c smlsl \a, \b, \c .endm -.macro idct_col4_top y1 y2 y3 y4 i l - smull\i v7.4S, \y3\().\l, z2 - smull\i v16.4S, \y3\().\l, z6 - smull\i v17.4S, \y2\().\l, z1 +.macro idct_col4_top y1, y2, y3, y4, i, l + smull\i v7.4S, \y3\l, z1 + smull\i v16.4S, \y3\l, z6 + smull\i v17.4S, \y2\l, z1 add v19.4S, v23.4S, v7.4S - smull\i v18.4S, \y2\().\l, z3 + smull\i v18.4S, \y2\l, z3 add v20.4S, v23.4S, v16.4S - smull\i v5.4S, \y2\().\l, z5 + smull\i v5.4S, \y2\l, z5 sub v21.4S, v23.4S, v16.4S - smull\i v6.4S, \y2\().\l, z7 + smull\i v6.4S, \y2\l, z7 sub v22.4S, v23.4S, v7.4S - smlal\i v17.4S, \y4\().\l, z3 - smlsl\i v18.4S, \y4\().\l, z7 - smlsl\i v5.4S, \y4\().\l, z1 - smlsl\i v6.4S, \y4\().\l, z5 + smlal\i v17.4S, \y4\l, z3 + smlsl\i v18.4S, \y4\l, z7 + smlsl\i v5.4S, \y4\l, z1 + smlsl\i v6.4S, \y4\l, z5 .endm -.macro idct_row4_neon y1 y2 y3 y4 pass +.macro idct_row4_neon y1, y2, y3, y4, pass ld1 {\y1\().2D-\y2\().2D}, [x2], #32 movi v23.4S, #1<<2, lsl #8 orr v5.16B, \y1\().16B, \y2\().16B @@ -101,7 +101,7 @@ endconst mov x3, v5.D[1] smlal v23.4S, \y1\().4H, z4 - idct_col4_top \y1 \y2 \y3 \y4 1 4H + idct_col4_top \y1, \y2, \y3, \y4, 1, .4H cmp x3, #0 beq \pass\()f @@ -153,7 +153,7 @@ endconst trn2 \y4\().4S, v17.4S, v19.4S .endm -.macro declare_idct_col4_neon i l +.macro declare_idct_col4_neon i, l function idct_col4_neon\i dup v23.4H, z4c .if \i == 1 @@ -164,14 +164,14 @@ function idct_col4_neon\i .endif smull v23.4S, v23.4H, z4 - idct_col4_top v24 v25 v26 v27 \i \l + idct_col4_top v24, v25, v26, v27, \i, \l mov x4, v28.D[\i - 1] mov x5, v29.D[\i - 1] cmp x4, #0 beq 1f - smull\i v7.4S, v28.\l, z4 + smull\i v7.4S, v28\l, z4 add v19.4S, v19.4S, v7.4S sub v20.4S, v20.4S, v7.4S sub v21.4S, v21.4S, v7.4S 
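Review bot: In the idct_col4_top hunk the first multiply changes its operand as well as its syntax: `smull\i v7.4S, \y3\().\l, z2` becomes `smull\i v7.4S, \y3\l, z1`, while every other line of the macro keeps its coefficient. The commit message describes only separator and `.4H`/`.8H` argument changes, so if `z1` is really in the patch rather than an artifact of this listing it silently alters the column transform (v7 feeds v19 and v22 through the `add`/`sub` lines in the same hunk); the line should read `smull\i v7.4S, \y3\l, z2`. An aarch64 FATE run would settle which coefficient is correct. The rest of this hunk and the later hunks at -101, -153, -164, -181, -200, -219, -263 and -328 look like pure syntax changes.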
@@ -181,17 +181,17 @@ function idct_col4_neon\i cmp x5, #0 beq 2f - smlal\i v17.4S, v29.\l, z5 - smlsl\i v18.4S, v29.\l, z1 - smlal\i v5.4S, v29.\l, z7 - smlal\i v6.4S, v29.\l, z3 + smlal\i v17.4S, v29\l, z5 + smlsl\i v18.4S, v29\l, z1 + smlal\i v5.4S, v29\l, z7 + smlal\i v6.4S, v29\l, z3 2: mov x5, v31.D[\i - 1] cmp x4, #0 beq 3f - smull\i v7.4S, v30.\l, z6 - smull\i v16.4S, v30.\l, z2 + smull\i v7.4S, v30\l, z6 + smull\i v16.4S, v30\l, z2 add v19.4S, v19.4S, v7.4S sub v22.4S, v22.4S, v7.4S sub v20.4S, v20.4S, v16.4S @@ -200,10 +200,10 @@ function idct_col4_neon\i 3: cmp x5, #0 beq 4f - smlal\i v17.4S, v31.\l, z7 - smlsl\i v18.4S, v31.\l, z5 - smlal\i v5.4S, v31.\l, z3 - smlsl\i v6.4S, v31.\l, z1 + smlal\i v17.4S, v31\l, z7 + smlsl\i v18.4S, v31\l, z5 + smlal\i v5.4S, v31\l, z3 + smlsl\i v6.4S, v31\l, z1 4: addhn v7.4H, v19.4S, v17.4S addhn2 v7.8H, v20.4S, v18.4S @@ -219,14 +219,14 @@ function idct_col4_neon\i endfunc .endm -declare_idct_col4_neon 1 4H -declare_idct_col4_neon 2 8H +declare_idct_col4_neon 1, .4H +declare_idct_col4_neon 2, .8H function ff_simple_idct_put_neon, export=1 idct_start x2 - idct_row4_neon v24 v25 v26 v27 1 - idct_row4_neon v28 v29 v30 v31 2 + idct_row4_neon v24, v25, v26, v27, 1 + idct_row4_neon v28, v29, v30, v31, 2 bl idct_col4_neon1 sqshrun v1.8B, v7.8H, #COL_SHIFT-16 @@ -263,8 +263,8 @@ endfunc function ff_simple_idct_add_neon, export=1 idct_start x2 - idct_row4_neon v24 v25 v26 v27 1 - idct_row4_neon v28 v29 v30 v31 2 + idct_row4_neon v24, v25, v26, v27, 1 + idct_row4_neon v28, v29, v30, v31, 2 bl idct_col4_neon1 sshr v1.8H, V7.8H, #COL_SHIFT-16 @@ -328,8 +328,8 @@ function ff_simple_idct_neon, export=1 idct_start x0 mov x2, x0 - idct_row4_neon v24 v25 v26 v27 1 - idct_row4_neon v28 v29 v30 v31 2 + idct_row4_neon v24, v25, v26, v27, 1 + idct_row4_neon v28, v29, v30, v31, 2 add x2, x2, #-128 bl idct_col4_neon1 From 79122e26713579acca576d81e6f7b9efebdb447f Mon Sep 17 00:00:00 2001 
From: Matthieu Bouron Date: Wed, 10 May 2017 15:57:57 +0200 Subject: [PATCH 162/818] lavc/ffjni: fix local reference leak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Clément Bœsch --- libavcodec/ffjni.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffjni.c b/libavcodec/ffjni.c index 3f4c380673..b2bcae9602 100644 --- a/libavcodec/ffjni.c +++ b/libavcodec/ffjni.c @@ -303,6 +303,11 @@ int ff_jni_init_jfields(JNIEnv *env, void *jfields, const struct FFJniField *jfi last_clazz = *(jclass*)((uint8_t*)jfields + jfields_mapping[i].offset) = global ? (*env)->NewGlobalRef(env, clazz) : clazz; + + if (global) { + (*env)->DeleteLocalRef(env, clazz); + } + } else { if (!last_clazz) { From 1d37fe95e85806f02b8c79dba459eede3fa239f4 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Wed, 10 May 2017 15:59:41 +0200 Subject: [PATCH 163/818] lavc/mediacodec_wrapper: fix local reference leaks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Clément Bœsch --- libavcodec/mediacodec_wrapper.c | 63 ++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 21 deletions(-) diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index c2af950f39..43fbb511fd 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -1129,9 +1129,11 @@ fail: FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name) { + int ret = -1; JNIEnv *env = NULL; FFAMediaCodec *codec = NULL; jstring codec_name = NULL; + jobject object = NULL; codec = av_mallocz(sizeof(FFAMediaCodec)); if (!codec) { 
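Review bot: The added `if (global) { (*env)->DeleteLocalRef(env, clazz); }` releases the local reference right after `last_clazz = ... = global ? (*env)->NewGlobalRef(env, clazz) : clazz;`, but the result of NewGlobalRef is never checked; it returns NULL when the VM cannot create the reference, and after this hunk the only handle to the class is gone, leaving NULL in jfields and in `last_clazz`. Test the stored value before dropping the local ref, `if (global && !last_clazz)`, and take the function's existing failure path (not visible here) in that case. ff_jni_init_jfields continues outside the hunk.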
@@ -1154,12 +1156,12 @@ FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name) goto fail; } - codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_by_codec_name_id, codec_name); + object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_by_codec_name_id, codec_name); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } - codec->object = (*env)->NewGlobalRef(env, codec->object); + codec->object = (*env)->NewGlobalRef(env, object); if (!codec->object) { goto fail; } @@ -1172,24 +1174,31 @@ FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name) codec->has_get_i_o_buffer = 1; } - return codec; + ret = 0; fail: - ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); - if (codec_name) { (*env)->DeleteLocalRef(env, codec_name); } - av_freep(&codec); + if (object) { + (*env)->DeleteLocalRef(env, object); + } - return NULL; + if (ret < 0) { + ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); + av_freep(&codec); + } + + return codec; } FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime) { + int ret = -1; JNIEnv *env = NULL; FFAMediaCodec *codec = NULL; jstring mime_type = NULL; + jobject object = NULL; codec = av_mallocz(sizeof(FFAMediaCodec)); if (!codec) { @@ -1212,12 +1221,12 @@ FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime) goto fail; } - codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_decoder_by_type_id, mime_type); + object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_decoder_by_type_id, mime_type); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } - codec->object = (*env)->NewGlobalRef(env, codec->object); + codec->object = (*env)->NewGlobalRef(env, object); if (!codec->object) { goto fail; } 
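Review bot: The fail path introduced in the -1172 hunk, and repeated verbatim in the -1230 and -1288 hunks of the next two functions, is now roughly twenty lines of identical local-ref/global-ref bookkeeping differing only in the static method id passed to CallStaticObjectMethod; three copies invite the next leak fix to land in one of them only. A single static helper taking the method id and the jstring argument, owning `object`, `ret` and the cleanup, would keep this in one place. Within the hunk `ret` only ever holds -1 or 0 and acts as a success flag, so a comment on its declaration (in the hunk above) saying so would help readers who expect an error code. Each function's opening lines are in a separate hunk.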
@@ -1230,24 +1239,31 @@ FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime) codec->has_get_i_o_buffer = 1; } - return codec; + ret = 0; fail: - ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); - if (mime_type) { (*env)->DeleteLocalRef(env, mime_type); } - av_freep(&codec); + if (object) { + (*env)->DeleteLocalRef(env, object); + } - return NULL; + if (ret < 0) { + ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); + av_freep(&codec); + } + + return codec; } FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime) { + int ret = -1; JNIEnv *env = NULL; FFAMediaCodec *codec = NULL; jstring mime_type = NULL; + jobject object = NULL; codec = av_mallocz(sizeof(FFAMediaCodec)); if (!codec) { @@ -1270,12 +1286,12 @@ FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime) goto fail; } - codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_encoder_by_type_id, mime_type); + object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_encoder_by_type_id, mime_type); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } - codec->object = (*env)->NewGlobalRef(env, codec->object); + codec->object = (*env)->NewGlobalRef(env, object); if (!codec->object) { goto fail; } @@ -1288,17 +1304,22 @@ FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime) codec->has_get_i_o_buffer = 1; } - return codec; + ret = 0; fail: - ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); - if (mime_type) { (*env)->DeleteLocalRef(env, mime_type); } - av_freep(&codec); + if (object) { + (*env)->DeleteLocalRef(env, object); + } - return NULL; + if (ret < 0) { + ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec); + av_freep(&codec); + } + + return codec; } int ff_AMediaCodec_delete(FFAMediaCodec* codec) 
From bc6c12b7e7699d374cffa81d6086cc73662f3b7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:00:42 +0200 Subject: [PATCH 164/818] avcodec/g723_1dec: Fix LCG type Fixes: 1567/clusterfuzz-testcase-minimized-5693653555085312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2c539d3501111f10a2b4e9480ea54c0a3190680) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 89089f5f64..aaa26c24ef 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -488,7 +488,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (FRAME_LEN - lag) * sizeof(*out)); } else { /* Unvoiced */ for (i = 0; i < FRAME_LEN; i++) { - *rseed = *rseed * 521 + 259; + *rseed = (int16_t)(*rseed * 521 + 259); out[i] = gain * *rseed >> 15; } memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf)); From b38c8fd291dcf4be44ce96f9f745f808e26a8060 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:06:56 +0200 Subject: [PATCH 165/818] avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' Fixes: 1568/clusterfuzz-testcase-minimized-5944868608147456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b923213276777f33d6366b1cb9d1845a8658f365) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index 04a65e7767..7f8044e463 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c 
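Review bot: `*rseed = (int16_t)(*rseed * 521 + 259);` relies on the out-of-range int-to-int16_t conversion to run the generator modulo 2^16, which is implementation-defined rather than undefined behaviour and matches what this release's doc/developer changelog entry says FFmpeg assumes, but nothing at the call site says so. A comment such as `/* 16-bit LCG: the cast intentionally keeps the low 16 bits (two's-complement wrap assumed) */` would stop a future cleanup from "fixing" it with a wider type. residual_interp continues outside the hunk.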
@@ -47,8 +47,8 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); From 09912081519438de5f48a5f1bc3846fb3ef1af02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:42:45 +0200 Subject: [PATCH 166/818] avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' It seems dual mono with a LFE channel is not forbidden Fixes: 1570/clusterfuzz-testcase-minimized-6455337349545984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c55e637072b694a1db40e21948d218bfa2e744bb) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index bd6f1478ac..148f058fa2 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1389,7 +1389,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; From 340690e8e6867c2b3ffd8295c2e67bd8f1b3368e Mon Sep 17 00:00:00 2001 
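Review bot: The added `&& ch <= 2` stops `audio_channel = 2-ch` from going negative for an LFE in dual-mono mode, but the consequence, that the LFE then indexes `compression_exists` and `heavy_dynamic_range` with 0, is left implicit. Since `2-ch` maps channel 1 to index 1 and channel 2 to index 0, the LFE now shares the second mono channel's compression parameters; if that is the intended behaviour rather than merely the memory-safe one, say so: `/* dual mono: ch1 -> index 1, ch2 -> index 0; an LFE (ch > 2) shares index 0 */`. decode_audio_block continues outside the hunk.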
From: Michael Niedermayer Date: Sun, 14 May 2017 16:47:13 +0200 Subject: [PATCH 167/818] avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode Fixes: Integer overflow Fixes: 1572/clusterfuzz-testcase-minimized-4578773729017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 467677769a2222ff8beab3c4d7826df9b7cbc81b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 39f177f8d0..54b7be10dd 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -2455,16 +2455,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { From 611ef6381b599818b2555bf56bb84003b1217803 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 17:02:49 +0200 Subject: [PATCH 168/818] avcodec/pixlet: Fixes: runtime error: signed integer overflow: 9203954323419769657 + 29897660706736950 cannot be represented in type 'long' Fixes: 1569/clusterfuzz-testcase-minimized-6328690508038144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a453f5549a8c3f8307200b32d3b342f0b4af3153) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
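Review bot: The added inner condition `if((ctx->vol_sprite_usage == STATIC_SPRITE ||` departs from the file's `if (` spacing and wraps the whole test in a redundant second pair of parentheses; `if (ctx->vol_sprite_usage == STATIC_SPRITE ||` / `ctx->vol_sprite_usage == GMC_SPRITE) {` matches the surrounding lines. The new `else` branch also deserves a comment stating why it exists, e.g. `/* S-VOP with a sprite type we do not handle: discard any trajectory left from an earlier VOP (per the overflow this fixes) */`, since the rationale currently lives only in the commit message. decode_vop_header continues outside the hunk.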
diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 419fef6102..3de802fea9 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -256,7 +256,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i j = 0; dst += stride; } - state += (int64_t)d * yflag - ((int64_t)(d * (uint64_t)state) >> 8); + state += (int64_t)d * (uint64_t)yflag - ((int64_t)(d * (uint64_t)state) >> 8); flag = 0; From 0f928e5918abeaeac62bcf20bacaf59037b963e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:35:56 +0200 Subject: [PATCH 169/818] avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' Fixes: 1510/clusterfuzz-testcase-minimized-5826231746428928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit afb4632cc30e83287338690c785ebac180436a59) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 468763e6bf..bc11bdb0fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -718,7 +718,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); frame->palette_has_changed = 1; From d9b25b392330e8039fffbd918285c7ae917a057e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:31:19 +0200 Subject: [PATCH 170/818] avcodec/rscc: Check pixel_size for overflow Fixes: 1509/clusterfuzz-testcase-minimized-5129419876204544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 934572c5c3592732a30336afdf2df9926a8b4df2) 
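Review bot: The new `+` line evaluates the whole right-hand side in `uint64_t` — `(int64_t)d` is converted to unsigned by the `(uint64_t)yflag` operand, and the subtracted `int64_t` term is converted the same way — and the result is then narrowed on assignment to `state`, which is implementation-defined when the value does not fit. That is the intended wrap, but it deserves a comment such as `/* evaluated unsigned on purpose: the products can exceed INT64_MAX; the narrowing back into state wraps on supported compilers */`. The declared types of `state` and `d` are not visible in the hunk, so whether the narrowing can actually occur is inferred. read_high_coeffs begins and ends outside the hunk.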
Signed-off-by: Michael Niedermayer
---
 libavcodec/rscc.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
index ebacd3f62c..f270cd5351 100644
--- a/libavcodec/rscc.c
+++ b/libavcodec/rscc.c
@@ -211,6 +211,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
 ctx->tiles[i].y = bytestream2_get_le16(gbc);
 ctx->tiles[i].h = bytestream2_get_le16(gbc);
+ if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n");
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
 pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size;
 ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i,
From d2108de6b84440c2bfd34cfd1df7d4793a369a2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:22:27 +0200 Subject: [PATCH 171/818] avcodec/fmvc: Check nb_blocks Fixes: out of array read Fixes: 1508/clusterfuzz-testcase-minimized-5011336327069696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0158b405a71f386c7844a3d975315afd47f16b5d) Signed-off-by: Michael Niedermayer
---
 libavcodec/fmvc.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c
index 1f8b0c5c17..ff5f291da6 100644
--- a/libavcodec/fmvc.c
+++ b/libavcodec/fmvc.c
@@ -561,6 +561,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 }
 s->nb_blocks = s->xb * s->yb;
+ if (!s->nb_blocks)
+ return AVERROR_INVALIDDATA;
+
 s->blocks = av_calloc(s->nb_blocks, sizeof(*s->blocks));
 if (!s->blocks)
 return AVERROR(ENOMEM);
From 70d3ad7b6fb79b17c44193e9de402496f51ae27a Mon Sep 17 00:00:00 2001
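Review bot: The tile byte count `ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size` is now written twice — once in 64-bit for the guard and once in `int` for the accumulation — and the two expressions can drift apart the next time either is edited. Computing it once keeps the check and the sum on the same value: `int64_t tile_size = ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size;` / `if (pixel_size + tile_size > INT_MAX) { ... }` / `pixel_size += tile_size;`. The guard is only sound if `pixel_size` is non-negative and `component_size` was validated earlier, neither of which is visible here. rscc_decode_frame continues outside the hunk.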
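Review bot: The new `if (!s->nb_blocks)` check returns AVERROR_INVALIDDATA silently, whereas the other validation fixes in this series (rscc, snowdec) log why the input was rejected; an `av_log(avctx, AV_LOG_ERROR, "Invalid block count\n");` before the return would match them. Zero is also the only bad value caught here: if `s->xb` and `s->yb` are not bounded before this point (not visible in the hunk), their product could overflow `int` before `av_calloc` ever sees it. decode_init continues outside the hunk.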
From: Michael Niedermayer Date: Tue, 9 May 2017 19:38:46 +0200 Subject: [PATCH 172/818] avcodec/cllc: Check prefix Fixes: runtime error: left shift of 1610706944 by 1 places cannot be represented in type 'int' Fixes: 1421/clusterfuzz-testcase-minimized-6239947507892224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62c5949beca2c95d6af5c74985467438d2295a66) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index ec11fc34b0..fe9583796f 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -81,6 +81,10 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } From d93a5a8d11f2b48e00e9d4b176de84f9af101157 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:02 +0200 Subject: [PATCH 173/818] avcodec/webp: Factor update_canvas_size() out Signed-off-by: Michael Niedermayer (cherry picked from commit c4f63b78b71e07dd2f5d49c032d9c3eef620c0f3) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 147d85f15b..3fef45603c 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c 
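Review bot: The new guard `if (prefix > (65535 - 256)/2)` is a magic bound: a reader has to reconstruct that it keeps the following `prefix <<= 1` (and, presumably, the up to 256 codes counted in the next iteration) inside 16 bits. A comment such as `/* keep prefix << 1 plus the next round's codes within 16 bits */` above the check saves that derivation, and the reason for clearing `vlc->table` before returning is not visible in the hunk and deserves a word as well. read_code_table begins and ends outside the hunk.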
@@ -1099,6 +1099,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) @@ -1123,16 +1138,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) From 0f980302902a7db35253bff282d05d739d7ed6e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:03 +0200 Subject: [PATCH 174/818] avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() Fixes: 1407/clusterfuzz-testcase-minimized-6044604124102656 Fixes: 1420/clusterfuzz-testcase-minimized-6059927359455232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 72810d20b74f05cc4b214d6c277fa6f43160df54) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 3fef45603c..ef7b26c4c8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c 
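Review bot: The new `update_canvas_size` helper has no doc comment, and the factoring also silently fixes the old height warning, which printed `s->width, w` instead of the height pair (visible in the removed lines of the second hunk). A short header such as `/* Record the canvas size w x h; warn, but still overwrite, if it differs from a size seen earlier in this stream. */` documents the contract, including that a mismatch is only logged at AV_LOG_WARNING and the new size wins. vp8_lossless_decode_frame continues outside the second hunk.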
@@ -1350,6 +1350,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p,
 ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt);
 if (ret < 0)
 return ret;
+
+ update_canvas_size(avctx, avctx->width, avctx->height);
+
 if (s->has_alpha) {
 ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data,
 s->alpha_data_size);
From b4cea069a5ad9c3a0fd0be25e6e71efe3cf09df2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 16:08:14 +0200 Subject: [PATCH 175/818] avcodec/snowdec: Check width Fixes: out of array read Fixes: 1419/clusterfuzz-testcase-minimized-6108700873850880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78aa93807b3e0674e34d32c0bf6f78d7f5b7927e) Signed-off-by: Michael Niedermayer
---
 libavcodec/snowdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 97f55288c1..022e9693c7 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
 av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count);
 return AVERROR_INVALIDDATA;
 }
+ if (s->avctx->width > 65536-4) {
+ av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width);
+ return AVERROR_INVALIDDATA;
+ }
 s->qlog += get_symbol(&s->c, s->header_state, 1);
From 224b47f76dbe360a394ef85b9a3beaf11bb39c5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 13:25:34 +0200 Subject: [PATCH 176/818] avcodec/flacdec: Return error code instead of 0 for failures Fixes: infinite loop Fixes: 1418/clusterfuzz-testcase-minimized-5934472438480896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f5a68533decdfb4757207e8d7b5af06e1dcd197)
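Review bot: The new call passes `avctx->width`/`avctx->height` where the lossless path passes the dimensions it parsed itself, so a reader has to know that `ff_vp8_decode_frame` just above is what filled in the avctx fields. A comment on the `+` line, `/* ff_vp8_decode_frame() has set avctx->width/height from the VP8 frame header; record them as the lossless path does */`, makes that dependency explicit; that ff_vp8_decode_frame sets them is inferred from the ordering, not shown in the hunk. vp8_lossy_decode_frame continues outside the hunk.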
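Review bot: `65536-4` is an unexplained constant: nothing in the hunk says which buffer or index type makes larger widths unsafe, so nobody can tell whether the bound is still right after a change elsewhere. Either give it a name (a macro next to the other snow limits) or annotate the check, e.g. `/* larger widths do not fit the 16-bit quantities used later — confirm against the code that consumes width */`, with the reason verified against the consumer, which is outside the hunk. decode_header continues outside the hunk.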
Signed-off-by: Michael Niedermayer
---
 libavcodec/flacdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index f73a32b461..581c73efc8 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -205,12 +205,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
 buf += 4;
 do {
 if (buf_end - buf < 4)
- return 0;
+ return AVERROR_INVALIDDATA;
 flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
 buf += 4;
 if (buf_end - buf < metadata_size) {
 /* need more data in order to read the complete header */
- return 0;
+ return AVERROR_INVALIDDATA;
 }
 buf += metadata_size;
 } while (!metadata_last);
From 814dd3e9ebc617707dc7dacd735f221aaac2327a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 14:28:20 +0200 Subject: [PATCH 177/818] avcodec/opus_silk: Fix integer overflow and out of array read Fixes: 1362/clusterfuzz-testcase-minimized-6097275002552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4654baff125d937ae0b1037aa5f0bf53c7351658) Signed-off-by: Michael Niedermayer
---
 libavcodec/opus_silk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index bfaf1d7d00..dbf6756864 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -128,8 +128,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
 if (nlsf[0] < min_delta[0])
 nlsf[0] = min_delta[0];
 for (i = 1; i < order; i++)
- if (nlsf[i] < nlsf[i - 1] + min_delta[i])
- nlsf[i] = nlsf[i - 1] + min_delta[i];
+ nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767));
 /* push backwards to increase distance */
 if (nlsf[order-1] > 32768 - min_delta[order])
From dd349b24ce242320dec45aded3b9a9542bf435f1 Mon Sep 17 00:00:00 2001
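Review bot: The comment `/* need more data in order to read the complete header */` above the second changed line now describes a return value that no longer exists — the function used to return 0 to ask for more data and now fails with AVERROR_INVALIDDATA — so the comment contradicts the code. Rewrite it as `/* block extends past the buffer: treat a truncated header as invalid rather than asking for more data, which could loop forever */`, which is the reason the commit message gives. Callers that relied on the 0 sentinel are outside the hunk and should be checked too. get_metadata_size begins and ends outside the hunk.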
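Review bot: The new `FFMIN(..., 32767)` clamp is the actual overflow fix — `nlsf[i - 1] + min_delta[i]` is computed in `int` and can exceed what an `int16_t nlsf[16]` element holds — but nothing on the line says so. A comment such as `/* the sum is int; clamp to INT16_MAX before storing back into int16_t nlsf[] */` keeps the intent through the next edit, and `INT16_MAX` would read better than the literal if the file already uses <stdint.h> limits. The element type of `min_delta` is cut off in the hunk header, so the promotion to int is inferred. silk_stabilize_lsf continues outside the hunk.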
From: Michael Niedermayer Date: Fri, 5 May 2017 13:16:07 +0200 Subject: [PATCH 178/818] avcodec/aacps: Fix undefined behavior Fixes: 1337/clusterfuzz-testcase-minimized-5212314171080704 Fixes the existence of a potentially invalid pointer intermediate Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527f89e05922e840083ac6d49eeb838b1e350dd4) Signed-off-by: Michael Niedermayer
---
 libavcodec/aacps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index ccc79ffc1d..48b595adbd 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
 h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width);
 }
 ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd](
- l[k] + start + 1, r[k] + start + 1,
+ l[k] + 1 + start, r[k] + 1 + start,
 h, h_step, stop - start);
 }
 }
From 9b33462dc4e4b7c094874298515ca61826e23309 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 13:02:22 +0200 Subject: [PATCH 179/818] avcodec/pixlet: Fix shift exponent 4294967268 is too large for 32-bit type 'int' Fixes: 1336/clusterfuzz-testcase-minimized-4761381930795008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5b6c7e1ee604b1525b3ab84ea6e8817fe66f36) Signed-off-by: Michael Niedermayer
---
 libavcodec/pixlet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c
index 3de802fea9..05262648ae 100644
--- a/libavcodec/pixlet.c
+++ b/libavcodec/pixlet.c
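Review bot: Reordering `l[k] + start + 1` to `l[k] + 1 + start` looks like a no-op to a reader, because the whole point is that `l[k] + start` momentarily points before the array when start is -1, and forming that intermediate pointer is undefined behavior even though it is never dereferenced. Without a comment the next cleanup will swap it back; `/* keep the "+ 1" first: start can be -1 and l[k] + start would be an out-of-bounds intermediate pointer */` on the changed line is enough. That start can be -1 is inferred from the commit message, not visible in the hunk. stereo_processing begins and ends outside the hunk.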
@@ -154,7 +154,7 @@ static int read_low_coeffs(AVCodecContext *avctx, int16_t *dst, int size, int wi state = 120 * (escape + flag) + state - (120 * state >> 8); flag = 0; - if (state * 4 > 0xFF || i >= size) + if (state * 4ULL > 0xFF || i >= size) continue; nbits = ((state + 8) >> 5) + (state ? ff_clz(state) : 32) - 24; @@ -260,7 +260,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i flag = 0; - if (state * 4 > 0xFF || i >= size) + if (state * 4ULL > 0xFF || i >= size) continue; pfx = ((state + 8) >> 5) + (state ? ff_clz(state): 32) - 24; From ff1f181178fff32eb96b80dce2d0f6e22b3dbaec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Wed, 5 Apr 2017 18:38:33 +0200 Subject: [PATCH 180/818] doc/general: fix project name after 2b1a6b1ae (cherry picked from commit d8eb40bd70c9c6326f51ce4afe29c3d4485388b2) Signed-off-by: Michael Niedermayer --- doc/general.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/general.texi b/doc/general.texi index b4897629c9..712eda2437 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -188,7 +188,7 @@ For Linux and OS X, the supported AviSynth variant is @float NOTE There is currently a regression in AviSynth+'s @code{capi.h} header as of -October 2016, which interferes with the ability for builds of Libav to use +October 2016, which interferes with the ability for builds of FFmpeg to use MSVC-built binaries of AviSynth. Until this is resolved, you can make sure a known good version is installed by checking out a version from before the regression occurred: From c1c50650df6cef69c392ad0d544c30e571e24214 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 17:57:14 +0200 Subject: [PATCH 181/818] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Changelog b/Changelog index 54e4854c6e..9403f12ca1 100644 --- a/Changelog +++ b/Changelog 
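Review bot: The same guard `if (state * 4ULL > 0xFF || i >= size)` now appears twice, in read_low_coeffs and read_high_coeffs, and in both the meaning is obscure: the comparison is really "state > 63", and the `4ULL` exists so a large `state` cannot overflow int before the test. A shared comment, `/* state > 63 cannot yield a valid bit count below; compare in 64 bits so the multiply cannot overflow */`, or one small `static inline` helper used by both sites, would keep the two in sync. If `state` is signed and negative, the conversion to unsigned long long makes it huge and the `continue` is taken, which may or may not be intended — its type is outside the hunk. Both functions begin and end outside their hunks.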
@@ -119,6 +119,23 @@ version 3.3.1: - avformat/concatdec: fix the h264 annexb extradata check - avcodec/dnxhd_parser: fix parsing interlaced video, simplify code - ffmpeg; check return code of avcodec_send_frame when flushing encoders +- avcodec/g723_1dec: Fix LCG type +- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/pixlet: Fixes: runtime error: signed integer overflow: 9203954323419769657 + 29897660706736950 cannot be represented in type 'long' +- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' +- avcodec/rscc: Check pixel_size for overflow +- avcodec/fmvc: Check nb_blocks +- avcodec/cllc: Check prefix +- avcodec/webp: Factor update_canvas_size() out +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/snowdec: Check width +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/aacps: Fix undefined behavior +- avcodec/pixlet: Fix shift exponent 4294967268 is too large for 32-bit type 'int' +- doc/general: fix project name after 2b1a6b1ae version 3.3: From 19fea7d703b0a7e02860df5fc2e94b826059d64d Mon Sep 17 00:00:00 2001 
From: Aaron Levinson Date: Tue, 16 May 2017 05:04:36 -0700 Subject: [PATCH 182/818] avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects Add dxva2_pool_release_dummy() and use it in call to av_buffer_create() in dxva2_pool_alloc(). Prior to this change, av_buffer_create() was called with NULL for the third argument, which indicates that av_buffer_default_free() should be used to free the buffer's data. Eventually, it gets to buffer_pool_free() and calls buf->free() on a surface object (which is av_buffer_default_free()). This can result in a crash when the debug version of the C-runtime is used on Windows. While it doesn't appear to result in a crash when the release version of the C-runtime is used on Windows, it likely results in memory corruption, since av_free() is being called on memory that was allocated using IDirectXVideoAccelerationService::CreateSurface(). Signed-off-by: Aaron Levinson Reviewed-by: wm4 Reviewed-by: Steven Liu Reviewed-by: Mark Thompson (cherry picked from commit 0c1c514643d5e1645160d697fa4c27cd38c7c791) --- libavutil/hwcontext_dxva2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 4ed0d56aea..6c41788e2e 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -121,6 +121,13 @@ static void dxva2_frames_uninit(AVHWFramesContext *ctx) } } +static void dxva2_pool_release_dummy(void *opaque, uint8_t *data) +{ + // important not to free anything here--data is a surface object + // associated with the call to CreateSurface(), and these surfaces are + // released in dxva2_frames_uninit() +} + static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) { AVHWFramesContext *ctx = (AVHWFramesContext*)opaque; 
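Review bot: `dxva2_pool_release_dummy` is right to do nothing, but its comment explains only the negative; a reader of the `av_buffer_create` call in the second hunk still has to discover that the buffer never owned its data. A Doxygen header would settle it: `/** AVBuffer free callback for pool surfaces. Intentionally empty: data is an IDirect3DSurface9 pointer from CreateSurface(), owned and released by dxva2_frames_uninit(). */`. Both parameters are unused, which is fine for a callback but will show up under -Wunused-parameter in builds that enable it. dxva2_pool_alloc starts at the end of this hunk and continues into the next one.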
@@ -130,7 +137,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), NULL, 0, 0); + sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 7fae0ea21daa6d8e391cbffb08f66c0b4509ddd6 Mon Sep 17 00:00:00 2001 From: Muhammad Faiz Date: Thu, 18 May 2017 20:10:47 +0700 Subject: [PATCH 183/818] avfilter: take_samples: do not directly return frame when samples are skipped Modifying data pointer when skipping samples may make it unaligned. Workaround for Ticket6349. This should fix the crash of ticket's testcase and a crash/regression with avxsynth (reported by Michael Niedermayer). Also change frame->nb_samples < max to frame->nb_samples <= max. This improves performance. Benchmark: ./ffmpeg -filter_complex "aevalsrc=0:n=1166,firequalizer=fixed=on" -f null null old: 25767 decicycles in take_samples, 1023 runs, 1 skips 25422 decicycles in take_samples, 2047 runs, 1 skips 25181 decicycles in take_samples, 4095 runs, 1 skips 24904 decicycles in take_samples, 8191 runs, 1 skips new: 550 decicycles in take_samples, 1024 runs, 0 skips 548 decicycles in take_samples, 2048 runs, 0 skips 545 decicycles in take_samples, 4096 runs, 0 skips 544 decicycles in take_samples, 8192 runs, 0 skips Reviewed-by: Nicolas George Reviewed-by: Michael Niedermayer Reviewed-by: Paul B Mahol Signed-off-by: Muhammad Faiz (cherry picked from commit fc3a03fcf9cd7eafe7342e2508e6128888efa0bb) --- libavfilter/avfilter.c | 8 +++++++- libavfilter/framequeue.c | 2 ++ libavfilter/framequeue.h | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index ecfb872ed8..7d306a5c33 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c 
@@ -1191,7 +1191,7 @@ static int take_samples(AVFilterLink *link, unsigned min, unsigned max, called with enough samples. */ av_assert1(samples_ready(link, link->min_samples)); frame0 = frame = ff_framequeue_peek(&link->fifo, 0); - if (frame->nb_samples >= min && frame->nb_samples < max) { + if (!link->fifo.samples_skipped && frame->nb_samples >= min && frame->nb_samples <= max) { *rframe = ff_framequeue_take(&link->fifo); return 0; } @@ -1522,6 +1522,12 @@ int ff_inlink_consume_frame(AVFilterLink *link, AVFrame **rframe) *rframe = NULL; if (!ff_inlink_check_available_frame(link)) return 0; + + if (link->fifo.samples_skipped) { + frame = ff_framequeue_peek(&link->fifo, 0); + return ff_inlink_consume_samples(link, frame->nb_samples, frame->nb_samples, rframe); + } + frame = ff_framequeue_take(&link->fifo); consume_update(link, frame); *rframe = frame; diff --git a/libavfilter/framequeue.c b/libavfilter/framequeue.c index 26bfa49967..fed1118975 100644 --- a/libavfilter/framequeue.c +++ b/libavfilter/framequeue.c @@ -107,6 +107,7 @@ AVFrame *ff_framequeue_take(FFFrameQueue *fq) fq->tail &= fq->allocated - 1; fq->total_frames_tail++; fq->total_samples_tail += b->frame->nb_samples; + fq->samples_skipped = 0; check_consistency(fq); return b->frame; } @@ -146,5 +147,6 @@ void ff_framequeue_skip_samples(FFFrameQueue *fq, size_t samples, AVRational tim for (i = 0; i < planes && i < AV_NUM_DATA_POINTERS; i++) b->frame->data[i] = b->frame->extended_data[i]; fq->total_samples_tail += samples; + fq->samples_skipped = 1; ff_framequeue_update_peeked(fq, 0); } diff --git a/libavfilter/framequeue.h b/libavfilter/framequeue.h index 5aa2c725a7..c49d872e85 100644 --- a/libavfilter/framequeue.h +++ b/libavfilter/framequeue.h @@ -100,6 +100,11 @@ typedef struct FFFrameQueue { */ uint64_t total_samples_tail; + /** + * Indicate that samples are skipped + */ + int samples_skipped; + } FFFrameQueue; /** From 8640339dbbb50a4031b71d092dad29fa036f4266 Mon Sep 17 00:00:00 2001 
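Review bot: The new `samples_skipped` field in framequeue.h is documented as `Indicate that samples are skipped`, which does not tell a consumer what it must do about it; the behavior is spread across the hunks in avfilter.c and framequeue.c. Suggest `/** Set by ff_framequeue_skip_samples() once the head frame's data pointers have been advanced (and may no longer be aligned); cleared by ff_framequeue_take(). While set, the head frame must be copied rather than handed out directly. */`, which is what the take_samples and ff_inlink_consume_frame changes enforce. The alignment concern comes from the commit message, not the code; take_samples and ff_inlink_consume_frame both begin and end outside their hunks.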
From: Hendrik Leppkes Date: Mon, 22 May 2017 12:00:23 +0200 Subject: [PATCH 184/818] Use AVOnce as a static variable consistently Using AVOnce as a stack variable makes no sense as the state is lost when the function exits. This fixes repeated calls to av(filter/device)_register_all
---
 libavdevice/alldevices.c | 2 +-
 libavfilter/allfilters.c | 2 +-
 libavformat/allformats.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavdevice/alldevices.c b/libavdevice/alldevices.c
index 280a260bd3..a8ed53ae5d 100644
--- a/libavdevice/alldevices.c
+++ b/libavdevice/alldevices.c
@@ -73,7 +73,7 @@ static void register_all(void)
 void avdevice_register_all(void)
 {
- AVOnce control = AV_ONCE_INIT;
+ static AVOnce control = AV_ONCE_INIT;
 ff_thread_once(&control, register_all);
 }
diff --git a/libavfilter/allfilters.c b/libavfilter/allfilters.c
index ec6ec048e8..ba0949943a 100644
--- a/libavfilter/allfilters.c
+++ b/libavfilter/allfilters.c
@@ -381,7 +381,7 @@ static void register_all(void)
 void avfilter_register_all(void)
 {
- AVOnce control = AV_ONCE_INIT;
+ static AVOnce control = AV_ONCE_INIT;
 ff_thread_once(&control, register_all);
 }
diff --git a/libavformat/allformats.c b/libavformat/allformats.c
index 09e62c3cfc..3e014c6063 100644
--- a/libavformat/allformats.c
+++ b/libavformat/allformats.c
@@ -384,7 +384,7 @@ static void register_all(void)
 void av_register_all(void)
 {
- AVOnce control = AV_ONCE_INIT;
+ static AVOnce control = AV_ONCE_INIT;
 ff_thread_once(&control, register_all);
 }
From 3bc5e427e4da0e22fd1434123cd19bf007fb4cf4 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 23 May 2017 11:24:40 +0200 Subject: [PATCH 185/818] avcodec/nvenc: remove unnecessary alignment Fixes #6260
---
 libavcodec/nvenc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c
index cf054550c1..00541f4c49 100644
--- a/libavcodec/nvenc.c
+++ b/libavcodec/nvenc.c
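Review bot: The three one-line fixes are identical and the reason — an automatic `AVOnce` is re-initialised on every call, so the once-guard never held across calls — is not stated in the code. A comment on each `static AVOnce control = AV_ONCE_INIT;` line, `/* must be static: the once-state has to persist across calls */`, would stop the `static` being dropped again; the alldevices.c, allfilters.c and allformats.c hunks all share this note.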
@@ -1106,8 +1106,8 @@ static av_cold int nvenc_alloc_surface(AVCodecContext *avctx, int idx)
 }
 allocSurf.version = NV_ENC_CREATE_INPUT_BUFFER_VER;
- allocSurf.width = (avctx->width + 31) & ~31;
- allocSurf.height = (avctx->height + 31) & ~31;
+ allocSurf.width = avctx->width;
+ allocSurf.height = avctx->height;
 allocSurf.memoryHeap = NV_ENC_MEMORY_HEAP_SYSMEM_CACHED;
 allocSurf.bufferFmt = ctx->surfaces[idx].format;
@@ -1718,8 +1718,8 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 pic_params.inputBuffer = inSurf->input_surface;
 pic_params.bufferFmt = inSurf->format;
- pic_params.inputWidth = avctx->width;
- pic_params.inputHeight = avctx->height;
+ pic_params.inputWidth = inSurf->width;
+ pic_params.inputHeight = inSurf->height;
 pic_params.inputPitch = inSurf->pitch;
 pic_params.outputBitstream = inSurf->output_surface;
From 2fb25e2dd6ff6bf7803fd2ebc2716ffc540bd19a Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Sun, 21 May 2017 16:48:30 +0200 Subject: [PATCH 186/818] lavc/mediacodec_wrapper: fix local reference leaks
---
 libavcodec/mediacodec_wrapper.c | 41 ++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c
index 43fbb511fd..5e1beed43a 100644
--- a/libavcodec/mediacodec_wrapper.c
+++ b/libavcodec/mediacodec_wrapper.c
@@ -608,6 +608,7 @@ FFAMediaFormat *ff_AMediaFormat_new(void)
 {
 JNIEnv *env = NULL;
 FFAMediaFormat *format = NULL;
+ jobject object = NULL;
 format = av_mallocz(sizeof(FFAMediaFormat));
 if (!format) {
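Review bot: The second hunk switches `pic_params.inputWidth`/`inputHeight` to `inSurf->width`/`inSurf->height`, but the first hunk, which stops padding `allocSurf.width`/`height`, does not show those values being stored into `ctx->surfaces[idx]`; if that happens elsewhere (outside the hunk) the change is fine, otherwise the encoder would submit a zero-sized input. Worth confirming in nvenc_alloc_surface that `ctx->surfaces[idx].width = allocSurf.width;` and the height counterpart exist, and a comment at the second hunk, `/* use the surface's own dimensions, which now equal avctx's unpadded size */`, ties the two hunks together. Both functions begin and end outside their hunks.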
@@ -625,23 +626,27 @@ FFAMediaFormat *ff_AMediaFormat_new(void) goto fail; } - format->object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id); + object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id); + if (!object) { + goto fail; + } + + format->object = (*env)->NewGlobalRef(env, object); if (!format->object) { goto fail; } - format->object = (*env)->NewGlobalRef(env, format->object); +fail: + if (object) { + (*env)->DeleteLocalRef(env, object); + } + if (!format->object) { - goto fail; + ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format); + av_freep(&format); } return format; -fail: - ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format); - - av_freep(&format); - - return NULL; } static FFAMediaFormat *ff_AMediaFormat_newFromObject(void *object) @@ -1562,6 +1567,7 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t JNIEnv *env = NULL; jobject buffer = NULL; + jobject input_buffers = NULL; JNI_GET_ENV_OR_RETURN(env, codec, NULL); @@ -1572,12 +1578,12 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t } } else { if (!codec->input_buffers) { - codec->input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id); + input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } - codec->input_buffers = (*env)->NewGlobalRef(env, codec->input_buffers); + codec->input_buffers = (*env)->NewGlobalRef(env, input_buffers); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } @@ -1596,6 +1602,10 @@ fail: (*env)->DeleteLocalRef(env, buffer); } + if (input_buffers) { + (*env)->DeleteLocalRef(env, input_buffers); + } + return ret; } 
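Review bot: In `ff_AMediaFormat_new` the success path now falls through into the `fail:` label and the failure case is recognised only by `format->object` being NULL; that works, but a label named `fail` that every path reaches is misleading. A comment at the label, `/* both paths land here: drop the local ref, then tear down only if the global ref was not created */`, or renaming it (e.g. `out`) would help. In `ff_AMediaCodec_getInputBuffer` (later hunks on this line) `input_buffers` goes straight from `CallObjectMethod` to `NewGlobalRef` with only the exception check in between, unlike the `if (!object) goto fail;` guard added here; a NULL return with no pending exception yields a NULL global ref, and whether that is caught is outside the hunk. The output-buffer hunks on the next line have the same shape; ff_AMediaFormat_new starts before the first hunk.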
@@ -1605,6 +1615,7 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t JNIEnv *env = NULL; jobject buffer = NULL; + jobject output_buffers = NULL; JNI_GET_ENV_OR_RETURN(env, codec, NULL); @@ -1615,12 +1626,12 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t } } else { if (!codec->output_buffers) { - codec->output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id); + output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } - codec->output_buffers = (*env)->NewGlobalRef(env, codec->output_buffers); + codec->output_buffers = (*env)->NewGlobalRef(env, output_buffers); if (ff_jni_exception_check(env, 1, codec) < 0) { goto fail; } @@ -1639,6 +1650,10 @@ fail: (*env)->DeleteLocalRef(env, buffer); } + if (output_buffers) { + (*env)->DeleteLocalRef(env, output_buffers); + } + return ret; } From cbae648eb8b2789eeb624959e8451967ea9e263a Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Sun, 21 May 2017 17:48:05 +0200 Subject: [PATCH 187/818] lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack --- libavcodec/mediacodec_wrapper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index 5e1beed43a..4a37cd7cd7 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -66,7 +66,7 @@ struct JNIAMediaCodecListFields { jfieldID hevc_profile_main10_id; jfieldID hevc_profile_main10_hdr10_id; -} JNIAMediaCodecListFields; +}; static const struct FFJniField jni_amediacodeclist_mapping[] = { { "android/media/MediaCodecList", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecListFields, mediacodec_list_class), 1 }, 
@@ -125,7 +125,7 @@ struct JNIAMediaFormatFields { jmethodID to_string_id; -} JNIAMediaFormatFields; +}; static const struct FFJniField jni_amediaformat_mapping[] = { { "android/media/MediaFormat", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaFormatFields, mediaformat_class), 1 }, @@ -210,7 +210,7 @@ struct JNIAMediaCodecFields { jfieldID presentation_time_us_id; jfieldID size_id; -} JNIAMediaCodecFields; +}; static const struct FFJniField jni_amediacodec_mapping[] = { { "android/media/MediaCodec", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecFields, mediacodec_class), 1 }, From 3e38bf95c53714f5b5d8c5214481073aedf7d11d Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Sun, 21 May 2017 17:44:12 +0200 Subject: [PATCH 188/818] lavc/ffjni: add missing '\n' --- libavcodec/ffjni.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffjni.c b/libavcodec/ffjni.c index b2bcae9602..f5b581f0f6 100644 --- a/libavcodec/ffjni.c +++ b/libavcodec/ffjni.c @@ -85,7 +85,7 @@ JNIEnv *ff_jni_get_env(void *log_ctx) av_log(log_ctx, AV_LOG_ERROR, "The specified JNI version is not supported\n"); break; default: - av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread"); + av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread\n"); break; } From 6ee4b20f4ae3e726868d3efa038ed3103f69d2a2 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Thu, 11 May 2017 15:16:22 +0200 Subject: [PATCH 189/818] lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out Some samples have their metadata track time_scale incorrectly set to 0 and the check introduced by a398f054fdb9b0f0b5a91c231fba6ce014143f71 prevents playback of those samples. Setting the time_scale to 1 fixes playback. --- libavformat/mov.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f2296f8917..036693a652 100644 --- a/libavformat/mov.c 
+++ b/libavformat/mov.c @@ -1232,8 +1232,8 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->time_scale = avio_rb32(pb); if (sc->time_scale <= 0) { - av_log(c->fc, AV_LOG_ERROR, "Invalid mdhd time scale %d\n", sc->time_scale); - return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_ERROR, "Invalid mdhd time scale %d, defaulting to 1\n", sc->time_scale); + sc->time_scale = 1; } st->duration = (version == 1) ? avio_rb64(pb) : avio_rb32(pb); /* duration */ @@ -1262,8 +1262,8 @@ static int mov_read_mvhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) mov_metadata_creation_time(&c->fc->metadata, creation_time); c->time_scale = avio_rb32(pb); /* time scale */ if (c->time_scale <= 0) { - av_log(c->fc, AV_LOG_ERROR, "Invalid mvhd time scale %d\n", c->time_scale); - return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_ERROR, "Invalid mvhd time scale %d, defaulting to 1\n", c->time_scale); + c->time_scale = 1; } av_log(c->fc, AV_LOG_TRACE, "time scale = %i\n", c->time_scale); From 1cbeb16187c87655e1affaae075a9646aeb465e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 31 May 2017 12:53:32 +0300 Subject: [PATCH 190/818] configure: Fix the msvcrt version check for mingw32 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was actually broken when committed in 46e3936fb04; the test never succeeded, and thus, _aligned_malloc wasn't actually used on legacy mingw. Signed-off-by: Martin Storsjö (cherry picked from commit 427f7a1f9ec1977bcb57cb4d6e6f7228dc1e858b) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9b5789ab83..23823e3b70 100755 --- a/configure +++ b/configure 
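Review bot: Both hunks keep logging at AV_LOG_ERROR although the condition is now recovered from rather than fatal, so a file that plays fine will still print an error line; AV_LOG_WARNING fits a "defaulting to 1" message better, e.g. `av_log(c->fc, AV_LOG_WARNING, "Invalid mdhd time scale %d, defaulting to 1\n", sc->time_scale);`. A one-line comment on the fallback would also help, since 1 is presumably chosen only to keep later arithmetic on the time scale well-defined, not because it is a plausible value. Both mov_read_mdhd and mov_read_mvhd extend beyond the hunks.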
@@ -5067,7 +5067,7 @@ probe_libc(){ add_${pfx}cppflags -U__STRICT_ANSI__ -D__USE_MINGW_ANSI_STDIO=1 check_${pfx}cpp_condition _mingw.h "defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0502" || add_${pfx}cppflags -D_WIN32_WINNT=0x0502 - check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700__" && + check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700" && add_${pfx}cppflags -D__MSVCRT_VERSION__=0x0700 eval test \$${pfx_no_}cc_type = "gcc" && add_${pfx}cppflags -D__printf__=__gnu_printf__ From 75697b500c3ecfe02f7565673da0ce154868d979 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:19:06 +0200 Subject: [PATCH 191/818] avcodec/tiff: reset sampling[] if its invalid Fixes divission by 0 Fixes: clusterfuzz-testcase-minimized-5592896440893440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f08122fbe039a56ab3c24f74636b4b0efea97d85) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 3aaf63338d..9b9d37bb83 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1033,6 +1033,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } From b147ded288ead7b4f22de4add3b8912ae54b406f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:21:20 +0200 Subject: [PATCH 192/818] avcodec/svq3: Fix runtime error: left shift of negative value -6 Fixes: 1604/clusterfuzz-testcase-minimized-5312060206350336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
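Review bot: The new `s->subsampling[i] = 1;` immediately before `return AVERROR_INVALIDDATA;` reads as dead code to anyone who does not know that the TiffContext outlives this call, so it needs a comment saying why a rejected tag must not leave the value behind; judging by the commit message the stale value is later used as a divisor, e.g. `/* reset: the context is reused and subsampling[] is later used as a divisor */`. Only the offending element is reset, which is fine as long as the earlier elements passed the same check in this loop. tiff_decode_tag starts and ends outside the hunk.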
Signed-off-by: Michael Niedermayer (cherry picked from commit a6eb006ad47beb6d5e5cc2c99f8185965209ec6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 4814b80c3a..a766fa49ad 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -524,8 +524,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * s->frame_num_offset / From 72e5ccfe3783db37131de3ec4606ba512f98cd97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 03:04:26 +0200 Subject: [PATCH 193/818] avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' Fixes: 1616/clusterfuzz-testcase-minimized-5119196578971648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea6bc2a166edac37042f2bbc28eb603a0fbeccb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 57694cb892..e1824384c5 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -180,7 +180,7 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; hi += (hi * 32) + (hi * 1024); - return (lo + (hi * (1 << 16))) * 2; + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) 
@@ -190,7 +190,7 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) b = cdt[p2]; r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo * (1 << 16))) * 2; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN From 21d50c185db03349282bc718f8aa4b7bb3d355a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 02:22:37 +0200 Subject: [PATCH 194/818] avcodec/scpr: mask bits to prevent out of array read Fixes: 1615/clusterfuzz-testcase-minimized-6625214647500800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5666b95c9f27efa6f9b1e1bb6c592b9a8d78bca5) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 286fffbf35..b4cc7df07f 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -488,7 +488,7 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize) if (avctx->bits_per_coded_sample == 16) { cx1 = (clr & 0x3F00) >> 2; - cx = (clr & 0xFFFFFF) >> 16; + cx = (clr & 0x3FFFFF) >> 16; } else { cx1 = (clr & 0xFC00) >> 4; cx = (clr & 0xFFFFFF) >> 18; @@ -726,7 +726,7 @@ static int decompress_p(AVCodecContext *avctx, if (avctx->bits_per_coded_sample == 16) { cx1 = (clr & 0x3F00) >> 2; - cx = (clr & 0xFFFFFF) >> 16; + cx = (clr & 0x3FFFFF) >> 16; } else { cx1 = (clr & 0xFC00) >> 4; cx = (clr & 0xFFFFFF) >> 18; From b7b28b6aadd43f0feea81f09272e6b4e0f2a0ca1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 23:44:24 +0200 Subject: [PATCH 195/818] avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' Fixes: 1626/clusterfuzz-testcase-minimized-6416580571299840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
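Review bot: With `1U << 16` the whole return expression of make_cdt15_entry becomes unsigned and is converted back to `int` implicitly on return, which is implementation-defined for values above INT_MAX rather than UB; the hq_hqa change later in this series spells the same intent with an explicit `(int)` cast, and doing so here, `return (int)((lo + (lo * (1U << 16))) * 2);`, documents that wrap-around is intended. The same applies to the make_ydt15_entry hunk just above.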
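Review bot: The corrected mask is applied in two identical copies, in decompress_i and decompress_p, and a future fix to one of them will have to be remembered in the other; the `cx1`/`cx` extraction for both bit depths is a good candidate for a small `static inline` helper called from both sites. Either way the new `0x3FFFFF` deserves a comment stating the bound it enforces on `cx` (6 bits after the `>> 16`), since the value looks arbitrary next to the `0xFFFFFF` still used in the 24-bit branch. Both functions start and end outside the hunks.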
Signed-off-by: Michael Niedermayer (cherry picked from commit 3d9cb583c8f005a260d255853ef5f1c21e8599a0) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 80dc6b5d40..f88ad7d5f5 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -83,7 +83,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], pos += ff_hq_ac_skips[val]; if (pos >= 64) break; - block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12; + block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12; pos++; } From f34dc82d566cf0789c47fa3c86535e86cf926b8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:44:36 +0200 Subject: [PATCH 196/818] avcodec/takdec: Fix runtime error: left shift of negative value -42 Fixes: 1635/clusterfuzz-testcase-minimized-4992749856096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99c4c76cfbc4ae56dc8c37f5fab02f88f6b2cb48) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 42939b4058..31d703135a 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -904,7 +904,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1 << 8; } break; } From 6e788fadaee94353f8f24bc3acc0af2a8a9dbffe Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 17 May 2017 00:53:32 +0200 Subject: [PATCH 197/818] avcodec/mlpdec: Fix runtime error: left shift of negative value -1 Fixes: 1636/clusterfuzz-testcase-minimized-5310494757879808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 552adf1dd3a38fb7a1a6109dd2b517d63290f20e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index fa4347fb23..eaf1aa7c75 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } From 6ebb9e7b7765d699692ba18c2b0ef1ff1ce6dbf4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 01:12:55 +0200 Subject: [PATCH 198/818] avcodec/flicvideo: Check frame_size before decrementing Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int' Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 355e27e24dc88d6ba8f27501a34925d9d937a399) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index b1b7b5a42f..46fd21d2b1 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c 
@@ -199,6 +199,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -519,6 +522,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ @@ -804,6 +809,8 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ From fedd8b65077d8f78de22c56fb5c408271af7c7a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 02:17:13 +0200 Subject: [PATCH 199/818] avcodec/fmvc: Fix off by 1 error Fixes: out of array access Fixes: 1643/clusterfuzz-testcase-minimized-6117573403869184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e11dcc35bb4dbacd87378465b4cafa6a604e8b87) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index ff5f291da6..2368e95f29 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx, int size, offset, start = 0; offset = bytestream2_get_le16(gb); - if (offset > s->nb_blocks) + if (offset >= s->nb_blocks) return AVERROR_INVALIDDATA; size = bytestream2_get_le16(gb); From 41867021840d9cef86a3e1cd1da31f059ad9c34e Mon Sep 17 00:00:00 2001 
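Review bot: The `frame_size < 16` guard is copied into three decoders with a bare magic number; 16 is presumably the FLIC frame-header size whose tail (chunk count plus 8 padding bytes) is consumed just above in the 8BPP hunk, so a named constant plus a comment, e.g. `/* frame header: size(4) + magic(2) + num_chunks(2) + 8 padding */`, would make the check self-explaining. Unlike the 15/16BPP and 24BPP hunks, the 8BPP hunk shows no `if (frame_size > buf_size) frame_size = buf_size;` clamp in its context; if that clamp is not present above the hunk, a `frame_size` larger than the packet still reaches the chunk loop there. All three functions extend beyond their hunks.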
From: Michael Niedermayer Date: Wed, 17 May 2017 15:51:46 +0200 Subject: [PATCH 200/818] avcodec/aacdec_template: Fix fixed point scale in decode_cce() Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int' Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53a502206a9ea698926694d7252526fe00d1ea44) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index b20855b99d..978df68c42 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2181,7 +2181,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1); sign = get_bits(gb, 1); - scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)]; +#if USE_FIXED + scale = get_bits(gb, 2); +#else + scale = cce_scale[get_bits(gb, 2)]; +#endif if ((ret = decode_ics(ac, sce, gb, 0, 0))) return ret; From 72e5607c8758639aa2d63b16e502a23134acbaff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 16:45:46 +0200 Subject: [PATCH 201/818] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 726ea03dc4..f3656c056a 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
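Review bot: In the `USE_FIXED` branch `scale` now carries the raw 2-bit field instead of a table value, so its meaning differs between the two builds and the consumer of `scale` (outside the hunk) has to agree; a comment at the `#if` should say so, e.g. `/* fixed point: scale is the raw 2-bit index, not a gain -- see its use below */`, since nothing at this site otherwise explains why the fixed-point path skips the table. decode_cce continues beyond the hunk.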
@@ -431,6 +431,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -460,7 +462,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { From b6c0ad571f609cb95b7d495d1e9a469d27e02acb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 01:54:43 +0200 Subject: [PATCH 202/818] avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58ac7fb9c395ab91cb321fa4c8c9e127ce8147c3) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 3ea12f0511..8067ac94e5 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; 
From 686eb3b1ed5b91fdedc0f11d8f19bf0b21505788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 02:07:17 +0200 Subject: [PATCH 203/818] avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25c81e4b737bcc737b13c9a752cb301a28cb3906) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eaf1aa7c75..5426712007 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) From fc7c37906077a703aaa46b718e3018900abcd751 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 16:51:08 +0200 Subject: [PATCH 204/818] avcodec/pixlet: Fix reading invalid numbers of bits Fixes: asertion failure Fixes: 1664/clusterfuzz-testcase-minimized-6587801187385344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d32ebce8fd79bb859ba4a04c92470a052f2aafa6) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 05262648ae..0dfd5edbf7 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c 
@@ -229,6 +229,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i cnt1 = get_bits(b, nbits); } else { pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); + if (pfx < 1 || pfx > 25) + return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(b, pfx); if (shbits <= 1) { From f254c7ea1397f157c8035748a646edf8f5818625 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:13:18 +0200 Subject: [PATCH 205/818] avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a173f484b52ed63292439de5347e49bd78cad0ed) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 3805f70722..f19b5d4974 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
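Review bot: The upper half of the new guard, `pfx > 25`, looks unreachable: if `value` is an `int`, the branch-free expression on the line above evaluates to `value` when `value < 14` and to 14 otherwise, i.e. `FFMIN(value, 14)`, so only `pfx < 1` (a non-positive `value`) can ever fire. Replacing the bit trick with `pfx = FFMIN(value, 14);` and the guard with `if (pfx < 1) return AVERROR_INVALIDDATA;` would state the real condition and keep `1 << pfx` and `show_bits(b, pfx)` obviously in range; if `value` is wider than `int` the analysis changes and a comment should say which. read_high_coeffs continues outside the hunk.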
@@ -89,22 +89,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; - const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); + const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t 
*block) From e46bc3052dc1286c5430a35f2259a09812d8ad7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:46:56 +0200 Subject: [PATCH 206/818] avcodec/mimic: Use ff_set_dimensions() to set the dimensions Fixes: OOM Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e434840fd4b3c854beec845f950b80bc1bf93b60) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 61ce1ce584..70565af199 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i); From f3b6ea14081a696d6ece566c403ae55d8109ddb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 May 2017 12:25:52 +0200 Subject: [PATCH 207/818] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' Fixes: 1681/clusterfuzz-testcase-minimized-5970545365483520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fb104f4476ad238e2ca768e9b80dc314e6e856d) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..480062dfcc 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c 
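Review bot: The `unsigned` promotion stops one level too late: `t4`, `t5`, `t6` and `t7` are still computed from `t2 + t0`, `t3 + t1`, `t2 - t0` and `t3 - t1` in signed `int` before the conversion, and with `t1`..`t3` each able to exceed 1.2e9 for full-range `int16_t` input (e.g. `6393 * 32767 + 32139 * 32767`), those sums and differences can still overflow INT_MAX — the same class of fuzzer-found overflow this commit fixes, assuming the dequantised block can carry such values. Declaring `t0`..`t3` `unsigned` as well closes it; the rounding shift must then be done on an `int` again so that negative sums keep their arithmetic shift, as the hunk already does for the outputs. `t0` is declared on the line just above the hunk, and fic_idct's callers are outside it.
```c
    /* t0 (declared on the line above the hunk) becomes `const unsigned` too */
    const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
    const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
    const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
    const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
    const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
    const unsigned t6 = t2 - t0;
    const unsigned t7 = t3 - t1;
    /* … unchanged: t8..tB and the eight blk[] stores … */
```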
@@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; From e605faaabcf8503166e5cb06a98cddbca46756a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 May 2017 01:23:01 +0200 Subject: [PATCH 208/818] avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]' Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4d102a070b95832ae4a751688f87da7760a2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 5426712007..eac19a0d5e 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,6 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); + s->num_primitive_matrices = 0; return AVERROR_INVALIDDATA; } 
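Review bot: The same three-way clamp (`shift >= 3` saturate, `shift <= -30` zero, else scale) now appears four times in sbr_hf_inverse_filter, once per alpha coefficient, and the new `-30` bound is a bare magic number in each copy; folding it into a small static helper taking the SoftFloat and returning the clamped `int` would leave one place to explain why exponents at or below -30 collapse to 0 (presumably because the subsequent shift would reach the 32-bit width). The four hunks each end inside the `else` branch, so the scaling part of the logic is not visible here.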
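Review bot: The new `s->num_primitive_matrices = 0;` directly before `return AVERROR_INVALIDDATA;` looks redundant unless one knows the value already lives in persistent substream state and indexes fixed-size arrays later (the commit message's `uint8_t [8]`); a comment such as `/* do not leave an out-of-range count in the context: it indexes 8-element arrays later */` would keep a future cleanup from removing it. read_matrix_params starts before and continues after the hunk, so the store of the bad value is not visible here.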
From 9c65a87bd48e861f97999489cd8114499ed676de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 00:06:10 +0200 Subject: [PATCH 209/818] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' Fixes part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6310fc714de3cd73848416ead73228fcef8b6dc0) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 480062dfcc..01f81afaaa 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -575,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + shift = 22 - in[m+1].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift; + } } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } } } indexnoise = (indexnoise + m_max) & 0x1ff; From f397613f059538feb2bd94558b5ada0c9b10f5e4 Mon Sep 17 00:00:00 2001 
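Review bot: The new `if (shift < 32)` guards only the large side of `shift = 22 - in[m].exp`; for `exp >= 22` `shift` is 0 or negative, and then `1 << (shift-1)` and `>> shift` are both undefined behaviour of exactly the kind this commit is fixing. Unless `exp` is bounded below 22 elsewhere (not visible here), the guard should be two-sided, `if (shift > 0 && shift < 32)`, with a short comment on what happens to the term when it is skipped, since all three copies simply drop it. The three identical blocks would also be cleaner as one static helper, and sbr_hf_assemble continues outside the hunk.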
From: Michael Niedermayer Date: Sun, 21 May 2017 01:43:04 +0200 Subject: [PATCH 210/818] avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 384508b2ff69bc3fad1e1c2e7de0dcd0913c6208) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..924da83c85 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2], static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { - int m, r; + int m; int64_t accu; for (m = 0; m < m_max; m++) { - r = 1 << (22-g_filt[m].exp); + int64_t r = 1LL << (22-g_filt[m].exp); accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); From a5875f8a1e55291dd0f3e450890fb0ae6bf8e39a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:42:12 +0200 Subject: [PATCH 211/818] avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d04fc94e1021b70e542dc01a48b8398c6fc6325) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 2fc453c1f0..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c 
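Review bot: `1LL << (22-g_filt[m].exp)` and the `>> (23-g_filt[m].exp)` on the following line are only defined for `exp` in a narrow window (`22 - exp` in 0..62 and `23 - exp` in 0..63), and nothing in the hunk bounds `g_filt[m].exp`; if that exponent can be derived from stream data without a clamp upstream, `exp > 22` yields a negative shift count, the same class of UB the commit addresses. A comment stating the assumed exponent range, or an explicit clamp like the `shift <= -30`/`shift >= 3` checks used in aacsbr_fixed.c, would settle it. sbr_hf_g_filt_c's second output line is outside the hunk.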
+++ b/libavcodec/mlpdsp.c @@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; int32_t sample = sample_buffer[i][mat_ch] * - (1 << output_shift[mat_ch]); + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From ff4f52590529b56a5a9338f97227adae5de219b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:46:55 +0200 Subject: [PATCH 212/818] avcodec/takdec: Fix runtime error: left shift of negative value -63 Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d66193252b4067144f11211f8f3e1d5a50146235) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 31d703135a..9a13b8efbe 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -862,7 +862,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1 << s->sample_shift[chan]; } } From f832d7361d0329024ae748a0b3b8f864fded3be4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:51:04 +0200 Subject: [PATCH 213/818] avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 Fixes: 1716/clusterfuzz-testcase-minimized-4691012196761600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3547dcbc326474745f02a618e01848a293f3f92) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
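Review bot: The context line two below the fix, `*data_32++ = sample << 8;`, left-shifts the same `int32_t` sample that can be negative, so the UB the commit removes from the multiplication by `1U << output_shift[mat_ch]` is still present on the output path; `*data_32++ = sample * (1U << 8);`, matching the line just changed, avoids it. ff_mlp_pack_output starts and ends outside the hunk.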
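Review bot: `decoded[i] *= 1 << s->sample_shift[chan];` removes the left shift of a negative value but the product is still evaluated in signed `int`, so if `sample_shift` can be large enough for the result to exceed 31 bits the overflow is merely moved to the multiplication; the mlpdsp change in this same series uses `1U << shift` for that reason, and `decoded[i] *= 1U << s->sample_shift[chan];` would be consistent with it. Whether `sample_shift[chan]` is bounded at parse time is not visible in the hunk, and tak_decode_frame continues outside it.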
diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index c12dc2fab7..0ea667e77b 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -45,7 +45,7 @@ typedef int AAC_SIGNE; #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30) From 3cfb01607144e4ae642d6d21dea1919195db0a13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:07:02 +0200 Subject: [PATCH 214/818] avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 955db411929a9876d3cd016fbbb9c49b6362feba) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 9a13b8efbe..85ef56644b 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -267,11 +267,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { From 0ea475942e751af3aa98021d226210104aeb8818 Mon Sep 17 00:00:00 2001 
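Review bot: The rewritten `GET_GAIN` still leaves `+ 1024` outside the outer parentheses, so `#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024` is not a single expression and a use such as `GET_GAIN(a, b) * k` or `-GET_GAIN(a, b)` binds wrongly; since the line is being touched anyway, `#define GET_GAIN(x, y) ((-(y) * (1 << (x))) + 1024)` is the safe form. `1 << (x)` is also still undefined for `x` of 31 or more, which may or may not be reachable from the call sites (not visible here).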
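Review bot: With `x` now unsigned, `x |= 1 << code.init;` still computes the shift in signed `int`, which is undefined when `code.init` is 31; `x |= 1U << code.init;` keeps the whole expression unsigned. Whether `code.init` can reach 31 depends on the `xcodes` table, which is outside this hunk, so this may be purely defensive. `unsigned scale` is compared against 9 and then, I assume, used as a shift count further down — the remainder of `decode_segment` is outside the hunk.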
From: Michael Niedermayer Date: Sun, 21 May 2017 13:22:16 +0200 Subject: [PATCH 215/818] avcodec/vmnc: Check location before use Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int' Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec2b76aab44f55be22eb12d86eb0dfd2eff68581) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index a756dab211..30b1414e49 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -381,6 +381,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -458,12 +464,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 
@@ -474,12 +474,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; From d11c686204b40921152fa6fd56e6b4b171ea39c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:12:21 +0200 Subject: [PATCH 216/818] avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int' Fixes: 1710/clusterfuzz-testcase-minimized-4837032931098624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit d4ee76780869c659a5d3b0815c56024ab260a81d) Signed-off-by: Michael Niedermayer --- libavcodec/vp9block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9block.c b/libavcodec/vp9block.c index ae2f0e4c6f..a16ccdccdb 100644 --- a/libavcodec/vp9block.c +++ b/libavcodec/vp9block.c @@ -915,9 +915,9 @@ skip_eob: if (!--band_left) band_left = band_counts[++band]; if (is_tx32x32) - STORE_COEF(coef, rc, ((vp8_rac_get(c) ? -val : val) * qmul[!!i]) / 2); + STORE_COEF(coef, rc, (int)((vp8_rac_get(c) ? -val : val) * (unsigned)qmul[!!i]) / 2); else - STORE_COEF(coef, rc, (vp8_rac_get(c) ? -val : val) * qmul[!!i]); + STORE_COEF(coef, rc, (vp8_rac_get(c) ? -val : val) * (unsigned)qmul[!!i]); nnz = (1 + cache[nb[i][0]] + cache[nb[i][1]]) >> 1; tp = p[band][nnz]; } while (++i < n_coeffs); From a7442f8d357d7a057c255fe9481fb1053b7a74bd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 21 May 2017 16:01:27 +0200 Subject: [PATCH 217/818] avcodec/mpeg4videodec: Check for multiple VOL headers Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int' Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904 Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976 Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efeb47fd5d5cbf980e52a6d5e741c3c74b94b5e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 54b7be10dd..1e22165c0b 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2566,6 +2566,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; + int vol = 0; /* search next start code */ align_get_bits(gb); @@ -2654,6 +2655,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } if (startcode >= 0x120 && startcode <= 0x12F) { + if (vol) { + av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); + return AVERROR_INVALIDDATA; + } + vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { From e73efe469112ade26f11f627053cbcec81fced0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 16:53:55 +0200 Subject: [PATCH 218/818] avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' Fixes: 1721/clusterfuzz-testcase-minimized-4719352135811072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
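Review bot: The new error message `av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");` has no trailing newline, unlike every other av_log in this series, so it runs into the next log line; it should be `"Multiple VOL headers\n"`. Using `vol++` as a boolean flag is also slightly odd — `vol = 1` says what is meant. A comment on the check, e.g. `/* a second VOL in one picture header would re-apply header state; reject it */`, would help, though the exact consequence is inferred from the commit message rather than visible here.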
Signed-off-by: Michael Niedermayer (cherry picked from commit b5228e44c7f3a5eba537c8a39a45cfbf2961a28d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1b5e8aa326..33f959070c 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -207,7 +207,11 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) c /= band_energy; s = 21 + nlz - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From 17a4e791bfe57686ad5df137173dc3f986ae252c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 21:49:54 +0200 Subject: [PATCH 219/818] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 40fa6a2fa2c255293a780a194eecae5df52644a1) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 11759071da..c2a0dc6233 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -738,7 +738,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, uint16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { From abd5277318c5776d522eff2601f0a4827bd0941c Mon Sep 17 00:00:00 2001 
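Review bot: Declaring `val` as `unsigned` makes the later multiplication wrap instead of overflow, but the sentinel comparison `if (val == 0xfffff)` now relies on `mjpeg_decode_dc` returning a non-negative `int`; if that helper can also return a negative error code, the unsigned conversion turns it into a large value that slips past this check. The helper and the rest of `decode_dc_progressive` are outside the hunk, so this needs confirming. A comment such as `/* unsigned: the DC value is presumably scaled by 1 << Al below and may wrap */` would explain the type choice to the next reader.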
From: Michael Niedermayer Date: Mon, 22 May 2017 01:19:50 +0200 Subject: [PATCH 220/818] avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fb00b3e858b7a5aeccfe6bdfc10290c2121c3ec) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index e8d1ee62c2..2768531dbf 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ 
@@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } From 6b839e9aa3364f3c6f109721e5a725f5a2e517c2 Mon Sep 17 00:00:00 2001 From: Max Justicz Date: Tue, 23 May 2017 11:22:35 +0200 Subject: [PATCH 221/818] avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe Fixes: fmvc-poc.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 3766aa7343c43521c8ad67aaec26e3c91f6d91c7) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 2368e95f29..74e9bdd8a0 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -596,8 +596,8 @@ static av_cold int decode_init(AVCodecContext *avctx) s->bpp = avctx->bits_per_coded_sample >> 3; s->buffer_size = avctx->width * avctx->height * 4; s->pbuffer_size = avctx->width * avctx->height * 4; - s->buffer = av_malloc(s->buffer_size); - s->pbuffer = av_malloc(s->pbuffer_size); + s->buffer = av_mallocz(s->buffer_size); + s->pbuffer = av_mallocz(s->pbuffer_size); if (!s->buffer || !s->pbuffer) return AVERROR(ENOMEM); From ba7ea7c4b1aa0f3c4b65db4f218c54a97d0f942f Mon Sep 17 00:00:00 2001 
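Review bot: Zeroing the buffers fixes the uninitialised read, but `s->buffer_size = avctx->width * avctx->height * 4;` in the same hunk is a plain `int` product, so an oversized dimension pair would wrap before being passed to `av_mallocz`. avcodec normally bounds width*height via av_image_check_size before a decoder's init runs, which would make this unreachable, but that is not visible here; `av_image_check_size(avctx->width, avctx->height, 0, avctx)` or a 64-bit product with an explicit INT_MAX check at this point would make the invariant local. `s->bpp = avctx->bits_per_coded_sample >> 3` is also derived without a visible range check.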
From: Michael Niedermayer Date: Tue, 23 May 2017 22:18:52 +0200 Subject: [PATCH 222/818] avcodec/jpeglsdec: Check get_bits_left() before decoding a picture Signed-off-by: Michael Niedermayer (cherry picked from commit 4bc3008d04451cd31818e21703ed7ed96b6ff074) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index c8550e47ea..64505321af 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -390,6 +390,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; From 861c05b286f2f4cf6c5a621977e3957bb6c30ad9 Mon Sep 17 00:00:00 2001 From: Max Justicz Date: Wed, 24 May 2017 15:25:50 +0200 Subject: [PATCH 223/818] avcodec/sanm: Fix uninitialized reference frames Fixes: poc.snm Signed-off-by: Michael Niedermayer (cherry picked from commit ca616b0f72c65b0ef5f9e1e6125698b15f50a26e) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index dab9e410c3..811fd2188e 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c 
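Review bot: The new guard `if (get_bits_left(&s->gb) < s->height)` is a heuristic — it assumes at least one bit per image row — and nothing in the hunk says so, so a reader will wonder why a pixel height is compared with a bit count. A comment such as `/* each row needs at least one bit; reject obviously truncated scans before allocating */` would document the intent. Whether `s->height` can be 0 or negative at this point is not visible here.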
@@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || From 38fd2a33b93c658765f7f1e64d594dc7cb6280de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 May 2017 19:40:42 +0200 Subject: [PATCH 224/818] avcodec/jpeg2000dec: Check tile offsets Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51af3..b320c41c3a 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -298,6 +298,14 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", + s->ncomponents); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { 
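Review bot: `av_fast_padded_mallocz` zeroes the whole buffer on every call, so if `init_buffers` runs more than once for a stream (for example on a size change) the previous reference frames are discarded rather than preserved; from this hunk alone I cannot tell whether that is intended, so a one-line comment stating that reference frames are deliberately reset here would help. The null checks for the allocations continue past the end of the hunk.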
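Review bot: The new check guarantees the tile offsets are non-negative and not past the image origin, but not that the first tile actually covers the image origin (`tile_offset + tile_size > image_offset`), which the codestream format requires; if later code subtracts or divides with these values it may need that bound as well — not visible here, and `tile_width`/`tile_height` are only validated against zero on the following line. The `av_log` call also passes `s->ncomponents` with a format string that has no conversion specifier, and that field is only assigned on the next line; `av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n");` is what is meant.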
From 80cebb992c2dcdb7d5d035e757116e2da7cc3ee7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 11:11:33 +0200 Subject: [PATCH 225/818] avcodec/jpeg2000dec: Fix copy and paste error Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 5782e0ba8cc30bb08a806cdeda1adfb89a0556b4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b320c41c3a..fca7740b5d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -301,8 +301,7 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || s->image_offset_y < s->tile_offset_y) { - av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", - s->ncomponents); + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From 190787a026308006f67a269da35d1850375c4746 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 16:35:40 +0200 Subject: [PATCH 226/818] avcodec/diracdec: Fix off by 1 error in quant check Fixes: out of array read Fixes: 1781/clusterfuzz-testcase-minimized-4617176877105152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b946bd8ef2c7aeee09469a4901182a44f9b67189) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 3573298ca1..39f062eb8e 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
@@ -823,7 +823,7 @@ static int decode_hq_slice(DiracContext *s, DiracSlice *slice, uint8_t *tmp_buf) skip_bits_long(gb, 8*s->highquality.prefix_bytes); quant_idx = get_bits(gb, 8); - if (quant_idx > DIRAC_MAX_QUANT_INDEX) { + if (quant_idx > DIRAC_MAX_QUANT_INDEX - 1) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quantization index - %i\n", quant_idx); return AVERROR_INVALIDDATA; } From a49743407bc6afcf982f10b01f19d2aa45b4320b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 20:07:49 +0200 Subject: [PATCH 227/818] avcodec/smc: Check remaining input Fixes: Timeout Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 89524219f8..79f9a757a0 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { From f85a71527a8b93fc59249cb6dccee999a3414fbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 23:01:27 +0200 Subject: [PATCH 228/818] avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 1825/clusterfuzz-testcase-minimized-6002833050566656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e87d146d798ca25d8f3a4520a6deb7946b39d73) 
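Review bot: `if (quant_idx > DIRAC_MAX_QUANT_INDEX - 1)` reads like an off-by-one even though it is now correct; `if (quant_idx >= DIRAC_MAX_QUANT_INDEX)` states the bound directly (the quant table has DIRAC_MAX_QUANT_INDEX entries, so the last valid index is one less — inferred from the commit message). A comment tying the bound to the table size would keep the next person from "fixing" it back.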
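Review bot: The guard `if (bytestream2_get_bytes_left(&s->gb) < 1)` before `opcode = bytestream2_get_byte(&s->gb);` deserves a comment, because bytestream2 readers are already bounds-checked and return 0 past the end of input; the real purpose, per the commit message, is to stop the loop from spinning on phantom zero opcodes, not to prevent an out-of-bounds read. Something like `/* bytestream2 returns 0 past the end; bail out instead of looping on fake opcodes */` makes that explicit. Since `smc_decode_stream` returns void, the error is only logged and the caller cannot distinguish a truncated packet from a complete one.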
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 33f959070c..29a363dec8 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -187,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) round = 1 << (s-1); for (i=0; i> s); - dst[i] = out * ssign; + dst[i] = out * (unsigned)ssign; } } } From 4e8c5721b35615e9807d7452a663e8b07413c0e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 May 2017 01:37:14 +0200 Subject: [PATCH 229/818] avcodec/clearvideo: Check buf_size before decoding frame Fixes; Timeout Fixes: 1826/clusterfuzz-testcase-minimized-5728569256837120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 43c394dcaebe9eec5802b420f273385473380909) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 060affeafd..f81090a675 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -297,6 +297,11 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data, c->pic->pict_type = frame_type & 0x20 ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; if (frame_type & 0x2) { + if (buf_size < c->mb_width * c->mb_height) { + av_log(avctx, AV_LOG_ERROR, "Packet too small\n"); + return AVERROR_INVALIDDATA; + } + bytestream2_get_be32(&gb); // frame size; c->ac_quant = bytestream2_get_byte(&gb); c->luma_dc_quant = 32; From 42163d4c551d1e1b1f18c0489aa8feb2cd9f8092 Mon Sep 17 00:00:00 2001 
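Review bot: `if (buf_size < c->mb_width * c->mb_height)` is a heuristic lower bound (at least one byte per macroblock, I assume) and should say so, e.g. `/* an intra frame needs at least one byte per macroblock; reject truncated packets before decoding */`. The check sits inside `if (frame_type & 0x2)`, so other frame types are not covered by it — whether they need a similar bound is not visible here. `mb_width * mb_height` is a signed product; it is presumably bounded by the dimension checks done at init.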
From: Michael Niedermayer Date: Fri, 7 Apr 2017 13:49:09 +0200 Subject: [PATCH 230/818] avutil/internal: Do not enable CHECKED with DEBUG This avoids potential undefined behavior in debug mode while still allowing developers which want to check for potential additional overflows to do so by manually enabling this. Reviewed-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index 7780a9a791..a2d73e3cc6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,9 +30,8 @@ # define NDEBUG #endif -#if defined(DEBUG) && !defined(CHECKED) -# define CHECKED -#endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED #include #include From 92a23e2a639c6805f433c2bff2009ff02c464789 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 May 2017 18:01:31 +0200 Subject: [PATCH 231/818] avformat/mux: Fix copy an paste typo Found-by: Roger Scott Signed-off-by: Michael Niedermayer (cherry picked from commit 1a36354698fc0453ba4d337786d2cb4d3e374cfb) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mux.c b/libavformat/mux.c index 3a5e876913..f14a5cfd87 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -732,7 +732,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", - av_ts2str(pkt->dts), + av_ts2str(pkt->pts), pkt->stream_index ); } From dbff2d602d86c13627ee785a748988d4f1c964cc Mon Sep 17 00:00:00 2001 
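Review bot: `//#define CHECKED` is commented-out code standing in for a configuration knob, and the comment above it does not say how a developer is expected to turn it on. Since a `-DCHECKED` in CFLAGS already works, the line could simply become a comment, e.g. `// Build with -DCHECKED to enable the additional ubsan-visible overflow checks (off by default, see commit message)`, rather than an invitation to edit a libavutil header. The commit message's reason for decoupling it from DEBUG — enabling it can itself trigger undefined behaviour in debug builds — is worth stating there too.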
From: Michael Niedermayer Date: Sat, 27 May 2017 13:03:36 +0200 Subject: [PATCH 232/818] avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 1829/clusterfuzz-testcase-minimized-5527165321871360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 77d98898211eeb0241e8411428b0b364a6231744) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 0dfd5edbf7..0e541a9ccb 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -594,6 +594,10 @@ static int pixlet_decode_frame(AVCodecContext *avctx, void *data, width = bytestream2_get_be32(&ctx->gb); height = bytestream2_get_be32(&ctx->gb); + if ( width > INT_MAX - (1U << (NB_LEVELS + 1)) + || height > INT_MAX - (1U << (NB_LEVELS + 1))) + return AVERROR_INVALIDDATA; + w = FFALIGN(width, 1 << (NB_LEVELS + 1)); h = FFALIGN(height, 1 << (NB_LEVELS + 1)); From b803624aae4cea90805b4739551db6bd110f743f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:07:00 +0200 Subject: [PATCH 233/818] avcodec/ra144dec: Fix runtime error: left shift of negative value -17 Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894) Signed-off-by: Michael Niedermayer --- libavcodec/ra144dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 3eed17c0da..c716c32e67 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c 
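Review bot: The guard only covers the `FFALIGN` on the next two lines; the aligned `w`/`h` can still be close to INT_MAX, so any later `w * h` or per-plane size computation must be protected by a separate dimension check (`ff_set_dimensions`/`av_image_check_size`), which is not visible in this hunk. A comment tying the constant to the alignment, e.g. `/* FFALIGN below rounds up by up to (1 << (NB_LEVELS + 1)) - 1; keep that from overflowing int */`, would explain why this particular bound was chosen. Note the comparison is done in unsigned arithmetic because of `1U`, which also rejects negative values if `width`/`height` are declared signed (their declarations are above the hunk).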
@@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; From 75d881f1a97905c22e2a3329b371c4ad87c292e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:17:34 +0200 Subject: [PATCH 234/818] avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eac19a0d5e..f60f14cc71 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - s->num_primitive_matrices = 0; - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; 
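Review bot: `ractx->curr_sblock[j + 10] * (1 << 2)` is a mechanical rewrite of the shift; `* 4` says the same thing and is what a reader expects to see inside `av_clip_int16`. If the shift-form is kept for consistency with other UB fixes in the tree, a brief comment noting that the multiply replaces a left shift of a possibly negative sample would explain the unusual spelling.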
@@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ From 573e40e8f1c3b6aabd4e60520e3c6e7a72a7c629 Mon Sep 17 00:00:00 2001 From: Kevin Mark Date: Sat, 27 May 2017 10:10:46 -0400 Subject: [PATCH 235/818] doc/filters: Clarify scale2ref example Signed-off-by: Kevin Mark Signed-off-by: Michael Niedermayer (cherry picked from commit 114e8716214d414d7965029ae5fe74668ed69e4a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 8e5e21f9ed..b1e063f63b 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -12077,7 +12077,7 @@ uses the reference video instead of the main input as basis. @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example From f5626db24e7864bffb7b7fd58283e4fe151935af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:03:46 +0200 Subject: [PATCH 236/818] avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 2768531dbf..4aedf17907 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c 
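Review bot: The `error:` path resets `num_primitive_matrices` and `matrix_out_ch`, but the loop in the previous hunk also writes other per-matrix state (at least whatever `frac_bits` feeds, not visible here); if any of that is read by later code independently of `num_primitive_matrices`, it needs clearing too. A comment above the label saying why `matrix_out_ch` must be zeroed — a stale out-of-range channel index was being consumed after the failed parse, per the commit message — would help, e.g. `/* callers index by matrix_out_ch[] even after a failed parse; never leave a rejected value behind */`.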
@@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, ptrdiff_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); From c0895d64f5fad631453f4b405871ac9546f0eb84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 21:08:48 +0200 Subject: [PATCH 237/818] avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' Fixes: 1770/clusterfuzz-testcase-minimized-5285511235108864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c36ee216f1e668e2c2af1573bd9dbbb2a501f48) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_template.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index b649dfd7ee..897a3bbffb 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c @@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO { int i; for (i = 0; i < 64; i++) { - v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); - v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED + v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; + v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else + v[ i] = src0[i] - src1[63 - i]; + v[127 - i] = src0[i] + src1[63 - i]; +#endif } } From d2476bd465a103df57eeaa71f68751bef5f71bf9 Mon Sep 17 00:00:00 2001 
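Review bot: `shift` is 0 or 1 here (`shift = !(i & 2);` two lines above), so `src[0] * (1 << shift)` is exact and cannot overflow unless the `int32_t` inputs reach 2^30, a bound the hunk does not show; a comment on the two lines would stop someone "optimising" it back into a shift of a possibly negative sample: `/* multiply rather than <<: src values may be negative; shift is 0 or 1 */`. ff_ivi_inverse_haar_4x4 continues outside the hunk.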
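Review bot: `0x10U` in the two fixed-point lines is the rounding term for the `>> 5` (it equals `1 << (5 - 1)`, the same rounding `AAC_SRA_R` applies per its definition in aac_defines.h), but nothing in the hunk ties the two numbers together; a comment such as `/* unsigned add so the sum cannot overflow; 0x10 = round-to-nearest for >> 5 */` or a named constant would keep them from drifting apart. The `(int)` conversion of an out-of-range unsigned and the arithmetic right shift of a negative `int` are implementation-defined rather than undefined, which is what the rest of the fixed-point AAC code already relies on. The float branch drops `AAC_SRA_R` entirely; that is behaviour-preserving only if the float definition of the macro is the identity, which is outside this hunk.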
From: Michael Niedermayer Date: Thu, 25 May 2017 03:21:50 +0200 Subject: [PATCH 238/818] avcodec/libfdk-aacdec: Correct buffer_size parameter the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until 2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused. after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error. FFmpeg as well as others (like GStreamer) did interpret it as size in bytes Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c) Signed-off-by: Michael Niedermayer --- libavcodec/libfdk-aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index e5f7c4ebdc..2857b9453f 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c @@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; From 1d589a93b07c107f13bf526f43d96f071fa4bd6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:18:02 +0200 Subject: [PATCH 239/818] avcodec/wnv1: More strict buffer size check This requires at least 25% of a picture to allocate and decode it Fixes: Timeout Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
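Review bot: The `+` line now passes a sample count, but the reason lives only in the commit message; the call site should carry it, because a newer library zero-fills that many `INT_PCM` samples on error and a byte count would presumably overrun `decoder_buffer`: `/* timeDataSize is in samples, not bytes: recent libfdk memsets that many INT_PCM on error */`. `s->decoder_buffer_size / sizeof(INT_PCM)` is a `size_t` expression; if `aacDecoder_DecodeFrame` takes an `int`, an explicit cast would document the narrowing. fdk_aac_decode_frame continues outside the hunk.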
Signed-off-by: Michael Niedermayer (cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 126c01a02d..915e9c7dc9 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } From b330fec1ced7e967f9025e4131f9c29bfa00d3f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:34:09 +0200 Subject: [PATCH 240/818] avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' Fixes: 1851/clusterfuzz-testcase-minimized-5692607495667712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c3a63fc3d1be7ac947e38a165a299c9e5d37764) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 29a363dec8..b78a27a236 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -370,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac, shift = (gain-1024) >> 3; } - if (shift < 0) { + if (shift < -31) { + // Nothing to do + } else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); From 3e18f0fddde8fe1b89c1af63874d60a4862b29be Mon Sep 17 00:00:00 2001 
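Review bot: The error message two lines below the new check still prints only `Packet size %d is too small` while the threshold is now `8 + height * (width/2)/8`, so the rejection gives no hint of what was expected; printing the computed minimum in the same `av_log` would make it diagnosable. `avctx->height * (avctx->width/2)` is a plain `int` multiply; whether it can overflow depends on the dimension limits enforced before this point, which the hunk does not show — if `av_image_check_size` has already run, it is bounded. The sheervideo check in [PATCH 241/818] (`20 + avctx->width * avctx->height / 16`) has the same shape and the same consideration.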
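Review bot: The new `if (shift < -31) { // Nothing to do }` branch silently drops the coupling contribution, and `// Nothing to do` does not say why that is correct; something like `/* a right shift of 32 or more leaves nothing of a 32-bit value: the contribution is presumably zero */` would, once confirmed against the code that consumes `shift`. The `else if` branch still computes `round = 1 << (shift - 1)` for `shift` in 1..31, which is fine. The statements that use `shift` afterwards, and the upper bound on positive `shift`, are outside the hunk.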
From: Michael Niedermayer Date: Sun, 28 May 2017 13:30:46 +0200 Subject: [PATCH 241/818] avcodec/sheervideo: Check input buffer size before allocating and decoding Fixes: Timeout Fixes: 1858/clusterfuzz-testcase-minimized-6450473802399744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8030c14bd7ac983b81ebe898631979f6b5aea09) Signed-off-by: Michael Niedermayer --- libavcodec/sheervideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c index 092ac6ed82..6f99b5c869 100644 --- a/libavcodec/sheervideo.c +++ b/libavcodec/sheervideo.c @@ -3105,6 +3105,11 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (avpkt->size < 20 + avctx->width * avctx->height / 16) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + if (s->format != format) { if (ret < 0) return ret; From cd3314552b2478bb23f70cb6fced1e8cae73520f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 13:52:13 +0200 Subject: [PATCH 242/818] avcodec/jpeg2000dec: Check tile offsets more completely Signed-off-by: Michael Niedermayer (cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fca7740b5d..6267629fad 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
@@ -300,7 +300,10 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || - s->image_offset_y < s->tile_offset_y) { + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From bc2cbb307761287d1bb11923979c60dae890336a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 14:00:30 +0200 Subject: [PATCH 243/818] avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index ed3b421ad8..873e4505ec 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ From 586e00d7d3ecdc232bbde3e8f4a910a48e3b9eaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 17:12:35 +0200 Subject: [PATCH 244/818] avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
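Review bot: The two added conditions reject a first tile that ends at or before the image origin, but the expression does not say so; a comment above the `if` — `/* the first tile (at tile_offset, size tile_width x tile_height) must overlap the image area */` — would make the geometry legible. Casting one operand to `int64_t` is enough to widen each sum; the closing `)` on a line of its own is unusual for this file and could be folded onto the last condition. get_siz continues outside the hunk.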
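Review bot: `(a + (int64_t)b - 1) / b` is computed in 64 bits but narrowed back to `int` on return with no check, and `b == 0` still divides by zero (pre-existing, but the line is rewritten); a comment stating the contract — `/* b > 0; callers guarantee the quotient fits in int */` — would record what the 64-bit intermediate does and does not protect against.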
Signed-off-by: Michael Niedermayer (cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 59c710b5f9..f7ed1f82e7 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -540,7 +540,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; From b419c7564c5fd396d0c22e89841661667f25f3d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 17:20:42 +0200 Subject: [PATCH 245/818] avcodec/ylc: Check count in build_vlc() Fixes: runtime error: signed integer overflow: 211633430 + 2147483647 cannot be represented in type 'int' Fixes: 1874/clusterfuzz-testcase-minimized-5037763613163520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67b30decf7793523f7fdaef6fdf7f1179ef42b18) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index 02162a37e7..bf55e37be1 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c @@ -109,7 +109,7 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) int new_node = j; int first_node = cur_node; int second_node = cur_node; - int nd, st; + unsigned nd, st; nodes[cur_node].count = -1; 
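Review bot: Making `a` `unsigned` turns the accumulation into modular arithmetic, but the hunk ends before `a` is used, so whether a wrapped value can reach the caller is not visible here; a comment on the declaration — `unsigned a; /* unsigned: deliberately wraps instead of overflowing on corrupt input */` — would state the intent. Any `unsigned` → `int` conversion at the return is implementation-defined, which is acceptable in FFmpeg but worth noting where it happens. get_symbol continues outside the hunk.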
@@ -133,6 +133,10 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) st = nodes[first_node].count; nodes[second_node].count = 0; nodes[first_node].count = 0; + if (nd >= UINT32_MAX - st) { + av_log(avctx, AV_LOG_ERROR, "count overflow\n"); + return AVERROR_INVALIDDATA; + } nodes[cur_node].count = nd + st; nodes[cur_node].sym = -1; nodes[cur_node].n0 = cur_node; From be9268e35044cc42aca236f1bb5c9af63c7a854d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 18:09:47 +0200 Subject: [PATCH 246/818] avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1878/clusterfuzz-testcase-minimized-6441918630199296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6b9cb5d26a2d9905093621d12785bc5903dce66d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index b78a27a236..7945c46355 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -211,8 +211,8 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) for (i=0; i 0) { - round = 1 << (s-1); + } else if (s >= 0) { + round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; From 080edf29e74a8aace6ca23ef34740caae6a88039 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:50 +0200 Subject: [PATCH 247/818] avcodec/webp: Fixes null pointer dereference Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488 Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520 Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144 Approved-by: BBB Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
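Review bot: The overflow guard `if (nd >= UINT32_MAX - st)` sits after `nodes[second_node].count = 0;` and `nodes[first_node].count = 0;` have already been written, so on the error return the two child counts are zeroed while the parent is never set; that is harmless only if the caller discards the tree on `AVERROR_INVALIDDATA`, which the hunk does not show. The guard compares against `UINT32_MAX` while `nd`/`st` are `unsigned` (declared in the `@@ -109` hunk); on FFmpeg's supported targets those are the same width, but `UINT_MAX` would match the declaration. `nodes[cur_node].count = -1` is stored into the field the `unsigned` locals read from, so a node carrying that sentinel would read as `UINT32_MAX` and trip the guard — presumably the node selection excludes such nodes.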
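Review bot: `round = s ? 1 << (s-1) : 0;` covers the `s == 0` case the old `s > 0` branch excluded, but the upper bound on `s` is not in the hunk: `1 << (s-1)` is undefined for `s >= 32`, so this relies on an earlier clamp in noise_scale that is outside the hunk. A comment on the ternary — `/* s == 0: a shift of zero needs no rounding term */` — would explain the 0 rather than `1 << -1`. The hunk text here is garbled by extraction (the `for` headers have lost their comparison operators), so the surrounding lines were not reviewed.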
Signed-off-by: Michael Niedermayer (cherry picked from commit 67020711b7d45afa073ef671f755765035a64373) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index ef7b26c4c8..3d63cb8349 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1351,6 +1351,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (ret < 0) return ret; + if (!*got_frame) + return AVERROR_INVALIDDATA; + update_canvas_size(avctx, avctx->width, avctx->height); if (s->has_alpha) { From b578ba915f07509baad253fc74f19e754c85a15d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 20:08:49 +0200 Subject: [PATCH 248/818] avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro Fixes: runtime error: shift exponent 1073741848 is too large for 32-bit type 'INTFLOAT' (aka 'int') Fixes: 1880/clusterfuzz-testcase-minimized-4900645322620928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 872bac81590ccbec40ba7ad203421d9e38d1b253) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 0ea667e77b..3c79a8a4a1 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -72,7 +72,7 @@ typedef int AAC_SIGNE; #define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x40000000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else From 22dab0f4e1b83eea1be4e6850690e9aa5d44e937 Mon Sep 17 00:00:00 2001 
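Review bot: Returning `AVERROR_INVALIDDATA` when the embedded VP8 decode reports success but no frame presumably keeps `update_canvas_size` and the alpha path from touching an unfilled `p`, yet the line carries no explanation; `/* VP8 decoder returned success without a frame: nothing to composite */` would save the next reader a trip to the fuzz report. vp8_lossy_decode_frame continues outside the hunk.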
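Review bot: The fix is right, and the reason deserves a comment because the old form looked correct: `>>` binds more loosely than `+`, so `(x) >> 1 + (y) >> 1` parsed as `((x) >> (1 + (y))) >> 1`, which is the oversized shift exponent in the fuzz report. Suggest `/* fully parenthesised: + binds tighter than >> */` on the macro line.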
From: Michael Niedermayer Date: Sun, 28 May 2017 21:38:24 +0200 Subject: [PATCH 249/818] avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 690f7ff3d6..4f8471d28a 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } From 3a0e4368ec5a9130d51fcbee32ac9ec8c30b8330 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:44:32 +0200 Subject: [PATCH 250/818] avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 4f8471d28a..c869824e35 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c 
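Review bot: Casting `gval` to `unsigned` makes the product wrap instead of overflowing, but it also turns the `>> 12` into a logical shift: if `ff_irms(...) * gval` can be negative, the result differs from the arithmetic shift the old code produced whenever it did not overflow. If both factors are non-negative — `ff_irms` presumably yields an RMS-derived magnitude and `gval` a gain — the two forms agree, and a comment would justify the cast: `/* unsigned: product may exceed INT_MAX on corrupt input; both factors are >= 0 */`. ff_subblock_synthesis continues outside the hunk.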
@@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From 722cc62baa982d4aa0648421e399750c2b84bafa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 251/818] avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 245a32a8d7..4f0e52dbf7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } From ece91a3918cad23ae809834de038f6fed1dd3d9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 252/818] avcodec/truemotion2: Fix passing null pointer to memset() Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8) 
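Review bot: The outer product is now done in `unsigned` and cast back to `int` before the `>> 12`, but the inner `refl[i+1] * bp2[i-j]` on the same line is still a signed multiply and can overflow in exactly the same way if the `refl`/`bp2` magnitudes are not bounded (the `#endif`'d check just above only covers `a*b`). If the inner product is bounded by construction, a comment stating the bound would make that visible; otherwise it deserves the same `(unsigned)` treatment. The `(int)` conversion and the arithmetic shift of a negative value are implementation-defined, which FFmpeg relies on elsewhere.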
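Review bot: `v - (1U << mb)` sign-extends an `mb`-bit two's-complement value, and the `unsigned` result is converted to `int` on assignment to `ctx->deltas[...]`; that conversion is implementation-defined and is what FFmpeg relies on, but a comment would make the intent legible: `/* sign-extend the mb-bit value; unsigned so 1 << 31 is well-defined */`. `1U << mb` is still undefined for `mb >= 32` (and `1 << (mb - 1)` for `mb == 0`), so this depends on a range check on `mb` before the loop, which is outside the hunk.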
Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4f0e52dbf7..e6ae05f1d5 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; From 0a0eec60c87837ec41bf6229b48a39f7f991b971 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 13:45:29 +0200 Subject: [PATCH 253/818] avcodec/jpeg2000dec: Use ff_set_dimensions() Fixes: OOM Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 6267629fad..b23e1678d5 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); 
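Review bot: The guard `if (l->tok_lens[j])` protects `memset` from a NULL `l->tokens[j]` by way of the length, which is correct only as long as a zero length is the sole way for `tokens[j]` to be NULL; checking the pointer itself (`if (l->tokens[j])`) states the actual precondition and also covers a failed allocation, if one can leave a non-zero length behind — the allocation site is outside the hunk. Either way a short comment would help: `/* tokens[j] is NULL when tok_lens[j] == 0; memset(NULL, ...) is UB even for size 0 */`.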
@@ -359,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { From d59e6cef7902a2c4672860f16a4322c7a2f86c36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 13:51:08 +0200 Subject: [PATCH 254/818] avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int' Fixes: 1891/clusterfuzz-testcase-minimized-6274417925554176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c49fa2a51452eeba0cf2c14ce999ddeadf69aa4f) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index bc11bdb0fa..f026f9cd5a 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -687,7 +687,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); } frame->palette_has_changed = 1; From c1074aea71315467c36dbaec181c025e855f44be Mon Sep 17 00:00:00 2001 
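Review bot: `ff_set_dimensions` now validates the reduced size, which is where the OOM protection comes from, but `s->width - s->image_offset_x` and `s->height - s->image_offset_y` are `int` subtractions that only stay in range because of the offset checks earlier in get_siz (the `@@ -300` hunk in [PATCH 242/818] added some of them); a one-line comment above the call — `/* ff_set_dimensions() rejects oversized frames; offsets were validated above */` — would tie the two together. The `int ret;` added in the `@@ -260` hunk is used only here.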
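Review bot: Only the `<< 24` term is cast to `unsigned`, so the four-term sum mixes `int` and `unsigned` operands; it is well-defined (the usual arithmetic conversions make the final addition unsigned) but the asymmetry reads like an oversight. Either cast the first term as well, or comment it: `/* (unsigned): a byte << 24 overflows int when bit 7 is set */`. The assembled palette word is stored outside the hunk, so its conversion target is not visible.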
From: Michael Niedermayer Date: Mon, 29 May 2017 14:07:33 +0200 Subject: [PATCH 255/818] avcodec/ansi: Fix frame memleak Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 3c82dcd338..f1fafab771 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; @@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } From a24cd04074c827548c7482649723b9e5117fa2b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:09:11 +0200 Subject: [PATCH 256/818] avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 2bda3599a8..e49a9b54a7 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
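Review bot: Moving `av_frame_alloc()` below the dimension check is what closes the leak, and that ordering is the kind of thing a later edit can undo without noticing; a comment above the moved allocation — `/* allocate last: the error returns above must not leak the frame */` — documents the constraint. The alternative of `av_frame_free(&s->frame)` on the `EINVAL` path would have kept the original order, but since `decode_close` presumably frees `s->frame`, deferring the allocation is the simpler fix.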
@@ -554,7 +554,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; From 795f65eed59df703cc2f00643b645f97fabb90d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:13:21 +0200 Subject: [PATCH 257/818] avcodec/wavpack: Check float_shift Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int' Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e49a9b54a7..427296d06b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -887,6 +887,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; From 003cce421da64cf423bc73e0d2de74c7838be1e4 Mon Sep 17 00:00:00 2001 
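Review bot: The S16P branch now computes `weightA * A` in `unsigned`, wrapping instead of overflowing, while the non-S16P branch one line above still widens to `int64_t`; the asymmetry is presumably deliberate but deserves a comment, e.g. `/* S16P: weightA * A can exceed INT_MAX on corrupt input; unsigned makes the wrap defined */`. `T + (...)` remains a signed `int` add, so it can still overflow if `T` is near `INT_MAX`; the range of `T` is established outside the hunk.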
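Review bot: The `continue` in the new `float_shift > 31` branch runs before `got_float = 1;` and `bytestream2_skip(&gb, 1);`, so the block leaves `s->float_flag` and `s->float_max_exp` at the values just read while `got_float` stays 0 and `float_shift` is forced to 0 — a half-applied FLOATINFO. If the decode path keys only on `got_float`, that is harmless; otherwise resetting `float_flag` and `float_max_exp` alongside `float_shift` would be safer. Whether skipping the `bytestream2_skip` matters depends on whether the enclosing loop re-seeks per block from the block size, which is outside the hunk.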
From: Michael Niedermayer Date: Tue, 30 May 2017 04:03:09 +0200 Subject: [PATCH 258/818] avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549) Signed-off-by: Michael Niedermayer --- libavcodec/acelp_pitch_delay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index 8ec1ba3a83..c345a99c81 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c @@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, ff_exp10(0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / - sqrtf(fixed_mean_energy); + sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], From 1998147f2ebcb0eff33438339b2051d159edb688 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 21:29:20 +0200 Subject: [PATCH 259/818] avformat/avidec: Limit formats in gab2 to srt and ass/ssa This prevents part of one exploit leading to an information leak Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 4e694fe447..ed043470f0 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
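Review bot: `fixed_mean_energy ? fixed_mean_energy : 1.0` promotes the conditional to `double` because `1.0` is a double literal, so `sqrtf` receives a narrowed value; `1.0f` keeps the expression in `float`. A zero energy now yields a divisor of 1 instead of a division by zero, which changes the result silently — a comment on why 1 is the right fallback (or a clamp to a small positive epsilon) would record the intent. A negative `fixed_mean_energy` still reaches `sqrtf` and produces NaN; whether a caller can pass one is not visible in the hunk.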
@@ -1098,6 +1098,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; From 771206c0dbb4761307bdfc0a9f0a98b694d58a31 Mon Sep 17 00:00:00 2001 From: Micah Galizia Date: Tue, 30 May 2017 21:29:54 -0400 Subject: [PATCH 260/818] libavformat/http: Ignore expired cookies Signed-off-by: Micah Galizia Signed-off-by: Michael Niedermayer (cherry picked from commit 28b24670741e1de25bfc7b5ea7c1d6dbae1aef6f) Signed-off-by: Micah Galizia Signed-off-by: Michael Niedermayer --- libavformat/http.c | 213 +++++++++++++++++++++++++++++++++------------ 1 file changed, 156 insertions(+), 57 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index 293a8a7204..d06103ab6d 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -29,6 +29,7 @@ #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "libavutil/time.h" +#include "libavutil/parseutils.h" #include "avformat.h" #include "http.h" @@ -48,6 +49,8 @@ #define MAX_REDIRECTS 8 #define HTTP_SINGLE 1 #define HTTP_MUTLI 2 +#define MAX_EXPIRY 19 +#define WHITESPACES " \n\t\r" typedef enum { LOWER_PROTO, READ_HEADERS, 
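Review bot: The allow-list `strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")` is the security-relevant line here and should say so, since the gab2 payload is attacker-controlled and the probed demuxer is otherwise chosen from the full input-format table; a comment such as `/* only text subtitle demuxers may be probed from gab2 data: other demuxers can reference external resources (information leak, see commit) */` records why the list is closed. Matching on the demuxer name is brittle if a format is later renamed; comparing `sub_demuxer` against the `ff_srt_demuxer`/`ff_ass_demuxer` objects would survive that, if those symbols are reachable from avidec. The function's goto-cleanup is outside the hunk.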
@@ -680,10 +683,112 @@ static int parse_icy(HTTPContext *s, const char *tag, const char *p) return 0; } +static int parse_set_cookie_expiry_time(const char *exp_str, struct tm *buf) +{ + char exp_buf[MAX_EXPIRY]; + int i, j, exp_buf_len = MAX_EXPIRY-1; + char *expiry; + + // strip off any punctuation or whitespace + for (i = 0, j = 0; exp_str[i] != '\0' && j < exp_buf_len; i++) { + if ((exp_str[i] >= '0' && exp_str[i] <= '9') || + (exp_str[i] >= 'A' && exp_str[i] <= 'Z') || + (exp_str[i] >= 'a' && exp_str[i] <= 'z')) { + exp_buf[j] = exp_str[i]; + j++; + } + } + exp_buf[j] = '\0'; + expiry = exp_buf; + + // move the string beyond the day of week + while ((*expiry < '0' || *expiry > '9') && *expiry != '\0') + expiry++; + + return av_small_strptime(expiry, "%d%b%Y%H%M%S", buf) ? 0 : AVERROR(EINVAL); +} + +static int parse_set_cookie(const char *set_cookie, AVDictionary **dict) +{ + char *param, *next_param, *cstr, *back; + + if (!(cstr = av_strdup(set_cookie))) + return AVERROR(EINVAL); + + // strip any trailing whitespace + back = &cstr[strlen(cstr)-1]; + while (strchr(WHITESPACES, *back)) { + *back='\0'; + back--; + } + + next_param = cstr; + while ((param = av_strtok(next_param, ";", &next_param))) { + char *name, *value; + param += strspn(param, WHITESPACES); + if ((name = av_strtok(param, "=", &value))) { + if (av_dict_set(dict, name, value, 0) < 0) { + av_free(cstr); + return -1; + } + } + } + + av_free(cstr); + return 0; +} + static int parse_cookie(HTTPContext *s, const char *p, AVDictionary **cookies) { + AVDictionary *new_params = NULL; + AVDictionaryEntry *e, *cookie_entry; char *eql, *name; + // ensure the cookie is parsable + if (parse_set_cookie(p, &new_params)) + return -1; + + // if there is no cookie value there is nothing to parse + cookie_entry = av_dict_get(new_params, "", NULL, AV_DICT_IGNORE_SUFFIX); + if (!cookie_entry || !cookie_entry->value) { + av_dict_free(&new_params); + return -1; + } + + // ensure the cookie is not expired or older than 
an existing value + if ((e = av_dict_get(new_params, "expires", NULL, 0)) && e->value) { + struct tm new_tm = {0}; + if (!parse_set_cookie_expiry_time(e->value, &new_tm)) { + AVDictionaryEntry *e2; + + // if the cookie has already expired ignore it + if (av_timegm(&new_tm) < av_gettime() / 1000000) { + av_dict_free(&new_params); + return -1; + } + + // only replace an older cookie with the same name + e2 = av_dict_get(*cookies, cookie_entry->key, NULL, 0); + if (e2 && e2->value) { + AVDictionary *old_params = NULL; + if (!parse_set_cookie(p, &old_params)) { + e2 = av_dict_get(old_params, "expires", NULL, 0); + if (e2 && e2->value) { + struct tm old_tm = {0}; + if (!parse_set_cookie_expiry_time(e->value, &old_tm)) { + if (av_timegm(&new_tm) < av_timegm(&old_tm)) { + av_dict_free(&new_params); + av_dict_free(&old_params); + return -1; + } + } + } + } + av_dict_free(&old_params); + } + } + } + // duplicate the cookie name (dict will dupe the value) if (!(eql = strchr(p, '='))) return AVERROR(EINVAL); if (!(name = av_strndup(p, eql - p))) return AVERROR(ENOMEM); @@ -868,7 +973,7 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path, // cookie strings will look like Set-Cookie header field values. Multiple // Set-Cookie fields will result in multiple values delimited by a newline int ret = 0; - char *next, *cookie, *set_cookies = av_strdup(s->cookies), *cset_cookies = set_cookies; + char *cookie, *set_cookies = av_strdup(s->cookies), *next = set_cookies; if (!set_cookies) return AVERROR(EINVAL); 
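Review bot: In `parse_set_cookie` the trailing-whitespace strip `back = &cstr[strlen(cstr)-1]; while (strchr(WHITESPACES, *back)) { *back='\0'; back--; }` reads `cstr[-1]` for an empty `Set-Cookie` value and walks off the front of the buffer when the value is all whitespace, and this input comes straight from the remote server's response headers; bounding it fixes both: `back = cstr + strlen(cstr); while (back > cstr && strchr(WHITESPACES, back[-1])) *--back = '\0';`. In `parse_cookie` the "only replace an older cookie" branch re-parses `p` — the new cookie — as `old_params` and then reads the expiry from `e` (also the new cookie), so it compares the new cookie with itself and never rejects; it should be `parse_set_cookie(e2->value, &old_params)` and `parse_set_cookie_expiry_time(e2->value, &old_tm)` (with `e2` re-read from `old_params` as the code already does). `MAX_EXPIRY` (19, from the `@@ -48` hunk) sizes `exp_buf` and `exp_buf[j] = '\0'` stays in bounds because `j < MAX_EXPIRY-1`, but the constant appears to be 3 weekday letters plus 15 for `ddMonyyyyHHMMSS` and a comment deriving it would help. The error returns are mixed — `AVERROR(EINVAL)` for a failed `av_strdup`, `-1` for a failed `av_dict_set` — where `AVERROR(ENOMEM)` is what the rest of the file returns for allocation failure.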
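Review bot: `*next = set_cookies` replaces `cset_cookies` as the pointer kept for the final `av_free` (outside the hunk), and in the following `@@ -876` hunk `av_strtok(next, "\n", &next)` uses `next` as both input and save pointer; `av_strtok` reads its first argument before storing through `saveptr`, so this is fine, but a comment on the declaration would spare the next reader the check: `/* set_cookies owns the copy and is freed at the end; next walks it */`. A failed `av_strdup` still returns `AVERROR(EINVAL)` rather than `AVERROR(ENOMEM)`; pre-existing, not introduced here.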
@@ -876,87 +981,81 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path, av_dict_free(&s->cookie_dict); *cookies = NULL; - while ((cookie = av_strtok(set_cookies, "\n", &next))) { - int domain_offset = 0; - char *param, *next_param, *cdomain = NULL, *cpath = NULL, *cvalue = NULL; - set_cookies = NULL; + while ((cookie = av_strtok(next, "\n", &next))) { + AVDictionary *cookie_params = NULL; + AVDictionaryEntry *cookie_entry, *e; // store the cookie in a dict in case it is updated in the response if (parse_cookie(s, cookie, &s->cookie_dict)) av_log(s, AV_LOG_WARNING, "Unable to parse '%s'\n", cookie); - while ((param = av_strtok(cookie, "; ", &next_param))) { - if (cookie) { - // first key-value pair is the actual cookie value - cvalue = av_strdup(param); - cookie = NULL; - } else if (!av_strncasecmp("path=", param, 5)) { - av_free(cpath); - cpath = av_strdup(¶m[5]); - } else if (!av_strncasecmp("domain=", param, 7)) { - // if the cookie specifies a sub-domain, skip the leading dot thereby - // supporting URLs that point to sub-domains and the master domain - int leading_dot = (param[7] == '.'); - av_free(cdomain); - cdomain = av_strdup(¶m[7+leading_dot]); - } else { - // ignore unknown attributes + // continue on to the next cookie if this one cannot be parsed + if (parse_set_cookie(cookie, &cookie_params)) + continue; + + // if the cookie has no value, skip it + cookie_entry = av_dict_get(cookie_params, "", NULL, AV_DICT_IGNORE_SUFFIX); + if (!cookie_entry || !cookie_entry->value) { + av_dict_free(&cookie_params); + continue; + } + + // if the cookie has expired, don't add it + if ((e = av_dict_get(cookie_params, "expires", NULL, 0)) && e->value) { + struct tm tm_buf = {0}; + if (!parse_set_cookie_expiry_time(e->value, &tm_buf)) { + if (av_timegm(&tm_buf) < av_gettime() / 1000000) { + av_dict_free(&cookie_params); + continue; + } } } - if (!cdomain) - cdomain = av_strdup(domain); - // ensure all of the necessary values are valid - if (!cdomain 
|| !cpath || !cvalue) { - av_log(s, AV_LOG_WARNING, - "Invalid cookie found, no value, path or domain specified\n"); - goto done_cookie; + // if no domain in the cookie assume it appied to this request + if ((e = av_dict_get(cookie_params, "domain", NULL, 0)) && e->value) { + // find the offset comparison is on the min domain (b.com, not a.b.com) + int domain_offset = strlen(domain) - strlen(e->value); + if (domain_offset < 0) { + av_dict_free(&cookie_params); + continue; + } + + // match the cookie domain + if (av_strcasecmp(&domain[domain_offset], e->value)) { + av_dict_free(&cookie_params); + continue; + } } - // check if the request path matches the cookie path - if (av_strncasecmp(path, cpath, strlen(cpath))) - goto done_cookie; - - // the domain should be at least the size of our cookie domain - domain_offset = strlen(domain) - strlen(cdomain); - if (domain_offset < 0) - goto done_cookie; - - // match the cookie domain - if (av_strcasecmp(&domain[domain_offset], cdomain)) - goto done_cookie; + // ensure this cookie matches the path + e = av_dict_get(cookie_params, "path", NULL, 0); + if (!e || av_strncasecmp(path, e->value, strlen(e->value))) { + av_dict_free(&cookie_params); + continue; + } // cookie parameters match, so copy the value if (!*cookies) { - if (!(*cookies = av_strdup(cvalue))) { + if (!(*cookies = av_asprintf("%s=%s", cookie_entry->key, cookie_entry->value))) { ret = AVERROR(ENOMEM); - goto done_cookie; + break; } } else { char *tmp = *cookies; - size_t str_size = strlen(cvalue) + strlen(*cookies) + 3; + size_t str_size = strlen(cookie_entry->key) + strlen(cookie_entry->value) + strlen(*cookies) + 4; if (!(*cookies = av_malloc(str_size))) { ret = AVERROR(ENOMEM); - goto done_cookie; + av_free(tmp); + break; } - snprintf(*cookies, str_size, "%s; %s", tmp, cvalue); + snprintf(*cookies, str_size, "%s; %s=%s", tmp, cookie_entry->key, cookie_entry->value); av_free(tmp); } - - done_cookie: - av_freep(&cdomain); - av_freep(&cpath); - 
av_freep(&cvalue); - if (ret < 0) { - if (*cookies) av_freep(cookies); - av_free(cset_cookies); - return ret; - } } - av_free(cset_cookies); + av_free(set_cookies); - return 0; + return ret; } static inline int has_header(const char *str, const char *header) From e5e01d24773dde50159df2ad616f3e16a8d2a650 Mon Sep 17 00:00:00 2001 From: Micah Galizia Date: Tue, 30 May 2017 21:29:55 -0400 Subject: [PATCH 261/818] libavformat/hls: Observe Set-Cookie headers Signed-off-by: Micah Galizia Signed-off-by: Michael Niedermayer (cherry picked from commit c4c73020f4bbf261f0b263be82de575c17fa5a60) Signed-off-by: Micah Galizia Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index bac53a4350..42022690f1 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -630,8 +630,16 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, ret = s->io_open(s, pb, url, AVIO_FLAG_READ, &tmp); if (ret >= 0) { // update cookies on http response with setcookies. - void *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb; - update_options(&c->cookies, "cookies", u); + char *new_cookies = NULL; + + if (!(s->flags & AVFMT_FLAG_CUSTOM_IO)) + av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies); + + if (new_cookies) { + av_free(c->cookies); + c->cookies = new_cookies; + } + av_dict_set(&opts, "cookies", c->cookies, 0); } From 9b351d0d888dfc75bf4259f854a8b4920cc60119 Mon Sep 17 00:00:00 2001 
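Review bot: `cookie_params` is never freed on the success path of the loop body: every `continue` branch calls `av_dict_free(&cookie_params)`, but once a cookie matches and its value is appended nothing releases the dictionary before the next iteration, and the two ENOMEM `break`s leak it as well, so each matched cookie leaks one dictionary per request. Add `av_dict_free(&cookie_params);` as the last statement of the loop body and before each `break` (or keep a single cleanup label as the removed `done_cookie` did). Separately, the rewritten domain match dropped the leading-dot handling the removed code had (`leading_dot`): a `domain=.example.com` attribute now gives a negative `domain_offset` for host `example.com`, so the cookie is no longer sent to the apex host; `const char *cdomain = e->value + (e->value[0] == '.');` and matching against that restores the old behaviour. Neither old nor new code enforces a label boundary (`domain=ample.com` matches `example.com`), which warrants `domain_offset > 0 && domain[domain_offset - 1] != '.'` as an additional rejection.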
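Review bot: The return value of `av_opt_get` is discarded and `new_cookies` is adopted unconditionally; for a string option av_opt_get hands back an allocated string even when the option is unset (an empty string, if libavutil's usual behaviour applies here), so after opening a child that carries no cookies `c->cookies` is replaced by `""`. That is only harmless because `opts` carries `c->cookies` into the child before the open (outside this hunk), so the child's option already holds them; make the intent explicit with `if (new_cookies && *new_cookies) { av_free(c->cookies); c->cookies = new_cookies; } else av_free(new_cookies);`. Note also that cookies set by any segment server now flow into every later request of this session and are only filtered by the http layer's domain/path match; a comment saying so would help the next reader. open_url() starts outside the hunk.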
From: Ganapathy Kasi Date: Tue, 30 May 2017 19:03:14 -0700 Subject: [PATCH 262/818] avcodec/nvenc: fix hw accelerated transcode with bframes hw accelerated transcode (h264_cuvid -> h264_nvenc with -hwaccel cuvid) was broken after the filtergraph initialization was changed to intialize decoder first followed by encoder (commit af1761f7b5b1b72197dc40934953b775c2d951cc). During initialzing encoder with bframes, local buffers are allocated internally in encoder which fails since no cuda context is available. Now pushing the correct cuda context before encoder initialization fixes the issue. Also adding push/pop cuda ctx during create/destroy/map/unmap resources and destroy encoder session. Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 00541f4c49..b7957867d7 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -373,9 +373,21 @@ static av_cold int nvenc_check_device(AVCodecContext *avctx, int idx) return 0; fail3: + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + p_nvenc->nvEncDestroyEncoder(ctx->nvencoder); ctx->nvencoder = NULL; + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } + fail2: dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal); ctx->cu_context_internal = NULL; @@ -951,6 +963,8 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx) NV_ENC_PRESET_CONFIG preset_config = { 0 }; NVENCSTATUS nv_status = NV_ENC_SUCCESS; AVCPBProperties *cpb_props; + CUresult cu_res; + CUcontext dummy; int res = 0; int dw, dh; 
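Review bot: In the `fail3:` path the new cuCtxPushCurrent failure branch returns AVERROR_EXTERNAL before `nvEncDestroyEncoder` and before the `fail2:` teardown of `cu_context_internal`, and the cuCtxPopCurrent branch likewise returns before `fail2:`, so a CUDA error during cleanup leaks the encoder session and the context. Since this is already an error path, log the CUDA failure and fall through instead of returning: drop the two `return AVERROR_EXTERNAL;` lines and keep the `av_log`, so the error that led to `fail3` is still what the caller sees. The end of the fail chain, and the original return value, are outside the hunk.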
@@ -1038,7 +1052,20 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx) if (res) return res; + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + nv_status = p_nvenc->nvEncInitializeEncoder(ctx->nvencoder, &ctx->init_encode_params); + + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } + if (nv_status != NV_ENC_SUCCESS) { return nvenc_print_error(avctx, nv_status, "InitializeEncoder failed"); } @@ -1147,6 +1174,9 @@ static av_cold int nvenc_alloc_surface(AVCodecContext *avctx, int idx) static av_cold int nvenc_setup_surfaces(AVCodecContext *avctx) { NvencContext *ctx = avctx->priv_data; + NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs; + CUresult cu_res; + CUcontext dummy; int i, res; ctx->surfaces = av_mallocz_array(ctx->nb_surfaces, sizeof(*ctx->surfaces)); @@ -1163,9 +1193,28 @@ static av_cold int nvenc_setup_surfaces(AVCodecContext *avctx) if (!ctx->output_surface_ready_queue) return AVERROR(ENOMEM); + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + for (i = 0; i < ctx->nb_surfaces; i++) { if ((res = nvenc_alloc_surface(avctx, i)) < 0) + { + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } return res; + } + } + + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; } return 0; 
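Review bot: In nvenc_setup_surfaces the new failure branch puts the opening brace of `if ((res = nvenc_alloc_surface(avctx, i)) < 0)` on its own line, inconsistent with the K&R style used on the neighbouring `if (cu_res != CUDA_SUCCESS) {` lines; write it as `if ((res = nvenc_alloc_surface(avctx, i)) < 0) {`. In the same branch a failing cuCtxPopCurrent replaces the surface-allocation error `res` with AVERROR_EXTERNAL, hiding the original cause; log the pop failure but still `return res;`.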
@@ -1209,8 +1258,16 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) NvencContext *ctx = avctx->priv_data; NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs; NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs; + CUresult cu_res; + CUcontext dummy; int i; + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + /* the encoder has to be flushed before it can be closed */ if (ctx->nvencoder) { NV_ENC_PIC_PARAMS params = { .version = NV_ENC_PIC_PARAMS_VER, @@ -1251,6 +1308,12 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) p_nvenc->nvEncDestroyEncoder(ctx->nvencoder); ctx->nvencoder = NULL; + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } + if (ctx->cu_context_internal) dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal); ctx->cu_context = ctx->cu_context_internal = NULL; @@ -1785,8 +1848,20 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt, if (output_ready(avctx, !frame)) { av_fifo_generic_read(ctx->output_surface_ready_queue, &tmpoutsurf, sizeof(tmpoutsurf), NULL); + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + res = process_output_surface(avctx, pkt, tmpoutsurf); + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } + if (res) return res; From eac6114e0187ae148b09a95b38dfcb380f0c41d8 Mon Sep 17 00:00:00 2001 
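Review bot: ff_nvenc_encode_close now returns AVERROR_EXTERNAL as soon as cuCtxPushCurrent fails, before the encoder flush, surface teardown and `nvEncDestroyEncoder` that follow, and the second early return after cuCtxPopCurrent skips `cuCtxDestroy(ctx->cu_context_internal)` on the following context lines; a close function that bails out early leaks every resource it was about to release. Log the CUDA error, continue with the cleanup and return the recorded error at the end instead. The tail of the function is outside the hunk.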
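Review bot: In ff_nvenc_encode_frame the output surface has just been dequeued by `av_fifo_generic_read` when the new push/pop error branches return AVERROR_EXTERNAL, so on those paths `tmpoutsurf` is neither processed nor returned to the pool (as far as is visible here; surface recycling happens outside the hunk). Move the cuCtxPushCurrent above the fifo read so a push failure leaves the queue intact, or release the surface before returning.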
From: Michael Niedermayer Date: Wed, 31 May 2017 13:21:58 +0200 Subject: [PATCH 263/818] avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index eb2464f36d..2bcb42a6eb 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, From fc74ac463c08cf57a35ff2499646b7b10d20d97a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:39:45 +0200 Subject: [PATCH 264/818] avcodec/pnm: Use ff_set_dimensions() Fixes: OOM Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 4753923631..b06a6e81b5 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) 
@@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -111,8 +113,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -154,8 +157,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); From e3a1d133f71d14b065955a1974662a14354cd08a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 15:52:56 +0200 Subject: [PATCH 265/818] avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c869824e35..2ed7361e38 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c 
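Review bot: Both call sites keep `av_image_check_size(w, h, 0, avctx)` in the preceding `if` while now also calling `ff_set_dimensions`, which (if it performs the usual av_image_check_size validation, as its use as an OOM fix suggests) validates the same pair twice; dropping the explicit call from the condition leaves one source of truth. If the separate check is intentionally kept so the `w <= 0 || h <= 0` and bytestream tests run first, a one-line comment saying so would help.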
@@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) From 797621afab82e899a8fd40caa22f56d44c38df1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:02:07 +0200 Subject: [PATCH 266/818] avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index acd55cc513..923a39bcc9 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -751,7 +751,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } From 706b427ff5de7d7ba152ec07c17f657e58180767 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:18:23 +0200 Subject: [PATCH 267/818] avcodec/cinepak: Check input packet size before frame reallocation Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475) 
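Review bot: The `(unsigned)` cast turns `>> ff_gain_exp_tab[n]` into a logical shift, so the line matches the old arithmetic shift only when `ff_gain_val_tab[n][i] * m[i]` is non-negative; `m` is filled in by a caller outside this hunk, so state the precondition next to the line, e.g. `/* m[i] >= 0, so the unsigned shift equals the previous arithmetic shift */`. If a negative m[i] is possible, the result becomes a large positive value instead of a small negative one.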
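Review bot: `scaling_list_delta_coef` comes straight from get_se_golomb and the rewritten expression silently wraps any value into [0,255] instead of rejecting it, while the HEVC spec restricts scaling_list_delta_coef to -128..127. Since the function returns int, add `if (scaling_list_delta_coef < -128 || scaling_list_delta_coef > 127) return AVERROR_INVALIDDATA;` before the update so malformed streams are rejected rather than decoded with wrapped coefficients. The enclosing loop starts outside the hunk.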
Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index d657e9c0c1..89e940ae0d 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 30abd8e6f98243ba0e6744128ece372cc0d7c0fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:53:02 +0200 Subject: [PATCH 268/818] avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 427296d06b..83e5c906cf 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -245,7 +245,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; From 4f02447d45681bf7e99f184bc97ee8d68284ffc5 Mon Sep 17 00:00:00 2001 
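Review bot: After this move cinepak_decode reads `s->data[0]`, `AV_RB24(&s->data[1])` and `AV_RB16(&s->data[8])` with no local bound, relying entirely on the caller's `s->size < 10` check in cinepak_decode_frame; record that invariant where the reads happen, e.g. `/* caller (cinepak_decode_frame) guarantees s->size >= 10 */` above `frame_flags = s->data[0];`, so a second caller or a later reordering of the check does not reintroduce the over-read. The rest of cinepak_decode is outside the hunk.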
From: Michael Niedermayer Date: Thu, 1 Jun 2017 18:32:52 +0200 Subject: [PATCH 269/818] avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int' Fixes: 1925/clusterfuzz-testcase-minimized-5564569688735744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd6f319a7470394044627d1bd900e21b9aca5f4a) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index ef97b547ab..57a8d2b76e 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -501,7 +501,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width; int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height; int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride; - int expected = highpass_height * highpass_stride; + int expected; int a_expected = highpass_a_height * highpass_a_width; int level, run, coeff; int count = 0, bytes; @@ -512,11 +512,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, goto end; } - if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < expected) { + if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < highpass_height * (uint64_t)highpass_stride) { av_log(avctx, AV_LOG_ERROR, "Too many highpass coefficients\n"); ret = AVERROR(EINVAL); goto end; } + expected = highpass_height * highpass_stride; av_log(avctx, AV_LOG_DEBUG, "Start subband coeffs plane %i level %i codebook %i expected %i\n", s->channel_num, s->level, s->codebook, expected); From 3dc62e679ab2ed88b7fe4a5e691dba3874d62a22 Mon Sep 17 00:00:00 2001 
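Review bot: The rewritten bound check mixes types: `a_expected` is still an `int` computed as `highpass_a_height * highpass_a_width` on the preceding context line and is compared with a `uint64_t` product, so if that int multiplication overflows or any dimension is negative, `a_expected` converts to a huge unsigned value and the `<` test passes. Compare in 64-bit on both sides, `(int64_t)highpass_a_height * highpass_a_width < highpass_height * (int64_t)highpass_stride`, and reject negative dimensions first if they can be negative here (their origin is outside the hunk).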
From: Michael Niedermayer Date: Thu, 1 Jun 2017 18:48:37 +0200 Subject: [PATCH 270/818] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 83e5c906cf..ba5fa7a266 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -188,7 +188,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } From 52a7ae844b05b987e8ffa34940a00a1d9c223baa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Jun 2017 22:31:02 +0200 Subject: [PATCH 271/818] avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9faf098163b33e7b0f5baafa3371ef5401f4105d) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 48b595adbd..01f6d1f076 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
@@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED - width <<= 1; + width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; From 4e6de49a5a4a9269db88825ca06f24a2e522add5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Jun 2017 14:47:16 +0200 Subject: [PATCH 272/818] avformat/options: log filename on open The loglevel is choosen so that the main filename and any images of multi image sequences are shown only at debug level to avoid clutter. This makes exploits in playlists more visible. As they would show accesses to private/sensitive files Signed-off-by: Michael Niedermayer (cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582) Signed-off-by: Michael Niedermayer --- libavformat/options.c | 12 ++++++++++++ libavformat/utils.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/options.c b/libavformat/options.c index 25a506eef8..9371c72667 100644 --- a/libavformat/options.c +++ b/libavformat/options.c @@ -102,6 +102,18 @@ static const AVClass av_format_context_class = { static int io_open_default(AVFormatContext *s, AVIOContext **pb, const char *url, int flags, AVDictionary **options) { + int loglevel; + + if (!strcmp(url, s->filename) || + s->iformat && !strcmp(s->iformat->name, "image2") || + s->oformat && !strcmp(s->oformat->name, "image2") + ) { + loglevel = AV_LOG_DEBUG; + } else + loglevel = AV_LOG_INFO; + + av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading"); + #if FF_API_OLD_OPEN_CALLBACKS FF_DISABLE_DEPRECATION_WARNINGS if (s->open_cb) diff --git a/libavformat/utils.c b/libavformat/utils.c index a82bbc702d..a9f8cf6f84 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
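Review bot: `FFMIN(2U*width, INT_MAX)` is evaluated in unsigned arithmetic, which matches the old `width <<= 1` (minus the overflow) only when `width` is non-negative; `width` is `Q30(1.f)` divided by `stop - start`, so if `border_position` is ever non-monotonic (its validation is outside this hunk) a negative width now becomes INT_MAX rather than staying negative. If the positions are guaranteed ordered, say so in a comment on this line; otherwise clamp on the signed value, `width = width > INT_MAX / 2 ? INT_MAX : width * 2;`.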
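Review bot: The new condition mixes `&&` and `||` without parentheses (`!strcmp(url, s->filename) || s->iformat && !strcmp(...) || s->oformat && !strcmp(...)`), which reads ambiguously and trips -Wparentheses; parenthesize each `&&` term. Also, `url` is attacker-controlled precisely in the playlist case this log line is meant to expose, and it is printed unescaped with `%s`, so newlines or terminal escape sequences in a crafted URL land verbatim in the log; either escape control characters before logging or add `/* url may be attacker-controlled (e.g. from a playlist); it is logged unescaped */` so readers of the log treat it as untrusted.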
@@ -533,6 +533,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); if ((ret = init_input(s, filename, &tmp)) < 0) goto fail; s->probe_score = ret; @@ -570,7 +571,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* Allocate private data. */ if (s->iformat->priv_data_size > 0) { From aae731b9d39f18ee7d42e632a0139187435c35b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 13:02:51 +0200 Subject: [PATCH 273/818] avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 682fe935b0..5a868e4abf 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -69,7 +69,7 @@ static void scale_coefs ( int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; i Date: Sun, 4 Jun 2017 13:38:02 +0200 Subject: [PATCH 274/818] avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
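Review bot: Moving `av_strlcpy(s->filename, ...)` above `init_input()` is load-bearing: io_open_default() in options.c (same patch) compares `url` with `s->filename` to choose the log level, so the field must be set before the first io_open inside init_input. That dependency is invisible at this call site; add `/* must precede init_input(): io_open_default() compares urls against s->filename */` above the moved line so it is not moved back in a later refactor.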
Signed-off-by: Michael Niedermayer (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..1618a3e7c3 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], From 00312b5ea4a240af39a30acf8d6570c147734717 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 15:41:18 +0200 Subject: [PATCH 275/818] avcodec/dxv: Check remaining bytes in dxv_decompress_raw() Fixes: Timeout Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb5049227033d946add93c0714bb8a28d94166f1) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 4b1c2d25cc..6f3c075d06 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c 
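Review bot: The new `if (pkt->size < 2)` guard uses a bare constant while this hunk itself reads only one byte (`bytestream2_get_byte`); whatever consumes the second byte is further down the function, outside the hunk. A comment naming the reads the minimum covers, e.g. `/* frame code byte plus the first byte read by the code handlers below */`, ties the constant to what it protects.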
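Review bot: Replacing the `default:` error return with `av_assert0(0)` means any future mismatch between the `(code & 0xF) > 4` pre-check and the switch cases turns a malformed packet into a process abort; attacker-controlled input should not be able to reach an assert in a decoder. Keep `default:` as a defensive `av_log(avctx, AV_LOG_ERROR, "unexpected frame code\n"); return AVERROR_INVALIDDATA;` and, if an assert is wanted, place it after the return so it documents the invariant without being reachable in release builds. The switch expression itself is outside the hunk.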
@@ -335,6 +335,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; GetByteContext *gbc = &ctx->gbc; + if (bytestream2_get_bytes_left(gbc) < ctx->tex_size) + return AVERROR_INVALIDDATA; + bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size); return 0; } From 0d19167a657c3cf475e5e32deb0bbfd2f348d1cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 17:06:27 +0200 Subject: [PATCH 276/818] avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 923a39bcc9..19919e562f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -170,6 +170,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) From cefbc513ea1c74277337568eef7fffb0b4c397a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 20:45:09 +0200 Subject: [PATCH 277/818] avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 6019d721d4c10bf73018d68511d9d0a914c0a389) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index daf91a5557..c50aaf5285 100644 --- a/libavutil/softfloat.h 
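Review bot: The check is right but its reason deserves a comment, since `bytestream2_get_buffer` is itself bounds-safe: without it a truncated packet fills only part of `tex_data` and decoding proceeds on whatever the rest of the buffer held (its lifetime is outside this hunk). Suggest `/* bytestream2_get_buffer() would silently short-read; reject truncated textures instead */` above the new `if`.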
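Review bot: The `k >= FF_ARRAY_ELEMS(rps->used)` check sits after the loops that derive `k`, so if those loops (above the hunk) store into `rps->used[k]` or `rps->delta_poc[k]` as they go, the out-of-bounds write has already happened by the time the check runs and only the later reads are protected; the report names index 32, the array size, which is consistent with a store at k == 32 inside the loop. Unless the loop bodies never index with k before incrementing it, the bound must be checked before each store (or the loop limits capped to the array size). The enclosing function starts outside the hunk.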
+++ b/libavutil/softfloat.h @@ -177,8 +177,10 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; From d34d06d1e23333ee06a496f42db209b8c828694e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 21:37:47 +0200 Subject: [PATCH 278/818] avcodec/qdrw: Fix null pointer dereference The RGB555 PACKBITSRGN case tries to read a palette, if such palette is actually stored then it accesses a null pointer. All 16bit samples i could find use DIRECTBITSRGN. Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 46b865ea9f86cbd12e1bf701913263c7932cccb0) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index c92cd85f12..3a0bc6f760 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -58,6 +58,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc, bytestream2_skip(gbc, 6); continue; } + if (avctx->pix_fmt != AV_PIX_FMT_PAL8) + return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); 
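Review bot: The new PAL8 check sits inside the per-entry palette loop (the `continue` on the line above shows loop context), so it is re-evaluated for every entry and only fires for entries that reach the read path. Hoisting `if (avctx->pix_fmt != AV_PIX_FMT_PAL8) return AVERROR_INVALIDDATA;` above the loop rejects a palette for a non-paletted frame once, before any palette bytes are consumed, and makes the null-`pal` precondition the commit describes visible at the function entry. The loop head is outside the hunk.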
@@ -378,7 +380,9 @@ static int decode_frame(AVCodecContext *avctx, if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + if (ret < 0) + return ret; p->palette_has_changed = 1; /* jump to image data */ From 3dd1f38329e7bd7225445c92fc0019adc43899f4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 3 Jun 2017 21:20:04 +0200 Subject: [PATCH 279/818] avformat/hls: Check local file extensions This reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its features. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There also were objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. limiting the check to local files was suggested by nevcairiel This recommits the security fix without the author name joke which was originally requested by Nicolas. Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021) 
Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 42022690f1..73d3ee46f6 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -204,6 +204,7 @@ typedef struct HLSContext { char *http_proxy; ///< holds the address of the HTTP proxy server AVDictionary *avio_opts; int strict_std_compliance; + char *allowed_extensions; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -618,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; // only http(s) & file are allowed - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(s, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':') 
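Review bot: `strcmp(c->allowed_extensions, "ALL")` dereferences the option value without a NULL check; an AV_OPT_TYPE_STRING option can be set to NULL through the options API, and since this comparison is the security boundary it should fail closed rather than crash: `if (!c->allowed_extensions || (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions))) {`. The empty `else if (av_strstart(proto_name, "http", NULL)) { ; }` branch is an awkward way to express the allow-list; rejecting everything that is neither file nor http up front with `if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) return AVERROR_INVALIDDATA;` and then a plain `if (av_strstart(proto_name, "file", NULL))` block for the extension check keeps the two decisions readable. A comment on the file block stating that the test is on the name the playlist presents, not on the resolved path, would record the limitation for the next maintainer. open_url continues outside the hunk.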
@@ -2134,6 +2146,10 @@ static int hls_probe(AVProbeData *p) static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, {NULL} }; From 0fb432a23b0aa609f20469030fd29b1e5d1a5d01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 19:33:56 +0200 Subject: [PATCH 280/818] avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 40bb63a278..ba2b6ef232 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } From ec5e262e1d7294484e58499b758f0e29f0959915 Mon Sep 17 00:00:00 2001 
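Review bot: The help string for `allowed_extensions` does not mention the `ALL` value that open_url honours, so a user reading the demuxer's option help cannot discover how to disable the check; suggest `"List of file extensions that hls is allowed to access (\'ALL\' disables the check)"`. A one-line comment above the entry noting that every extension added to the default list widens what a local playlist may read from the filesystem would help future edits to this table.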
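Review bot: Widening `den` to int64_t only promotes the last multiplication; `src->x * distp` is still evaluated in int before `* den`, so the overflow class the commit fixes is avoided only if that partial product cannot overflow, and the operand types are not visible here. Casting the first operand instead, `*d_x = ((int64_t)src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9;` and likewise for `*d_y`, makes the whole expression 64-bit regardless. The final narrowing of the shifted value to int is silent; a comment stating the expected range of the result would make that deliberate.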
From: Michael Niedermayer Date: Mon, 5 Jun 2017 20:39:21 +0200 Subject: [PATCH 281/818] avcodec/tiff: Avoid loosing allocated geotag values Fixes memleak Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 9b9d37bb83..81bf7ae54d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1137,6 +1137,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); From 34887d091d53edb530aca66de98ce545c4fcea5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 22:23:15 +0200 Subject: [PATCH 282/818] avcodec/mjpegdec: Check that reference frame matches the current frame Fixes: out of array read Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c2a0dc6233..6cc9473309 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
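Review bot: The duplicate-geotag rejection returns AVERROR_INVALIDDATA without logging, while the allocation failure two lines below logs with av_log; for consistency and so malformed files are diagnosable, add `av_log(s->avctx, AV_LOG_ERROR, "Duplicate value for geotag\n");` before the return. A brief comment, e.g. `/* val already set: a second value for the same geotag would leak the first */`, would record why a duplicate is treated as an error rather than replaced. tiff_decode_tag continues outside the hunk.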
@@ -1479,6 +1479,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); From 07944df9a7d76a212ca898e37d91a660cd4ee0e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:01:16 +0200 Subject: [PATCH 283/818] avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 85ef56644b..dbcc11747d 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -862,7 +862,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] *= 1 << s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -904,7 +904,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] *= 1 << 8; + samples[i] *= 1U << 8; } break; } From 90b6425b1285b4e3fc74d4d6c62e2a71c0de25b3 Mon Sep 17 00:00:00 2001 
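Review bot: The new reference check logs only "Reference mismatching"; including both geometries in the message, e.g. `"Reference frame %dx%d fmt %d does not match %dx%d fmt %d\n"` with the six values, costs nothing and makes fuzzer reports triagable without a debugger. ff_mjpeg_decode_sos continues outside the hunk.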
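Review bot: `1U << s->sample_shift[chan]` removes the signed-overflow UB in the multiplication but is itself UB if sample_shift reaches 32 or more; the bound is not visible in this hunk, so please confirm where sample_shift is parsed that it is limited, and say so there. A comment on the changed line, `/* unsigned: the product is meant to wrap, result narrowed back to int32_t */`, would explain why an unsigned constant is multiplied into a signed array. The second hunk's `1U << 8` is a constant and needs no bound. tak_decode_frame continues outside both hunks.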
From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:21:37 +0200 Subject: [PATCH 284/818] avcodec/pafvideo: Fix assertion failure Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 1618a3e7c3..91bfe16376 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -273,7 +273,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); - if ((code & 0xF) > 4) { + if ((code & 0xF) > 4 || (code & 0xF) == 3) { avpriv_request_sample(avctx, "unknown/invalid code"); return AVERROR_INVALIDDATA; } From 4c7477f132ea3e7c246598b13ef1d5ebbd70d444 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:28:57 +0200 Subject: [PATCH 285/818] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 18bca25adbae9d010d75f9fc197c0af656af758d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 1e22165c0b..304ab47000 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
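Review bot: `(code & 0xF)` is now evaluated twice against bare magic values; binding it once, `int mode = code & 0xF; if (mode > 4 || mode == 3) {`, reads better than the growing condition. A comment naming why 3 is rejected would help, since the commit message only says it trips an assertion later and the reader cannot tell from this line whether 3 is undefined or merely unsupported. paf_video_decode continues outside the hunk.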
@@ -2340,7 +2340,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; - s->time = s->time_base * s->avctx->framerate.num + time_increment; + s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2352,7 +2352,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { - s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; + s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || From 6d7192bcb7bbab17dc194e8dbb56c208bced0a92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 22:11:21 +0200 Subject: [PATCH 286/818] Update for 3.3.2 Signed-off-by: Michael Niedermayer --- Changelog | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 108 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 9403f12ca1..d719317dd6 100644 --- a/Changelog +++ b/Changelog 
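Review bot: The casts promote the multiplications, but both hunks still perform plain additions on the same values: `s->time_base += time_incr;` in the first hunk's context and `(s->last_time_base + time_incr)` in the second, so if time_incr can be large these overflow before the int64_t cast applies (the field types are not visible here). Casting before the addition, `s->time = ((int64_t)s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment;`, covers the second; the first needs a range check on time_incr where it is decoded. decode_vop_header continues outside the hunk.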
@@ -2,6 +2,112 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.2: +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/qdrw: Fix null pointer dereference +- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/dxv: Check remaining bytes in dxv_decompress_raw() +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avformat/options: log filename on open +- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- 
avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avcodec/nvenc: fix hw accelerated transcode with bframes +- libavformat/hls: Observe Set-Cookie headers +- libavformat/http: Ignore expired cookies +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int' +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro +- avcodec/webp: Fixes null pointer dereference +- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ylc: Check count in build_vlc() +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/sheervideo: Check input buffer size before allocating and decoding +- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' +- avcodec/wnv1: More 
strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- doc/filters: Clarify scale2ref example +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' +- avformat/mux: Fix copy an paste typo +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/clearvideo: Check buf_size before decoding frame +- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' +- avcodec/smc: Check remaining input +- avcodec/diracdec: Fix off by 1 error in quant check +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' +- avcodec/mpeg4videodec: Check for multiple VOL headers +- avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int' +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 +- avcodec/takdec: Fix runtime error: 
left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/pixlet: Fix reading invalid numbers of bits +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/aacdec_template: Fix fixed point scale in decode_cce() +- avcodec/fmvc: Fix off by 1 error +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' +- avcodec/scpr: mask bits to prevent out of array read +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- configure: Fix the msvcrt version check for mingw32 +- lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out +- lavc/ffjni: add missing '\n' +- 
lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack +- lavc/mediacodec_wrapper: fix local reference leaks +- avcodec/nvenc: remove unnecessary alignment +- Use AVOnce as a static variable consistently +- avfilter: take_samples: do not directly return frame when samples are skipped +- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects + version 3.3.1: - libswscale/tests/swscale: Fix uninitialized variables - avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' diff --git a/RELEASE b/RELEASE index bea438e9ad..4772543317 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.1 +3.3.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 226b5f7b9d..baddcb8d8a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.1 +PROJECT_NUMBER = 3.3.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 20f5e2c17785ef84db565e658420faf6f8ca0807 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Tue, 13 Jun 2017 17:19:51 +0200 Subject: [PATCH 287/818] lavc/aarch64/simple_idct: fix idct_col4_top coefficient Fixes regression introduced by 5d0b8b1ae307951310c7d9a8fa282fbca9b997cd. --- libavcodec/aarch64/simple_idct_neon.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aarch64/simple_idct_neon.S b/libavcodec/aarch64/simple_idct_neon.S index 92987985d2..5bd31e5be9 100644 --- a/libavcodec/aarch64/simple_idct_neon.S +++ b/libavcodec/aarch64/simple_idct_neon.S @@ -74,7 +74,7 @@ endconst .endm .macro idct_col4_top y1, y2, y3, y4, i, l - smull\i v7.4S, \y3\l, z1 + smull\i v7.4S, \y3\l, z2 smull\i v16.4S, \y3\l, z6 smull\i v17.4S, \y2\l, z1 add v19.4S, v23.4S, v7.4S 
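Review bot: The coefficient fix is a one-symbol change inside a macro whose operand-to-coefficient mapping is not documented, which is how the regression slipped in unnoticed; a header comment on `idct_col4_top` listing which z constant each `smull` is meant to use (`y3*z2`, `y3*z6`, `y2*z1`, …) would let the next reviewer spot a mismatch by inspection. The macro body continues outside the hunk.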
From 50c2ef91d34138a94dad46c6c7c367852dbd7df6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:44:32 +0200 Subject: [PATCH 288/818] avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 5a868e4abf..9a6d7a08b1 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,7 +65,7 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; From ad9ce1fa1d9644a24eb8a81a6096986b7c831f11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:58:47 +0200 Subject: [PATCH 289/818] avcodec/indeo4: Check remaining data in Pic hdr extension parsing code Fixes: Timeout Fixes: 2115/clusterfuzz-testcase-minimized-6594111748440064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3b5b60bdf451faefeeec07c4e684a251968bf2d) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 594c56d163..85d5fa3e7a 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
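Review bot: Changing `mul` to unsigned silently changes the arithmetic of every `... * mul` product in the body below (outside this hunk): the int operand is converted to unsigned, the product wraps, and the value is converted back to int when stored into the `temp*` variables, which is implementation-defined rather than UB. That is presumably the intent, but it only stays correct if the products are shifted after being stored back into the signed temps; any `>> shift` applied directly to an unsigned product would turn the arithmetic shift into a logical one. A comment at the declaration, `unsigned mul; /* unsigned so that src * mul wraps instead of overflowing; narrowed back to int via temp */`, would record this. scale_coefs continues outside the hunk.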
@@ -237,6 +237,8 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); + if (get_bits_left(&ctx->gb) < 10) + return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } From 741c341968836c420fcf6982f2f0ad25047728a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 00:13:07 +0200 Subject: [PATCH 290/818] avcodec/h264_parse: Check picture structure when initializig weight table Fixes: runtime error: index 49 out of bounds for type 'int [48][2][2]' Fixes: 2159/clusterfuzz-testcase-minimized-5267945972301824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a1ad368a78b153b63ccc07af864b3611e2a4ac3) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 15 +++++++++------ libavcodec/h264_parse.h | 3 ++- libavcodec/h264_parser.c | 2 +- libavcodec/h264_slice.c | 3 ++- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index ea202e759c..3d20075f6a 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -26,7 +26,8 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, const int *ref_count, int slice_type_nos, - H264PredWeightTable *pwt, void *logctx) + H264PredWeightTable *pwt, + int picture_structure, void *logctx) { int list, i, j; int luma_def, chroma_def; 
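Review bot: The bound `< 10` is a magic number; the loop reads one flag bit and skips eight per iteration, which does not obviously add up to 10, so a comment explaining how the value was chosen, e.g. `/* 8 extension bits plus the flag bit of the next iteration, with slack */`, would make it checkable. It is also worth a sentence in that comment that the check exists to stop an unbounded loop on truncated input, which the commit message gives as the reason, since the bit reader's own bounds would otherwise keep returning zeros. decode_pic_hdr continues outside the hunk.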
@@ -98,11 +99,13 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, } // for MBAFF - pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0]; - pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1]; - for (j = 0; j < 2; j++) { - pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; - pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + if (picture_structure == PICT_FRAME) { + pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0]; + pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1]; + for (j = 0; j < 2; j++) { + pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; + pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + } } } if (slice_type_nos != AV_PICTURE_TYPE_B) diff --git a/libavcodec/h264_parse.h b/libavcodec/h264_parse.h index 290da34d44..4d01620125 100644 --- a/libavcodec/h264_parse.h +++ b/libavcodec/h264_parse.h @@ -55,7 +55,8 @@ typedef struct H264POCContext { int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, const int *ref_count, int slice_type_nos, - H264PredWeightTable *pwt, void *logctx); + H264PredWeightTable *pwt, + int picture_structure, void *logctx); /** * Check if the top & left blocks are available if needed & change the diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index bc35a6146e..2564c6c6c3 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c 
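Review bot: The new `picture_structure == PICT_FRAME` guard has no comment explaining why the MBAFF duplicate entries are only filled for frames, which is the actual bounds argument: the `[16 + 2 * i]` / `[16 + 2 * i + 1]` slots only fit the table while i stays below 16, and the commit message reports index 49, i.e. i = 16. A comment such as `// MBAFF field-pair entries exist only for frame pictures; field pictures may reach i >= 16 and would index past the table` would tie the condition to the invariant. Alternatively a direct `i < 16` bound in the condition would make the check independent of the picture-structure argument being passed correctly by every caller. The enclosing for-loop over i begins outside the hunk.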
@@ -202,7 +202,7 @@ static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, if ((p->ps.pps->weighted_pred && slice_type_nos == AV_PICTURE_TYPE_P) || (p->ps.pps->weighted_bipred_idc == 1 && slice_type_nos == AV_PICTURE_TYPE_B)) ff_h264_pred_weight_table(gb, p->ps.sps, ref_count, slice_type_nos, - &pwt, logctx); + &pwt, p->picture_structure, logctx); if (get_bits1(gb)) { // adaptive_ref_pic_marking_mode_flag int i; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index acf6a73f60..506e6775dc 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1782,7 +1782,8 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, (pps->weighted_bipred_idc == 1 && sl->slice_type_nos == AV_PICTURE_TYPE_B)) { ret = ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count, - sl->slice_type_nos, &sl->pwt, h->avctx); + sl->slice_type_nos, &sl->pwt, + picture_structure, h->avctx); if (ret < 0) return ret; } From 460abcd67188280460befd849f227b521c0081dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 18:45:08 +0200 Subject: [PATCH 291/818] avcodec/cfhd: Check band parameters before storing them Fixes out of array read Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 57a8d2b76e..ed127de29e 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
@@ -317,22 +317,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { - s->plane[s->channel_num].band[0][0].width = data; - s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].width = data; + s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { - s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { 
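Review bot: In the `tag == 28` branch the upper bound still compares against `band[0][0].height` rather than `band[0][0].a_height`, while the width branch uses `a_width`; before this change the assignment preceded the comparison, so `data > height` compared data with itself and could never trigger, and after it the comparison is against the height left by the previous tag, which is neither the allocated size nor stable across frames. The line should read `if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) {`, assuming the band struct has `a_height` alongside the `a_width` used a few lines above. cfhd_decode continues outside the hunk.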
@@ -363,39 +363,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", 
s->codebook); From 311f2f5abaa67615656680f0d3afa8e1703fadbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 19:43:25 +0200 Subject: [PATCH 292/818] avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 46fd21d2b1..598dd1741b 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -272,10 +272,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -324,6 +328,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; 
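Review bot: The highpass branches for tags 41, 42, 49 and 50 still only reject values below 3 and carry no upper bound, unlike the lowpass tag 27 path, which checks against the allocated `a_width`; moving the stores after the checks changes nothing about what is accepted here. If the band buffers are sized from the allocated dimensions, an oversized width or height (the stride becomes `FFALIGN(data, 8)`) can still drive later reads or writes past the band buffer, so each branch should also test `data > s->plane[s->channel_num].band[s->level][s->subband_num].a_width` (respectively `a_height`), assuming those fields exist for highpass bands as they do for band[0][0]. cfhd_decode starts and ends outside the hunk.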
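Review bot: The new guard `if (y_ptr > pixel_limit)` lets y_ptr == pixel_limit through; if pixel_limit is the byte offset one past the last row (height * linesize; its definition is outside the hunk), the next line packet could then be decoded at an out-of-range offset, so `if (y_ptr >= pixel_limit)` is the safer comparison unless later per-packet checks already stop writes at that offset, which should be confirmed. The `line_packets > s->avctx->height` bound limits only a single skip; repeated skips are caught only by the next iteration's y_ptr check, which is adequate provided y_ptr cannot overflow in between. flic_decode_frame_8BPP starts and ends outside the hunk.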
@@ -560,9 +566,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; @@ -847,9 +857,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; From 5217145824bf1f18d154a0cc8a8b4f50ffc4b33c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 00:45:20 +0200 Subject: [PATCH 293/818] avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 2ed7361e38..c077b7b327 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1601,7 +1601,7 @@ void ff_eval_coefs(int *coefs, const int *refl) b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } 
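Review bot: The `(unsigned)` cast on `b2[i-j-1]` makes the product wrap instead of overflowing, but nothing at the site says so, and the following `(int)` conversion of an out-of-range unsigned value plus the `>> 12` on a possibly negative int are implementation-defined rather than portable C. A short comment such as `/* unsigned: the product can exceed INT_MAX; wraparound is intended */` would stop a later cleanup from removing the cast as redundant. ff_eval_coefs starts and ends outside the hunk.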
From f3ac7e40d6bf1a7f7b750fa8a4d4545a1faa79af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 01:05:26 +0200 Subject: [PATCH 294/818] avcodec/tiff: Fix leak of geotags[].val Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 81bf7ae54d..6d833cd992 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1111,6 +1111,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { From 53a32fdf0a5f8e490f5b1ef3227732c5a010c35f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:32:35 +0200 Subject: [PATCH 295/818] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 Fixes: 2195/clusterfuzz-testcase-minimized-4736721533009920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d499ecef9c2467772b6066176ffda0b7ab27cc2) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 7945c46355..4506001619 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
@@ -389,7 +389,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp << shift; + dest[group * 128 + k] += tmp * (1 << shift); } } } From e1b6d78bf706da4cea49cec8a48c378bb4067638 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:34:54 +0200 Subject: [PATCH 296/818] avcodec/snowdec: Fix runtime error: left shift of negative value -1 Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 022e9693c7..7d6d7ff44f 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -586,7 +586,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; x Date: Sun, 11 Jun 2017 20:19:59 +0200 Subject: [PATCH 297/818] avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index c949390f51..053b1c575d 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h 
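Review bot: Replacing `tmp << shift` with `tmp * (1 << shift)` removes the left-shift-of-negative UB but keeps the operation in signed int: `1 << shift` is itself UB for shift >= 31 and the product overflows whenever |tmp| << shift exceeds INT_MAX, so the sanitizer report only moves. The range of shift is established outside the hunk; unless it is provably small, either bound it or make the wraparound explicit with `dest[group * 128 + k] += (unsigned)tmp * (1U << shift);`. apply_dependent_coupling_fixed starts and ends outside the hunk.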
@@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values From cce9471373cf758ec576cd55f6cb8001e0acd62a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 20:28:46 +0200 Subject: [PATCH 298/818] avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 Fixes: 2208/clusterfuzz-testcase-minimized-5976593765761024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d24043e1a2f93f206a2ad59054f24f45ff023e5c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 188cc261a4..735ed0b1dc 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] <<= I_PRESHIFT; + data[i] *= 1 << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From 452c78a09cb500dd7bbb1d1de7c2b6e5b573353c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Jun 2017 19:17:30 +0200 Subject: [PATCH 299/818] avcodec/libvpxdec: Check that display dimensions fit in the storage dimensions Fixes assertion failure Fixes: 2112/clusterfuzz-testcase-minimized-4526878557732864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f8593c2f492a514b67533a877b716a25d3770418) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/libvpxdec.c b/libavcodec/libvpxdec.c index 5204c993cd..ad0ea3b02a 100644 
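Review bot: Making `bitrate_acc` and `bitrate_delta` unsigned silences the overflow by letting every use wrap, but it also changes the meaning of any signed comparison or right shift on these fields in wavpack.c, which is outside this hunk: a `< 0` test or an arithmetic `>>` on bitrate_delta would now behave differently. The users should be audited, and the header should record the intent, e.g. `unsigned bitrate_acc, bitrate_delta; /* unsigned: accumulation deliberately wraps */`.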
--- a/libavcodec/libvpxdec.c +++ b/libavcodec/libvpxdec.c @@ -244,6 +244,13 @@ static int vpx_decode(AVCodecContext *avctx, (img_alpha = vpx_codec_get_frame(&ctx->decoder_alpha, &iter_alpha)))) { uint8_t *planes[4]; int linesizes[4]; + + if (img->d_w > img->w || img->d_h > img->h) { + av_log(avctx, AV_LOG_ERROR, "Display dimensions %dx%d exceed storage %dx%d\n", + img->d_w, img->d_h, img->w, img->h); + return AVERROR_EXTERNAL; + } + if ((ret = set_pix_fmt(avctx, img, ctx->has_alpha_channel)) < 0) { #ifdef VPX_IMG_FMT_HIGHBITDEPTH av_log(avctx, AV_LOG_ERROR, "Unsupported output colorspace (%d) / bit_depth (%d)\n", From d2567caea9b12b935a249306697e7bd48e733c3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 13:28:23 +0200 Subject: [PATCH 300/818] avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible Fixes: 1775/clusterfuzz-testcase-minimized-5330288148217856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d549f026d8b64b879c3ce3b8c7d153c82aa5eb52) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 924da83c85..f42708a8a7 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -242,7 +242,7 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, 
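Review bot: The new error message prints `img->d_w`, `img->d_h`, `img->w` and `img->h` with `%d`, but in libvpx's vpx_image.h these fields are declared `unsigned int` as far as I recall, so the format does not match the argument types; `%u` for all four is the correct spelling. The check itself is well placed before set_pix_fmt(), and AVERROR_EXTERNAL is a reasonable code since the inconsistency originates in the library rather than the bitstream. vpx_decode starts and ends outside the hunk.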
@@ -260,7 +260,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int shift, round; shift = 22 - s_m[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +273,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int64_t accu; shift = 22 - q_filt[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; @@ -286,6 +292,7 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], Y[m][1] = y1; phi_sign1 = -phi_sign1; } + return 0; } #include "sbrdsp_template.c" From 3c98e4be896e89b0ab03bf64d32dd19b1eceeba1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 16:25:59 +0200 Subject: [PATCH 301/818] avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() Fixes: runtime error: shift exponent -10 is negative Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1992448d37f7cfa2acda5cc729dc0ff1b019390) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 01f81afaaa..1f5ff410d1 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c 
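Review bot: The two new error paths log through `av_log(NULL, ...)`, so the message cannot be attributed to a decoder instance or filtered by its log level, and a hostile stream can emit it on every call; passing a context down, or returning the error silently and letting the caller log once, is the usual pattern. Turning the function into one that returns an int only helps if the caller in sbrdsp_template.c, outside this hunk, actually propagates the value; the `return 0` added in the last hunk is consistent, but the check at the call site should be confirmed. sbr_hf_apply_noise starts before this hunk.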
@@ -575,22 +575,30 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { + int shift2; shift = 22 - in[m ].exp; + shift2= 22 - in[m+1].exp; + if (shift < 1 || shift2 < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); + return; + } if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } - shift = 22 - in[m+1].exp; - if (shift < 32) { - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + if (shift2 < 32) { + round = 1 << (shift2-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift2; } } if(m_max&1) { shift = 22 - in[m ].exp; - if (shift < 32) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); + return; + } else if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } From 7a86581afd6868a19556a30ecd1096da82b08ffe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:49:23 +0200 Subject: [PATCH 302/818] avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 40 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 304ab47000..3edf266580 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
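Review bot: The new overflow checks bail out with a bare `return` from a void function, so sbr_hf_assemble() silently leaves `out` partially accumulated and the caller has no way to know the frame is incomplete; unlike the parallel change in sbrdsp_fixed.c, which returns AVERROR(ERANGE), nothing here lets the decoder reject the frame. Changing the signature to `static int sbr_hf_assemble(...)`, using `return AVERROR(ERANGE);` on these paths and checking the result at the call site would be consistent, and the `av_log(NULL, ...)` calls lose the codec context just as in that file. The function starts before and ends after this hunk.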
@@ -284,26 +284,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * 
sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); From f33c3ccbe747b63ddb495cfcf7159e222f86ed7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:55:17 +0200 Subject: [PATCH 303/818] avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 3edf266580..99680dabc3 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
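Review bot: The widened arithmetic is assigned back to `sprite_offset[...]`, whose declaration is outside this hunk; if it is still an `int` array the int64_t intermediate is truncated on the store, so the overflow is hidden rather than detected, and the range check added by the following commit then sees the truncated values. If sprite_offset was already widened the change is complete; otherwise it should be declared `int64_t sprite_offset[2][2];`, which also lets the later `INT_MAX >> shift` comparison catch out-of-range results. The `(1 << (alpha + rho - 1))` and `(1 << (alpha + rho + 1))` terms remain int shifts and still rely on alpha + rho being small. mpeg4_decode_sprite_trajectory starts and ends outside the hunk.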
@@ -361,14 +361,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0 || - FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c - ) { - avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - goto overflow; + for (i = 0; i < 2; i++) { + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } } for (i = 0; i < 2; i++) { From f8a331598efe22821e4d1f96971adbf716652a7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:26:01 +0200 Subject: [PATCH 304/818] avcodec/hevc_refs: Check nb_refs in add_candidate_ref() Fixes: runtime error: index 16 out of bounds for type 'int [16]' Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 9103c84686..d2759ba5f5 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -439,7 +439,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= HEVC_MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { 
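Review bot: The loop tests both rows of `s->sprite_delta` against `INT_MAX >> shift_y` while `sprite_offset[1][i]` is tested against `shift_c`, which reads like an asymmetry a later reader may be tempted to "fix"; if it is intentional (the delta matrix rows are both luma-scaled and only the second offset row is a chroma quantity), a one-line comment such as `/* both delta rows are luma-scaled; only sprite_offset[1] is chroma */` would prevent that. mpeg4_decode_sprite_trajectory starts and ends outside the hunk.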
From 10d821309b02014d7663b63635ff2a3294382558 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:28:28 +0200 Subject: [PATCH 305/818] avcodec/hevcdec: Check nb_sps Signed-off-by: Michael Niedermayer (cherry picked from commit bc406744620710911de9157eafa3e61d0246566f) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f9e8ff0c9f..c05a66d14c 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -247,6 +247,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 16:58:20 +0200 Subject: [PATCH 306/818] avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error Fixes: Null pointer dereference Fixes: CVE-2017-9608 Found-by: Yihan Lian Signed-off-by: Michael Niedermayer (cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhd_parser.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index a1f632a620..f1166be100 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c 
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, dctx->w = (state >> 32) & 0xFFFF; } else if (dctx->cur_byte == 42) { int cid = (state >> 32) & 0xFFFFFFFF; + int remaining; if (cid <= 0) continue; - dctx->remaining = avpriv_dnxhd_get_frame_size(cid); - if (dctx->remaining <= 0) { - dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); - if (dctx->remaining <= 0) - return dctx->remaining; + remaining = avpriv_dnxhd_get_frame_size(cid); + if (remaining <= 0) { + remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); + if (remaining <= 0) + continue; } + dctx->remaining = remaining; if (buf_size - i + 47 >= dctx->remaining) { int remaining = dctx->remaining; From 15cc15170909f3a0713936ce145176be97925ad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:26:18 +0200 Subject: [PATCH 307/818] avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2231/clusterfuzz-testcase-minimized-4565181982048256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3fadc57c5c170f31455abacbcbd67115d7321d7) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index 873e4505ec..8a022ad918 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -215,7 +215,7 @@ typedef struct Jpeg2000Component { /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { - return -(((int64_t)(-a)) >> b); + return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) From 1729101c44c093078f9b1e7466c16d06bbbc85bf Mon Sep 17 00:00:00 2001 
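Review bot: The new `int remaining` in the `cur_byte == 42` branch appears to be shadowed by the `int remaining = dctx->remaining;` declared in the nested block that follows; the code is correct, but -Wshadow flags it and the two same-named variables hold different values, so renaming the outer one (e.g. `int frame_size;`) would help. On the new `continue` path dctx->remaining keeps whatever it held before, possibly a count from an earlier frame; whether the code after the scan loop, outside this hunk, tolerates that stale value should be confirmed. dnxhd_find_frame_end starts and ends outside the hunk.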
From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:41:46 +0200 Subject: [PATCH 308/818] avcodec/truemotion2: Move skip computation after checks Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int' Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e6ae05f1d5..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { From 01ed8d93b2b9374858285cd6af6bc6b0bce2dcb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jun 2017 02:16:54 +0200 Subject: [PATCH 309/818] avcodec/shorten: Sanity check maxnlpc Fixes OOM Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) 
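Review bot: The rewritten condition is correct only because `len >= INT_MAX / 4 - 1 || len < 0` is evaluated before `len * 4 + 4 > buf_size`, so the multiplication can no longer overflow; nothing at the site records that, and reordering the tests would reintroduce the overflow this commit fixes. A comment above the if such as `/* the range tests must precede len * 4 + 4: they keep it from overflowing */` would protect the order. tm2_read_stream starts and ends outside the hunk.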
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 2d3540a229..920887b2a0 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -445,6 +445,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); From ee2396cefd7ea19737cf41cce43f61c2c2f73fb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jun 2017 19:57:08 +0200 Subject: [PATCH 310/818] avcodec/jpeg2000dec: Check nonzerobits more completely Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int' Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b23e1678d5..f1abc9a5ef 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -960,9 +960,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; From f17443cdcdfadf6c32b390db936215b56396ad85 Mon Sep 17 00:00:00 2001 
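Review bot: `maxnlpc > 1024U` relies on the usual arithmetic conversions to also reject a negative maxnlpc (the `%d` in the message shows the variable is signed), which is easy to misread, and 1024 is an unexplained magic number. Spelling it out, e.g. `if (maxnlpc < 0 || maxnlpc > MAX_NLPC)` with a named `MAX_NLPC` constant and a comment noting that the limit is a generous sanity cap rather than a format constraint, keeps the OOM protection while making the intent explicit. read_header starts and ends outside the hunk.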
From: Michael Niedermayer Date: Sat, 17 Jun 2017 00:34:08 +0200 Subject: [PATCH 311/818] avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int' Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index c05a66d14c..03bf068ce2 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -272,12 +272,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } From 7119574f4831f22df5f026f691b6da1f1d687355 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 14:54:19 +0200 Subject: [PATCH 312/818] avcodec/hevcpred_template: Fix left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b) 
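Review bot: `delta` is widened to int64_t, but `prev_delta_msb = delta;` then stores it into prev_delta_msb, whose declaration is outside the hunk; if that variable is still an int, the sum `delta + prev_delta_msb` that overflowed before is now silently truncated on the store instead, and the next iteration reads the truncated value. Either declare prev_delta_msb as int64_t as well or range-check delta before storing it; the `poc != (int32_t)poc` test only covers the poc result. decode_lt_rps starts and ends outside the hunk.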
Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6ae87cca13..6fe33546b1 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ From 347cc89daf90eaa307b966445cbdeff9ba026c64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 15:06:21 +0200 Subject: [PATCH 313/818] avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows Fixes: runtime error: signed integer overflow: 58065 * 51981 cannot be represented in type 'int' Fixes: 2271/clusterfuzz-testcase-minimized-5778297776504832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c746f92a8e03d5a062359fba836eba4b3530687e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index d183cbb87d..c746aed924 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c 
@@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; From 4384481fbcb6154534b3dab5a1cc37529296d532 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2017 14:37:19 +0200 Subject: [PATCH 314/818] avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int' Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index dbcc11747d..2861a813e1 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -889,7 +889,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: From b8d0d7674066c06eaf0bf15b21cd748ae3c06446 Mon Sep 17 00:00:00 2001 
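Review bot: The `i1` line keeps `i_ict_params[1] * *src1` and `i_ict_params[2] * *src2` as plain `int` products, so the overflow class this commit removes from `i0` and `i2` remains for the middle component whenever a table coefficient times a sample no longer fits 32 bits (the table's magnitudes are outside the hunk). Widening those two products to `int64_t`, or bounding the sample range before the colour transform, would close that gap. The literals `26345` and `-14942` now sit next to the `i_ict_params[]` table they were presumably derived from; a comment such as `/* 26345 and -14942 are i_ict_params[0] - 65536 and i_ict_params[3] - 2*65536; the integer parts are added as *src2 and 2 * *src1 to keep each product in range */` ties them together — confirm the arithmetic against the table's definition. ict_int continues outside the hunk.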
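Review bot: `samples[i] = decoded[i] + 0x80U;` removes the signed overflow but keeps the silent wrap: a decoded value outside the 8-bit range is truncated into the `uint8_t` output with no clip and no error, so corrupt input now yields wrapped samples instead of a sanitizer report. If out-of-range values are invalid for U8P output, clamping a widened sum with `av_clip_uint8` or rejecting the frame would be the more defensive fix; if the wrap is intended, say so in a comment on that line. tak_decode_frame continues outside the hunk.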
From: Anton Mitrofanov Date: Wed, 31 May 2017 02:37:41 +0300 Subject: [PATCH 315/818] avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 Use the correct ctxIdxInc calculation for coded_block_flag. Keep old behavior for old versions of x264 for backward compatibility. Signed-off-by: Ronald S. Bultje (cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 47 +++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index a1a16daafa..79b1c492da 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2347,21 +2347,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = sl->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->sei.unregistered.x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(sl->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(sl->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (sl->top_type && !IS_8x8DCT(sl->top_type)){ - uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; From e8558abeaf704005ff84c10629da32f6a6a49651 Mon Sep 17 00:00:00 2001 
From: Anton Mitrofanov Date: Tue, 13 Jun 2017 23:37:29 +0300 Subject: [PATCH 316/818] avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 Signed-off-by: Ronald S. Bultje (cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 638dcba2f9..cb9fe856b2 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -637,7 +637,7 @@ static av_always_inline void hl_decode_mb_predict_luma(const H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = sl->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->ps.sps->profile_idc == 244 && dir <= 1) { - if (h->sei.unregistered.x264_build != -1) { + if (h->sei.unregistered.x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), From b2522f35ecd1d68edea66d1d387036a15162759b Mon Sep 17 00:00:00 2001 From: Anton Mitrofanov Date: Wed, 14 Jun 2017 03:01:56 +0300 Subject: [PATCH 317/818] avcodec/h264: Fix mix of lossless and lossy MBs decoding Signed-off-by: Ronald S. Bultje (cherry picked from commit cf231b68da1150c100114f2c5671b7ed740f917a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 16 ++++++++-------- libavcodec/h264_cavlc.c | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 79b1c492da..04b77f284f 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
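Review bot: Replacing `!= -1` with `< 151U` changes behaviour for streams that carry no x264 SEI at all, not only for new x264: `x264_build == -1` compares as `UINT_MAX`, so such streams now take the `pred8x8l_filter_add` path where they previously used `pred8x8l_add`. That is presumably the intended conformant behaviour, but the commit message only mentions new x264 versions, so the condition needs a comment: `/* x264 builds before 151 need pred8x8l_add here; anything else, including x264_build == -1 (no x264 SEI, UINT_MAX in this compare), uses the filtered prediction */`. The literal 151 is also duplicated from h264_cabac.c in PATCH 315 above; a shared named constant would keep the two sites in step. hl_decode_mb_predict_luma continues outside the hunk.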
@@ -2389,14 +2389,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const uint32_t *qmul; - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - // decode_cabac_mb_dqp if(get_cabac_noinline( &sl->cabac, &sl->cabac_state[60 + (sl->last_qscale_diff != 0)])){ int val = 1; @@ -2427,6 +2419,14 @@ decode_intra_mb: }else sl->last_qscale_diff=0; + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 0); if (CHROMA444(h)) { decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 1); diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 72dfaaab45..cd2e97af7e 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1102,14 +1102,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const int max_qp = 51 + 6 * (h->ps.sps->bit_depth_luma - 8); - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - dquant= get_se_golomb(&sl->gb); sl->qscale += (unsigned)dquant; 
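Review bot: The scan-table selection moved below the dqp/qscale update in both h264_cabac.c hunks and in both h264_cavlc.c hunks (the second cavlc hunk is on the next line), but nothing at the new position says why it must stay there, so the move reads as arbitrary. Add a comment above the relocated `if(IS_INTERLACED(mb_type))` in each file: `/* must come after the qscale update: the *_q0 tables are chosen on the final qscale, otherwise a lossless MB following a lossy one (per the commit title) gets the wrong scan */`. Alternatively, factor the four-line selection into a small `static inline` helper per decoder so the ordering constraint lives in one place. The enclosing decode_mb functions start and end outside the hunks.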
@@ -1126,6 +1118,14 @@ decode_intra_mb: sl->chroma_qp[0] = get_chroma_qp(h->ps.pps, 0, sl->qscale); sl->chroma_qp[1] = get_chroma_qp(h->ps.pps, 1, sl->qscale); + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + if ((ret = decode_luma_residual(h, sl, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 0)) < 0 ) { return -1; } From 93456ca3eacc9e7a58bfb39a83bccc679baf07e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 17:58:45 +0200 Subject: [PATCH 318/818] avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reduces the worst case from O(n²) to O(n) time Fixes Timeout Fixes: 2127/clusterfuzz-testcase-minimized-6595787859427328 Signed-off-by: Michael Niedermayer (cherry picked from commit 4132218b87cd6fb13abd162e3037ef4563286baa) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 16295daa0c..70311c66d5 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -56,6 +56,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; SrtStack stack[16]; + int closing_brace_missing = 0; stack[0].tag[0] = 0; strcpy(stack[0].param[PARAM_SIZE], "{\\fs}"); 
@@ -83,11 +84,20 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) and all microdvd like styles such as {Y:xxx} */ len = 0; an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - if ((an != 1 && (len = 0, sscanf(in, "{\\%*[^}]}%n", &len) >= 0 && len > 0)) || - (len = 0, sscanf(in, "{%*1[CcFfoPSsYy]:%*[^}]}%n", &len) >= 0 && len > 0)) { - in += len - 1; - } else - av_bprint_chars(dst, *in, 1); + + if (!closing_brace_missing) { + if ( (an != 1 && in[1] == '\\') + || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { + char *bracep = strchr(in+2, '}'); + if (bracep) { + in = bracep; + break; + } else + closing_brace_missing = 1; + } + } + + av_bprint_chars(dst, *in, 1); break; case '<': tag_close = in[1] == '/'; From cf61bf81073e2721c0c7c30738af2d63322f83d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:04:32 +0200 Subject: [PATCH 319/818] avcodec/aacdec_fixed: Check s for being too small Fixes: runtime error: shift exponent -8 is negative Fixes: 2286/clusterfuzz-testcase-minimized-5711764169687040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf7edbd6c5d48d7302877352f7b60092d5b65243) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 4506001619..0cac3bf4eb 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -181,14 +181,15 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) out = (int)(((int64_t)src[i] * c) >> 32); dst[i] = ((int)(out+round) >> s) * ssign; } - } - else { + } else if (s > -32) { s = s + 32; round = 1 << (s-1); for (i=0; i> s); dst[i] = out * (unsigned)ssign; } + } else { + av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n"); } } 
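Review bot: `closing_brace_missing` is set once and never cleared, so after the first `{` with no `}` every later brace sequence is copied literally; that is correct only because `strchr(in+2, '}')` scans to the end of the string, which means no later `{` can be closed either, but the reader has to reconstruct that argument. A comment where the flag is set, `/* no '}' anywhere after this point, so no later '{...}' tag can be complete either: copy the rest literally (keeps the scan O(n)) */`, makes the invariant explicit. `in = bracep; break;` leaves `in` on the `}` and presumably relies on the loop increment outside the hunk to step past it, matching the old `in += len - 1`; a short comment there would help too. ff_htmlmarkup_to_ass continues outside the hunk.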
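Review bot: The new `else` branch logs and returns without writing `dst[]`, so when `s <= -32` the caller of this void function continues with whatever `dst` held before; unless the caller zeroes or never reads it on this path (not visible here), stale or uninitialized coefficients flow downstream. Writing `memset(dst, 0, len * sizeof(*dst));` before the log, or returning an error the caller checks, would make the failure deterministic. `av_log(NULL, ...)` also drops any link to the stream being decoded; the signature has no context to pass, so consider threading one through if the message is meant to be actionable. subband_scale's body continues outside the hunk.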
From eaf2bacca1c42bc784bb0994d1d91171e864e62d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:08:58 +0200 Subject: [PATCH 320/818] avcodec/wavpack: Fix undefined integer negation Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index ba5fa7a266..96d6d65bf0 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -313,8 +313,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else From 72403ba2b9d6911f9a823090800fe133a85d7cd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:35:49 +0200 Subject: [PATCH 321/818] avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) Fixes: runtime error: signed integer overflow: -1575818955 + -915383657 cannot be represented in type 'int' Fixes: 2224/clusterfuzz-testcase-minimized-6208559949807616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e95fcfe8fb28fdfdaecec465c60aad79bc340a3d) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
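Review bot: `S <<= s->float_shift;` two lines above the changed ones still left-shifts a signed `S`, and the very next statement tests `S < 0`, so the same class of undefined behaviour the rest of this series removes (left shift of a negative value) is left in place here. Doing the shift on the unsigned representation, `S = (unsigned)S << s->float_shift;`, is consistent with the `-(unsigned)S` this hunk introduces, assuming `float_shift` is already bounded below 32 elsewhere. wv_get_value_float continues outside the hunk.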
diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 182adfa8ca..88ca247f87 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -117,11 +117,14 @@ void ff_lpc_end(LPCContext *s); #if USE_FIXED typedef int LPC_TYPE; +typedef unsigned LPC_TYPE_U; #else #ifdef LPC_USE_DOUBLE typedef double LPC_TYPE; +typedef double LPC_TYPE_U; #else typedef float LPC_TYPE; +typedef float LPC_TYPE_U; #endif #endif // USE_FIXED @@ -192,8 +195,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j < (i+1)>>1; j++) { LPC_TYPE f = lpc_last[ j]; LPC_TYPE b = lpc_last[i-1-j]; - lpc[ j] = f + AAC_MUL26(r, b); - lpc[i-1-j] = b + AAC_MUL26(r, f); + lpc[ j] = f + (LPC_TYPE_U)AAC_MUL26(r, b); + lpc[i-1-j] = b + (LPC_TYPE_U)AAC_MUL26(r, f); } if (fail && err < 0) From ada21bca5551977ab00c5a799b20dbff544ac3f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 13:52:06 +0200 Subject: [PATCH 322/818] avcodec/mpeg4videodec: Fix overflow in virtual_ref computation Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 99680dabc3..d2f22dd372 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
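Review bot: `LPC_TYPE_U` is declared as `double`/`float` in the floating-point builds, i.e. a second name for the same type, and only differs from `LPC_TYPE` in the fixed-point build where it is `unsigned`; nothing in the header says so, and a reader will wonder what the "U" promises. A comment on the typedef block, `/* LPC_TYPE_U: wrapping counterpart of LPC_TYPE; only distinct in the fixed-point build, where the unsigned cast makes the accumulation in compute_lpc_coefs wrap instead of overflow */`, documents the contract. The cast in `f + (LPC_TYPE_U)AAC_MUL26(r, b)` then converts back to `LPC_TYPE` on store, which is implementation-defined rather than undefined, so the result is wrap-around, not a range check. compute_lpc_coefs continues outside the hunk.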
@@ -243,18 +243,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: From 5b8a97d000efe57b898d64c54b366b927eddd162 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 14:38:34 +0200 Subject: [PATCH 323/818] avcodec/hevc_filter: Fix invalid shift Fixes: runtime error: left shift of negative value -1 Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b) 
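Review bot: The `16LL` widening only covers the `vop_ref` products; `r * sprite_ref[x][y]` in each of the eight subexpressions is still an `int` times an `int`, so whether the formulas are now overflow-free depends on the range of `sprite_ref` (read from the bitstream, declared outside the hunk). The 64-bit results are also assigned to `virtual_ref[][]` without a range check, so an out-of-range value is narrowed on store rather than rejected; if `virtual_ref` is `int`, a check returning `AVERROR_INVALIDDATA` before the `switch` would be the consistent handling. The four formulas differ only in indices, so a `static inline int64_t` helper taking the two `sprite_ref`/`vop_ref` pairs would make the widening uniform instead of scattered across eight literals. mpeg4_decode_sprite_trajectory continues outside the hunk.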
Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 14e7c8dd50..b53f4cc721 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -470,7 +470,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) From fe8960ab8623427bb0ebfaa97a64762543a09120 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jun 2017 17:56:34 +0200 Subject: [PATCH 324/818] avcodec/cfhd: Fix undefined shift Fixes: runtime error: left shift of negative value -1 Fixes: 2303/clusterfuzz-testcase-minimized-5529675273076736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a950f4e32a9756391f81987246d96b6549dd447) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index ed127de29e..2a53a23c2b 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -711,7 +711,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From 0749384f0a7de0d03c2dbec99d58d33c4290b7eb Mon Sep 17 00:00:00 2001 
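Review bot: `(tc_offset & -2)` replaces `tc_offset >> 1 << 1` and is not self-explanatory, so the macro needs a comment: `/* clear the low bit (round down to even) without left-shifting a possibly negative tc_offset */`. The macro also captures `tc_offset` from the enclosing scope rather than taking it as a parameter, which this change does not introduce but makes harder to spot now that the expression is compact; passing it explicitly as `TC_CALC(qp, bs, tc_offset)` would remove the hidden dependency. The macro's user deblocking_filter_CTB starts at the end of the hunk and continues outside it.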
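Review bot: `output[j] *= 4;` swaps an undefined shift for a silent wrap: if the subband elements are a 16-bit type the product is truncated on store, and if they are `int` the multiply can still overflow for large coefficients, so the change moves the problem rather than bounding the input. A clip to the expected coefficient range, or a comment stating that wrap-around is acceptable here, would make the intent explicit. The same line is changed again in PATCH 336 at the end of this page (`@@ -663` in cfhd.c), which suggests the two loops should share one helper. cfhd_decode continues outside the hunk.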
From: Michael Niedermayer Date: Wed, 21 Jun 2017 19:34:31 +0200 Subject: [PATCH 325/818] avcodec/cfhd: Check bpc before setting bpc in context Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 2306/clusterfuzz-testcase-minimized-5002997392211968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f1d2355a7e4d681bea82b4cf4280272d9fe8af3) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 2a53a23c2b..16fbdb0b78 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -258,6 +258,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->coded_height = data; } else if (tag == 101) { av_log(avctx, AV_LOG_DEBUG, "Bits per component: %"PRIu16"\n", data); + if (data < 1 || data > 31) { + av_log(avctx, AV_LOG_ERROR, "Bits per component %d is invalid\n", data); + ret = AVERROR(EINVAL); + break; + } s->bpc = data; } else if (tag == 12) { av_log(avctx, AV_LOG_DEBUG, "Channel Count: %"PRIu16"\n", data); @@ -404,12 +409,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Other codebook? %i\n", s->codebook); } else if (tag == 70) { av_log(avctx, AV_LOG_DEBUG, "Subsampling or bit-depth flag? %i\n", data); - s->bpc = data; - if (!(s->bpc == 10 || s->bpc == 12)) { + if (!(data == 10 || data == 12)) { av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n"); ret = AVERROR(EINVAL); break; } + s->bpc = data; } else if (tag == 84) { av_log(avctx, AV_LOG_DEBUG, "Sample format? %i\n", data); if (data == 1) From f1116294aa3e63105b34f8b70a11146bc9f1e8ab Mon Sep 17 00:00:00 2001 
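Review bot: The new tag-101 check accepts `data == 31`, but if the downstream use is `1 << s->bpc` on an `int` (the commit message reports a shift exponent of 32 being too large), 31 still produces a value that does not fit in `int`, so the upper bound should be 30 or the shift must be performed on an unsigned; confirm against the shift site, which is outside the hunk. The tag-70 path in the second hunk accepts only 10 or 12 into the same `s->bpc`, so the two writers of that field now validate inconsistently; a single `static int cfhd_check_bpc(int)` or one shared bound keeps them aligned. The error line also prints `data` with `%d` while the debug line above uses `%"PRIu16"`; match the existing format. cfhd_decode continues outside the hunks.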
From: Michael Niedermayer Date: Thu, 22 Jun 2017 20:21:05 +0200 Subject: [PATCH 326/818] avcodec/tiff: Update pointer only when the result is used Fixes: runtime error: signed integer overflow: 538976288 * 32 cannot be represented in type 'int' Fixes: 2310/clusterfuzz-testcase-minimized-4534784887881728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27f80ab0160d2e64007e1c9799ffd4504cc13eb5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6d833cd992..78bae5d6d4 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1303,6 +1303,8 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { + if (i) + dst += s->rps * stride; if (s->stripsizesoff) ssize = ff_tget(&stripsizes, s->sstype, le); else @@ -1323,7 +1325,6 @@ static int decode_frame(AVCodecContext *avctx, return ret; break; } - dst += s->rps * stride; } if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { From 3ed986522ad5766812ce90ff4605df4b0a33d58d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 21:21:56 +0200 Subject: [PATCH 327/818] avcodec/takdec: Fix integer overflow Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int' Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 2861a813e1..3583a31210 100644 
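Review bot: The relocated `if (i) dst += s->rps * stride;` is an unusual loop shape with nothing at the site explaining why the advance moved to the top, which invites a later "cleanup" back to the bottom. A comment on the new lines, `/* advance before decoding, not after: the last iteration then never computes rps * stride, which does not fit in int for an oversized rps */`, keeps the intent visible. The product itself is still a plain `int` multiply; it is bounded only because `rps < height` whenever the loop reaches a second iteration, so `rps * stride` stays below the plane size, which is worth stating in the same comment. decode_frame continues outside the hunk.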
--- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -483,7 +483,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { v += s->residues[i + j + 3] * s->filter[j + 3] + From 94f3c06678c7e924c537c7edac838a353ed729eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Jun 2017 01:58:48 +0200 Subject: [PATCH 328/818] avcodec/wavpack: Fix integer overflow Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int' Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 96d6d65bf0..aef538865b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -225,7 +225,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); From f21e96109dc9594281052117698ed0bf1cab6aab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Jun 2017 13:45:35 +0200 Subject: [PATCH 329/818] avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 Fixes: runtime error: shift exponent -1 is negative Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
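Review bot: The `(unsigned)` cast covers only the SIMD dot product; the tail loop that follows, `v += s->residues[i + j + 3] * s->filter[j + 3] + ...`, still accumulates signed `int` products into `v`, so the remaining `filter_order & 15` taps can overflow exactly as the vectorised part did. Declaring `v` as `unsigned` (or casting each tail product the same way) would make the accumulation uniformly wrapping. `1 << (filter_quant - 1)` on the first context line is undefined if `filter_quant` is 0; if it is validated earlier (outside the hunk), a comment saying so would help. decode_subframe continues outside the hunk.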
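Review bot: Only the last term became unsigned: `+` is left-associative, so `GET_MED(0) + GET_MED(1)` is still evaluated as a signed `int` addition before the unsigned product is added, and two large medians can still overflow there. Casting the first operand, `base = (unsigned)GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U);`, makes the whole expression wrap-only. `base` then receives an unsigned value through an implicit conversion; a short comment that the medians are meant to wrap here would make that deliberate. wv_get_value continues outside the hunk.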
Signed-off-by: Michael Niedermayer (cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d2f22dd372..89c4b367f7 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -171,7 +171,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; From ea153eb52cba9cf3260e76db9599ccd21c2d705d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jun 2017 00:00:13 +0200 Subject: [PATCH 330/818] avcodec/hevc_ps: Fix max_dec_buffer check Fixes: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 2339/clusterfuzz-testcase-minimized-6663164320022528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e7bfe78e6d764097e845248f6d77b28b2b235c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 19919e562f..8952bae439 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
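Review bot: `int alpha = 1;` replaces `0` with no explanation at the site, so the value looks like an arbitrary initialiser; a comment is needed, e.g. `/* start at 1: a later shift uses alpha - 1, so width 1 (where no doubling step runs) must not yield a negative shift count */` — the shift itself is outside the hunk, so confirm the wording against it. `int beta = 0;` on the next line is the vertical counterpart and is left at 0; if it is derived from `h` the same way and used in a matching `beta - 1` shift, a height-1 stream hits the same negative shift. mpeg4_decode_sprite_trajectory continues outside the hunk.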
@@ -939,9 +939,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->temporal_layer[i].max_dec_pic_buffering = get_ue_golomb_long(gb) + 1; sps->temporal_layer[i].num_reorder_pics = get_ue_golomb_long(gb); sps->temporal_layer[i].max_latency_increase = get_ue_golomb_long(gb) - 1; - if (sps->temporal_layer[i].max_dec_pic_buffering > HEVC_MAX_DPB_SIZE) { + if (sps->temporal_layer[i].max_dec_pic_buffering > (unsigned)HEVC_MAX_DPB_SIZE) { av_log(avctx, AV_LOG_ERROR, "sps_max_dec_pic_buffering_minus1 out of range: %d\n", - sps->temporal_layer[i].max_dec_pic_buffering - 1); + sps->temporal_layer[i].max_dec_pic_buffering - 1U); return AVERROR_INVALIDDATA; } if (sps->temporal_layer[i].num_reorder_pics > sps->temporal_layer[i].max_dec_pic_buffering - 1) { From 165b2ee6920ac113ac39b1ce101d7cd7c68ca787 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jun 2017 00:13:53 +0200 Subject: [PATCH 331/818] avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int' Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index aef538865b..b964b3c2fa 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -480,7 +480,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } 
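Review bot: The log line now passes `max_dec_pic_buffering - 1U`, an `unsigned`, to a `%d` conversion; make it `%u` so the printed value is not reinterpreted as negative. The `(unsigned)HEVC_MAX_DPB_SIZE` cast works by pulling a negative field value up to a huge unsigned so the `>` test rejects it, which is correct but non-obvious; a comment such as `/* unsigned compare: also rejects negative values that wrapped into the field */` would explain why the plain constant was not enough. ff_hevc_parse_sps continues outside the hunk.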
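Review bot: `FFABS(L) + (unsigned)FFABS(R)` makes the addition wrap, but `FFABS()` itself negates an `int`, so `L == INT_MIN` or `R == INT_MIN` still overflows inside the macro before the cast applies. Taking the magnitude on the unsigned representation, e.g. `(L < 0 ? -(unsigned)L : (unsigned)L) + (R < 0 ? -(unsigned)R : (unsigned)R) > (1<<19)`, or the `FFABSU` helper if this branch has it, removes the remaining case. wv_unpack_stereo continues outside the hunk.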
From 0272afe70d6205caff05f3548da22a19f1eff9b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jul 2017 14:57:20 +0200 Subject: [PATCH 332/818] avcodec/apedec: Fix integer overflow Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index a6b14b8e24..15eb416ba4 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); From 736c73a24345712574ad389d71c4077e88745083 Mon Sep 17 00:00:00 2001 
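Review bot: `av_assert0(decoded_buffer_size <= INT_MAX)` aborts the process if the condition ever fails, and its inputs come from the bitstream; it is safe only because the new `nblocks` bound two hunks up guarantees `2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)` fits, assuming `blockstodecode` cannot exceed `nblocks` (the `s->samples` path is outside the hunk). That dependency should be written down at the assert, e.g. `/* cannot fire: nblocks was bounded to INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8 above */`, so a later change to either bound is caught in review rather than by an abort on crafted input. The `- 8` in the bound is the FFALIGN slack and deserves a word in the same comment. ape_decode_frame continues outside the hunks.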
From: Michael Niedermayer Date: Mon, 26 Jun 2017 15:05:08 +0200 Subject: [PATCH 333/818] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: -163654656 * 256 cannot be represented in type 'int' Fixes: 2367/clusterfuzz-testcase-minimized-4648678897745920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea5366670e26b2c6c396e6a5f49827a2b71e6dd6) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 735ed0b1dc..e4aa2e4a3d 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] *= 1 << I_PRESHIFT; + data[i] *= 1LL << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From f3cb2eedebbc18c206c9d9cff03f09f91ed9da7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Jun 2017 14:11:00 +0200 Subject: [PATCH 334/818] avcodec/hevcdec: do basic validity check on delta_chroma_weight and offset Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 2385/clusterfuzz-testcase-minimized-6594333576790016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c874548d663225a61b9c25a8b2ce490d26b65fa) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 03bf068ce2..f673b08c15 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
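Review bot: `data[i] *= 1LL << I_PRESHIFT;` computes in 64 bits but stores back into an `int32_t`, so values beyond ±2^(31 - I_PRESHIFT) are now narrowed silently (implementation-defined) instead of being reported as overflow; the sanitizer goes quiet, but the coefficient is still wrong. If such magnitudes are invalid for a decoded subband, `data[i] = av_clipl_int32(data[i] * (1LL << I_PRESHIFT));` or rejecting the tile upstream would be the honest fix; if the wrap is acceptable, a comment on the line should say so. dwt_decode97_int continues outside the hunk.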
@@ -138,7 +138,7 @@ fail: return AVERROR(ENOMEM); } -static void pred_weight_table(HEVCContext *s, GetBitContext *gb) +static int pred_weight_table(HEVCContext *s, GetBitContext *gb) { int i = 0; int j = 0; @@ -181,6 +181,12 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) for (j = 0; j < 2; j++) { int delta_chroma_weight_l0 = get_se_golomb(gb); int delta_chroma_offset_l0 = get_se_golomb(gb); + + if ( (int8_t)delta_chroma_weight_l0 != delta_chroma_weight_l0 + || delta_chroma_offset_l0 < -(1<<17) || delta_chroma_offset_l0 > (1<<17)) { + return AVERROR_INVALIDDATA; + } + s->sh.chroma_weight_l0[i][j] = (1 << s->sh.chroma_log2_weight_denom) + delta_chroma_weight_l0; s->sh.chroma_offset_l0[i][j] = av_clip((delta_chroma_offset_l0 - ((128 * s->sh.chroma_weight_l0[i][j]) >> s->sh.chroma_log2_weight_denom) + 128), -128, 127); @@ -217,6 +223,12 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) for (j = 0; j < 2; j++) { int delta_chroma_weight_l1 = get_se_golomb(gb); int delta_chroma_offset_l1 = get_se_golomb(gb); + + if ( (int8_t)delta_chroma_weight_l1 != delta_chroma_weight_l1 + || delta_chroma_offset_l1 < -(1<<17) || delta_chroma_offset_l1 > (1<<17)) { + return AVERROR_INVALIDDATA; + } + s->sh.chroma_weight_l1[i][j] = (1 << s->sh.chroma_log2_weight_denom) + delta_chroma_weight_l1; s->sh.chroma_offset_l1[i][j] = av_clip((delta_chroma_offset_l1 - ((128 * s->sh.chroma_weight_l1[i][j]) >> s->sh.chroma_log2_weight_denom) + 128), -128, 127); @@ -229,6 +241,7 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) } } } + return 0; } static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) 
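Review bot: The two new range checks are literal copies (int8 round-trip for the weight, ±(1<<17) for the offset) in the l0 and l1 loops, and neither logs before returning `AVERROR_INVALIDDATA`, so a rejected slice leaves no trace of which field was out of range. A small `static int check_chroma_weight(int weight, int offset)` called from both loops, with one `av_log` on the codec context on failure, removes the duplication and gives the operator a message. The luma weight/offset values read earlier in each loop (outside the hunks) are presumably fed into similar `av_clip(... 128 * weight ...)` arithmetic and may need the same bound. pred_weight_table starts in the first hunk on this line and its caller change is on the next line.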
@@ -682,7 +695,9 @@ static int hls_slice_header(HEVCContext *s) if ((s->ps.pps->weighted_pred_flag && sh->slice_type == HEVC_SLICE_P) || (s->ps.pps->weighted_bipred_flag && sh->slice_type == HEVC_SLICE_B)) { - pred_weight_table(s, gb); + int ret = pred_weight_table(s, gb); + if (ret < 0) + return ret; } sh->max_num_merge_cand = 5 - get_ue_golomb_long(gb); From 132037ad5b6eff8e446dc78e89c525bb2445b59e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:29:02 +0200 Subject: [PATCH 335/818] avcodec/vb: Check vertical GMC component before multiply Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int' Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 560165adc7..021657f7d8 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { From 94c8e53034bc3d5dad6e4f290839e83fc8643154 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:47:59 +0200 Subject: [PATCH 336/818] avcodec/cfhd: Fix invalid left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2395/clusterfuzz-testcase-minimized-6540529313513472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
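Review bot: The added check bounds only `j`, which presumably keeps `j * avctx->width` from overflowing given the usual dimension limits, but it does not validate the resulting `offset` against the frame; if that happens where `offset` is consumed, a comment should say this guard is only about the multiply, e.g. `/* bound j so that j * width cannot overflow; offset is range-checked where it is used */`. `i` is an int16_t, so the addition itself cannot overflow. decode_frame's body continues outside the hunk.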
Signed-off-by: Michael Niedermayer (cherry picked from commit c709f009dad20d99b28918f4f8d7cd394b838def) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 16fbdb0b78..f78bad9ae1 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -663,7 +663,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From 1a21edf7b885df9e48b142b6080c8265a9d3643c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jun 2017 16:23:32 +0200 Subject: [PATCH 337/818] avcodec/hevc_ps: Fix integer overflow with beta/tc offsets Fixes: runtime error: signed integer overflow: 2113929216 * 2 cannot be represented in type 'int' Fixes: 2422/clusterfuzz-testcase-minimized-5242114713583616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de54a37c1dfa2817b5838720fac44e82312ccbfd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8952bae439..65de6f0f81 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1608,20 +1608,22 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, pps->deblocking_filter_override_enabled_flag = get_bits1(gb); pps->disable_dbf = get_bits1(gb); if (!pps->disable_dbf) { - pps->beta_offset = get_se_golomb(gb) * 2; - pps->tc_offset = get_se_golomb(gb) * 2; - if (pps->beta_offset/2 < -6 || pps->beta_offset/2 > 6) { + int beta_offset_div2 = get_se_golomb(gb); + int tc_offset_div2 = get_se_golomb(gb) ; + if (beta_offset_div2 < -6 || beta_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_beta_offset_div2 out of range: %d\n", - pps->beta_offset/2); + beta_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->tc_offset/2 < -6 || pps->tc_offset/2 > 6) { + if (tc_offset_div2 < -6 || tc_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_tc_offset_div2 out of range: %d\n", - pps->tc_offset/2); + tc_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } + pps->beta_offset = 2 * beta_offset_div2; + pps->tc_offset = 2 * tc_offset_div2; } } From 0a36341e967d69136c5a904b58c809f9d38c84c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jul 2017 00:05:11 +0200 Subject: [PATCH 338/818] avcodec/h264_slice: Fix signed integer overflow Fixes: runtime error: signed integer overflow: 26 + 2147483644 cannot be represented in type 'int' Fixes: 2456/clusterfuzz-testcase-minimized-4822695051001856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7592d97f10134422d4509ab1287796af70e003ba) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 506e6775dc..86b72dff7f 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
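Review bot: Style: `int tc_offset_div2 = get_se_golomb(gb) ;` has a stray space before the semicolon; `int tc_offset_div2 = get_se_golomb(gb);`. Moving the `* 2` after the range checks is the right fix, since the multiplication now only sees values in [-6, 6]. ff_hevc_decode_nal_pps continues outside the hunk.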
@@ -1805,7 +1805,7 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, } sl->last_qscale_diff = 0; - tmp = pps->init_qp + get_se_golomb(&sl->gb); + tmp = pps->init_qp + (unsigned)get_se_golomb(&sl->gb); if (tmp > 51 + 6 * (sps->bit_depth_luma - 8)) { av_log(h->avctx, AV_LOG_ERROR, "QP %u out of range\n", tmp); return AVERROR_INVALIDDATA; From fb55620369845c057183993a14d8bd85633c2ff3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Jun 2017 13:47:32 +0200 Subject: [PATCH 339/818] avcodec/wavpack: Fix invalid shift Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c07af720984acaafaa273369080b458d73975775) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b964b3c2fa..27d631c4e9 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -846,9 +846,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 31) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; From ba3a4a94bcedb10237540d859519d16900cb6b67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Jul 2017 22:33:52 +0200 Subject: [PATCH 340/818] avcodec/hevcdec: do not let updated extradata corrupt state Fixes: out of array access Fixes: 2451/clusterfuzz-testcase-minimized-4781613957251072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Hendrik Leppkes 
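Review bot: The `(unsigned)` cast makes the arithmetic well-defined, but it only rejects negative `slice_qp_delta` values because `tmp` is unsigned and a wrapped sum exceeds the upper bound; that is non-obvious and deserves a comment, e.g. `/* unsigned on purpose: a negative result wraps to a large value and fails the range check below */`. The declaration of `tmp` is outside the hunk, so I am inferring its type from the `%u` in the log call.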
Signed-off-by: Michael Niedermayer (cherry picked from commit c8cfbc6629c1fe5755b59a3bcfd95ad08b843a07) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f673b08c15..5579a4df43 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2995,7 +2995,7 @@ static int verify_md5(HEVCContext *s, AVFrame *frame) return 0; } -static int hevc_decode_extradata(HEVCContext *s, uint8_t *buf, int length) +static int hevc_decode_extradata(HEVCContext *s, uint8_t *buf, int length, int first) { AVCodecContext *avctx = s->avctx; GetByteContext gb; @@ -3057,7 +3057,7 @@ static int hevc_decode_extradata(HEVCContext *s, uint8_t *buf, int length) /* export stream parameters from the first SPS */ for (i = 0; i < FF_ARRAY_ELEMS(s->ps.sps_list); i++) { - if (s->ps.sps_list[i]) { + if (first && s->ps.sps_list[i]) { const HEVCSPS *sps = (const HEVCSPS*)s->ps.sps_list[i]->data; export_stream_params(s->avctx, &s->ps, sps); break; @@ -3087,7 +3087,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, new_extradata = av_packet_get_side_data(avpkt, AV_PKT_DATA_NEW_EXTRADATA, &new_extradata_size); if (new_extradata && new_extradata_size > 0) { - ret = hevc_decode_extradata(s, new_extradata, new_extradata_size); + ret = hevc_decode_extradata(s, new_extradata, new_extradata_size, 0); if (ret < 0) return ret; } @@ -3370,7 +3370,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->threads_number = 1; if (avctx->extradata_size > 0 && avctx->extradata) { - ret = hevc_decode_extradata(s, avctx->extradata, avctx->extradata_size); + ret = hevc_decode_extradata(s, avctx->extradata, avctx->extradata_size, 1); if (ret < 0) { hevc_decode_free(avctx); return ret; From 8d3ac812ffddeed24e3d7a55b0f997af9df49d61 Mon Sep 17 00:00:00 2001 
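Review bot: The new `first` parameter is undocumented, and the loop that exports stream parameters still iterates over every `sps_list` slot when `first` is 0, only to skip each one; hoisting the condition reads better: `if (first) { for (i = 0; ...) if (s->ps.sps_list[i]) { ... break; } }`. A one-line comment on the prototype, e.g. `/* first: 1 on init, 0 for in-band AV_PKT_DATA_NEW_EXTRADATA; only the first call exports stream parameters */`, would record why the two call sites differ. hevc_decode_extradata continues outside the hunks.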
From: Michael Niedermayer Date: Sun, 2 Jul 2017 03:30:54 +0200 Subject: [PATCH 341/818] avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() Fixes: runtime error: signed integer overflow: -2049425300 + -117591631 cannot be represented in type 'int' Fixes: part of 2096/clusterfuzz-testcase-minimized-4901566068817920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2061de8a3f73f14806e5f6ccaf9a635f740a54e6) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f42708a8a7..7d593a18b8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -253,8 +253,8 @@ static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], int m; for (m = 0; m < m_max; m++) { - int y0 = Y[m][0]; - int y1 = Y[m][1]; + unsigned y0 = Y[m][0]; + unsigned y1 = Y[m][1]; noise = (noise + 1) & 0x1ff; if (s_m[m].mant) { int shift, round; From 20d4514f25784e9e53c2df379b67de678db96ba4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jul 2017 22:51:57 +0200 Subject: [PATCH 342/818] avcodec/ylc: Fix vlc of 31 bits Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 2515/clusterfuzz-testcase-minimized-6197200012967936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fe9242204d33db070b8a9d907d93c9ead8a6f3ee) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index bf55e37be1..ae46b3b8c2 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c 
@@ -69,7 +69,7 @@ static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat, s = nodes[node].sym; if (s != -1) { - bits[*pos] = (~pfx) & ((1 << FFMAX(pl, 1)) - 1); + bits[*pos] = (~pfx) & ((1U << FFMAX(pl, 1)) - 1); lens[*pos] = FFMAX(pl, 1); xlat[*pos] = s + (pl == 0); (*pos)++; From 1667b3ea0fae18c52b227ba8ffc845d268ddddce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jul 2017 15:19:18 +0200 Subject: [PATCH 343/818] avcodec/aacps (fixed point): Fix multiple signed integer overflows Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int' Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 01f6d1f076..8b2cb9f02c 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
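Review bot: `1U << FFMAX(pl, 1)` is still undefined when `pl` reaches 32 (the width of unsigned int), and nothing in the hunk bounds `pl`; either a bound derived from the tree depth or a wider `1ULL` is needed, and the latter is what the later ylc commit on this page (Fix shift overflow) applies. get_tree_codes's body starts and ends outside the hunk.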
@@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT for (i = 0; i < NR_PAR_BANDS[is34]; i++) { for (n = n0; n < nL; n++) { int decayed_peak; - int denom; - decayed_peak = (int)(((int64_t)peak_decay_factor * \ peak_decay_nrg[i] + 0x40000000) >> 31); peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]); - power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2; - peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \ - peak_decay_diff_smooth[i] + 2) >> 2; - denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1); - if (denom > power_smooth[i]) { - int p = power_smooth[i]; - while (denom < 0x40000000) { - denom <<= 1; - p <<= 1; - } - transient_gain[i][n] = p / (denom >> 16); - } - else { - transient_gain[i][n] = 1 << 16; - } + power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2; + peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \ + peak_decay_diff_smooth[i]) >> 2; + + if (peak_decay_diff_smooth[i]) { + transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16); + } else + transient_gain[i][n] = 1 << 16; } } #else From dbb121688cecabf2210f598b17a1567506d5c634 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jul 2017 16:24:18 +0200 Subject: [PATCH 344/818] avcodec/mjpegdec: Clip DC also on the negative side. Fixes: runtime error: signed integer overflow: -16711425 + -2130772346 cannot be represented in type 'int' Fixes: 2533/clusterfuzz-testcase-minimized-5372857678823424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c28f648b19dd36ff9bc869ad527a1569a0b623e2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6cc9473309..bd6dd7ef47 100644 --- a/libavcodec/mjpegdec.c 
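Review bot: The constant 43691 is unexplained; it is 2/3 in Q16 (65536 * 2 / 3 ≈ 43690.67), standing in for the old `p / (denom >> 16)` with `denom = 1.5 * peak_decay_diff_smooth`, and a comment such as `/* 43691 = 2/3 in Q16: gain = power / (1.5 * diff), capped at 1.0 */` should accompany it. If `peak_decay_diff_smooth[i]` can become negative, the new expression yields a negative gain where the old `denom > power_smooth[i]` test would have selected `1 << 16`; I cannot tell from the hunk whether the smoothed difference is guaranteed non-negative. The 64-bit quotient is also stored back into an int without a check, which is fine only while `power_smooth[i]` stays within the intended range. decorrelation continues outside the hunk.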
+++ b/libavcodec/mjpegdec.c @@ -697,7 +697,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, return AVERROR_INVALIDDATA; } val = val * quant_matrix[0] + s->last_dc[component]; - val = FFMIN(val, 32767); + val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; /* AC coefs */ From 6ae1b70cb42bccf4255a5f41cee3369295ed294c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jul 2017 17:25:16 +0200 Subject: [PATCH 345/818] avcodec/magicyuv: Check that vlc len is not too large Fixes: runtime error: shift exponent -95 is negative Fixes: 2568/clusterfuzz-testcase-minimized-4926115716005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 341f01290c2353669ed2263f56e1a9f4c67cc597) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 5f09c0be53..acb94f57ee 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -97,7 +97,7 @@ static int huff_build10(VLC *vlc, uint8_t *len) for (i = 0; i < 1024; i++) { he[i].sym = 1023 - i; he[i].len = len[i]; - if (len[i] == 0) + if (len[i] == 0 || len[i] > 32) return AVERROR_INVALIDDATA; } AV_QSORT(he, 1024, HuffEntry, huff_cmp_len10); @@ -129,7 +129,7 @@ static int huff_build(VLC *vlc, uint8_t *len) for (i = 0; i < 256; i++) { he[i].sym = 255 - i; he[i].len = len[i]; - if (len[i] == 0) + if (len[i] == 0 || len[i] > 32) return AVERROR_INVALIDDATA; } AV_QSORT(he, 256, HuffEntry, huff_cmp_len); From 9ce4350c48d508b1881d2038a4e2764dde514d54 Mon Sep 17 00:00:00 2001 
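Review bot: The limit 32 appears as a bare number in both huff_build10 and huff_build; a constant defined once (a local enum or `#define`, e.g. along the lines of `MAX_VLC_LEN`) with a comment on why 32 is the bound (the code length has to fit the shift used when codes are assigned, which is outside the hunks) would keep the two checks from drifting apart: `if (len[i] == 0 || len[i] > MAX_VLC_LEN)`. Both functions continue outside the hunks.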
From: Michael Niedermayer Date: Fri, 14 Jul 2017 00:45:29 +0200 Subject: [PATCH 346/818] avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int' Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ef8f03133a0bd83c74200a8cf30982c0f574016) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 ++ libavcodec/aacdec_template.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 3c79a8a4a1..438d78a7aa 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -35,6 +35,7 @@ #define AAC_RENAME(x) x ## _fixed #define AAC_RENAME_32(x) x ## _fixed_32 typedef int INTFLOAT; +typedef unsigned UINTFLOAT; ///< Equivalent to INTFLOAT, Used as temporal cast to avoid undefined sign overflow operations. typedef int64_t INT64FLOAT; typedef int16_t SHORTFLOAT; typedef SoftFloat AAC_FLOAT; @@ -83,6 +84,7 @@ typedef int AAC_SIGNE; #define AAC_RENAME(x) x #define AAC_RENAME_32(x) x typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float INT64FLOAT; typedef float SHORTFLOAT; typedef float AAC_FLOAT; diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 978df68c42..f8ea327fa1 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c 
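Review bot: The doc comment on the new `UINTFLOAT` typedef says "temporal cast" where "temporary cast" is meant; suggested wording: `///< Equivalent to INTFLOAT, used as a temporary cast to avoid undefined signed-overflow operations.` The float-build counterpart in the second hunk carries no comment at all, so a reader of that branch has nothing telling them the two typedefs are intentionally the same type there.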
@@ -2389,7 +2389,7 @@ static int decode_extension_payload(AACContext *ac, GetBitContext *gb, int cnt, * @param decode 1 if tool is used normally, 0 if tool is used in LTP. * @param coef spectral coefficients */ -static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, +static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, IndividualChannelStream *ics, int decode) { const int mmm = FFMIN(ics->tns_max_bands, ics->max_sfb); @@ -2397,6 +2397,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, int bottom, top, order, start, end, size, inc; INTFLOAT lpc[TNS_MAX_ORDER]; INTFLOAT tmp[TNS_MAX_ORDER+1]; + UINTFLOAT *coef = coef_param; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; @@ -2426,7 +2427,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, // ar filter for (m = 0; m < size; m++, start += inc) for (i = 1; i <= FFMIN(m, order); i++) - coef[start] -= AAC_MUL26(coef[start - i * inc], lpc[i - 1]); + coef[start] -= AAC_MUL26((INTFLOAT)coef[start - i * inc], lpc[i - 1]); } else { // ma filter for (m = 0; m < size; m++, start += inc) { From 064d0c64628216b06ff96a0ddea494dfb09b0535 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jul 2017 02:08:50 +0200 Subject: [PATCH 347/818] avcodec/ffv1dec_template: Fix signed integer overflow Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2634/clusterfuzz-testcase-minimized-4540890636877824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4de4308d2aa3bfaa286ab566caf087d523cf9a85) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 21af155bba..892ccf22fa 100644 
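Review bot: `UINTFLOAT *coef = coef_param;` assigns an `int *` to an `unsigned *` in the fixed-point build, which is a constraint violation that compilers report as an incompatible-pointer-types warning; an explicit cast is needed, `UINTFLOAT *coef = (UINTFLOAT *)coef_param;`, ideally with a comment that the unsigned view exists only so the `-=` in the AR filter wraps instead of overflowing. In the float build both types are `float`, so the line is silently fine there, which is why the warning is easy to miss. apply_tns's body continues past the hunk.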
--- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -96,7 +96,7 @@ static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w, } if (sign) - diff = -diff; + diff = -(unsigned)diff; sample[1][x] = av_mod_uintp2(RENAME(predict)(sample[1] + x, sample[0] + x) + diff, bits); } From 2f2904030f22e288977745542852df9e64cbbfd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jul 2017 22:22:52 +0200 Subject: [PATCH 348/818] avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int' Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2886142e0c3b5f4304c6e2a2bd282770a8a47f93) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index f8ea327fa1..194572793e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2199,6 +2199,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb); gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0; gain_cache = GET_GAIN(scale, gain); +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } if (coup->coupling_point == AFTER_IMDCT) { coup->gain[c][0] = gain_cache; @@ -2216,6 +2220,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) t >>= 1; } gain_cache = GET_GAIN(scale, t) * s; +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } } coup->gain[c][idx] = gain_cache; From ab81ea10350c24d64cda8bcc36756598096451fd Mon Sep 17 00:00:00 2001 
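Review bot: The gain guard `(abs(gain_cache)-1024) >> 3 > 30` is duplicated at two sites and relies on an arithmetic right shift of a negative value whenever `abs(gain_cache) < 1024`, which is implementation-defined rather than portable; a small static helper, or the equivalent `abs(gain_cache) - 1024 > (30 << 3) + 7` which never shifts a negative number, used at both sites would remove both issues. A comment explaining what the `>> 3` extracts (presumably the exponent part of the fixed-point gain, in 1/8 steps) would help, since the hunk does not show GET_GAIN. decode_cce continues outside the hunks.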
From: Michael Niedermayer Date: Wed, 19 Jul 2017 15:28:08 +0200 Subject: [PATCH 349/818] Update for 3.3.3 Signed-off-by: Michael Niedermayer --- Changelog | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 67 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d719317dd6..5a9d620d8c 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,71 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.3: +- avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later +- avcodec/ffv1dec_template: Fix signed integer overflow +- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() +- avcodec/magicyuv: Check that vlc len is not too large +- avcodec/mjpegdec: Clip DC also on the negative side. +- avcodec/aacps (fixed point): Fix multiple signed integer overflows +- avcodec/ylc: Fix vlc of 31 bits +- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() +- avcodec/hevcdec: do not let updated extradata corrupt state +- avcodec/wavpack: Fix invalid shift +- avcodec/h264_slice: Fix signed integer overflow +- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets +- avcodec/cfhd: Fix invalid left shift of negative value +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/hevcdec: do basic validity check on delta_chroma_weight and offset +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/hevc_ps: Fix max_dec_buffer check +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/tiff: Update pointer only when the result is used +- avcodec/cfhd: Check bpc before setting bpc in context +- avcodec/cfhd: Fix undefined shift +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) +- avcodec/wavpack: Fix undefined integer negation +- avcodec/aacdec_fixed: Check s for being too small +- avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code +- 
avcodec/h264: Fix mix of lossless and lossy MBs decoding +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/truemotion2: Move skip computation after checks +- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() +- avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. +- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() +- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible +- avcodec/libvpxdec: Check that display dimensions fit in the storage dimensions +- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/cfhd: Check band parameters before storing them +- avcodec/h264_parse: Check picture structure 
when initializig weight table +- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- lavc/aarch64/simple_idct: fix idct_col4_top coefficient + + version 3.3.2: - avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' - avcodec/pafvideo: Fix assertion failure diff --git a/RELEASE b/RELEASE index 4772543317..619b537668 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.2 +3.3.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index baddcb8d8a..3ab8192e16 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.2 +PROJECT_NUMBER = 3.3.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 20c440edbc898af4dd99decb62e0fcecabab7784 Mon Sep 17 00:00:00 2001 From: Vodyannikov Aleksandr Date: Fri, 21 Jul 2017 11:49:45 +0200 Subject: [PATCH 350/818] avcodec/cfhd: Fix decoding regression due to height check Fixes: Ticket6546 Regression since: 54aaadf648073149f1ac34f56cbde4e6c5aa22ef Reviewed-by: Muhammad Faiz Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 47c93657249f1a4bc8a7aaf2f9f3a33510bee38c) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index f78bad9ae1..5ea8f24821 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
@@ -332,7 +332,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; From 4627033a236c538f76abb83f84d021af3eacd907 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Sat, 22 Jul 2017 00:09:29 +0200 Subject: [PATCH 351/818] doc/filters: typo in frei0r Signed-off-by: Brice Waegeneire Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index b1e063f63b..ed4d6c48c6 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -8263,7 +8263,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. From f10252e47d81ac043cd3a9e5d04e38f6e8ed4e26 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 19 Jul 2017 01:43:24 +0200 Subject: [PATCH 352/818] avcodec/dirac_vlc: Fix undefined shift Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long') Fixes: 2674/clusterfuzz-testcase-minimized-4999700518273024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e7daf6ce2a5893936ba18572c58180b29d67f9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_vlc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index 336d22a182..773f720858 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c @@ -216,9 +216,14 @@ static void generate_offset_lut(DiracGolombLUT *lut, int off) INIT_RESIDUE(res); SET_RESIDUE(res, idx, LUT_BITS); - l->preamble = CONVERT_TO_RESIDUE(res >> (RSIZE_BITS - off), off); l->preamble_bits = off; - l->sign = ((l->preamble >> (RSIZE_BITS - l->preamble_bits)) & 1) ? -1 : +1; + if (off) { + l->preamble = CONVERT_TO_RESIDUE(res >> (RSIZE_BITS - off), off); + l->sign = ((l->preamble >> (RSIZE_BITS - l->preamble_bits)) & 1) ? -1 : +1; + } else { + l->preamble = 0; + l->sign = 1; + } search_for_golomb(l, res << off, LUT_BITS - off); } From a930db5c829919511e15694dd03d1b9ded8a705e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2017 16:52:47 +0200 Subject: [PATCH 353/818] avcodec/aacdec_fixed: fix: left shift of negative value -1 Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2dfb8c417891e0cc3670f8e0791ea0c7071314fe) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
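Review bot: The guard covers `off == 0`, but `res << off` on the last line and `res >> (RSIZE_BITS - off)` inside the branch are likewise undefined if `off` can reach RSIZE_BITS; the caller's range for `off` is outside the hunk, so a comment stating the assumed range, e.g. `/* 0 <= off < RSIZE_BITS, guaranteed by the caller */`, would document the contract. Inside the branch `l->preamble_bits` is read back immediately after being set to `off`; using `off` directly is clearer. generate_offset_lut continues outside the hunk.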
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 0cac3bf4eb..ccc82057e1 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -430,7 +430,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp << shift; + dest[i] += tmp * (1 << shift); } } } From b44a3cd06e220e4650fcf196815873c27b31acf5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jul 2017 00:44:14 +0200 Subject: [PATCH 354/818] avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int' Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0764fe1d09833ae4dcf9e427df09378d0d6a3386) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 8b2cb9f02c..aa0220b147 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
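Review bot: `tmp * (1 << shift)` trades the left shift of a negative value for a signed multiplication that still overflows when `|tmp| * 2^shift` exceeds INT_MAX, and `1 << shift` itself is undefined for `shift >= 31`; nothing in the hunk bounds `shift` or `tmp`. If the bound exists at the caller, a comment such as `/* shift < 31 and |tmp| << shift fits in int, checked where shift is derived */` should say so; otherwise `dest[i] += (unsigned)tmp << shift;` avoids the signed overflow. apply_independent_coupling_fixed's body starts and ends outside the hunk.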
@@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full) static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC]) { #if USE_FIXED - par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \ + par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \ + par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \ 0x40000000) >> 31); - par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \ + par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \ + par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \ 0x40000000) >> 31); #else par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f; From b120685dcae98173646031fc30690858555777e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jul 2017 02:57:12 +0200 Subject: [PATCH 355/818] avcodec/ylc: Fix shift overflow Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 2698/clusterfuzz-testcase-minimized-4713541443518464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03a9e6ff303ad82e75b734edbe4917ca5fd60159) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index ae46b3b8c2..11333222b9 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c @@ -69,7 +69,7 @@ static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat, s = nodes[node].sym; if (s != -1) { - bits[*pos] = (~pfx) & ((1U << FFMAX(pl, 1)) - 1); + bits[*pos] = (~pfx) & ((1ULL << FFMAX(pl, 1)) - 1); lens[*pos] = FFMAX(pl, 1); xlat[*pos] = s + (pl == 0); (*pos)++; 
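Review bot: The `(unsigned)` cast changes the result for negative sums: `par[ 0] + (unsigned)(par[ 1]>>1)` is evaluated as a 32-bit unsigned value and the enclosing `(int64_t)` cast then zero-extends it, so a negative sum arrives about 2^32 too large, and after the multiply and `>> 31` the truncated `int` differs from the intended value (the offset 2*1431655765 is not a multiple of 2^32). The same applies to all four assignments in the hunk. Widening before the add keeps the value and cannot overflow in 64 bits: `par[ 0] = (int)((((int64_t)par[ 0] + (par[ 1]>>1)) * 1431655765 + 0x40000000) >> 31);`, and likewise for par[1..3]. If these parameters are never negative in practice the issue is latent, but the signed storage suggests they can be.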
From a9081b36f4d2193b2d9df059bf668f752dbfd636 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jul 2017 03:19:07 +0200 Subject: [PATCH 356/818] avformat/oggparsecelt: Do not re-allocate os->private Fixes: double free Fixes: clusterfuzz-testcase-minimized-5080550145785856 Found-by: ClusterFuzz Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf) Signed-off-by: Michael Niedermayer --- libavformat/oggparsecelt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 6d567f988a..9c438a096a 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c @@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codecpar->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codecpar->extradata + 0, overlap); AV_WL32(st->codecpar->extradata + 4, version); return 1; From 2f75ebe24a775b00236f34a083a806f60e162c57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jul 2017 15:48:37 +0200 Subject: [PATCH 357/818] avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int' Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
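Review bot: Allocating `priv` and then immediately freeing it when `os->private` already exists (the `av_free(priv); priv = os->private;` pair) does the work twice; checking `os->private` before the allocation, which is above the hunk, and reusing the existing object would avoid the alloc/free round trip and one more error path. As written the change is correct for the double free, since the old pointer is no longer released. A comment such as `/* on a repeated header keep the existing private data; freeing it would leave os->private dangling */` would explain why the block reads backwards at first glance.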
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 65de6f0f81..19e61977b5 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1438,6 +1438,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, int i, ret = 0; unsigned int pps_id = 0; ptrdiff_t nal_size; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); @@ -1635,13 +1636,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); From 47c0626ec721749b28df1c61c481e318e50058e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 03:26:59 +0200 Subject: [PATCH 358/818] avcodec/dnxhddec: Move mb height check out of non hr branch Fixes: out of array access Fixes: poc.dnxhd Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 383e64ca9e..7cb6a75261 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c 
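Review bot: `log2_parallel_merge_level_minus2` is now `unsigned`, but the av_log call in the second hunk still prints it with `%d`; the format should follow the type, `"log2_parallel_merge_level_minus2 out of range: %u\n",`. The comparison against `sps->log2_ctb_size` is now unsigned as well, which is fine since the value comes from get_ue_golomb_long and cannot be negative.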
@@ -298,14 +298,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) { ctx->data_offset = 0x170 + (ctx->mb_height << 2); } else { - if (ctx->mb_height > 68 || - (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + if (ctx->mb_height > 68) { av_log(ctx->avctx, AV_LOG_ERROR, "mb height too big: %d\n", ctx->mb_height); return AVERROR_INVALIDDATA; } ctx->data_offset = 0x280; } + if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + av_log(ctx->avctx, AV_LOG_ERROR, + "mb height too big: %d\n", ctx->mb_height); + return AVERROR_INVALIDDATA; + } if (buf_size < ctx->data_offset) { av_log(ctx->avctx, AV_LOG_ERROR, From aadfec7d6ca9b56b2bc0e24fa0aa4a29e301d664 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 20:10:28 +0200 Subject: [PATCH 359/818] avcodec/pixlet: Simplify nbits computation Fixes multiple integer overflows Fixes: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit aeddb3607be94b1d6fef41b602b07f08223ea565) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 0e541a9ccb..a9661d3ab6 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c 
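Review bot: The new check after the if/else reuses the message `"mb height too big: %d\n"` verbatim from the `> 68` branch, so a log line no longer tells which of the two limits was hit. A distinct message naming the frame-derived bound, e.g. `"mb height %d exceeds frame height %d\n", ctx->mb_height, ctx->height`, would make reports easier to triage. Moving the frame-height check outside the non-hr branch is the right fix, as it now also applies to the `ctx->data_offset = 0x170 + (ctx->mb_height << 2)` path.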
@@ -206,8 +206,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i if ((ret = init_get_bits8(b, src, bytestream2_get_bytes_left(&ctx->gb))) < 0) return ret; - if ((a >= 0) + (a ^ (a >> 31)) - (a >> 31) != 1) { - nbits = 33 - ff_clz((a >= 0) + (a ^ (a >> 31)) - (a >> 31) - 1); + if (a ^ (a >> 31)) { + nbits = 33 - ff_clz(a ^ (a >> 31)); if (nbits > 16) return AVERROR_INVALIDDATA; } else { From d40bb6f5e93423c460f3ef079fae08633ed9df6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 20:26:43 +0200 Subject: [PATCH 360/818] avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e275a74b09cc87f4334ed572f919b7647d4bea1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 39f062eb8e..42ccbb5746 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -454,7 +454,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \ SubBand *b, type *buf, int x, int y) \ { \ - int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + unsigned coeff; \ const int mstride = -(b->stride >> (1+b->pshift)); \ if (b->parent) { \ const type *pbuf = (type *)b->parent->ibuf; \ From 0d2b67d17c9b5faec1ca223c91128b8de9eb299c Mon Sep 17 00:00:00 2001 
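Review bot: `a ^ (a >> 31)` deserves a comment, since the reader has to work out that it equals `a` for a >= 0 and `~a` (i.e. -a - 1) for a < 0, which is why it avoids the `1 + INT_MAX` overflow of the old form; something like `/* a ^ (a >> 31) == a for a >= 0, ~a for a < 0: a non-overflowing magnitude for the bit count */`. The expression relies on `a >> 31` being an arithmetic shift for negative `a`, which is implementation-defined rather than guaranteed by C; the surrounding code makes the same assumption, but noting it keeps the trick from being copied blindly.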
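Review bot: Changing `coeff` to `unsigned` only fixes the multiplication if every later use in the macro tolerates unsigned semantics; the remainder of coeff_unpack_arith_##n is outside the hunk, so any signed comparison on `coeff` (such as a test against 0) or an implicit narrowing store into `type *buf` would now behave differently. Worth a scan of the rest of the macro body, and a comment on the declaration, `unsigned coeff; /* unsigned so the qfactor multiply wraps instead of overflowing */`, to keep the type from being "fixed" back later.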
From: Michael Niedermayer Date: Fri, 28 Jul 2017 13:41:59 +0200 Subject: [PATCH 361/818] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 Fixes: out of array accesses Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 68 ++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index cde0da78ce..2ea88d09c5 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -433,50 +433,78 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; + case AMF_DATA_TYPE_DATE: + bytestream2_skip(gb, 10); + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; 
} } +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, const uint8_t *name, uint8_t *dst, int dst_size) { From 6de5ec8ef818774c58a1c4cd9548534be0e54ecc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 14:37:26 +0200 Subject: [PATCH 362/818] avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 Fixes: out of array accesses Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 57 ++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 2ea88d09c5..ca7838868e 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
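Review bot: `ff_amf_tag_size` returns -1 when `bytestream2_get_bytes_left(&gb) <= 0` after the skip, which rejects a well-formed tag that ends exactly at `data_end` as well as a truncated one; since bytestream2_skip clamps at the buffer end the two cases are indistinguishable here, and the same test is repeated inside the OBJECT loop. If rejecting an exact fit is intentional (the callers appear to read past the tag), a comment on that line would save the next reader from treating it as a bug. Two smaller points: `size < 0` on the `int size = bytestream2_get_be16(gb)` result can never be true and could go, and amf_tag_skip recurses once per nesting level with no depth limit, so a depth counter would bound stack use on deeply nested input.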
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) return bytestream2_tell(&gb); } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? 
"true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { From 38d9a782a585f82e8ee543d8e806a6a282322e5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:26 +0200 Subject: [PATCH 363/818] avcodec/takdec: Fix integer overflow in decode_subframe() Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int' Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c630d159ffe8a9822e81f9c041652762b37e068) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 3583a31210..c7b3fc03ef 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
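Review bot: In the AMF_DATA_TYPE_STRING case, `bytestream2_get_buffer(gb, dst, len)` may copy fewer than `len` bytes when the buffer is short (bytestream2 clamps), but `dst[len] = 0` still terminates at the requested length, leaving whatever was in `dst` between the copied bytes and the terminator. Using the returned count fixes this: `len = bytestream2_get_buffer(gb, dst, len); dst[len] = 0;`. The `memcmp(gb->buffer-size, name, namelen)` reaches into the GetByteContext directly; it is safe because the preceding `size >= bytestream2_get_bytes_left(gb)` check guarantees the skip consumed exactly `size` bytes, and a short comment saying so would help.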
@@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From 934878f2a62f6744e44b1ef8085ffdfa6d4a5007 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:27 +0200 Subject: [PATCH 364/818] avcodec/diracdec: Fix integer overflow in divide3() Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 42ccbb5746..6ab3c5f7f4 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -249,7 +249,7 @@ enum dirac_subband { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) From 4f714352488dad2fa8da6cdf3fe0365869ab8c6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 03:22:40 +0200 Subject: [PATCH 365/818] avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int' Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
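Review bot: `(int)((x+1U)*21845 + 10922) >> 16` relies on the unsigned-to-int conversion of a value above INT_MAX, which is implementation-defined (two's-complement wrap in practice), and on the subsequent right shift of a possibly negative int; neither is obvious from the existing `/* magic number division by 3 */` comment. Extending it, e.g. `/* computed in unsigned so the multiply wraps instead of overflowing; the (int) cast relies on two's-complement conversion */`, records why the cast is there.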
Signed-off-by: Michael Niedermayer (cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 4d338651fa..62f8472b41 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,7 +99,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((b0 + b2 + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) From 9079c70d2095643af6954001d0627445650b85a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jul 2017 19:17:56 +0200 Subject: [PATCH 366/818] Changelog:update Signed-off-by: Michael Niedermayer --- Changelog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Changelog b/Changelog index 5a9d620d8c..8dc2104d10 100644 --- a/Changelog +++ b/Changelog 
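Review bot: The neighbouring `COMPOSE_DD137iL0` visible in the context lines uses the identical signed expression `-b0 + 9*b1 + 9*b3 - b4 + 16` and is left as is, so the overflow the commit fixes for COMPOSE_DD97iH0 remains one macro below. The same treatment applies: `(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`.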
@@ -3,6 +3,22 @@ releases are sorted from youngest to oldest. version 3.3.3: +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avcodec/takdec: Fix integer overflow in decode_subframe() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() +- avcodec/pixlet: Simplify nbits computation +- avcodec/dnxhddec: Move mb height check out of non hr branch +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- avcodec/ylc: Fix shift overflow +- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() +- avcodec/aacdec_fixed: fix: left shift of negative value -1 +- avcodec/dirac_vlc: Fix undefined shift +- doc/filters: typo in frei0r +- avcodec/cfhd: Fix decoding regression due to height check - avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later - avcodec/ffv1dec_template: Fix signed integer overflow - avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() From e51e07c34eb704453d88e84752ca95294060c09a Mon Sep 17 00:00:00 2001 From: Muhammad Faiz Date: Thu, 3 Aug 2017 07:59:09 +0700 Subject: [PATCH 367/818] avfilter/vf_ssim: fix temp size calculation Also use av_mallocz_array. Fix Ticket6519. Reviewed-by: Tobias Rapp Signed-off-by: Muhammad Faiz (cherry picked from commit f2d23ec03f28c6233059687c65a9124f65f8c312) --- libavfilter/vf_ssim.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_ssim.c b/libavfilter/vf_ssim.c index cf925bd211..51328d8d38 100644 --- a/libavfilter/vf_ssim.c +++ b/libavfilter/vf_ssim.c 
@@ -219,6 +219,8 @@ static float ssim_endn_8bit(const int (*sum0)[4], const int (*sum1)[4], int widt return ssim; } +#define SUM_LEN(w) (((w) >> 2) + 3) + static float ssim_plane_16bit(SSIMDSPContext *dsp, uint8_t *main, int main_stride, uint8_t *ref, int ref_stride, @@ -228,7 +230,7 @@ static float ssim_plane_16bit(SSIMDSPContext *dsp, int z = 0, y; float ssim = 0.0; int64_t (*sum0)[4] = temp; - int64_t (*sum1)[4] = sum0 + (width >> 2) + 3; + int64_t (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -256,7 +258,7 @@ static float ssim_plane(SSIMDSPContext *dsp, int z = 0, y; float ssim = 0.0; int (*sum0)[4] = temp; - int (*sum1)[4] = sum0 + (width >> 2) + 3; + int (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -402,7 +404,7 @@ static int config_input_ref(AVFilterLink *inlink) for (i = 0; i < s->nb_components; i++) s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum; - s->temp = av_malloc_array((2 * inlink->w + 12), sizeof(*s->temp) * (1 + (desc->comp[0].depth > 8))); + s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), (desc->comp[0].depth > 8) ? sizeof(int64_t[4]) : sizeof(int[4])); if (!s->temp) return AVERROR(ENOMEM); s->max = (1 << desc->comp[0].depth) - 1; From bab4cb3fb55e32d2f01bfb8c06f8e9fbd2d3f65d Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 30 Aug 2017 21:12:23 +0200 Subject: [PATCH 368/818] avcodec/nvenc: only push cuda context on encoder close if encoder exists Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index b7957867d7..e4f6f0f927 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
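Review bot: The new `SUM_LEN(w)` macro has no comment, and its `+ 3` is the part a reader cannot reconstruct from the use sites; `temp` is later sized as `2 * SUM_LEN(inlink->w)` rows, so the macro is now the single place that defines the layout of `sum0`/`sum1`. A comment above the define, e.g. `/* 4x4-block column sums per row plus 3 entries of slack; temp holds two such rows (sum0, sum1) */`, would tie the three hunks together. Whether the 3 is for alignment or for read-ahead in the code that consumes the sums is not visible here, so the comment should state the actual reason.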
@@ -1262,17 +1262,17 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) CUcontext dummy; int i; - cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); - if (cu_res != CUDA_SUCCESS) { - av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); - return AVERROR_EXTERNAL; - } - /* the encoder has to be flushed before it can be closed */ if (ctx->nvencoder) { NV_ENC_PIC_PARAMS params = { .version = NV_ENC_PIC_PARAMS_VER, .encodePicFlags = NV_ENC_PIC_FLAG_EOS }; + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + p_nvenc->nvEncEncodePicture(ctx->nvencoder, ¶ms); } @@ -1304,15 +1304,16 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) av_freep(&ctx->surfaces); ctx->nb_surfaces = 0; - if (ctx->nvencoder) + if (ctx->nvencoder) { p_nvenc->nvEncDestroyEncoder(ctx->nvencoder); - ctx->nvencoder = NULL; - cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); - if (cu_res != CUDA_SUCCESS) { - av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); - return AVERROR_EXTERNAL; + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } } + ctx->nvencoder = NULL; if (ctx->cu_context_internal) dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal); From 4306ddd87d0969a2a6856987fdacd5ec9dba193c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jul 2017 15:46:50 +0200 Subject: [PATCH 369/818] avcodec/diracdec: Check weight_log2denom Fixes: runtime error: shift exponent -1 is negative Fixes: 2742/clusterfuzz-testcase-minimized-5724322402402304 Fixes: 2744/clusterfuzz-testcase-minimized-4672435653705728 Fixes: 2749/clusterfuzz-testcase-minimized-5298741273690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
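Review bot: Both `return AVERROR_EXTERNAL;` statements in ff_nvenc_encode_close still leave early from a close function, so a failed cuCtxPushCurrent skips freeing the surfaces, destroying the encoder and `cuCtxDestroy(ctx->cu_context_internal)`, and a failed cuCtxPopCurrent in the second hunk leaves `ctx->nvencoder` set although the encoder has already been destroyed. Close paths are usually better off logging the failure, recording the error in a local and continuing with the remaining teardown, returning the saved code at the end. At minimum, moving `ctx->nvencoder = NULL;` ahead of the pop would keep the pointer from dangling on that error path.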
Signed-off-by: Michael Niedermayer (cherry picked from commit 880f5c59139e1d85d3a0b3433103f3fea17ff2d3) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6ab3c5f7f4..281be1172b 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1179,6 +1179,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) if (get_bits1(gb)) { s->weight_log2denom = get_interleaved_ue_golomb(gb); + if (s->weight_log2denom < 1 || s->weight_log2denom > 8) { + av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n"); + s->weight_log2denom = 1; + return AVERROR_INVALIDDATA; + } s->weight[0] = dirac_get_se_golomb(gb); if (s->num_refs == 2) s->weight[1] = dirac_get_se_golomb(gb); From c55478835275240d67c8af9b22de2ecb7e65e444 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jul 2017 15:55:36 +0200 Subject: [PATCH 370/818] avcodec/diracdsp: fix integer overflow Fixes: runtime error: signed integer overflow: 11 * 225726413 cannot be represented in type 'int' Fixes: 2764/clusterfuzz-testcase-minimized-5382561922547712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b2d9d7226943d6229a17e31714ce5162bdf88b33) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index cd1209e209..8bc79b788c 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*qf + qs) >> 2; \ + c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ *dst_r++ = c*sign; \ } \ src += tot_h << (sizeof(PX) >> 1); \ 
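Review bot: The error branch assigns `s->weight_log2denom = 1;` before returning AVERROR_INVALIDDATA, and nothing in the hunk says why a value is written on a failure path; presumably later code reads the field even after this function fails, but that is outside the hunk. A comment such as `/* keep a valid denominator: the field may still be used after the error is reported */` (adjusted to the real reason) would keep a later cleanup from dropping the assignment. The accepted range 1..8 is also worth a reference to where it comes from, since the message says "unsupported or invalid" without distinguishing the two.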
From ef8db67c92953e6222e0b42d8fbef4c70e1cba68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Aug 2017 19:56:07 +0200 Subject: [PATCH 371/818] avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add() Fixes: runtime error: signed integer overflow: 26215360 + 2121330944 cannot be represented in type 'int' Fixes: 2809/clusterfuzz-testcase-minimized-4785181833560064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit d1bfa80ec464d475a0de3f513bbb62bcd356099a) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index e1ef68756c..288107d5a4 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -40,10 +40,10 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, int16_t *_block, int stride) block[0] += 1 << 5; for(i=0; i<4; i++){ - const SUINT z0= block[i + 4*0] + block[i + 4*2]; - const SUINT z1= block[i + 4*0] - block[i + 4*2]; - const SUINT z2= (block[i + 4*1]>>1) - block[i + 4*3]; - const SUINT z3= block[i + 4*1] + (block[i + 4*3]>>1); + const SUINT z0= block[i + 4*0] + (unsigned)block[i + 4*2]; + const SUINT z1= block[i + 4*0] - (unsigned)block[i + 4*2]; + const SUINT z2= (block[i + 4*1]>>1) - (unsigned)block[i + 4*3]; + const SUINT z3= block[i + 4*1] + (unsigned)(block[i + 4*3]>>1); block[i + 4*0]= z0 + z3; block[i + 4*1]= z1 + z2; From 8aa32a8d5c6ba5611cbb4c5329d1c6e8441d64e7 Mon Sep 17 00:00:00 2001 
From: James Cowgill Date: Thu, 3 Aug 2017 16:21:54 +0100 Subject: [PATCH 372/818] swscale: fix gbrap16 alpha channel issues Fixes filter-pixfmts-scale test failing on big-endian systems due to alpSrc not being cast to (const int32_t**). Also fixes distortions in the output alpha channel values by copying the alpha channel code from the rgba64 case found elsewhere in output.c. Fixes ticket 6555. Signed-off-by: James Cowgill Signed-off-by: Michael Niedermayer (cherry picked from commit 013ec23cbe5d78a04b1b6c00c43f45773e45e7e5) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- tests/ref/fate/filter-pixfmts-scale | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 9774e9f327..f30bce8dd3 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2026,24 +2026,24 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, const int16_t **lumSrcx, int lumFilterSize, const int16_t *chrFilter, const int16_t **chrUSrcx, const int16_t **chrVSrcx, int chrFilterSize, - const int16_t **alpSrc, uint8_t **dest, + const int16_t **alpSrcx, uint8_t **dest, int dstW, int y) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->dstFormat); int i; - int hasAlpha = (desc->flags & AV_PIX_FMT_FLAG_ALPHA) && alpSrc; + int hasAlpha = (desc->flags & AV_PIX_FMT_FLAG_ALPHA) && alpSrcx; uint16_t **dest16 = (uint16_t**)dest; const int32_t **lumSrc = (const int32_t**)lumSrcx; const int32_t **chrUSrc = (const int32_t**)chrUSrcx; const int32_t **chrVSrc = (const int32_t**)chrVSrcx; - int A = 0; // init to silence warning + const int32_t **alpSrc = (const int32_t**)alpSrcx; for (i = 0; i < dstW; i++) { int j; int Y = -0x40000000; int U = -(128 << 23); int V = -(128 << 23); - int R, G, B; + int R, G, B, A; for (j = 0; j < lumFilterSize; j++) Y += lumSrc[j][i] * (unsigned)lumFilter[j]; 
@@ -2059,13 +2059,13 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, V >>= 14; if (hasAlpha) { - A = 1 << 18; + A = -0x40000000; for (j = 0; j < lumFilterSize; j++) A += alpSrc[j][i] * lumFilter[j]; - if (A & 0xF8000000) - A = av_clip_uintp2(A, 27); + A >>= 1; + A += 0x20002000; } Y -= c->yuv2rgb_y_offset; @@ -2083,7 +2083,7 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, dest16[1][i] = B >> 14; dest16[2][i] = R >> 14; if (hasAlpha) - dest16[3][i] = A >> 11; + dest16[3][i] = av_clip_uintp2(A, 30) >> 14; } if ((!isBE(c->dstFormat)) != (!HAVE_BIGENDIAN)) { for (i = 0; i < dstW; i++) { diff --git a/tests/ref/fate/filter-pixfmts-scale b/tests/ref/fate/filter-pixfmts-scale index 6ab39aea21..c5f590f894 100644 --- a/tests/ref/fate/filter-pixfmts-scale +++ b/tests/ref/fate/filter-pixfmts-scale @@ -23,8 +23,8 @@ gbrap10be 6d89abb9248006c3e9017545e9474654 gbrap10le cf974e23f485a10740f5de74a5c8c3df gbrap12be 1d9b57766ba9c2192403f43967cb9af0 gbrap12le bb1ba1c157717db3dd612a76d38a018e -gbrap16be 81542b96575d1fe3b239d23899f5ece3 -gbrap16le 6feb8b9da131917abe867e0eaaf07b90 +gbrap16be c72b935a6e57a8e1c37bff08c2db55b1 +gbrap16le 13eb0e62b1ac9c1c86c81521eaefab5f gbrp dc3387f925f972c61aae7eb23cdc19f0 gbrp10be 0277d4c3a8498d75e2783fb81379e481 gbrp10le f3d70f8ab845c3c9b8f7452e4a6e285a From fd871e24e65b2d3d91b060b5e878f37c9ee5cdff Mon Sep 17 00:00:00 2001 From: Steven Siloti Date: Tue, 18 Jul 2017 11:26:39 -0700 Subject: [PATCH 373/818] avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a9f8cf6f84..ff55fc8d97 100644 
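Review bot: The alpha accumulation `A += alpSrc[j][i] * lumFilter[j];` in the `@@ -2059` hunk is still a signed int multiply-add, while the luma accumulation visible in the first hunk is written `Y += lumSrc[j][i] * (unsigned)lumFilter[j];` precisely to keep extreme inputs from overflowing; with `A` now starting at `-0x40000000` the alpha path is exposed to the same overflow class. Writing it as `A += alpSrc[j][i] * (unsigned)lumFilter[j];` makes alpha consistent with Y/U/V. The new `A >>= 1;` is a right shift of a possibly negative int (implementation-defined, not undefined, and the same treatment Y gets); a comment that `A` is being rescaled into the 30-bit range that `av_clip_uintp2(A, 30)` in the third hunk expects would help the next reader. yuv2gbrp16_full_X_c begins and ends outside these hunks.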
--- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4199,8 +4199,8 @@ void avformat_free_context(AVFormatContext *s) av_dict_free(&s->metadata); av_dict_free(&s->internal->id3v2_meta); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } From 1dbfcd65b26d93d4beaca0c0fc60c31092e555bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 02:41:05 +0200 Subject: [PATCH 374/818] avcodec/h264_slice: Fix overflow in slice offset Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 86b72dff7f..3f3a3e4067 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
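Review bot: The reordering is correct but silent: nothing at the call site says that `flush_packet_queue(s)` needs `s->internal` to still be alive, so a later cleanup could swap the two lines back and reintroduce the use-after-free. A comment on the moved line would guard it: `/* the packet queue is owned by s->internal: flush it before freeing internal */`. That the queue lives in internal comes from the commit message rather than the visible code, so the wording should be checked against flush_packet_queue. The start of avformat_free_context is outside the hunk.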
@@ -1835,17 +1835,19 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } From 818f73542daf9a125b58e284f5ae3c9b35721f5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 03:26:30 +0200 Subject: [PATCH 375/818] avcodec/aacdec_fixed: fix invalid shift in predict() Fixes: runtime error: shift exponent -2 is negative Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index ccc82057e1..e7c2d2d299 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
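Review bot: The new range check on `slice_alpha_c0_offset_div2` and `slice_beta_offset_div2` uses bare 6 and -6 without saying where they come from; the H.264 slice-header syntax constrains both `_div2` values to -6..6, which is why the check moved from ±12 on the doubled value to ±6 on the raw value, and doubling only after validation is what removes the overflow. A comment above the `if`, `/* slice_alpha_c0_offset_div2 / slice_beta_offset_div2 are constrained to -6..6 by the slice header syntax */`, would record that. The error message now prints the `_div2` values where it previously printed the doubled ones, a harmless change in log output worth a mention. The enclosing h264_slice_header_parse begins and ends outside the hunk.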
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (pv.mant + (1 << (shift - 1))) >> shift; + } else + *coef += pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); From 86b5a3d35dd2b9528eaf1c36397a31ae111c30c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 05:01:45 +0200 Subject: [PATCH 376/818] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 62f8472b41..e715e53bc4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From dcf02ee6c6917e9de00a148778be554c0eb7a679 Mon Sep 17 00:00:00 2001 
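Review bot: The new `else` branch `*coef += pv.mant << -shift;` left-shifts `pv.mant`, which is presumably a signed mantissa and may be negative; left-shifting a negative value is undefined behaviour, the same sanitizer class this patch is fixing, and `-shift` is not bounded above, so a sufficiently large `pv.exp` shifts by 32 or more. Casting first, `*coef += (unsigned)pv.mant << -shift;`, and rejecting or clamping `shift` below a negative bound (e.g. treating `shift <= -31` as invalid) would close both; the admissible range of `pv.exp` has to be checked against the SoftFloat definition, which is not visible here. Style-wise the braced inner `if` paired with an unbraced `else` is inconsistent; brace both. predict() continues outside the hunk.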
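Review bot: In all four COMPOSE_DAUB97* macros the multiplication now happens in unsigned, but the inner `(b0 + b2)` is still evaluated as signed int before the multiply, so two large coefficients can still overflow there before the `U` constant applies. Writing the sum as `(b0 + (unsigned)b2)` inside each macro, e.g. `(b1 - ((int)(1817U*(b0 + (unsigned)b2) + 2048) >> 12))`, keeps the whole expression in unsigned arithmetic; whether operands can reach that range depends on the instantiating TYPE, which is outside the hunk. The `(int)` cast of an out-of-range unsigned value and the right shift of a negative int are implementation-defined rather than undefined, which is the pattern the file already relies on; a one-line comment next to the macros saying so would save the next reader the same analysis. The hunk holds the complete macro definitions.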
From: Michael Niedermayer Date: Sun, 6 Aug 2017 13:32:54 +0200 Subject: [PATCH 377/818] avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 89c4b367f7..8f85e9362d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2290,6 +2290,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { From f5c6ce899fa51bc9c8687196506ff549a966ed68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Aug 2017 18:20:03 +0200 Subject: [PATCH 378/818] avcodec/ffv1dec_template: Fix undefined shift Fixes: runtime error: left shift of negative value -127 Fixes: 2834/clusterfuzz-testcase-minimized-5988039123795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62702eebded6c6341d214405812a981f80e46ea2) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 892ccf22fa..f2f7432339 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c 
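Review bot: The new `s->mcsel = 0;` carries no comment, and at this point in decode_vop_header nothing makes obvious why this one field needs a per-VOP reset while its neighbours do not. A comment such as `/* mcsel is only parsed for some VOP types: reset it so a value from a previous picture cannot leak into this one */` would keep a later cleanup from dropping the line; the "only parsed for some VOP types" part is inferred from the commit message and should be confirmed against the parsing code further down. decode_vop_header continues outside the hunk.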
@@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int } if (lbd) - *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24); + *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24); else if (sizeof(TYPE) == 4) { *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g; *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b; From a33e375d7d4c8c309c85aa1a53e98bfc62ace5a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Aug 2017 03:32:43 +0200 Subject: [PATCH 379/818] avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 281be1172b..19bcc350bf 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1161,6 +1161,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } From 02d224406f40f45803efd69b8cfe1602649821bc Mon Sep 17 00:00:00 2001 
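Review bot: The new guard `perspective_exp + (uint64_t)zrs_exp > 30` uses a bare 30 with no explanation; the commit message indicates both fields end up as shift exponents, so the bound is presumably "their sum must stay below the width of the 32-bit value being shifted". A comment such as `/* both exponents are later used as shift amounts on 32-bit values; their sum must stay below 31 */` would document that, to be confirmed against the use sites. The `(uint64_t)` cast also turns a negative exponent into a huge value that fails the check, which is desirable and deserves a word in the same comment. The enclosing loop and dirac_unpack_prediction_parameters end outside the hunk.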
From: Michael Niedermayer Date: Tue, 15 Aug 2017 03:32:44 +0200 Subject: [PATCH 380/818] avcodec/diracdec: Fixes integer overflow Fixes: runtime error: signed integer overflow: 340018243 * 27 cannot be represented in type 'int' Fixes: 2861/clusterfuzz-testcase-minimized-5361070510178304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 92da23093c784b1d9f0db4db51d28ea80a59e759) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 19bcc350bf..b5aa22c690 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -442,7 +442,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx) static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset) { int coeff = dirac_get_se_golomb(gb); - const int sign = FFSIGN(coeff); + const unsigned sign = FFSIGN(coeff); if (coeff) coeff = sign*((sign * coeff * qfactor + qoffset) >> 2); return coeff; From 99491bd260d3847decb417ede86eb872586f2a6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Aug 2017 16:03:23 +0200 Subject: [PATCH 381/818] avcodec/zmbv: Check decomp_size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: OOM Fixes: 2710/clusterfuzz-testcase-minimized-4750001420894208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 931c0ac95cebe62f2bdd53a81bf40e3916be6476) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index f126515bd1..b09dc41ebd 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c 
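Review bot: Making `sign` unsigned turns `sign * coeff * qfactor + qoffset` into unsigned arithmetic, so the following `>> 2` is now a logical shift; that only yields the old value if the expression is non-negative, i.e. if `qfactor` and `qoffset` are never negative, which the hunk does not show. If the caller validates them as non-negative, a comment stating that assumption, e.g. `/* qfactor and qoffset are non-negative, so the unsigned expression equals the old signed one but cannot overflow */`, makes the dependency explicit; otherwise the shift should stay on a signed value. The outer `sign*(...)` converts back to int on assignment, which is implementation-defined for values above INT_MAX and consistent with the other fixes in this series. coeff_unpack_golomb is complete within the hunk.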
@@ -589,6 +589,11 @@ static av_cold int decode_init(AVCodecContext *avctx) // Needed if zlib unused or init aborted before inflateInit memset(&c->zstream, 0, sizeof(z_stream)); + if ((avctx->width + 255ULL) * (avctx->height + 64ULL) > FFMIN(avctx->max_pixels, INT_MAX / 4) ) { + av_log(avctx, AV_LOG_ERROR, "Internal buffer (decomp_size) larger than max_pixels or too large\n"); + return AVERROR_INVALIDDATA; + } + c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64); /* Allocate decompression buffer */ From 53dae9585f1fefb80794112f348df9ea6bc134ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 03:54:56 +0200 Subject: [PATCH 382/818] avcodec/pixlet: fixes integer overflow in read_highpass() Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 2879/clusterfuzz-testcase-minimized-6317542639403008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cadab5a2a74d715fc16325bd89f8b8091def1083) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index a9661d3ab6..088226bdda 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -331,6 +331,9 @@ static int read_highpass(AVCodecContext *avctx, uint8_t *ptr, int plane, AVFrame return AVERROR_INVALIDDATA; } + if (a == INT32_MIN) + return AVERROR_INVALIDDATA; + ret = read_high_coeffs(avctx, ptr + bytestream2_tell(&ctx->gb), dest, size, c, (b >= FFABS(a)) ? b : a, d, ctx->band[plane][i + 1].width, stride); From 16772e43ef5a71156a2a599ea81595edf40ace34 Mon Sep 17 00:00:00 2001 
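Review bot: The new pre-check bounds `(width + 255) * (height + 64)` by `INT_MAX / 4`, which is exactly what makes the following `c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64);` free of int overflow, but that link is not stated anywhere. A comment on the check would tie them together: `/* decomp_size below is this product times 4: keep it within INT_MAX and within max_pixels */`. The `ULL` promotions also cover a width or height close to INT_MAX, and the error text correctly names both reasons the FFMIN can trigger. decode_init begins and ends outside the hunk.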
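Review bot: The new `if (a == INT32_MIN) return AVERROR_INVALIDDATA;` exists so that `FFABS(a)` in the read_high_coeffs call two lines below cannot negate INT32_MIN, but the check and its reason are separated by a blank line and no comment. `/* FFABS(INT32_MIN) overflows; reject it before the comparison below */` on the check keeps the reason attached to the code. Where `a` is read and what range it is meant to have are not visible in the hunk; read_highpass continues outside it.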
From: Michael Niedermayer Date: Thu, 17 Aug 2017 20:32:03 +0200 Subject: [PATCH 383/818] avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 7d6d7ff44f..4ebfa07c6a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ From f5227c50b7396be373103a1861cd70e9bb8c81cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 18:24:37 +0200 Subject: [PATCH 384/818] avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index f19b5d4974..8691d49932 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
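Review bot: The range check now correctly rejects `htaps == HTAPS_MAX`, but it runs after `htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2;`, so a large symbol value overflows the signed `*2` before it is ever checked, which is the same class of sanitizer finding this series fixes elsewhere. Reading the symbol into its own variable and range-checking that before the arithmetic (it must satisfy `2*sym + 2 < HTAPS_MAX` and be non-negative) avoids the overflow entirely; whether get_symbol can actually return values that large depends on its implementation, which is outside the hunk. decode_header continues outside the hunk.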
@@ -85,12 +85,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); - const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; From 253b7829e4f547ebd5b95a3154ae2e5b3f200b13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Aug 2017 16:42:58 +0200 Subject: [PATCH 385/818] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c 
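Review bot: The products on the right-hand sides of `t0..t3` are still evaluated in signed int and only converted to `unsigned` on assignment; with `int16_t` block values each product pair stays below INT_MAX (the largest, 27246+18405 times 32768, is about 1.5e9), so that is safe, but nothing in the hunk says the unsigned locals exist so the later `t2 + t0` additions may wrap. A comment above the declarations, `/* intermediates are unsigned so that sums of products wrap instead of overflowing */`, would explain the `(int)(t2 + t0 + 0x800) >> 12` idiom, whose conversion back to int is implementation-defined rather than undefined. fic_idct continues outside the hunk.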
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (b0[i] + b2[i] + 2) >> 2; + b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From 736ef73f9c04e8c614e56c15d192dd1f194fe721 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Aug 2017 16:42:59 +0200 Subject: [PATCH 386/818] avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2() Fixes: runtime error: shift exponent 4294967289 is too large for 32-bit type 'int' Fixes: 3030/clusterfuzz-testcase-minimized-4649809254285312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8754ccd3b319fdf4e2beed5657a3e327999c64ce) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 088226bdda..a9cfe085c9 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -262,7 +262,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i flag = 0; - if (state * 4ULL > 0xFF || i >= size) + if ((uint64_t)state > 0xFF / 4 || i >= size) continue; pfx = ((state + 8) >> 5) + (state ? ff_clz(state): 32) - 24; From 4a122a0879d5d237cdfc4087871643a884be5ce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Aug 2017 23:38:58 +0200 Subject: [PATCH 387/818] avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) 
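Review bot: The right-hand side is now computed in unsigned, but the compound assignment `b1[i] -= …` still performs the subtraction in the promoted type of `b1[i]`; if TYPE is instantiated as a 32-bit type that subtraction can itself overflow as signed int, so the sanitizer finding may only move one operator to the left (for a 16-bit TYPE the arithmetic happens in int and cannot overflow). Writing `b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);` keeps the subtraction unsigned as well. vertical_compose53iL0 begins outside the hunk.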
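Review bot: The rewritten condition `(uint64_t)state > 0xFF / 4` is the same test as `state * 4ULL > 0xFF` for non-negative `state`, and additionally sends a negative `state` down the `continue` path because the cast makes it huge; given the commit message points at a shift by a negative amount in av_mod_uintp2, that negative case is presumably the actual fix and deserves a comment: `/* the cast also rejects negative state values, which would become invalid shift amounts below */`. Whether `state` can be negative at this point depends on code outside the hunk. read_high_coeffs continues outside the hunk.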
Signed-off-by: Michael Niedermayer --- libavcodec/me_cmp.c | 10 +++++----- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 +++++ libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index 6639b919ff..5e34a11593 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -628,7 +628,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -668,7 +668,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -695,7 +695,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -714,7 +714,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -817,7 +817,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index 417c944e00..50e1d1d735 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c 
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 3ba1596a88..e036700ff0 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -33,6 +33,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, ptrdiff_t stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + ptrdiff_t stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index fa9578a2d3..ade55e01a3 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } From 6ce9b2c1fec171ff823df45e1d288eabcb79397b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 02:15:49 +0200 Subject: [PATCH 388/818] avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) 
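Review bot: In the x86 init hunk the MMX and SSE2 branches assign the same routine to both `diff_pixels` and the new `diff_pixels_unaligned` slot, which is only correct if `ff_diff_pixels_mmx`/`ff_diff_pixels_sse2` use loads that tolerate unaligned `s1`/`s2`; the existing `diff_pixels` member in pixblockdsp.h annotates those pointers `/* align 8 */`, so that property of the assembly should be confirmed rather than assumed, or the unaligned slot should be left at `diff_pixels_c`. The new struct member in pixblockdsp.h also has no comment; `/* same as diff_pixels, but s1 and s2 need not be aligned */` above it would state the contract the me_cmp callers now depend on. The assembly routines and the C fallback are outside the hunks.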
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 194572793e..e6f0a36f61 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1281,6 +1281,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1331,8 +1333,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1356,7 +1360,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1375,7 +1380,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** From b6a79b841dcdf8edebc38579088bf48a418c82dc Mon Sep 17 00:00:00 2001 
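Review bot: Routing the AVERROR_BUG and AVERROR_PATCHWELCOME exits through `fail:` means they now also execute `ics->max_sfb = 0;`, which is the actual fix, but the label carries no comment saying why every error exit must pass through it, so a future early `return` would silently reintroduce the problem. A comment at the label, `/* every failure must reset max_sfb; callers may otherwise index band tables that were never set up */`, states the invariant; the exact consequence is inferred from the commit message and should be confirmed against the callers. decode_ics_info spans beyond the hunks shown.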
From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 389/818] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0c6883686e..9363026695 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1568,7 +1568,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { From c8890413520a0a07cfc1d2856baae466522690c1 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 390/818] avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 036693a652..6b1cee8d6c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -5362,7 +5362,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; From 9739a269fb4d94b93ebcae31cd11d61b68407633 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 391/818] avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index ef6a0d4e9b..9afe9b3a68 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -251,6 +251,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) From deca5e7349139abb7c0d3970833ffd989606ca26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Aug 2017 21:30:37 +0200 Subject: [PATCH 392/818] avformat/rtpdec_h264: Fix heap-buffer-overflow Fixes: rtp_sdp/poc.sdp Found-by: Bingchang Signed-off-by: Michael Niedermayer (cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 8dd56a549e..6f8148ab6d 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c 
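Review bot: The new guard `if (offset > INT64_MAX - offset1) return AVERROR(EINVAL);` is only sound when `offset1` is non-negative; if `pos + (s->buf_ptr - s->buffer)` can ever be negative, `INT64_MAX - offset1` overflows inside the guard itself. If `pos` is guaranteed non-negative here, a comment next to the check saying so is enough; otherwise write it as `if (offset1 >= 0 && offset > INT64_MAX - offset1)`. The check covers only this (presumably SEEK_CUR) branch; avio_seek continues outside the hunk.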
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s, parse_profile_level_id(s, h264_data, value); } else if (!strcmp(attr, "sprop-parameter-sets")) { int ret; - if (value[strlen(value) - 1] == ',') { + if (*value == 0 || value[strlen(value) - 1] == ',') { av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n"); return 0; } From eea01de3ff157180d04782cea9a09072408d723a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 00:18:48 +0200 Subject: [PATCH 393/818] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 19e61977b5..f34d9e342f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -225,6 +225,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); 
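Review bot: The added `*value == 0 ||` stops `value[strlen(value) - 1]` from indexing at `SIZE_MAX` on an empty string, but nothing on the line says that, and the warning then emitted ("Missing PPS in sprop-parameter-sets") describes a different situation from "attribute present but empty". A comment on the condition, `/* empty value: strlen() - 1 would wrap and read before the buffer */`, records the reason; a distinct log message for the empty case is optional. sdp_parse_fmtp_config_h264 continues outside the hunk.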
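Review bot: The `delta_poc` validation block added in this hunk is duplicated verbatim in the positive-pics loop of the `@@ -232,6` hunk on the next line, and both use a bare 32768 with no explanation. At minimum name the bound, e.g. `/* delta_poc_s0_minus1 / delta_poc_s1_minus1 are limited to 0..2^15-1 by the RPS syntax */`, or factor the check into a small static helper so the two copies cannot drift. Since get_ue_golomb_long yields an unsigned value, the `+ 1` can wrap to 0 or convert to a negative int, both of which the `< 1` test catches; that is worth a word in the same comment. ff_hevc_decode_short_term_rps begins and ends outside the hunks.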
@@ -232,6 +238,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); From 5474a7e93b8ea0be1157ac9cf93c1511eccae7b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 11:02:38 +0200 Subject: [PATCH 394/818] ffprobe: Fix null pointer dereference with color primaries Found-by: AD-lab of venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2) Signed-off-by: Michael Niedermayer --- ffprobe.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index a219fc10b0..86e2bfbdbe 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1899,6 +1899,16 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + static void clear_log(int need_lock) { int i; 
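Review bot: The new helper checks the result of `av_color_primaries_name()` for NULL before printing, which is what fixes the crash (the replaced code in the second hunk passed the possibly-NULL name straight into `print_str`), but the helper has no comment and its `w` parameter is used only implicitly by the `print_str`/`print_str_opt` macros. A short header comment, `/* prints color_primaries; unknown enum values (NULL name) and AVCOL_PRI_UNSPECIFIED are reported as "unknown" */`, makes both the intent and the macro's dependency on `w` visible. Whether those macros actually reference `w` is not visible in the hunk; if they do not, the parameter should be dropped or marked unused.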
@@ -2420,10 +2430,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id else print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); + print_primaries(w, par->color_primaries); if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) print_str("chroma_location", av_chroma_location_name(par->chroma_location)); From 85ffdcd8ffe4a10c52469abcdc8371173f41d7b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 17:27:17 +0200 Subject: [PATCH 395/818] ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer --- ffprobe.c | 63 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 18 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 86e2bfbdbe..fc147fe32a 100644 --- a/ffprobe.c +++ b/ffprobe.c 
@@ -1899,6 +1899,26 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) { const char *val = av_color_primaries_name(color_primaries); @@ -1909,6 +1929,27 @@ static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primar } } +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + + static void clear_log(int need_lock) { int i; 
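Review bot: `print_color_range` takes its fallback string as a parameter while the four sibling helpers hard-code "unknown"/"unspecified", so five functions doing the same job have different shapes; either give all of them a `fallback` argument or drop it and hard-code "N/A", since show_stream passes only that one value. The `!val ||` test is what actually closes the NULL-pointer path named in the commit title, and a comment saying so would stop someone from "simplifying" it away later: `/* av_*_name() returns NULL for out-of-range values; treat that like UNSPECIFIED */`. The hunk also inserts two consecutive blank lines before clear_log.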
@@ -2416,26 +2457,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); - if (par->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(par->color_range)); - else - print_str_opt("color_range", "N/A"); - - s = av_get_colorspace_name(par->color_space); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (par->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(par->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); + print_color_range(w, par->color_range, "N/A"); + print_color_space(w, par->color_space); + print_color_trc(w, par->color_trc); print_primaries(w, par->color_primaries); - - if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(par->chroma_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); + print_chroma_location(w, par->chroma_location); if (par->field_order == AV_FIELD_PROGRESSIVE) print_str("field_order", "progressive"); From 305f37e5be009c66e0af3064855c8509aafba719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Aug 2017 01:26:58 +0200 Subject: [PATCH 396/818] avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 18 ++++++++++++++++++ libavformat/hls.c | 7 +++++++ 2 files changed, 25 insertions(+) 
diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 29a23d48b2..73dc0feec1 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index 73d3ee46f6..56566d5810 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -205,6 +205,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1294,6 +1296,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { 
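Review bot: `reload_count` is incremented every time control passes the `reload:` label, not only when `parse_playlist` is actually invoked, so the limit presumably counts iterations of the reload path rather than playlist reloads, which is what the option text promises; whatever jumps back to `reload:` is in the part of read_data outside this hunk, so please check that the two coincide. When the limit trips the function returns `AVERROR_EOF` silently, making a stalled live stream indistinguishable from a normal end of stream; an `av_log(c, AV_LOG_WARNING, "max_reload (%d) reached, giving up\n", c->max_reload);` before the return would tell the operator what happened.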
@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; From 6447815dfbbe5036c7fa29d285b59896d76f4f9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 12:37:25 +0200 Subject: [PATCH 397/818] avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index be09a92bd1..f3acbae280 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; From 4ff1fcd3caa2e59c3d4cec8e4c64c9ac79b09a1d Mon Sep 17 00:00:00 2001 
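Review bot: The option's minimum of 0 means `-max_reload 0` makes the first pass through `reload:` in read_data fail immediately (`reload_count` becomes 1 > 0), i.e. it disables playback rather than disabling reloads, assuming the normal read path falls through that label as the earlier hunk suggests; if that is not intended the minimum should be 1, `{.i64 = 1000}, 1, INT_MAX, FLAGS}`. The help string also carries a grammar slip that is copied into doc/demuxers.texi: `"Maximum number of times an insufficient list is attempted to be reloaded"`.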
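Review bot: The loop-local `int name_len;` shadows the `name_len` read two lines earlier for the marker-list name, which is legal but easy to misread now that the outer one feeds `avio_skip`; renaming the inner one (e.g. `marker_name_len`) keeps the two lengths distinct. The new `avio_feof` test only fires once a read has already hit EOF, so the entry being parsed when EOF occurs is still processed with zero-filled values before the next iteration bails out — harmless if one bogus marker is tolerated downstream, worth a comment otherwise. `count` remains a raw 32-bit value from the file that EOF alone now bounds, which is fine only as long as every iteration consumes bytes.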
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:27 +0200 Subject: [PATCH 398/818] avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 763b93ba2e..de34fb9638 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } From 6bd562e04440c48eb79e24c36800791bbb1ba0b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:28 +0200 Subject: [PATCH 399/818] avformat/rmdec: Fix DoS due to lack of eof check Fixes: loop.ivr Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 178eaea57d..d6d7d9cd84 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
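Review bot: The return value of `av_add_index_entry` is still ignored inside the loop, so an allocation failure while growing the index (it returns a negative value in that case, as far as I recall — verify in libavformat) leaves the header parse reporting success with a partial index. Suggest `if (av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`. The EOF test runs before the read, so the entry during which EOF is hit is still added with a zeroed offset; acceptable, but a comment would record that it is deliberate.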
@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s) av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); } else if (type == 4) { av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { nb_streams = value = avio_rb32(pb); From 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:29 +0200 Subject: [PATCH 400/818] avformat/rl2: Fix DoS due to lack of eof check Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer --- libavformat/rl2.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c 
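Review bot: Beyond the EOF check, this loop still issues one `av_log` call per byte of a file-controlled `len`, and does so even when debug output is disabled, so a large value makes header parsing needlessly slow. Consider skipping the dump when `av_log_get_level() < AV_LOG_DEBUG` (`avio_skip(pb, len)` in place of the loop) or formatting through a bounded local buffer. The surrounding `if/else if` chain on `type` continues outside the hunk.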
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i Date: Fri, 25 Aug 2017 01:15:30 +0200 Subject: [PATCH 401/818] avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 0e12c8c6c1..f7aa4cbaec 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); From b5f0302eeb742923709d469f24cce83edf779926 Mon Sep 17 00:00:00 2001 
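Review bot: Both `av_add_index_entry` calls in the mvdec hunk remain unchecked, so an allocation failure while building the index is silently ignored and the header reports success with a truncated index; as far as I recall it returns a negative value in that case — verify and propagate it as `AVERROR(ENOMEM)`. Placing the `avio_feof` test after the three reads is the right spot, since it rejects the iteration before the zeroed `pos`/`asize`/`vsize` reach the index. The loop header and the `i`/`timestamp` bookkeeping are outside the hunk.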
From: Michael Niedermayer Date: Sat, 26 Aug 2017 14:00:55 +0200 Subject: [PATCH 402/818] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long' Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 7d593a18b8..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } From 25ff26aaac973f608cd3ffbe4a0dbed8670a6788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Aug 2017 23:59:09 +0200 Subject: [PATCH 403/818] avcodec/hevc_ps: Fix undefined shift in pcm code Fixes: runtime error: shift exponent -1 is negative Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index f34d9e342f..c0eefedd5d 100644 
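Review bot: The `(uint64_t)` casts make the products wrap instead of overflowing, but `accu_re`/`accu_im` and the parameter of `autocorr_calc` keep their original (presumably signed 64-bit) types, so each `+=` converts the unsigned sum back to signed — implementation-defined rather than undefined, and correct only on two's-complement targets, which FFmpeg assumes elsewhere. Nothing in the code says that, so the next reader may "fix" it back; a comment at the top of autocorrelate would help: `/* products are accumulated as uint64_t so that overflow wraps (defined) instead of being UB; the conversion back to int64_t relies on two's complement */`. Whether a wrapped accumulator still yields a sane `phi` is up to autocorr_calc, which is outside the hunk.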
--- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1026,10 +1026,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } From cd221a86a6a322b85cd0db2ef14c669afcbb8887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Aug 2017 00:30:33 +0200 Subject: [PATCH 404/818] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 4ebfa07c6a..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; From e6a8d110d7e8e938913a0a85ca933b415f8ed24d Mon Sep 17 00:00:00 2001 
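Review bot: The chroma PCM bit depth is bounded by `sps->bit_depth`, the luma depth; that is only right if the SPS parser already requires the chroma bit depth to equal the luma one (I believe ff_hevc_parse_sps rejects differing depths, but that code is outside this hunk — please confirm). A short comment would make the dependency explicit: `/* luma and chroma bit depths are required to match above, so one bound covers both PCM depths */`. Printing both values in the error is a welcome triage aid.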
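Review bot: The new snowdec expression depends on two implementation-defined steps — the `(int)` conversion of an out-of-range unsigned product and the `>> QEXPSHIFT` of a possibly negative `int` — to reproduce the old arithmetic, and nothing on the line says so; `/* multiply in unsigned to avoid UB on overflow; the cast back to int and the arithmetic shift rely on two's complement */` is cheap insurance. The `register` storage class on `t` and `u` is a no-op for modern compilers and could go when this line is next touched. `qmul`, `qadd` and `v` are declared outside the hunk.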
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 405/818] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index c6ddb67bbd..d8ce656817 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { From c01f799314c3254a98c415ccf99acd501bdbd9f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 406/818] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f8d0f9e057..6adb77d81f 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg } for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); From 9d3a7c82a669a1a1c8e3904c65ded19e80d16edc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 407/818] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 6adb77d81f..91731a7533 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } 
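Review bot: `nb_index_entries` is a 32-bit count taken straight from the file and is handed to three `av_calloc` calls before the loop, so the new `length < 11` test and the per-iteration `avio_feof` check bound the parsing but not the allocation; a count far beyond what the remaining bytes can hold still allocates (or fails to allocate) first. A pre-check such as `if (avio_size(pb) > 0 && segment->nb_index_entries > (uint64_t)avio_size(pb) / length) return AVERROR_INVALIDDATA;` (or the remaining KLV length, if the caller has it) would reject such files before touching the allocator. The magic `11` also deserves a comment — presumably the minimum size of one entry (temporal offset, key-frame offset, flags and an 8-byte stream offset).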
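Review bot: In the primer-pack hunk `item_num` is compared against 65536 and against 0 as a signed value, and the message says "too large" for both; if the field comes from a 32-bit read (the read is above the hunk), treating it as unsigned, `if ((unsigned)item_num > 65536)`, covers the negative case in one comparison and keeps the message honest.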
From 73427f5c7499bcc07444abced9b79df5b2a27229 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:10 +0200 Subject: [PATCH 408/818] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int' Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400 Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index b5aa22c690..1498dbde0a 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -586,7 +586,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> From fef0ccc40132b6a583ec6838e5823baf5649a83d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:11 +0200 Subject: [PATCH 409/818] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e715e53bc4..adf5178714 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
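Review bot: Switching the 10-bit instantiation to `uint32_t` changes the element type for the whole macro body, which lies above this hunk; the overflow fix is only sound if every intermediate that can be negative (the neighbour sum and its division) is computed in a signed `int` local before being added back, otherwise unsigned division would give different predictions for negative coefficients. Please confirm against the macro and record it on the line: `INTRA_DC_PRED(10, uint32_t) /* unsigned so that += wraps instead of overflowing; the prediction itself is computed in int */`.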
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From 8a640fc7cb5e7110c679102007f795846e2a64e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:12 +0200 Subject: [PATCH 410/818] avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit() Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long') Fixes: 2838/clusterfuzz-testcase-minimized-6260066086813696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c595139f1fdb5ce5ee128c317ed9e4e836282436) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_vlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index 773f720858..b642ee8599 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c @@ -56,6 +56,9 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, if ((c_idx + 1) > coeffs) return c_idx; + if (res_bits >= RSIZE_BITS) + res_bits = res = 0; + /* res_bits is a hint for better branch prediction */ if (res_bits && l->sign) { int32_t coeff = 1; From d9cf9f5af82228b588828ae2692acccec588fdac Mon Sep 17 00:00:00 2001 
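Review bot: Only the multiply-add is moved into unsigned arithmetic; the outer `b1 - (...)` and `b1 + (...)` are still evaluated as `int`, so the same fuzzer class can overflow one step later whenever `b1` is near INT_MAX or INT_MIN (whether that range is reachable depends on the callers' coefficient bounds, which are outside this header). Casting `b1` as well, `((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))`, makes the whole expression wrap-defined. While touching these lines the macro parameters should be parenthesised — `b0 + (unsigned)b2` silently breaks if a caller passes an expression such as `p[i]-q` for `b2`.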
From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 411/818] avformat/mov: Fix DoS in read_tfra() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b1cee8d6c..90b068f091 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5873,6 +5873,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); From b61e5a878c845b8bee1267fdb75c293feb00ae0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 412/818] avformat/asfdec: Fix DoS in asf_build_simple_index() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index f3acbae280..cc648b9a2f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); 
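Review bot: The EOF check now bounds the loop, but `index->items` was allocated for `item_count` entries before it (the allocation and its error check end just above the loop) and `item_count` is a 32-bit value read from the file, so a hostile `tfra` can still request a large allocation before the first `avio_feof` fires. Bounding `item_count` by the bytes remaining in the atom before allocating — each entry holds at least the two time/offset fields (8 bytes each for version 1) plus the small trailing fields — would close that gap. Discarding the partially filled entries on the error path is the safe choice; a one-line comment saying so would keep someone from "recovering" them later.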
From 1df91b48a39abfa62bc40ca53b1225631ba110ca Mon Sep 17 00:00:00 2001 From: Mark Wachsler Date: Thu, 7 Sep 2017 09:42:07 -0400 Subject: [PATCH 413/818] libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0 When parsing a monochrome file, chroma_log2_weight_denom was used without being initialized, which could lead to a bogus error message being printed, e.g. [h264 @ 0x61a000026480] chroma_log2_weight_denom 24576 is out of range It also could led to warnings using AddressSanitizer. Signed-off-by: Michael Niedermayer (cherry picked from commit fde5c7dc79eb017790ba232442ad2a4eecea4bf1) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 3d20075f6a..a7c71d9bbb 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c 
@@ -34,21 +34,22 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->use_weight = 0; pwt->use_weight_chroma = 0; - pwt->luma_log2_weight_denom = get_ue_golomb(gb); - if (sps->chroma_format_idc) - pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + pwt->luma_log2_weight_denom = get_ue_golomb(gb); if (pwt->luma_log2_weight_denom > 7U) { av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom); pwt->luma_log2_weight_denom = 0; } - if (pwt->chroma_log2_weight_denom > 7U) { - av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); - pwt->chroma_log2_weight_denom = 0; - } + luma_def = 1 << pwt->luma_log2_weight_denom; - luma_def = 1 << pwt->luma_log2_weight_denom; - chroma_def = 1 << pwt->chroma_log2_weight_denom; + if (sps->chroma_format_idc) { + pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + if (pwt->chroma_log2_weight_denom > 7U) { + av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); + pwt->chroma_log2_weight_denom = 0; + } + chroma_def = 1 << pwt->chroma_log2_weight_denom; + } for (list = 0; list < 2; list++) { pwt->luma_weight_flag[list] = 0; 
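Review bot: When `chroma_format_idc` is 0 the new code no longer reads or validates `pwt->chroma_log2_weight_denom`, but it also no longer writes it, so the field (and the local `chroma_def`) keep whatever value they had from an earlier slice or from uninitialized memory; the stale read the commit fixes stays avoided only as long as every later use is guarded by the same `sps->chroma_format_idc` test. Resetting them in an else branch removes that dependency: `} else { pwt->chroma_log2_weight_denom = 0; chroma_def = 0; }`. The declarations of `luma_def`/`chroma_def` and the remaining chroma uses are outside this hunk.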
@@ -102,9 +103,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, if (picture_structure == PICT_FRAME) { pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0]; pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1]; - for (j = 0; j < 2; j++) { - pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; - pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + if (sps->chroma_format_idc) { + for (j = 0; j < 2; j++) { + pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; + pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + } } } } From 8eb8882af5ccc6efd715783a151ddedba4587b9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Sep 2017 15:51:45 +0200 Subject: [PATCH 414/818] avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE() Fixes: runtime error: left shift of 1073741838 by 1 places cannot be represented in type 'int32_t' (aka 'int') Fixes: 3279/clusterfuzz-testcase-minimized-4564805744590848 Suggested-by: Reviewed-by: Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d29a775d6de9357731fec872642644e57b233) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_vlc.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index b642ee8599..496d8177cd 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c 
@@ -37,7 +37,7 @@ #define APPEND_RESIDUE(N, M) \ N |= M >> (N ## _bits); \ - N ## _bits += (M ## _bits) + N ## _bits = (N ## _bits + (M ## _bits)) & 0x3F int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, int bytes, uint8_t *_dst, int coeffs) @@ -56,9 +56,6 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, if ((c_idx + 1) > coeffs) return c_idx; - if (res_bits >= RSIZE_BITS) - res_bits = res = 0; - /* res_bits is a hint for better branch prediction */ if (res_bits && l->sign) { int32_t coeff = 1; From b590758298cc6f7bac710ebaecb99a4de878c7f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2017 23:29:13 +0200 Subject: [PATCH 415/818] avcodec/scpr: optimize shift loop. Speeds code up from 50sec to 15sec Fixes Timeout Fixes: 3242/clusterfuzz-testcase-5811951672229888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 981f04b2ae2d6e0355386aaff39840eb5d390a36) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index b4cc7df07f..78a6d5c0cd 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -824,8 +824,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + // scale up each sample by 8 for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width * 4; x++) { + // If the image is sufficiently aligned, compute 8 samples at once + if (!(((uintptr_t)dst) & 7)) { + uint64_t *dst64 = (uint64_t *)dst; + int w = avctx->width>>1; + for (x = 0; x < w; x++) { + dst64[x] = (dst64[x] << 3) & 0xFCFCFCFCFCFCFCFCULL; + } + x *= 8; + } else + x = 0; + for (; x < avctx->width * 4; x++) { dst[x] = dst[x] << 3; } dst += frame->linesize[0]; 
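Review bot: `N ## _bits = (N ## _bits + (M ## _bits)) & 0x3F` keeps the shift count in `N |= M >> (N ## _bits)` below 64, but it does so by silently wrapping the bit count: once a residue exceeds the accumulator width the next append lands at a wrapped position and the coefficient is quietly corrupted instead of the slice being rejected. The removed `if (res_bits >= RSIZE_BITS)` reset was the only code that reacted to that condition; with the mask it could never fire, so dropping it is consistent, but the behaviour on over-long input is now implicit. A comment on the macro, `/* mask keeps the shift in range for the 64-bit residue; over-long residues wrap silently rather than erroring */`, would record this, and the width assumption (`RSIZE_BITS` and the type of `res` are outside the hunk) should be checked against the 0x3F constant.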
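Review bot: The word-wise path does not reproduce the byte loop exactly: `dst[x] << 3` on a `uint8_t` clears the low three bits of every byte, while `& 0xFCFCFCFCFCFCFCFCULL` clears only two, so bit 2 of each byte keeps bit 7 of the preceding byte after the 64-bit shift. The two paths agree only when no sample has bit 7 set — presumably the case if the decoder produces at most 5-bit samples before this ×8 scaling, but that is not visible from the hunk. `0xF8F8F8F8F8F8F8F8ULL` matches the byte loop for every input at no extra cost, and a comment stating the sample range would justify whichever mask is kept. Reading `uint8_t` storage through `(uint64_t *)dst` also relies on the build disabling strict aliasing; `AV_RN64`/`AV_WN64` express the same access without that dependency.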
From a295d1870a8cc98e397ec51458ef5ed514ee7ee2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:50 +0200 Subject: [PATCH 416/818] avcodec/diracdec: Fix overflow in DC computation Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int' Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5995856a4236c27f231210bb08d70688e045192) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1498dbde0a..791b7f9928 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1422,7 +1422,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } From 32fa6ce64afdc8b3ac51f61cd1ec94d3c45d2020 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:51 +0200 Subject: [PATCH 417/818] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 25f1a81202..75763ce85e 100644 
--- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -593,7 +593,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; From 4f97556f5489503d5bdf85a4009984aecb22e1a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2017 23:29:12 +0200 Subject: [PATCH 418/818] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; 
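Review bot: `(ox0 + ox1 + 1) * (1 << log2Wd)` removes the left shift of a negative value, but `1 << log2Wd` and the product remain undefined or overflowing for a large `log2Wd`, so the expression is safe only because the slice-header parser bounds the weight denominator (outside this file). The same `<< log2Wd` form appears in the other `*_bi_w_*` functions of this template — the commit at L393 fixes exactly this expression in `put_hevc_epel_bi_w_hv` as a separate fuzz-driven change — so the remaining weighted bi-prediction variants are better swept in one pass than one crash at a time. A comment on the line, `/* multiply instead of shift: ox0 + ox1 + 1 may be negative */`, would make the reason visible to the next person editing the template.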
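Review bot: Two signed products with the same operand magnitudes as the reported overflow are left in place: `26345 * *src2` in the `i0` line just above the change and `i_ict_params[2] * *src2` in the second term of `i1` (an unchanged context line), so an input with `|*src2|` above about 81500 still overflows `int`. Mirroring the `i2` fix gives `i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);` and `- ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);`. The `*src0 + *src2` sum and the `2 * *src1` term are also plain signed arithmetic on the same values; whether they need the same treatment depends on the range the caller guarantees, which is outside the hunk.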
From eca53fd52bdc22a74ab6552bcc2c50ee591c43f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Sep 2017 14:54:47 +0200 Subject: [PATCH 419/818] Update for 3.3.4 Signed-off-by: Michael Niedermayer --- Changelog | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 8dc2104d10..3107e1b60b 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,60 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.4: +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avcodec/scpr: optimize shift loop. +- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE() +- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0 +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. 
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/rtpdec_h264: Fix heap-buffer-overflow +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2() +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/pixlet: fixes integer overflow in read_highpass() +- avcodec/zmbv: Check decomp_size +- avcodec/diracdec: Fixes integer overflow +- avcodec/diracdec: Check perspective_exp and zrs_exp. 
+- avcodec/ffv1dec_template: Fix undefined shift +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- swscale: fix gbrap16 alpha channel issues +- avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add() +- avcodec/diracdsp: fix integer overflow +- avcodec/diracdec: Check weight_log2denom +- avcodec/nvenc: only push cuda context on encoder close if encoder exists +- avfilter/vf_ssim: fix temp size calculation + version 3.3.3: - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() - avcodec/diracdec: Fix integer overflow in divide3() diff --git a/RELEASE b/RELEASE index 619b537668..a0891f563f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.3 +3.3.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3ab8192e16..c66da8086d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.3 +PROJECT_NUMBER = 3.3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 0c5eb03aac6fd31ebb3e4ec263b18de30836c5a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:16 +0200 Subject: [PATCH 420/818] avcodec/shorten: Move buffer allocation and offset init to end of read_header() They are time consuming operations, performing them after the other checks improves the speed with damaged input dramatically. Fixes: Timeout Fixes: 2928/clusterfuzz-testcase-4992812120539136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer (cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 920887b2a0..3b0fa272e7 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -462,12 +462,6 @@ static int read_header(ShortenContext *s) } s->nwrap = FFMAX(NWRAP, maxnlpc); - if ((ret = allocate_buffers(s)) < 0) - return ret; - - if ((ret = init_offset(s)) < 0) - return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -504,6 +498,13 @@ static int read_header(ShortenContext *s) } end: + + if ((ret = allocate_buffers(s)) < 0) + return ret; + + if ((ret = init_offset(s)) < 0) + return ret; + s->cur_chan = 0; s->bitshift = 0; From de260c7b34de9d34a6201cc7ad62f8e19d072b75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:17 +0200 Subject: [PATCH 421/818] avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index b0a17bc8f0..44de3980e1 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h 
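Review bot: Moving `allocate_buffers()` and `init_offset()` behind `end:` is correct only if nothing between the old call site and the label (the middle of `read_header()` lies outside both hunks) touches the buffers the first call provides or the offset the second computes, and only if every field they size from — `s->nwrap` is set just above, the others are not visible — is final by `end:`. A comment above the moved calls would keep the order from being "fixed" back later, e.g. `/* allocate last: only after the header has been fully validated, so malformed input fails before the expensive allocations */`.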
@@ -285,8 +285,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; From 41479c83aea06c9b9f0e6e016c3bdf18db97bf8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Sep 2017 02:32:11 +0200 Subject: [PATCH 422/818] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 3107e1b60b..c011583eb0 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,8 @@ releases are sorted from youngest to oldest. version 3.3.4: +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/shorten: Move buffer allocation and offset init to end of read_header() - avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() - avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels - avcodec/diracdec: Fix overflow in DC computation From e3a1c0491fa2beb6562f9960e9cb3af673f3bf94 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 7 Sep 2017 21:23:04 -0300 Subject: [PATCH 423/818] avcodec/hevc_ps: improve check for missing default display window bitstream Fixes ticket #6644 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit c9a1cd08eafe57d1fecaaf605929b3e68165a6e4) --- Changelog | 1 + libavcodec/hevc_ps.c | 33 +++++++++++++++++++++++++++------ 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index c011583eb0..78df5df5fa 100644 --- a/Changelog +++ b/Changelog 
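Review bot: Growing the arrays to 6 entries covers `chroma_qp_offset_list_len_minus1` values 0..5, the range the HEVC specification allows for that syntax element; the fix is complete only if the PPS parser in hevc_ps.c (not in this diff) rejects larger values before the fill loop, since the field is a `uint8_t` and a bigger value would index past the new bound just as before. A comment tying the size to the syntax element, `int8_t cb_qp_offset_list[6]; /* chroma_qp_offset_list_len_minus1 is 0..5 */`, would keep the two in step.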
@@ -3,6 +3,7 @@ releases are sorted from youngest to oldest. version 3.3.4: +- avcodec/hevc_ps: improve check for missing default display window bitstream - avcodec/hevc_ps: Fix c?_qp_offset_list size - avcodec/shorten: Move buffer allocation and offset init to end of read_header() - avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index c0eefedd5d..f2c26c4598 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -550,7 +550,7 @@ err: static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, int apply_defdispwin, HEVCSPS *sps) { - VUI *vui = &sps->vui; + VUI backup_vui, *vui = &sps->vui; GetBitContext backup; int sar_present, alt = 0; @@ -618,13 +618,14 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, vui->field_seq_flag = get_bits1(gb); vui->frame_field_info_present_flag = get_bits1(gb); + // Backup context in case an alternate header is detected + memcpy(&backup, gb, sizeof(backup)); + memcpy(&backup_vui, vui, sizeof(backup_vui)); if (get_bits_left(gb) >= 68 && show_bits_long(gb, 21) == 0x100000) { vui->default_display_window_flag = 0; av_log(avctx, AV_LOG_WARNING, "Invalid default display window\n"); } else vui->default_display_window_flag = get_bits1(gb); - // Backup context in case an alternate header is detected - memcpy(&backup, gb, sizeof(backup)); if (vui->default_display_window_flag) { int vert_mult = 1 + (sps->chroma_format_idc < 2); 
@@ -651,18 +652,19 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, } } +timing_info: vui->vui_timing_info_present_flag = get_bits1(gb); if (vui->vui_timing_info_present_flag) { - if( get_bits_left(gb) < 66) { + if( get_bits_left(gb) < 66 && !alt) { // The alternate syntax seem to have timing info located // at where def_disp_win is normally located av_log(avctx, AV_LOG_WARNING, "Strange VUI timing information, retrying...\n"); - vui->default_display_window_flag = 0; - memset(&vui->def_disp_win, 0, sizeof(vui->def_disp_win)); + memcpy(vui, &backup_vui, sizeof(backup_vui)); memcpy(gb, &backup, sizeof(backup)); alt = 1; + goto timing_info; } vui->vui_num_units_in_tick = get_bits_long(gb, 32); vui->vui_time_scale = get_bits_long(gb, 32); @@ -680,6 +682,15 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, vui->bitstream_restriction_flag = get_bits1(gb); if (vui->bitstream_restriction_flag) { + if (get_bits_left(gb) < 8 && !alt) { + av_log(avctx, AV_LOG_WARNING, + "Strange VUI bitstream restriction information, retrying" + " from timing information...\n"); + memcpy(vui, &backup_vui, sizeof(backup_vui)); + memcpy(gb, &backup, sizeof(backup)); + alt = 1; + goto timing_info; + } vui->tiles_fixed_structure_flag = get_bits1(gb); vui->motion_vectors_over_pic_boundaries_flag = get_bits1(gb); vui->restricted_ref_pic_lists_flag = get_bits1(gb); @@ -689,6 +700,16 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, vui->log2_max_mv_length_horizontal = get_ue_golomb_long(gb); vui->log2_max_mv_length_vertical = get_ue_golomb_long(gb); } + + if (get_bits_left(gb) < 1 && !alt) { + // XXX: Alternate syntax when sps_range_extension_flag != 0? + av_log(avctx, AV_LOG_WARNING, + "Overread in VUI, retrying from timing information...\n"); + memcpy(vui, &backup_vui, sizeof(backup_vui)); + memcpy(gb, &backup, sizeof(backup)); + alt = 1; + goto timing_info; + } } static void set_default_scaling_list_data(ScalingList *sl) 
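Review bot: The restore-and-retry sequence (`memcpy(vui, &backup_vui, ...)`, `memcpy(gb, &backup, ...)`, `alt = 1`, `goto timing_info`) is now written out three times in this function; a small `static` helper that restores both contexts and sets `alt` (the `goto` stays at the call site) would keep the copies from drifting. The `// XXX` in the last hunk records an open question about `sps_range_extension_flag`; if it is not going to be resolved, it should say which behaviour was chosen and why. Since every retry re-parses the bits of the def_disp_win region as timing information, a comment next to the `timing_info:` label noting that `backup` was taken before `default_display_window_flag` was read (hunk at L384) would help a reader follow the control flow. `decode_vui()` ends within the last hunk.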
From 9f7042f9cd0f4911bc5cebfcb4489bbd77826841 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 13 Sep 2017 17:03:56 -0300 Subject: [PATCH 424/818] avcodec/extract_extradata: return an error when buffer allocation fails ret is 0 by default. Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 7bae17e37ab63d1cfcea22c68c455f859db3663c) --- libavcodec/extract_extradata_bsf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index 4cd0ca1137..ed6509c681 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -101,14 +101,17 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, if (s->remove) { filtered_buf = av_buffer_alloc(pkt->size + AV_INPUT_BUFFER_PADDING_SIZE); - if (!filtered_buf) + if (!filtered_buf) { + ret = AVERROR(ENOMEM); goto fail; + } filtered_data = filtered_buf->data; } extradata = av_malloc(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!extradata) { av_buffer_unref(&filtered_buf); + ret = AVERROR(ENOMEM); goto fail; } From bf6cd808bed4060de3d30c729cc29feee5d6f47a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2017 02:42:11 +0200 Subject: [PATCH 425/818] avcodec/pngdec: Clean up on av_frame_ref() failure Fixes: memleak Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c2359b8a4d..67a6e3f9d0 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
@@ -1366,7 +1366,7 @@ static int decode_frame_png(AVCodecContext *avctx, } if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; From 4e341bd90411b98f395ea9744e90e00765f04e2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:03:55 +0200 Subject: [PATCH 426/818] avcodec/svq3: Fix overflow in svq3_add_idct_c() Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int' Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index a766fa49ad..5cb5bd45b7 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -285,7 +285,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const int rr = (dc + 0x80000u); dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); From 6d1ebb9def18ee95f08fa63428d31b9742809e21 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:26:09 +0200 Subject: [PATCH 427/818] avcodec/ffv1dec: Fix integer overflow in read_quant_table() Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 20921c6adf..8a0a82e62b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -354,7 +354,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i || !len) return AVERROR_INVALIDDATA; From 940659036f4793a507f0ce741cc44c8350e8ca27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 02:53:25 +0200 Subject: [PATCH 428/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int' Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67da2685e03805230207daab83ab43a390fbb887) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index adf5178714..755d5e5d2d 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From b5b52c0ca726200d64d1b7a547c06066719e2865 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:26 +0200 Subject: [PATCH 429/818] avcodec/takdec: Fix integer overflows in decode_subframe() Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int' Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3dabb9c69db114b1f30c30e0a2788cffc50bac40) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index c7b3fc03ef..41f30442d8 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -486,10 +486,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; From 4bc16930efdb56dc53caf615cec7085435bf10e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:28 +0200 Subject: [PATCH 430/818] avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int' Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5eaf0b5956e492ee5023929669b1d09aaf6299) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index ff46bcfde0..779ae6a999 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > MIN_CACHE_BITS) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ 
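Review bot: `DECODE_CODEWORD()` now contains a bare `return AVERROR_INVALIDDATA`, so every function that expands it must return `int` and every caller must check the result; the hunks at L391 convert `decode_dc_coeffs()` and its two call sites, and `decode_ac_coeffs()` already returns a checked error, so the set looks complete, but the macro should say so: `/* may return AVERROR_INVALIDDATA: only expand in int-returning functions */`. The bound `bits > MIN_CACHE_BITS` still admits `bits == 32`, which `SKIP_BITS()` cannot handle; the follow-up at L394 tightens it to `FFMIN(MIN_CACHE_BITS, 31)`, and that limit belongs with this check. Returning from inside the OPEN_READER region skips CLOSE_READER, which is acceptable on an error path provided callers do not reuse `gb` afterwards — the visible callers return immediately.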
@@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; From ab845587d135e64ce09bf360c23c956695db357a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:27 +0200 Subject: [PATCH 431/818] avcodec/takdec: Fix integer overflow in decode_lpc() Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int' Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9) 
Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 41f30442d8..6f32f8859e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -206,7 +206,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } From c54317a17e576700e0d936f0bf6b89dba77b4c73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Sep 2017 22:23:26 +0200 Subject: [PATCH 432/818] avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized Fixes: OOM Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64e034da954125ef98fb8f9153f9706cdb8a96fe) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 94efc94c4d..afeb9df27c 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -506,6 +506,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, // update precincts size: 2^n value reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno]; reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno]; + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) { + return AVERROR_INVALIDDATA; + } /* Number of bands for each resolution level */ if (reslevelno == 0) From 520daf8c0ec493d30a8737e667b2602a6aa9a802 Mon Sep 17 00:00:00 2001 
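Review bot: `coeffs[1] += (unsigned)*coeffs;` fixes one of two signed accumulations in this loop; the line above it, `*coeffs += a1;`, adds an `int` to an `int32_t` under the same conditions and overflows on the same kind of input. `*coeffs += (unsigned)a1;` applies the identical treatment. `decode_lpc()` has other `mode` branches outside the hunk that may carry the same pattern.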
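Review bot: The new check treats a zero precinct exponent as "uninitialized", but ITU-T T.800 permits a precinct size exponent of 0 (1×1 precincts) at resolution level 0, so a conforming stream using that setting at `reslevelno == 0` would now be rejected unless the COD/COC parser never stores 0 for a real stream; if that is the invariant being relied on, state it in the comment instead of `// update precincts size`. The early `return` happens inside the per-level loop, so resolution levels already set up for this component stay allocated; that is leak-free only if the caller runs the component cleanup on every error from `ff_jpeg2000_init_component()`, which is outside the hunk.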
From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:21 +0200 Subject: [PATCH 433/818] avcodec/hevcdsp_template: Fix undefined shift Fixes: runtime error: left shift of negative value -255 Fixes: 3373/clusterfuzz-testcase-minimized-5604083912146944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbdab6eca7874fbeba6aa79c269f345e4d43f5d4) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 75763ce85e..e09c661759 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1486,7 +1486,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From 6b9ffcdb2bac691ff76febb7f0b60f31109f3fb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:22 +0200 Subject: [PATCH 434/818] avcodec/proresdec2: SKIP_BITS() does not work with len=32 Fixes: invalid shift Fixes: 3482/clusterfuzz-testcase-minimized-5446915875405824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c37138e01a93da2f9dd2cc5d4b77e5a38581d130) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 779ae6a999..fe5fddc747 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c 
@@ -267,7 +267,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ - if (bits > MIN_CACHE_BITS) \ + if (bits > FFMIN(MIN_CACHE_BITS, 31)) \ return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ From 4768b30b5bdf02cbfa6235f167ed2246009ed6f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 18:54:05 +0200 Subject: [PATCH 435/818] avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 44 +++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index e6f0a36f61..6a93aed2e8 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1967,16 +1967,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { - if (decode_ics_info(ac, ics, gb) < 0) - return AVERROR_INVALIDDATA; + ret = decode_ics_info(ac, ics, gb); + if (ret < 0) + goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) - return ret; + goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) - return ret; + goto fail; pulse_present = 0; if (!scale_flag) { 
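Review bot: The cap `FFMIN(MIN_CACHE_BITS, 31)` encodes a bit-reader limitation that the code itself does not explain, so a reader of DECODE_CODEWORD() sees only an arbitrary 31. A comment on the continued line would keep the reasoning the commit message gives: `if (bits > FFMIN(MIN_CACHE_BITS, 31)) /* SHOW_UBITS()/SKIP_BITS() cannot handle 32 bits */ \`. The macro body continues on both sides of the hunk.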
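Review bot: Replacing `return AVERROR_INVALIDDATA` with `ret = decode_ics_info(...); if (ret < 0) goto fail;` makes decode_ics() return whatever the callee returned, where the old code always returned AVERROR_INVALIDDATA; the same substitution is made for decode_tns() and decode_spectrum_and_dequant() in the second hunk of this file. That is only equivalent if each of those functions returns a proper AVERROR code on every failure path; a bare `-1` from any of them would now surface to callers as an unknown error. Those functions are outside the hunk, so this needs a quick check; if any can return -1, `ret = AVERROR_INVALIDDATA; goto fail;` keeps the old contract.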
@@ -1984,37 +1985,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } tns->present = get_bits1(gb); - if (tns->present && !er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && !er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do - if (tns->present && er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } } - if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, - &pulse, ics, sce->band_type) < 0) - return AVERROR_INVALIDDATA; + ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, + &pulse, ics, sce->band_type); + if (ret < 0) + goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: + tns->present = 0; + return ret; } /** From ab43bc50c017a3d2fc9915c012ab4393623f6e72 Mon Sep 17 00:00:00 2001 
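Review bot: The `fail:` path clears `tns->present` without saying why, and the reason is not derivable from decode_ics() itself since the consumer of that flag is outside the hunk. A one-line comment would carry it: `tns->present = 0; /* TNS data may be missing or only partially decoded; do not let later stages apply it */`, worded as the presumed rationale from the commit title. Note that decode_ics_info() failures from the first hunk also land here before `tns->present` was assigned in this call, which is harmless but worth knowing when reading the label.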
From: Michael Niedermayer Date: Sat, 30 Sep 2017 18:54:06 +0200 Subject: [PATCH 436/818] avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() Fixes: runtime error: signed integer overflow: -1408475220 + -1408475220 cannot be represented in type 'int' Fixes: 3336/clusterfuzz-testcase-minimized-5656839179993088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44874b4f5ec2c605c70393573b9d85540ebc2d81) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index a463a925fd..f077f0e4bd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -465,7 +465,7 @@ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *de } } -static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas) +static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas) { int i, j; for (j = 0; j < 2; j++) { From 0a231e7dd32bdea4b2fc1c48040047986d1d4925 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 00:20:09 +0200 Subject: [PATCH 437/818] avcodec/x86/lossless_videoencdsp: Fix handling of small widths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array access Fixes: crash-huf.avi Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987 This could also be fixed by adding checks in the C code that calls the dsp Found-by: Zhibin Hu and 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa) Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_videoencdsp.asm | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
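Review bot: Only the parameter type of tm2_high_chroma() changes to `unsigned *CD`; the body and the call site are outside the hunk, and the diffstat shows a single changed line, so the caller still passes the pointer it passed before. Unless that pointer is already `unsigned *`, the call now converts `int *` to `unsigned *` implicitly, which compilers flag under -Wpointer-sign; declaring the passed member as `unsigned` too (or casting at the call) keeps the build warning-free. A short comment on the parameter, `unsigned *CD /* accumulated with wraparound; see overflow fix */`, would explain why it differs in signedness from `last` and `deltas`.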
diff --git a/libavcodec/x86/lossless_videoencdsp.asm b/libavcodec/x86/lossless_videoencdsp.asm index 63fd72174a..41ab23eae5 100644 --- a/libavcodec/x86/lossless_videoencdsp.asm +++ b/libavcodec/x86/lossless_videoencdsp.asm @@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w %define i t0q %endmacro -; label to jump to if w < regsize -%macro DIFF_BYTES_LOOP_PREP 1 +; labels to jump to if w < regsize and w < 0 +%macro DIFF_BYTES_LOOP_PREP 2 mov i, wq and i, -2 * regsize + js %2 jz %1 add dstq, i add src1q, i @@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w %if mmsize > 16 ; fall back to narrower xmm %define regsize mmsize / 2 - DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa + DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa .loop2_%1%2: DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1 add i, 2 * regsize @@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w INIT_MMX mmx DIFF_BYTES_PROLOGUE %define regsize mmsize - DIFF_BYTES_LOOP_PREP .skip_main_aa + DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa DIFF_BYTES_BODY a, a %undef i %endif @@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE INIT_XMM sse2 DIFF_BYTES_PROLOGUE %define regsize mmsize - DIFF_BYTES_LOOP_PREP .skip_main_aa + DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa test dstq, regsize - 1 jnz .loop_uu test src1q, regsize - 1 @@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE %define regsize mmsize ; Directly using unaligned SSE2 version is marginally faster than ; branching based on arguments. - DIFF_BYTES_LOOP_PREP .skip_main_uu + DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu test dstq, regsize - 1 jnz .loop_uu test src1q, regsize - 1 From 7cc854ce153190cf5c62cee31406088c66c37ba8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 00:26:51 +0200 Subject: [PATCH 438/818] avcodec/x86/lossless_videoencdsp: Fix warning: signed dword value exceeds bounds Add () to regsize define Suggested-by: Henrik Gramner 
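Review bot: The new `js %2` in DIFF_BYTES_LOOP_PREP makes a negative `w` silently skip the whole loop, a contract that the C callers and the header declaring diff_bytes() presumably do not spell out; the commit message itself notes the alternative was a check in the C code. Documenting "w must be non-negative; negative widths are a no-op" where diff_bytes is declared would stop the next SIMD implementation from omitting the guard. `js` tests the sign of `i` after `and i, -2 * regsize`, which preserves the sign bit for any power-of-two regsize, but that deserves a comment next to it: `js %2 ; w < 0: masked width stays negative, bail out`. The `.end_aa`/`.end_uu` labels the four call sites pass are outside this hunk.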
Signed-off-by: Michael Niedermayer (cherry picked from commit 26ea142658a8be16d13bb430ced14ef544f8afe9) Signed-off-by: Michael Niedermayer --- libavcodec/x86/lossless_videoencdsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/lossless_videoencdsp.asm b/libavcodec/x86/lossless_videoencdsp.asm index 41ab23eae5..7b82285df1 100644 --- a/libavcodec/x86/lossless_videoencdsp.asm +++ b/libavcodec/x86/lossless_videoencdsp.asm @@ -87,7 +87,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w jz .end_%1%2 %if mmsize > 16 ; fall back to narrower xmm - %define regsize mmsize / 2 + %define regsize (mmsize / 2) DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa .loop2_%1%2: DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1 From 0009272f943af76c8bad7c676ce4e9c41c4ac042 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Oct 2017 21:41:54 +0200 Subject: [PATCH 439/818] avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int' Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040 Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e38f280fece38e270a6462a02cc034f4116a7912) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 79 +++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8f85e9362d..cd39131d55 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -179,6 +179,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int sprite_ref[4][2]; int virtual_ref[2][2]; int64_t sprite_offset[2][2]; + int64_t sprite_delta[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -262,10 +263,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g sprite_offset[0][1] = sprite_offset[1][0] = sprite_offset[1][1] = 0; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; @@ -276,10 +277,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g a * (vop_ref[0][0] / 2); sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; 
@@ -304,10 +305,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); - s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); - s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); + sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); + sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); ctx->sprite_shift[0] = alpha + rho; ctx->sprite_shift[1] = alpha + rho + 2; 
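Review bot: In this 2-point case the right-hand sides `(-r * sprite_ref[0][0] + virtual_ref[0][0])` are still evaluated in `int` and only widened on assignment to the new `int64_t sprite_delta`, whereas the 3-point case in the next hunk casts `(int64_t)sprite_ref[...]` inside the expression. If `r * sprite_ref` is bounded well below 2^31 here the code is fine, but the inconsistency forces a reader to re-derive that bound; writing `(-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0])` in all four assignments matches the other case and costs nothing.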
@@ -332,28 +333,28 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; - s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; - s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3; + sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3; + sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3; + sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3; + sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3; ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; } /* try to simplify the situation */ - if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] && - s->sprite_delta[0][1] == 0 && - s->sprite_delta[1][0] == 0 && - s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { + if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && + sprite_delta[0][1] == 0 && + sprite_delta[1][0] == 0 && + sprite_delta[1][1] == a << ctx->sprite_shift[0]) { sprite_offset[0][0] >>= ctx->sprite_shift[0]; sprite_offset[0][1] >>= ctx->sprite_shift[0]; sprite_offset[1][0] >>= ctx->sprite_shift[1]; sprite_offset[1][1] >>= ctx->sprite_shift[1]; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = 0; - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = 0; + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = 0; ctx->sprite_shift[1] = 0; s->real_sprite_warping_points = 1; 
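Review bot: The simplification test `sprite_delta[0][0] == a << ctx->sprite_shift[0]` now compares an `int64_t` with a shift that is still performed in `int`: `a << ctx->sprite_shift[0]` is evaluated at `int` width and only then promoted, so for shift counts that push `a` past 31 bits it is undefined before the comparison happens, which is the class of bug this commit fixes for the deltas. `(int64_t)a << ctx->sprite_shift[0]` on both lines of the condition keeps the whole comparison in 64 bits. Whether `alpha + beta + rho - min_ab` can actually reach that range is decided outside the hunk, so treat this as a hedge rather than a confirmed overflow.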
@@ -365,8 +366,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g if (shift_c < 0 || shift_y < 0 || FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || - FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || - FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y ) { avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); goto overflow; 
@@ -376,22 +377,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { sprite_offset[0][i] *= 1 << shift_y; sprite_offset[1][i] *= 1 << shift_c; - s->sprite_delta[0][i] *= 1 << shift_y; - s->sprite_delta[1][i] *= 1 << shift_y; + sprite_delta[0][i] *= 1 << shift_y; + sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } for (i = 0; i < 2; i++) { int64_t sd[2] = { - s->sprite_delta[i][0] - a * (1LL<<16), - s->sprite_delta[i][1] - a * (1LL<<16) + sprite_delta[i][0] - a * (1LL<<16), + sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || @@ -405,10 +406,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } - s->sprite_offset[0][0] = sprite_offset[0][0]; - s->sprite_offset[0][1] = sprite_offset[0][1]; - s->sprite_offset[1][0] = sprite_offset[1][0]; - s->sprite_offset[1][1] = sprite_offset[1][1]; + for (i = 0; i < 4; i++) { + s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1]; + s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1]; + } return 0; overflow: 
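Review bot: The new copy loop at the end of mpeg4_decode_sprite_trajectory() narrows the 64-bit locals back into `s->sprite_offset`/`s->sprite_delta` without a word on why the truncation is safe; the justification is the `llabs(...) >= INT_MAX` checks earlier in this hunk and the `FFABS(...) >= INT_MAX >> shift` checks in the previous one, both of which `goto overflow`. A comment on the loop keeps that link explicit: `/* every value was range-checked against INT_MAX above, so the narrowing store is safe */`. The simplified branch (deltas set to `a`, offsets shifted down) reaches this loop too, and I could not see an INT_MAX check for the shifted offsets on that path, so that is worth confirming before adding the comment.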
From aa6c44c33399a8dd5799dc57d18e0f8235b17f86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 00:32:30 +0200 Subject: [PATCH 440/818] avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb() Fixes out of array read Should fix: 3516/clusterfuzz-testcase-minimized-4608518562775040 (not reprodoceable) Found-by: Insu Yun, Georgia Tech. Signed-off-by: Michael Niedermayer (cherry picked from commit 127a362630e11fe724e2e63fc871791fdcbcfa64) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg_er.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c index ee8b2a5e7b..0c5c44cf4f 100644 --- a/libavcodec/mpeg_er.c +++ b/libavcodec/mpeg_er.c @@ -71,6 +71,7 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type, s->mb_skipped = mb_skipped; s->mb_x = mb_x; s->mb_y = mb_y; + s->mcsel = 0; memcpy(s->mv, mv, sizeof(*mv)); ff_init_block_index(s); From d13d3feba2d05490a83fe4dfb88125d8dfc00d63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 01:46:28 +0200 Subject: [PATCH 441/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3485/clusterfuzz-testcase-minimized-4940429332054016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bdee75a4e750735ab3039f004275ac8479072048) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 755d5e5d2d..35ed8857e9 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
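Review bot: `s->mcsel = 0;` is added among the per-macroblock state resets in mpeg_er_decode_mb() with no explanation, and unlike the neighbouring assignments it is not taken from a parameter, so the next reader cannot tell a reset from a fix. A why-comment tied to the commit's rationale would help: `s->mcsel = 0; /* presumably: concealment never uses GMC, and a stale mcsel from the last decoded MB selected an out-of-range MC path */`. The consumer of `mcsel` is outside this hunk, hence the hedge.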
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((b0 + b2 + 2) >> 2)) + (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((b0 + b2 + 1) >> 1)) + (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) From 48933f28c2a8dce024bef8110e907811b3d4c9f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 11:49:28 +0200 Subject: [PATCH 442/818] avcodec/ffv1dec: Fix out of array read in slice counting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: test-201710.mp4 Found-by: 连一汉 and Zhibin Hu Signed-off-by: Michael Niedermayer (cherry picked from commit c20f4fcb74da2d0432c7b54499bb98f48236b904) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 8a0a82e62b..aefa64e9b4 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -699,7 +699,7 @@ static int read_header(FFV1Context *f) } else { const uint8_t *p = c->bytestream_end; for (f->slice_count = 0; - f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start; + f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start; f->slice_count++) { int trailer = 3 + 5*!!f->ec; int size = AV_RB24(p-trailer); From 20fd9217d8ae6da92417057e4fb9391ac72ae151 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:53 +0200 Subject: [PATCH 443/818] avcodec/pafvideo: Check for bitstream end in decode_0() Fixes: Timeout Fixes: 3529/clusterfuzz-testcase-5057068371279872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c85329cd02e9284892bf263ce6133b2fc479792) 
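Review bot: The reworked COMPOSE_53iL0()/COMPOSE_DIRAC53iH0() parenthesise `(b2)` but leave `b0` and `b1` bare inside `b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)`, so an argument with lower precedence than `+` would bind differently for `b0` than for `b2`. COMPOSE_DD97iH0() below has the same shape, so this is consistent with the file, but while the lines are touched `(b1) - ((int)((b0) + (unsigned)(b2) + 2) >> 2)` removes the asymmetry. The `(int)` conversion of an out-of-range unsigned is implementation-defined rather than undefined, which is the trade the whole header makes; a one-line comment above the group saying so would save the next fuzzer-driven edit from re-deriving it.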
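Review bot: The loop condition in read_header() now spells out `3 + 5*!!f->ec`, the same expression the body assigns to `trailer`; two copies of the trailer size is exactly how the old `3 < ...` condition drifted from the body in the first place. Hoisting it keeps them tied: `const int trailer = 3 + 5*!!f->ec;` before the `for`, `f->slice_count < MAX_SLICES && trailer < p - c->bytestream_start;` as the condition, and drop the `int trailer = ...` inside the body. `f->ec` is not modified in the visible lines, so the hoist is behaviour-preserving as far as the hunk shows.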
Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 91bfe16376..6980ae1b35 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; From e8fd32b69ffdf7e3eba7b1223c1f66e69687307f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:54 +0200 Subject: [PATCH 444/818] avcodec/snowdec: Check mv_scale Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int' Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 393d6fc7395611a38792e3c271b2be42ac45e672) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 0ac0b55012..6eff729a19 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
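Review bot: The new guard `bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16` in decode_0() checks for a multiple of 16 that nothing in the hunk explains; `j - offset` is just the 16-bit count read on the previous line, so the 16 is presumably the number of bytes each iteration of the following do/while consumes. A comment stating that, `/* each of the (j - offset) blocks below reads 16 bytes from gb */`, lets a reader verify the bound against the loop body, which continues outside the hunk. The second hunk's `< 4` check before copy_block4() is self-explanatory by comparison.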
@@ -394,9 +394,10 @@ static int decode_header(SnowContext *s){ s->mv_scale += get_symbol(&s->c, s->header_state, 1); s->qbias += get_symbol(&s->c, s->header_state, 1); s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); - if(s->block_max_depth > 1 || s->block_max_depth < 0){ + if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; + s->mv_scale = 0; return AVERROR_INVALIDDATA; } if (FFABS(s->qbias) > 127) { From 0ccb27e0942701622d1065db58d6adf0d0643d32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2017 17:11:20 +0200 Subject: [PATCH 445/818] ffserver: Fix off by 1 error in path Code suggested by ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 617f0c65e1bac8983a5b6521818c1b9b57f0804b) Signed-off-by: Michael Niedermayer --- ffserver.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/ffserver.c b/ffserver.c index 8b819b6934..193f63bd7a 100644 --- a/ffserver.c +++ b/ffserver.c @@ -476,7 +476,7 @@ static int compute_datarate(DataRateData *drd, int64_t count) static void start_children(FFServerStream *feed) { char *pathname; - char *slash; + char *dirname, *prog; int i; size_t cmd_length; 
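Review bot: The condition in decode_header() now also fails on `s->mv_scale > 256U`, but the error message still says only `block_max_depth= %d is too large`, so a stream rejected for mv_scale is logged with a misleading reason. Extending the message fixes that: `av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d or mv_scale= %d is too large\n", s->block_max_depth, s->mv_scale);`. The unsigned literal also makes a negative `mv_scale` fail the test (it converts to a large unsigned), which looks intended given get_symbol() appears to yield signed values here, but deserves a comment beside the `256U`.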
@@ -495,22 +495,18 @@ static void start_children(FFServerStream *feed) return; } - slash = strrchr(my_program_name, '/'); - if (!slash) { - pathname = av_mallocz(sizeof("ffmpeg")); - } else { - pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg")); - if (pathname != NULL) { - memcpy(pathname, my_program_name, slash - my_program_name); - } + /* use "ffmpeg" in the path of current program. Ignore user provided path */ + prog = av_strdup(my_program_name); + if (prog) { + dirname = av_dirname(prog); + pathname = *dirname ? av_asprintf("%s/%s", dirname, "ffmpeg") + : av_asprintf("ffmpeg"); + av_free(prog); } - if (!pathname) { + if (!prog || !pathname) { http_log("Could not allocate memory for children cmd line\n"); return; } - /* use "ffmpeg" in the path of current program. Ignore user provided path */ - - strcat(pathname, "ffmpeg"); for (; feed; feed = feed->next) { From b33434ec62a4c95e37f4cb36d55e5210cc2e62ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2017 17:11:21 +0200 Subject: [PATCH 446/818] tests/ffserver.regression.ref: update checksums to what ffserver currently produces Signed-off-by: Michael Niedermayer (cherry picked from commit 431eccd61e155190a7762314938799076cffeb67) Signed-off-by: Michael Niedermayer --- tests/ffserver.regression.ref | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ffserver.regression.ref b/tests/ffserver.regression.ref index 398c285156..fd8536c853 100644 --- a/tests/ffserver.regression.ref +++ b/tests/ffserver.regression.ref 
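Review bot: The `*dirname ? av_asprintf("%s/%s", dirname, "ffmpeg") : av_asprintf("ffmpeg")` selection in start_children() tests for an empty directory string, but av_dirname() does not return one: for a path without a separator it returns ".", so a bare `ffserver` in argv[0] now yields `./ffmpeg` where the removed code produced `ffmpeg`. If the child is started with a PATH-searching exec (outside this hunk), that changes which binary is run; `strcmp(dirname, ".") ? av_asprintf("%s/%s", dirname, "ffmpeg") : av_asprintf("ffmpeg")` restores the previous lookup, or the comment above should say that the current directory is intended. Separately, `dirname` as a local in the declaration hunk above collides with the POSIX dirname() function should <libgen.h> ever be included.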
@@ -1,11 +1,11 @@ 0c9639f09decbc54c9f091dcf1ca0e8f *ff-test_h.avi e28ba75853caf975e06d92955c9f7f73 *ff-test_l.avi a767dbdf5d1bded3450279f812f97b37 *ff-test.swf -dc16f607e13328a832e73801cd21ec98 *ff-test_h.asf -69337d6c8cd7ac7e626338decdbf41d3 *ff-test_l.asf +ca209a0c67afbd3bc3bcde0840f313fc *ff-test_h.asf +f97a91609bfc8a1857455f17c5ec101c *ff-test_l.asf 06f5a6a4c5d1c6735f4d0068e825c91f *ff-test_h.rm 1f57580f02f0317407b3b82a3d5e093f *ff-test_l.rm -4c887dfc1dd0f6ea1a3a2be6dd32e495 *ff-test.jpg -1d04b73b04aad27793cc762d5afabac1 *ff-test_small.jpg -bc36c40ee34ebee6ffe50f3094aab733 *ff-test.mjpg +e04e6ebf9584654df131f5eec881ac38 *ff-test.jpg +f15d43e9d3630601b61a024023249bb8 *ff-test_small.jpg +4735c72cde67000f12e9d1dbfbd975a7 *ff-test.mjpg fd038af80560e15271ce42651093ee43 *ff-stat From 60b385a5bf9f0d4b59012d6b2e9483eece35204e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 17:36:17 +0200 Subject: [PATCH 447/818] Update for 3.3.5 Signed-off-by: Michael Niedermayer --- Changelog | 23 +++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 78df5df5fa..1c3a366dc5 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.5: +- ffserver: Fix off by 1 error in path +- avcodec/snowdec: Check mv_scale +- avcodec/pafvideo: Check for bitstream end in decode_0() +- avcodec/ffv1dec: Fix out of array read in slice counting +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() +- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb() +- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta +- avcodec/x86/lossless_videoencdsp: Fix warning: signed dword value exceeds bounds +- avcodec/x86/lossless_videoencdsp: Fix handling of small widths +- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() +- avcodec/aacdec_template: Clear tns present flag on error +- avcodec/proresdec2: SKIP_BITS() does not work with len=32 +- avcodec/hevcdsp_template: Fix undefined shift +- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure + version 3.3.4: - avcodec/hevc_ps: improve check for missing default display window bitstream - avcodec/hevc_ps: Fix c?_qp_offset_list size diff --git a/RELEASE b/RELEASE index a0891f563f..fa7adc7ac7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.4 +3.3.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index c66da8086d..3a239ea70d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.4 +PROJECT_NUMBER = 3.3.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 670d3189e9ef674e4167cec3145ea4c4c172d581 Mon Sep 17 00:00:00 2001 From: Fredrik Hubinette Date: Tue, 7 Feb 2017 12:19:38 -0800 Subject: [PATCH 448/818] avformat/id3v2: fix leak in chapter parsing Reviewed-on: https://chromium-review.googlesource.com/439405 Reviewed-by: Dale Curtis Signed-off-by: James Almer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index f7fa3ef856..aa0a1cbcfd 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -688,9 +688,9 @@ static void read_chapter(AVFormatContext *s, AVIOContext *pb, int len, const cha } if (decode_str(s, pb, 0, &dst, &len) < 0) - return; + goto end; if (len < 16) - return; + goto end; start = avio_rb32(pb); end = avio_rb32(pb); From a7aac19933a91e22d77b0b4dd4ecd61edf52d43f Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Wed, 8 Nov 2017 23:50:04 +0000 Subject: [PATCH 449/818] vc2enc_dwt: pad the temporary buffer by the slice size Since non-Haar wavelets need to look into pixels outside the frame, we need to pad the buffer. The old factor of two seemed to be a workaround that fact and only padded to the left and bottom. This correctly pads by the slice size and as such reduces memory usage and potential exploits. Reported by Liu Bingchang. Ideally, there should be no temporary buffer but the encoder is designed to deinterleave the coefficients into the classical wavelet structure with the lower frequency values in the top left corner. 
Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85) --- libavcodec/vc2enc.c | 3 ++- libavcodec/vc2enc_dwt.c | 12 +++++++++--- libavcodec/vc2enc_dwt.h | 4 +++- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index eda390163f..745c6e974d 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1190,7 +1190,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) /* DWT init */ if (ff_vc2enc_init_transforms(&s->transform_args[i].t, s->plane[i].coef_stride, - s->plane[i].dwt_height)) + s->plane[i].dwt_height, + s->slice_width, s->slice_height)) goto alloc_fail; } diff --git a/libavcodec/vc2enc_dwt.c b/libavcodec/vc2enc_dwt.c index c60b003a31..d22af8a313 100644 --- a/libavcodec/vc2enc_dwt.c +++ b/libavcodec/vc2enc_dwt.c @@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data, dwt_haar(t, data, stride, width, height, 1); } -av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) +av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, + int p_height, int slice_w, int slice_h) { s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR] = vc2_subband_dwt_haar; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift; - s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); + /* Pad by the slice size, only matters for non-Haar wavelets */ + s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); if (!s->buffer) return 1; + s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); + s->buffer += s->padding; + return 0; } av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) { - av_freep(&s->buffer); + av_free(s->buffer - s->padding); + s->buffer = NULL; } 
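Review bot: `ff_vc2enc_free_transforms` computes `s->buffer - s->padding` unconditionally, so once the buffer has been freed and reset to NULL while `padding` keeps its old value, a second call hands `NULL - padding` to `av_free`, which is pointer arithmetic on a null pointer and an invalid free; the `s->buffer = NULL` reset therefore no longer protects against double free. Guard and clear both together: `if (s->buffer) av_free(s->buffer - s->padding);` followed by `s->buffer = NULL; s->padding = 0;`. In `ff_vc2enc_init_transforms` the element count `(p_stride + slice_w)*(p_height + slice_h)` is evaluated in `int` before `av_calloc` sees it, so the allocator's overflow check cannot catch a wrapped product; promote one factor first, `av_calloc((size_t)(p_stride + slice_w) * (p_height + slice_h), sizeof(dwtcoef))`. A comment next to the `s->padding =` line recording that it is the element offset that the free path subtracts would also help the next reader.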
diff --git a/libavcodec/vc2enc_dwt.h b/libavcodec/vc2enc_dwt.h index 7fbbfbe0ed..a6932bcdaf 100644 --- a/libavcodec/vc2enc_dwt.h +++ b/libavcodec/vc2enc_dwt.h @@ -41,12 +41,14 @@ enum VC2TransformType { typedef struct VC2TransformContext { dwtcoef *buffer; + int padding; void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, dwtcoef *data, ptrdiff_t stride, int width, int height); } VC2TransformContext; -int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); +int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, + int slice_w, int slice_h); void ff_vc2enc_free_transforms(VC2TransformContext *t); #endif /* AVCODEC_VC2ENC_DWT_H */ From ca47e9ffdc656f31d5a79df74ec7a78fc4a938ee Mon Sep 17 00:00:00 2001 From: Michael Roitzsch Date: Sat, 18 Nov 2017 13:33:08 +0100 Subject: [PATCH 450/818] lavfi/af_pan: fix sign handling in channel coefficient parser When a channel formula ends with a subtraction, the next formula will otherwise have its first coefficient negated. (cherry picked from commit 4f4e19914ddca5096bf7639c7c99a9045e436e8b) --- libavfilter/af_pan.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index a477bde460..e54f715147 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -166,6 +166,7 @@ static av_cold int init(AVFilterContext *ctx) goto fail; } /* gains */ + sign = 1; while (1) { gain = 1; if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) From b33d3021954cb81a7291f8a00efa1ffebd13bfca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:56 +0200 Subject: [PATCH 451/818] avcodec/jpeglsdec: Check ilv for being a supported value Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265) 
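Review bot: The new `padding` member of `VC2TransformContext` is undocumented, and its meaning (an element offset already applied to `buffer`, which the free path must subtract again) cannot be seen from the header, so anyone pairing `buffer` with a plain `av_freep` would corrupt the heap. Add a field comment such as `int padding; /* element offset from the allocation start to buffer; must be subtracted before freeing */`. The changed prototype of `ff_vc2enc_init_transforms` would likewise benefit from a line stating that `slice_w`/`slice_h` size the padding added around the plane for non-Haar wavelets, as the .c file comment says.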
Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 64505321af..cb2f89a88c 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -443,6 +443,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { From 3d6ffa2bb50a99434a1e54f1212b266189245cdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:57 +0200 Subject: [PATCH 452/818] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index cb2f89a88c..5308b744df 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); From 18fbf2622cd53985da438f0de06552c6cc49320d Mon Sep 17 00:00:00 2001 
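Review bot: The new `else` branch in `ff_jpegls_decode_picture` treats an interleave value the format does not define as a missing feature and returns `AVERROR_PATCHWELCOME`, but such a value is corrupt input rather than an unimplemented mode, and `avpriv_report_missing_feature` will ask users to submit a sample for garbage. Prefer `av_log(s->avctx, AV_LOG_ERROR, "Invalid interleave mode\n"); ret = AVERROR_INVALIDDATA;` before the `goto end`. The if/else chain begins above this hunk, so which values the earlier branches accept is not visible here.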
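Review bot: The early `return` added at the top of the `while (x < w)` loop in `ls_decode_line` stops reading but leaves the remaining samples of the line in `dst` untouched and, because the function is `void`, gives the caller no indication, so a truncated frame is handed out as if it had decoded fully. Consider either zero-filling the remaining `w - x` samples before returning, or changing the return type to `int` and propagating `AVERROR_INVALIDDATA` up to `ff_jpegls_decode_picture`. The loop body continues past the hunk and the callers are outside it, so the exact propagation path cannot be checked from here.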
From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:20 +0200 Subject: [PATCH 453/818] avcodec/aacdec_fixed: Fix integer overflow in predict() Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot be represented in type 'int' Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index e7c2d2d299..06bfa87e28 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift < 31) { if (shift > 0) { - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += pv.mant << -shift; + *coef += (unsigned)(pv.mant << -shift); } } From 02612c3e3eb54cdf60392929d17909e4a4f80f89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:21 +0200 Subject: [PATCH 454/818] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be represented in type 'int' Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 06bfa87e28..1aaa6a2cb1 100644 --- a/libavcodec/aacdec_fixed.c 
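Review bot: In the `else` branch of `predict`, `(unsigned)(pv.mant << -shift)` still performs the left shift on the signed `pv.mant` before the cast, so a negative mantissa shifted left remains undefined behaviour; only the subsequent addition has been made well-defined. Cast before shifting, `*coef += (unsigned)pv.mant << -shift;`. The shift count `-shift` must also stay below 32 for that to be defined, and the enclosing `if (shift < 31)` only bounds `shift` from above; where it is bounded from below is outside the hunk.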
+++ b/libavcodec/aacdec_fixed.c @@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp * (1 << shift); + dest[group * 128 + k] += tmp * (1U << shift); } } } From faa84a0c0667927b89f20f8c5af64129ccbb18ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:40 +0100 Subject: [PATCH 455/818] avcodec/xan: Improve overlapping check Fixes: memcpy-param-overlap Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 4c01c0013f..8b4ec82405 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -263,7 +263,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame, prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy"); return ; } From 6fb7e324fee1b26f5c0ff41eab81c0a0ddd49fe5 Mon Sep 17 00:00:00 2001 
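Review bot: The rewritten overlap test in `xan_wc3_copy_pixel_run` measures the distance as `motion_x + width*motion_y`, while the index computed on the context line just above, `prevframe_index = (y + motion_y) * stride + x + motion_x`, uses `stride`; if `width` and `stride` can differ for this plane, the test and the copy it protects disagree and an overlapping `memcpy` could still slip through. If the copy below walks the palette plane with a `width` pitch the new form is the right one, but that code is outside the hunk, so please confirm and record it in a comment, e.g. `/* distance in the width-pitched palette plane; must match the memcpy below */`. The `prev_palette_plane == palette_plane` condition is kept, so the check still only fires when source and destination share a buffer.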
From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:41 +0100 Subject: [PATCH 456/818] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: 924846844 + 1457520640 cannot be represented in type 'int' Fixes: 3416/clusterfuzz-testcase-minimized-6125587682820096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b739e1cb8f6ce8baead03ce5c999103ba78f24f) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 288107d5a4..ec8a3d083a 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -107,10 +107,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ } for( i = 0; i < 8; i++ ) { - const unsigned a0 = block[0+i*8] + block[4+i*8]; - const unsigned a2 = block[0+i*8] - block[4+i*8]; - const unsigned a4 = (block[2+i*8]>>1) - block[6+i*8]; - const unsigned a6 = (block[6+i*8]>>1) + block[2+i*8]; + const unsigned a0 = block[0+i*8] + (unsigned)block[4+i*8]; + const unsigned a2 = block[0+i*8] - (unsigned)block[4+i*8]; + const unsigned a4 = (block[2+i*8]>>1) - (unsigned)block[6+i*8]; + const unsigned a6 = (block[6+i*8]>>1) + (unsigned)block[2+i*8]; const unsigned b0 = a0 + a6; const unsigned b2 = a2 + a4; From 912448efc110d4249e9ec7ff7b19bd7dab0c6e50 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 12 Apr 2017 01:46:30 +0200 Subject: [PATCH 457/818] avformat: Free the internal codec context at the end Avoid a use after free in avformat_find_stream_info. (cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/libavformat/utils.c b/libavformat/utils.c index ff55fc8d97..5200c7d2e7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3763,12 +3763,6 @@ FF_ENABLE_DEPRECATION_WARNINGS } } - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->internal->avctx); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3949,6 +3943,7 @@ find_stream_info_err: st = ic->streams[i]; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(ic->streams[i]->internal->avctx); av_freep(&ic->streams[i]->info); } if (ic->pb) From 4a47195d2a88113877d28ffac5917491bb501883 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:19 +0100 Subject: [PATCH 458/818] avcodec/exr: fix undefined shift in pxr24_uncompress() Fixes: runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 3787/clusterfuzz-testcase-minimized-5728764920070144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 66f0c958bfd5475658b432d1af4d2e174b2dfcda) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ec940222b2..b4063f8fa4 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -866,7 +866,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[2] + td->xsize; for (j = 0; j < td->xsize; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((unsigned)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8); pixel += diff; From ffa2d60ac5af229268607b6530ff4e32baa1b2fa Mon Sep 17 00:00:00 2001 
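Review bot: The `avcodec_close` moved into the cleanup loop at `find_stream_info_err` re-indexes `ic->streams[i]` although `st` was assigned from that very element on the line above; use `avcodec_close(st->internal->avctx);` to match the surrounding `st->info` lines. Whether the success path of `avformat_find_stream_info` also falls through to this label is not visible here (the function starts and ends outside the hunk); if it does not, the codecs opened by `try_decode_frame` would now stay open on success, which should be verified. A short comment such as `/* closes codecs opened in try_decode_frame(); must run after the last use of st->internal->avctx */` would preserve the intent the removed comment carried.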
From: Michael Niedermayer Date: Fri, 3 Nov 2017 17:48:29 +0100 Subject: [PATCH 459/818] avcodec/xan: Check for bitstream end in xan_huffman_decode() Fixes: Timeout Fixes: 3707/clusterfuzz-testcase-6465922706440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 8b4ec82405..1ccf164847 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -131,7 +131,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; From d3264c496a0ed8edfe940eb197ceb5b650b8a17e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:20 +0100 Subject: [PATCH 460/818] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int' Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index ec8a3d083a..e6f40fccd9 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c 
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; From 56a56c0cb564aa20e6f91f257beccf1a907674d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:18 +0100 Subject: [PATCH 461/818] avutil/softfloat: Add FLOAT_MIN Signed-off-by: Michael Niedermayer (cherry picked from commit e34fe61bf45331d2e6d2840604f799fa4b55c843) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index c50aaf5285..4789b209cd 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON = { 0x29F16B12, -16}; static const SoftFloat FLOAT_1584893192 = { 0x32B771ED, 1}; ///< 1.584893192 (10^.2) static const SoftFloat FLOAT_100000 = { 0x30D40000, 17}; ///< 100000 static const SoftFloat FLOAT_0999999 = { 0x3FFFFBCE, 0}; ///< 0.999999 +static const SoftFloat FLOAT_MIN = { 0x20000000, MIN_EXP}; /** From 67208cf992ef20c987a1342a5157c8d48881da0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:19 +0100 Subject: [PATCH 462/818] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869) 
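Review bot: The `(unsigned)` casts now cover `b1`..`b7`, but `a1`..`a7` are still `const int` sums of four coefficients (see the `a5` and `a7` context lines), which can overflow in exactly the same way when the coefficient type of this template instantiation is 32-bit. Keep the arithmetic unsigned and convert back once, e.g. `const int a5 = (int)(-block[i+1*8] + (unsigned)block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1));`, so that `a7>>2` and the other shifts remain arithmetic shifts on a signed value. Whether `dctcoef` is 16 or 32 bits here is decided outside the hunk.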
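Review bot: `FLOAT_MIN` is the only entry in this table of SoftFloat constants without a trailing `///<` description, so what `{ 0x20000000, MIN_EXP}` represents has to be reverse-engineered from the mantissa normalisation convention. Give it the same style of comment as its neighbours, e.g. `static const SoftFloat FLOAT_MIN = { 0x20000000, MIN_EXP}; ///< smallest positive normalized value`, provided that is what the mantissa range (defined elsewhere in the header) makes it.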
Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 1f5ff410d1..2a679491b0 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr, av_add_sf(FLOAT_1, sbr->e_curr[e][m]), av_add_sf(FLOAT_1, sbr->q_mapped[e][m])))); } + sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); } for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) { sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]); From 19fb467fcbbfdb9cba784fd0cd05d6e8333bc3fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:20 +0100 Subject: [PATCH 463/818] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long' Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f45bb847a8..07ef12117c 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c 
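Review bot: The added `sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);` in `sbr_gain_calc` reads as an unmotivated tweak; with SoftFloat addition a term this small only changes the result when the gain is exactly zero, which is presumably the division by zero the commit title refers to. Say so in a comment, e.g. `/* keep the gain strictly positive so the division further down cannot see zero */`. The division site itself is outside the hunk, so I cannot tell whether an explicit zero check there would be clearer than this nudge.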
@@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], int64_t accu; for (m = 0; m < m_max; m++) { - int64_t r = 1LL << (22-g_filt[m].exp); - accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); - Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); + if (22 - g_filt[m].exp < 61) { + int64_t r = 1LL << (22-g_filt[m].exp); + accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); + Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); - accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); - Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); + Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + } } } From 286e3bf17429e3d8eee4fbe36110c9c0764fa74d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2017 18:34:09 +0100 Subject: [PATCH 464/818] avcodec/cngdec: Fix integer clipping Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short' Fixes: 2992/clusterfuzz-testcase-6649611793989632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 34f881448d..42ef5bb3db 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); From c8027878d024394fc59184ffdf7182fae0bf38dd Mon Sep 17 00:00:00 2001 
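Review bot: The new guard `if (22 - g_filt[m].exp < 61)` in `sbr_hf_g_filt_c` bounds the shift count only from above; if `g_filt[m].exp` can exceed 22, the count goes negative and both `1LL << (22-g_filt[m].exp)` and `>> (23-g_filt[m].exp)` are undefined exactly as before. When the guard fails, `Y[m][0]` and `Y[m][1]` are also left untouched, so whatever the buffer held before leaks into the output. Consider `int sh = 22 - g_filt[m].exp; if (sh < 0 || sh >= 61) { Y[m][0] = Y[m][1] = 0; continue; }` and then use `sh` and `sh + 1` in the shifts. The valid range of `exp` is established by the caller outside this hunk.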
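Review bot: `av_clip_int16` takes an `int`, so `av_clip_int16(p->filter_out[i + p->order])` converts the sample to `int` before clipping; with `filter_out` being floating point (the commit message quotes the value -36211.7) a NaN or a magnitude beyond `INT_MAX` makes that conversion itself undefined, and an unstable LPC filter can produce such values. Clamp in the floating-point domain first, e.g. `buf_out[i] = av_clip_int16((int)av_clipf(p->filter_out[i + p->order], -32768.f, 32767.f));`. The declared type of `filter_out` is outside the hunk, so pick `av_clipf` or `av_clipd` accordingly.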
From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:05 +0100 Subject: [PATCH 465/818] avcodec/snowdec: Fix integer overflow in header parsing Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 6eff729a19..2b92ed3de0 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; @@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){ } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; 
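Review bot: The `(unsigned)` casts in `decode_header` make the accumulation into `qlog`, `mv_scale`, `qbias` and `block_max_depth` wrap instead of overflow, but in the visible lines only `block_max_depth` and `mv_scale` are range-checked afterwards; `qlog` and `qbias` can now silently take any wrapped `int` value. If they are not validated later in the function (its remainder is outside the hunk), add a check beside the existing `block_max_depth` one using the range the quantiser tables actually accept, and reset the field on failure the way `block_max_depth` is reset. A one-line comment on the casts, `/* unsigned: header deltas may be adversarial, wrap instead of UB and validate below */`, would explain why the casts are there.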
From c1d31ccfac480d4dd8b6aa20f8f0e6e183d620c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:06 +0100 Subject: [PATCH 466/818] avcodec/mdct_*: Fix integer overflow in addition in RESCALE() Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int' Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a) Signed-off-by: Michael Niedermayer --- libavcodec/mdct_fixed.c | 8 ++++---- libavcodec/mdct_template.c | 14 +++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c @@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i Date: Sun, 5 Nov 2017 21:20:07 +0100 Subject: [PATCH 467/818] avcodec/aacdec_fixed: Fix undefined shift Fixes: runtime error: left shift of negative value -801112064 Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1aaa6a2cb1..6ba0e63325 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift > 0) { *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += (unsigned)(pv.mant << -shift); + *coef += (unsigned)pv.mant << -shift; } } From b3067f95c9802a1219abe7dea3aa93419c8cc0f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:08 +0100 Subject: [PATCH 468/818] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot be represented in type 'int' Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 3049ce8b79..0e532fcf84 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c 
@@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2], INTFLOAT apd_im = in_im; in_re = AAC_MSUB30(link_delay_re, fractional_delay_re, link_delay_im, fractional_delay_im); - in_re -= a_re; + in_re -= (UINTFLOAT)a_re; in_im = AAC_MADD30(link_delay_re, fractional_delay_im, link_delay_im, fractional_delay_re); - in_im -= a_im; - ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re); - ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im); + in_im -= (UINTFLOAT)a_im; + ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re); + ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im); } out[n][0] = AAC_MUL16(transient_gain[n], in_re); out[n][1] = AAC_MUL16(transient_gain[n], in_im); From 96fe37a3390aaa07a1798d8daa6aa2d622c4870b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Nov 2017 20:47:48 +0100 Subject: [PATCH 469/818] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Tested-by: wuninsu@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index e0498f3849..6009b64e07 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | 
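Review bot: In the `need_emu` expression of `gmc_mmx` the new `width < w` and `height< h` terms come after the comparisons `(unsigned) ix >= width - w` whose wrapped operands they are meant to explain, and the closing `;` has been pushed onto its own line; the OR makes the result correct, but the reading order hides why the terms exist. Put the size test first and keep the statement compact: `int need_emu = width < w || height < h || (unsigned) ix >= width - w || (unsigned) iy >= height - h;`. A comment such as `/* a block larger than the plane must always take the edge-emulation path */` would record the out-of-array read this fixes.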
From aac7ca7a36da5d1dfdd2aec3f52417ead783eaed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2017 18:04:44 +0200 Subject: [PATCH 470/818] avcodec/h264dec: Fix potential array overread add padding before scantable arrays See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a Signed-off-by: Michael Niedermayer (cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h index e994f7e7fe..af3d98bb32 100644 --- a/libavcodec/h264dec.h +++ b/libavcodec/h264dec.h @@ -415,6 +415,7 @@ typedef struct H264Context { uint8_t (*mvd_table[2])[2]; uint8_t *direct_table; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; From 066c65737682817611ad2f30a4895acb5f47629b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 16:53:34 +0100 Subject: [PATCH 471/818] avcodec/vc2enc: Clear coef_buf on allocation Fixes: Use of uninitialized memory Fixes: assertion failure Reviewed-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 745c6e974d..3dbdf57a12 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1171,7 +1171,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) p->dwt_width = w = FFALIGN(p->width, (1 << s->wavelet_depth)); p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth)); p->coef_stride = FFALIGN(p->dwt_width, 32); - p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); + p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); if (!p->coef_buf) goto alloc_fail; for (level = s->wavelet_depth-1; level >= 0; level--) { 
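Review bot: `scan_padding[16]` in `H264Context` is added without any comment, so nothing stops a later cleanup from deleting an apparently unused field and reintroducing the overread the commit title mentions. Document it in place, e.g. `uint8_t scan_padding[16]; /* never read directly: absorbs out-of-range scantable indices that would otherwise read before zigzag_scan */`. Whether 16 bytes covers the worst-case negative index the scantable users can produce is not visible in this hunk.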
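Review bot: `av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef))` in `vc2_encode_init` multiplies the two `int` dimensions before the `size_t` promotion, so the allocator's overflow protection never sees that product; since the line is being touched anyway, `av_calloc(p->coef_stride * (size_t)p->dwt_height, sizeof(dwtcoef))` yields the same zero-filled buffer with the multiplication checked. A comment explaining why zeroing is needed would help, e.g. `/* zeroed: the padded plane is partly read before it is written */`, if that is the uninitialised read the commit message refers to.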
From 74104d2dc05d903a2b94e3457fc1a2cf8fe224a2 Mon Sep 17 00:00:00 2001 From: Fredrik Hubinette Date: Wed, 15 Nov 2017 17:24:30 -0800 Subject: [PATCH 472/818] avformat/mov: Check size of STSC allocation Signed-off-by: Michael Niedermayer (cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 90b068f091..6ebdf8a4b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2411,6 +2411,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if ((uint64_t)entries * 12 + 4 > atom.size) + return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries); From 488c2e8487e5dae6ddb27e2b75d0a9eb4155ea34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:15 +0100 Subject: [PATCH 473/818] avcodec/snowdec: Check intra block dc differences. Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 2b92ed3de0..af92cb0070 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
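Review bot: The new bound in `mov_read_stsc`, `(uint64_t)entries * 12 + 4 > atom.size`, is looser than the bytes actually consumed: the visible `avio_rb24(pb)` flags and `avio_rb32(pb)` entries reads alone account for 7 bytes, 8 with the version byte presumably read just above the hunk, so `+ 8` would be the exact figure. As written a table may claim up to 4 bytes more than the atom holds and the per-entry reads have to catch that; if the intent is only to keep the allocation bounded, a comment saying so would avoid the next reader "fixing" it. `atom.size` is signed while the left side is `uint64_t`, so the comparison is only meaningful if `atom.size` is known non-negative here, which is decided before the hunk.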
@@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) From 01439fe1e139b42fa218688c3a6be398bc809294 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:16 +0100 Subject: [PATCH 474/818] avcodec/snowdec: Check for remaining bitstream in decode_blocks() Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index af92cb0070..df425b8cf3 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } From 4a412dc6ad195eaf1bf43c8a77b622923aacf99a Mon Sep 17 00:00:00 2001 
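Review bot: The new range checks cover only the per-block deltas `ld`, `cbd`, `crd`, not the accumulated `l`, `cb` and `cr` they are added to; those start from the neighbour prediction computed above the hunk, so a chain of +255 deltas across many blocks can still push the running value far outside the sample range. If the accumulated values are clipped or validated before being stored into the block (that code is past the end of the hunk) this is fine; otherwise they deserve the same treatment, e.g. `if (l < -255 || l > 255) return AVERROR_INVALIDDATA;` after the addition, with the bound adjusted to whatever range the block storage actually expects. `decode_q_branch` begins before and ends after this hunk.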
From: Michael Niedermayer Date: Sun, 17 Sep 2017 01:28:07 +0200 Subject: [PATCH 475/818] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() Fixes: Timeout Fixes: 3200/clusterfuzz-testcase-5750022136135680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 20dbee5703..225e30ab5a 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -30,7 +30,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) 
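Review bot: In the `SKIP_TYPE_ROW` and `SKIP_TYPE_COL` cases only the per-row/per-column flag bit is guarded; the branch taken when that flag is 0 sits between this hunk and the next (not visible here) and presumably reads one bit per macroblock, which remains unchecked, whereas the `SKIP_TYPE_MPEG` case above correctly checks for `s->mb_height * s->mb_width` bits up front. Adding `if (get_bits_left(&s->gb) < s->mb_width) return AVERROR_INVALIDDATA;` (resp. `s->mb_height` for the column case) before that inner loop would close the same timeout hole the commit targets. The bit reader's padding makes the overread memory-safe, so this is about deterministic rejection rather than memory safety. `parse_mb_skip` spans several hunks, so its full body is not in view.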
@@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index); @@ -359,6 +369,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -369,6 +381,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, From 78a0356fae83e4b7624e11032663aaef45038d3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Nov 2017 03:40:07 +0100 Subject: [PATCH 476/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760 Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 35ed8857e9..f9a9e9e1b3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
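Review bot: `get_bits_left(&s->gb) <= 0` in `ff_wmv2_decode_mb` only detects a reader that is already exhausted; the `get_vlc2` call immediately after can still consume up to the longest code in the table past the end of the buffer, which is memory-safe only because of the bit reader's padding (an assumption from the surrounding code, not visible here). If the aim is to reject truncated macroblocks deterministically, compare against the table's maximum code length instead of zero, e.g. `if (get_bits_left(&s->gb) < MB_NON_INTRA_VLC_BITS) return AVERROR_INVALIDDATA;` with the appropriate constant per table. The `ret`/`return ret` propagation from `parse_mb_skip` in the first hunk is correct as written. `ff_wmv2_decode_mb` continues past the end of the last hunk.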
@@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) + (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From 1c9af4d7a888eca8eb7908e21cea557607f8c56b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 17:11:12 +0100 Subject: [PATCH 477/818] avcodec/zmbv: Check that the buffer is large enough for mvec Fixes: Timeout Fixes: 4143/clusterfuzz-testcase-4736864637419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b09dc41ebd..f91d2e3931 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } else { frame->key_frame = 0; frame->pict_type = AV_PICTURE_TYPE_P; + if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh)) + return AVERROR_INVALIDDATA; if (c->decomp_len) c->decode_xor(c); } From f4e25620a1fc815eceafebf6d3c8a52351b2049b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 03:38:37 +0100 Subject: [PATCH 478/818] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() Fixes: runtime error: left shift of negative value -7862264 Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21) 
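Review bot: Only the inner sum of `COMPOSE_DD137iL0` is now evaluated in unsigned; the outer `b2 - (...)` is still a signed `int` subtraction and overflows for the same fuzzed coefficient ranges, which is exactly the pattern later hunks in this series fix for the FIDELITY and DAUB97 macros by casting the first operand. Applying it here too would avoid another fuzzer round-trip: `((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. The macro arguments are also used unparenthesized (`-b0`, `9U*b1`), so an argument that is itself an expression binds unexpectedly; `(b0)`, `(b1)` etc. would be safer.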
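Review bot: The new lower bound in `decode_frame` divides by `c->bw` and `c->bh`; if a keyframe header can leave either at zero (their validation is outside this hunk), this is a division by zero on the very first inter frame, so it is worth confirming the keyframe path rejects `bw == 0 || bh == 0` before this runs. The `2LL` encodes "two bytes of motion vector per block" and should be said in a comment, e.g. `/* decode_xor reads 2 bytes of mvec per block; reject buffers that cannot hold them */`, so the bound is maintained alongside `decode_xor`. With this check in place the following `if (c->decomp_len)` guard can only be false for a frame with zero blocks, so it is effectively redundant.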
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index fbafa92d72..4e3a16c781 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample << 8; + *data_32++ = sample * 256; else *data_16++ = sample >> 8; } From fa29141e34c99763f091435f74c81d4fbb718fad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Nov 2017 22:01:29 +0100 Subject: [PATCH 479/818] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() Fixes: runtime error: left shift of negative value -255 Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index e09c661759..46a0da2045 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1407,7 +1407,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From a0eccf673cda83697e8e42d13e10d31a60a45346 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Mon, 20 Nov 2017 12:05:02 -0800 Subject: [PATCH 480/818] avformat/mov: Propagate errors in mov_switch_root. 
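Review bot: `sample * 256` moves the undefined behaviour from the shift to a signed multiplication rather than removing it: the `& 0xffffff` on the line above shows `sample` can carry more than 24 significant bits, and for such values the product still overflows `int`. Since only the 32-bit bit pattern matters for the output, scale in unsigned so the wrap is well defined, `*data_32++ = sample * 256U;`, and add a comment that the wrap is intended and must match the lossless check above. `ff_mlp_pack_output` begins before and ends after this hunk.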
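Review bot: The same `(ox0 + ox1 + 1) << log2Wd` expression that `put_hevc_epel_bi_w_v` fixes here occurs in the sibling weighted bi-prediction functions of this template (later hunks in this series patch `put_hevc_epel_bi_w_h` and `put_hevc_qpel_bi_w_hv` separately), so a single sweep of the file for the remaining instances would be better than one fuzzer case per function. `(ox0 + ox1 + 1) * (1 << log2Wd)` is also still a signed product; it is safe only if `log2Wd` is bounded by the slice-header parser, which is not visible here and worth confirming. The function continues beyond the hunk.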
Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer (cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6ebdf8a4b7..2f6965eabb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6171,6 +6171,7 @@ static int should_retry(AVIOContext *pb, int error_code) { static int mov_switch_root(AVFormatContext *s, int64_t target) { + int ret; MOVContext *mov = s->priv_data; int i, j; int already_read = 0; @@ -6207,8 +6208,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t target) mov->found_mdat = 0; - if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) < 0 || - avio_feof(s->pb)) + ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }); + if (ret < 0) + return ret; + if (avio_feof(s->pb)) return AVERROR_EOF; av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", avio_tell(s->pb)); From 362967fec6a4c4772e56b50efba49dab06f49de6 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 14:53:25 -0800 Subject: [PATCH 481/818] Fix leak of frame_duration_buffer in mov_fix_index(). Should be unconditionally freed at the end of mov_fix_index() in case it hasn't been used during the fix up. Signed-off-by: Dale Curtis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit d073be2291e40129d107ca4573097d6d6d2dbf68) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2f6965eabb..f2eb22eb3d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3296,6 +3296,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st) // Free the old index and the old CTTS structures av_free(e_old); av_free(ctts_data_old); + av_freep(&frame_duration_buffer); // Null terminate the index ranges array current_index_range++; From edd0cd21f41e6b0b8b39b5a53891d4a2c61fafff Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 14:51:09 -0800 Subject: [PATCH 482/818] Use ff_thread_once for fixed, float table init. These tables are static so they should only be initialized once instead of on every call to ff_mpadsp_init(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c index a5d20df629..3cafca27bf 100644 --- a/libavcodec/mpegaudiodsp.c +++ b/libavcodec/mpegaudiodsp.c @@ -20,17 +20,21 @@ #include "config.h" #include "libavutil/attributes.h" +#include "libavutil/thread.h" #include "mpegaudiodsp.h" #include "dct.h" #include "dct32.h" +static AVOnce mpadsp_float_table_init = AV_ONCE_INIT; +static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT; + av_cold void ff_mpadsp_init(MPADSPContext *s) { DCTContext dct; ff_dct_init(&dct, 5, DCT_II); - ff_init_mpadsp_tabs_float(); - ff_init_mpadsp_tabs_fixed(); + ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float); + ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed); s->apply_window_float = ff_mpadsp_apply_window_float; s->apply_window_fixed = ff_mpadsp_apply_window_fixed; From 11a940adbcabd2dbbd78bd95023e8853985aa525 Mon Sep 17 00:00:00 2001 
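Review bot: The unconditional `av_freep(&frame_duration_buffer)` at the end fixes the leak on the fall-through path only; `mov_fix_index` is a `void` function whose body starts long before this hunk, and any early `return` between the allocation of `frame_duration_buffer` and this line still leaks it. If such returns exist, routing them through one cleanup point that frees `frame_duration_buffer` (alongside `e_old`/`ctts_data_old` where appropriate) would be the safer shape; if the buffer is only allocated immediately before the loop that consumes it, this note does not apply. A comment such as `// may still be owned here if no range consumed it` would explain why the free is unconditional.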
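Review bot: Two separate `AVOnce` guards for two table initialisers that are always invoked together is more state than needed; a single `static AVOnce mpadsp_table_init` around one `static void mpadsp_init_tabs(void)` that calls both functions keeps the pair together and halves the number of once-objects to reason about. The context line `ff_dct_init(&dct, 5, DCT_II);` still runs on every call and its return value is unchecked; that is pre-existing, but since the commit is about making `ff_mpadsp_init` cheaper to call repeatedly it is worth a follow-up. `ff_mpadsp_init` continues past the hunk.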
From: Dale Curtis Date: Fri, 17 Nov 2017 16:05:30 -0800 Subject: [PATCH 483/818] Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer |build| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index cd39131d55..5ae724bed1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2149,8 +2149,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) From 2de4eb6fec18808f08f0ea8a5f8940eb842662c1 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 20 Nov 2017 12:07:57 -0800 Subject: [PATCH 484/818] Close ogg stream upon error when using AV_EF_EXPLODE. Without this there can be multiple memory leaks for unrecognized ogg streams. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a) 
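Review bot: The clamp warns for values above 0xFF, but `sscanf("%d")` can also yield negative numbers, and a negative `ver` passes `ver > 0xFF` silently before being masked by `& 0xFF`, so the warning is never emitted for that case; extend the condition, e.g. `if (ver < 0 || ver > 0xFF || ver2 < 0 || ver2 > 0xFF || ver3 < 0 || ver3 > 0xFF)`, or compare against unsigned constants. A comment stating that `build` is a packed `major<<16 | minor<<8 | micro` value compared against constants elsewhere in the decoder (inferred from the packing, not visible here) would explain why clamping rather than rejecting is acceptable. `decode_user_data` continues outside the hunk.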
Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 97ad1a27d1..193a286e43 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -719,8 +719,10 @@ static int ogg_read_header(AVFormatContext *s) "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = From 70dc266342ee2972b31f0eda5905ec8ebf3b2584 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Nov 2017 03:15:53 +0100 Subject: [PATCH 485/818] avcodec/mpeg4videodec: Check also for negative versions in the validity check Signed-off-by: Michael Niedermayer (cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5ae724bed1..8eafc783b8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2150,7 +2150,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; if (e > 1) { - if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { av_log(s->avctx, AV_LOG_WARNING, "Unknown Lavc version string encountered, %d.%d.%d; " "clamping sub-version values to 8-bits.\n", From 7bc064d461659553f7785d5b7d72a1518fc2aae3 Mon Sep 17 00:00:00 2001 
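Review bot: Calling `ogg_read_close(s)` directly on this one error path leaves every other `return` in `ogg_read_header` (outside this hunk) with whatever leak behaviour it had before, so the fix is partial; a single `goto fail` cleanup that all error exits share would cover them uniformly. It also depends on the generic layer not invoking `read_close` after a failed `read_header` — if it does, or starts to, `ogg_read_close` must be safe to run twice on the same context. A comment at the call site, `/* read_header failed: nobody else will call read_close, free the streams here */`, would make that contract explicit.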
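Review bot: Comparing the `int` values against `0xFFU` works because the signed operand converts to `unsigned` and negatives become huge, but that is subtle enough that a reader may "fix" it back to `0xFF`; a comment on the `if` line, `/* unsigned compare also rejects negative values from sscanf */`, would protect the intent. The explicit spelling `if (ver < 0 || ver > 0xFF || ...)` needs no knowledge of integer promotion and is the alternative if you prefer clarity over brevity.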
From: Michael Niedermayer Date: Sat, 25 Nov 2017 03:15:16 +0100 Subject: [PATCH 486/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int' Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9a9e9e1b3..eb5aebc878 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From d5bdcd8a2702623af06a0db76a7f7f68f08c457b Mon Sep 17 00:00:00 2001 
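Review bot: Casting `b4` to `unsigned` changes the result type of `COMPOSE_FIDELITYiL0`/`iH0` to `unsigned`, so wherever the expansion is stored into a signed destination the value comes back by wrap-around conversion (implementation-defined rather than UB, and what every relevant compiler does); that assumption deserves a comment at the top of this macro family. The arguments are also used unparenthesized (`(unsigned)b4 - ...`, `b0+(unsigned)b8`), whereas the DAUB97 hunk later in this series writes `(unsigned)(b1)`; an argument that is itself an expression binds differently to the cast, so `(unsigned)(b4)` and `((b0)+(unsigned)(b8))` would be safer and consistent.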
From: Michael Niedermayer Date: Wed, 22 Nov 2017 20:14:54 +0100 Subject: [PATCH 487/818] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression Fixes: Timeout Fixes: 4271/clusterfuzz-testcase-4676667768307712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f) Signed-off-by: Michael Niedermayer --- libavcodec/kgv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 5359411c76..a6bd9400ac 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); From cead6c94c502a90f1318ddc47885bfaa407068dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Nov 2017 18:45:45 +0100 Subject: [PATCH 488/818] avcodec/mlpdsp: Fix signed integer overflow, 2nd try The outputted bits should match what is used in the lossless check Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int' Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 4e3a16c781..32a4503b64 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c 
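Review bot: The `513` in `avpkt->size < 2 + w*h / 513` is a bare magic number encoding the maximum RLE expansion per input code; it should be a named constant or at least a comment, e.g. `/* each code expands to at most 513 pixels; reject packets too short for the whole frame */`, so the bound stays in sync with the decode loop when the RLE rules change. The bound is deliberately loose, which is fine for a timeout guard, and since `h = (buf[1] + 1) * 8` caps each dimension at 2048 (assuming `w` is derived the same way just above the hunk) the `w*h` product cannot overflow `int` — worth stating next to the check. `decode_frame` continues outside the hunk.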
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample * 256; + *data_32++ = sample * 256U; else *data_16++ = sample >> 8; } From c8bbddf057e6f26df1f45bad15d1a339ad9289e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 21:27:37 +0100 Subject: [PATCH 489/818] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() Fixes: runtime error: left shift of negative value -127 Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 46a0da2045..0623cfad89 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1355,7 +1355,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 79ec6381151c0db5619555cc2d75988d8f8805f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 23:42:04 +0100 Subject: [PATCH 490/818] avcodec/j2kenc: Fix out of array access in encode_cblk() Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
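Review bot: `sample * 256U` converts `sample` to `unsigned`, wraps, and the result is then implicitly narrowed back to `int32_t` on assignment — a well-defined unsigned multiplication followed by an implementation-defined conversion, which is the intent but is easy to mistake for a bug on the next read-through. A comment such as `/* unsigned multiply: wrap is intended, only the low 32 bits matter and must match the lossless check above */` would document it and stop the next fuzzer-driven edit from reintroducing a signed form. `ff_mlp_pack_output` begins before and ends after this hunk.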
Signed-off-by: Michael Niedermayer (cherry picked from commit 0674087004538599797688785f6ac82358abc23b) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index c8d3861732..baaf47422c 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 cblk->npasses = passno; cblk->ninclpasses = passno; - cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); + if (passno) + cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); } /* tier-2 routines: */ From 85ea121684a7b128c39373845506e6016daa60cc Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 13:35:56 -0800 Subject: [PATCH 491/818] avformat/utils: Prevent undefined shift with wrap_bits > 64. 2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the code to use a uint64_t (2ULL) and add an av_assert2() to ensure wrap_bits <= 64. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5200c7d2e7..2c622d2c56 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
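Review bot: Guarding the flush with `if (passno)` avoids the `passes[-1]` write, but when `passno == 0` the MQ coder is never flushed; if `ff_mqc_flush_to` is what finalises `t1->mqc` before the next code-block (the coder initialisation is outside this hunk), a zero-pass block could leave stale coder state, so it is worth confirming that the next `encode_cblk` call re-initialises the coder unconditionally. A comment explaining when a code-block legitimately has zero passes, e.g. `/* an all-zero block produces no coding passes; nothing to flush */`, would also help. `encode_cblk` begins before the hunk.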
@@ -1732,13 +1732,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } From 9bc2f44c27a315e783a10ca59396c93f568982c0 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 22 Nov 2017 10:58:39 -0800 Subject: [PATCH 492/818] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579) Signed-off-by: Michael Niedermayer --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 399020eec5..f710c23450 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -91,7 +91,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) exit_at_level[i] = 0; // construct code (append 0s to end) and introduce new exits for (j = i + 1 ;j <= bits[p]; ++j) - exit_at_level[j] = code + (1 << (j - 1)); + exit_at_level[j] = code + (1u << (j - 1)); codes[p] = code; } From 272a9687a73c44e5c27b969dd454b3e04cc32279 Mon Sep 17 00:00:00 2001 
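Review bot: `av_assert2` is compiled out in normal builds, so the new assertion documents the invariant rather than enforcing it, and `pts_wrap_bits` is populated by demuxers from container data; if any path can leave it at 0, `2ULL << (wrap_bits - 1)` shifts by a negative count and remains undefined. At minimum extend the assertion to the lower bound, `av_assert2(wrap_bits > 0 && wrap_bits <= 64);`, and if demuxers can set this from untrusted input, make it a real check rather than a debug assertion. `av_read_frame` continues well past this hunk.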
From: Dale Curtis Date: Tue, 28 Nov 2017 14:26:55 -0800 Subject: [PATCH 493/818] Don't manipulate duration when it's AV_NOPTS_VALUE. This leads to signed integer overflow. Signed-off-by: Dale Curtis Signed-off-by: James Almer (cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index c534ab117d..b76ac71cc5 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx) os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } From 39db2f95145f6b13f77acd05bd684a7f81ccad1b Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 30 Nov 2017 12:20:36 -0800 Subject: [PATCH 494/818] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. Didn't notice this one when 9648cc6d was landed. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a) Signed-off-by: Michael Niedermayer --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index f710c23450..aabd9bbd19 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) if (bits[p] > 32) return AVERROR_INVALIDDATA; for (i = 0; i < bits[p]; ++i) - exit_at_level[i+1] = 1 << i; + exit_at_level[i+1] = 1u << i; ++p; From 01ab4117dc034e3407d16da0439861bd0d9ec039 Mon Sep 17 00:00:00 2001 
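Review bot: The guard protects `duration` but not the other operand: `start_time` was just assigned from `os->lastpts`, which the line above computes via `vp8_gptopts(...)`; if that helper can return `AV_NOPTS_VALUE` (not visible here), `duration -= start_time` still overflows. Adding `&& os->lastpts != AV_NOPTS_VALUE` to the condition closes that case cheaply. Repeating `s->streams[idx]` four times on one condition also argues for a local `AVStream *st = s->streams[idx];` for readability.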
From: Nikolas Bowe Date: Tue, 5 Dec 2017 15:11:26 -0800 Subject: [PATCH 495/818] avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing Signed-off-by: Michael Niedermayer (cherry picked from commit 5a412a5c3cc216ae1d15e6b884bda7214b73a5b0) Signed-off-by: Michael Niedermayer --- libavcodec/extract_extradata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index ed6509c681..d40907a675 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -78,7 +78,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, ret = ff_h2645_packet_split(&h2645_pkt, pkt->data, pkt->size, ctx, 0, 0, ctx->par_in->codec_id, 1); if (ret < 0) - return ret; + goto fail; for (i = 0; i < h2645_pkt.nb_nals; i++) { H2645NAL *nal = &h2645_pkt.nals[i]; From 454a2405ce80dcfa85d38f18e3b9788d0b57e40c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2017 21:48:04 +0100 Subject: [PATCH 496/818] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024 Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index eb5aebc878..50c8b1e394 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
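Review bot: `goto fail` hands a partially-populated `h2645_pkt` to a cleanup label that lies outside this hunk; that is correct only if the label calls `ff_h2645_packet_uninit(&h2645_pkt)` and that helper tolerates a packet whose `nals` array was allocated but whose contents are inconsistent after a failed split — worth confirming rather than assuming. A comment at the `fail:` label noting that `h2645_pkt` must be zero-initialised before the first possible jump would document the ownership contract. `extract_extradata_h2645` continues outside the hunk.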
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) + ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From 054188db10873fa23cd7739bb468850b23dbe8ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2017 21:53:22 +0100 Subject: [PATCH 497/818] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int' Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 8bc79b788c..2dd56f83f3 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c 
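Review bot: The macro arguments are still used unparenthesized in the filter term, `(b0 + (unsigned)b2)`, while `b1` now gets the safer `(unsigned)(b1)`; an argument such as `p[i] - q` would make the cast bind to only part of the expression. Parenthesize every use, e.g. `((b0) + (unsigned)(b2))`, for consistency with the form adopted here. The closing `#endif /* AVCODEC_DWT_H */` names a guard that may not match the `#ifndef` at the top of `dirac_dwt.h` (outside the hunk); worth a glance while in the file.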
@@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid int32_t *src = (int32_t *)_src; \ for (y = 0; y < height; y++) { \ for (x = 0; x < width; x+=4) { \ - dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \ - dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \ - dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \ - dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \ + dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \ + dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \ + dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \ + dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \ } \ dst += dst_stride >> 1; \ src += src_stride >> 2; \ From 3d297038a9ab1f518890491765a4771221a7b0cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Dec 2017 15:32:54 +0100 Subject: [PATCH 498/818] avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 57aed874cc..7f2874d35f 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
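Review bot: Adding `1U << (PX - 1)` converts `src[x]` to `unsigned`, and the wrapped sum is then passed to `av_clip_uintp2`, which takes an `int`: a `src[x]` near `INT32_MAX` now wraps to a negative `int` and clamps to 0 instead of to the maximum, so the saturation direction for huge inputs changes. That is almost certainly reachable only from corrupt streams, but it is a behaviour change hiding behind a UB fix and deserves a comment on the macro. If exact saturation matters, do the rounding add in 64-bit and clamp to `INT32_MAX` before calling `av_clip_uintp2`, which keeps the clip monotonic.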
@@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** From 603845225cb3214d6107b22a8f884559c4b7ea9d Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Mon, 4 Dec 2017 12:50:34 +0800 Subject: [PATCH 499/818] avfilter/formats: fix wrong function name in error message Use the predefined macro __FUNCTION__ rather than hard-coding the function name to fix the wrong function name in the error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index d4de862237..20a2c89719 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ From b7c9f27ad6e8e3bb8693548da6901af20e128b0e Mon Sep 17 00:00:00 2001 From: Kelly Ledford Date: Tue, 12 Dec 2017 11:31:23 -0800 Subject: [PATCH 500/818] libavfilter/af_dcshift.c: Fixed repeated spelling error 'threshhold' should be 'threshold' Signed-off-by: Kelly Ledford Signed-off-by: Michael Niedermayer (cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84) Signed-off-by: Michael Niedermayer --- libavfilter/af_dcshift.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c index 7332c12b19..5dbe40824c 100644 --- a/libavfilter/af_dcshift.c +++ b/libavfilter/af_dcshift.c 
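Review bot: The added `0.01` is a double literal, so `p_ener + f_ener + 0.01` and the division are promoted to double and the result narrowed on return from a function declared `static float`; `0.01f` keeps the arithmetic in float and matches the return type. The constant is justified only in the commit message; a comment on the line, `/* + 0.01: avoid division by zero when both energies are 0, as in the 3GPP TS 26.304 reference code */`, keeps the reason next to the code. voice_factor's body starts outside the hunk.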
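Review bot: `__FUNCTION__` is a compiler extension; C99 defines `__func__` for exactly this purpose and every compiler that provides `__FUNCTION__` also provides `__func__`, so the portable spelling costs nothing: `av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __func__);`. Since this line sits inside a macro, the name reported will be that of whichever function expands the macro, which is the behaviour the commit wants but is worth a short comment on the macro. The enclosing `do { ... }` macro body starts and ends outside the hunk.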
@@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; - double limiterthreshhold; + double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx) { DCShiftContext *s = ctx->priv; - s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); + s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } @@ -106,14 +106,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) d = src[j]; - if (d > s->limiterthreshhold && dcshift > 0) { - d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; - } else if (d < -s->limiterthreshhold && dcshift < 0) { - d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; + if (d > s->limiterthreshold && dcshift > 0) { + d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; + } else if (d < -s->limiterthreshold && dcshift < 0) { + d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } From badca11741ea9bd0b4aa1b3af69f38754d4c69e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 13:06:30 +0100 Subject: [PATCH 501/818] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 0623cfad89..4017af8eb0 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1051,7 +1051,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From bdba0f6786d57356c2ead515338fb44754aa91c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 17:50:12 +0100 Subject: [PATCH 502/818] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index d4a82fd456..31813aae2c 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } From 7a5c73896394c3f53371b7c91f0da99dbf0c2ae2 Mon Sep 17 00:00:00 2001 
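Review bot: `(ox0 + ox1 + 1) * (1 << log2Wd)` removes the left shift of a negative value, but the product is still signed int arithmetic and overflows if `|ox0 + ox1 + 1|` times `2^log2Wd` exceeds INT_MAX; whether the caller bounds the offsets and log2Wd tightly enough for that is not visible here. A comment stating the assumed ranges, e.g. `/* ox0/ox1 and log2Wd are range-checked by the caller, so the product fits in int */`, or evaluating the term as `(ox0 + ox1 + 1) * (1LL << log2Wd)` if they are not, would settle it. The same pattern is used in the put_hevc_qpel_bi_w_h and put_hevc_qpel_bi_w_v hunks of commit 508 further down, so one decision covers all three. The enclosing function starts outside the hunk.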
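Review bot: The second loop gets no explicit `payload_size > INT_MAX - 255` guard to mirror the first; it is safe only because `get_bits_left(gb) < 8 + 8LL*payload_size` rejects any payload_size larger than the remaining buffer, which (assuming get_bits_left returns an int bit count) keeps payload_size far below INT_MAX - 255, and that reasoning is not stated. A comment on the added check, `/* also bounds payload_size to the bits left, so the += below cannot overflow */`, would make the asymmetry between the two loops deliberate rather than accidental. decode_nal_sei_message starts and ends outside the hunk.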
From: Michael Niedermayer Date: Tue, 19 Dec 2017 21:05:40 +0100 Subject: [PATCH 503/818] tests/audiomatch: Add missing return code at the end of main() Signed-off-by: Michael Niedermayer (cherry picked from commit 65da5c56e661a839e017db4c51c73d6f3d8a8fcb) Signed-off-by: Michael Niedermayer --- tests/audiomatch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/audiomatch.c b/tests/audiomatch.c index ca56df09b3..9671789a37 100644 --- a/tests/audiomatch.c +++ b/tests/audiomatch.c @@ -107,4 +107,6 @@ int main(int argc, char **argv){ } } printf("presig: %d postsig:%d c:%7.4f lenerr:%d\n", bestpos, datlen - siglen - bestpos, bestc / sigamp, datlen - siglen); + + return 0; } From 41a706b9125c0c27dda50996723ceade871b0a9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 18:17:13 +0100 Subject: [PATCH 504/818] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index e27c54ed4b..3c22e30faa 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -635,8 +635,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; From 1d9830cba30dfa1ff44f5227763e9d5257841854 Mon Sep 17 00:00:00 2001 
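Review bot: `ff_hevc_cu_qp_delta_abs` now returns AVERROR_INVALIDDATA on the CABAC_MAX_BIN path, and since its normal result is a non-negative magnitude, every caller must treat a negative return as an error; whether the call site does is not visible here and should be confirmed. The function's declaration deserves a doc line such as `@return the absolute cu_qp_delta value, or a negative AVERROR code on invalid data` so the new contract is discoverable from the header. ff_hevc_cu_qp_delta_abs starts and ends outside the hunk.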
From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:06:14 +0100 Subject: [PATCH 505/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 50c8b1e394..f9828d95a4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From b66e3e321f64a659a534e520c5fad085e8c293f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:12:03 +0100 Subject: [PATCH 506/818] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
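Review bot: The new COMPOSE_DD97iH0/COMPOSE_DD137iL0 bodies wrap the result in an outer `(int)(...)` cast, while the COMPOSE_DAUB97* macros in the same header (the first hunk on this page) leave the unsigned result uncast; both forms yield the same value once assigned to an int, but the inconsistency makes it unclear which is the intended style. Pick one — drop the outer `(int)` here or add it to the DAUB97 macros — and add a header comment along the lines of `/* intermediate sums are done in unsigned so that out-of-range input wraps instead of overflowing int; the final unsigned->int conversion is implementation-defined */`.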
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 4017af8eb0..903aa3fe95 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -121,7 +121,7 @@ static void FUNC(dequant)(int16_t *coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } From 0da741ba6b30799d282554a8cec1b4b2859cc8b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:43 +0100 Subject: [PATCH 507/818] avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 581c73efc8..5bbb8ee5b9 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; From 2cde8dc055c0ffbd27e10f095598873328a21a72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:45 +0100 Subject: [PATCH 508/818] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
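Review bot: `*(uint16_t*)coeffs << -shift` reads the coefficient zero-extended, but uint16_t promotes to int, so the shift is still a signed int shift and the store truncates back to int16_t; the pointer cast is not needed for that, a value cast `*coeffs = (uint16_t)*coeffs << -shift;` has the same effect and reads as "treat the sample as a bit pattern". If `-shift` can exceed 15 the shifted value no longer fits in 16 bits and the truncation is implementation-defined; the bound on shift is not visible here and is worth a comment. FUNC(dequant) starts outside the hunk.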
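Review bot: `wasted && wasted < 32` silently decodes a subframe with 32 or more wasted bits as if it had none, producing wrong samples from a stream that is presumably invalid anyway (a 32-bit sample cannot have 32 wasted bits); rejecting it is more useful than continuing. Something like `if (wasted >= 32) return AVERROR_INVALIDDATA;` before the block — or comparing against the channel bit depth, if that is the tighter limit the format imposes, which is not visible here — keeps the shift well-defined and reports the corruption. decode_subframe starts and ends outside the hunk.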
Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 903aa3fe95..56cd9e605d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -915,7 +915,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -970,7 +970,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 1bc06771d83e2f6b049520dc3a5596ba9766dccb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:44 +0100 Subject: [PATCH 509/818] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int' Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 5bbb8ee5b9..3d41a1af7f 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -298,7 +298,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: From f2b83f4aba2b9e248fb62cdfffb0842332b0e068 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2017 03:00:19 +0100 Subject: [PATCH 510/818] avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b4063f8fa4..7fa17ca887 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); if (s->is_tile) { - if (line_offset > buf_size - 20) + if (buf_size < 20 || line_offset > buf_size - 20) return AVERROR_INVALIDDATA; src = buf + line_offset + 20; @@ -1073,7 +1073,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, tileLevelY = AV_RL32(src - 8); data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 20) return AVERROR_INVALIDDATA; if (tileLevelX || tileLevelY) { /* tile level, is not the full res level */ 
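Review bot: Only the `2U*` term is made unsigned; `c - decoded[pred_order-2]` at the start of the same line, and the `b`/`c` computations in the context lines above it, are still evaluated in signed int before the unsigned term is reached, so the same overflow class remains possible there for extreme sample values. If the decoded values are not otherwise bounded, casting the first operand, `d = (unsigned)c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];` (and similarly for b and c), makes the whole expression wrap. decode_subframe_fixed starts and ends outside the hunk.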
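Review bot: `data_size > buf_size - line_offset - 20` is correct only because `line_offset > buf_size - 20` was rejected a few lines earlier, so the subtraction cannot go negative or wrap; that dependency is easy to break when the two checks are edited separately. A comment on the new comparison, `/* line_offset <= buf_size - 20 was checked above, so this cannot wrap */`, records it, and the scanline hunks below (`buf_size < 8` / `- 8`) have the same dependency. The types of buf_size and line_offset are not visible here; if line_offset is the 64-bit unsigned value AV_RL64 suggests, the expression is evaluated in uint64_t, which is fine after the earlier check. decode_block starts and ends outside the hunk.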
@@ -1106,7 +1106,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -1116,7 +1116,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ From 54897d74663f2b3e440c200657718bab3273dc37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2017 21:13:19 +0100 Subject: [PATCH 511/818] Update for 3.3.6 Signed-off-by: Michael Niedermayer --- Changelog | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 1c3a366dc5..4564611d77 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,69 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.6: +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- tests/audiomatch: Add missing return code at the end of main() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. 
+- Fix undefined shift on assumed 8-bit input. +- Use ff_thread_once for fixed, float table init. +- Fix leak of frame_duration_buffer in mov_fix_index(). +- avformat/mov: Propagate errors in mov_switch_root. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avformat/mov: Check size of STSC allocation +- avcodec/vc2enc: Clear coef_buf on allocation +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() +- avcodec/aacdec_fixed: Fix undefined shift +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() +- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() +- avutil/softfloat: Add FLOAT_MIN +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avcodec/exr: fix undefined shift in pxr24_uncompress() +- avformat: Free the internal codec context at the end +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Improve overlapping check +- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() +- avcodec/aacdec_fixed: Fix integer overflow in predict() +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- lavfi/af_pan: 
fix sign handling in channel coefficient parser +- vc2enc_dwt: pad the temporary buffer by the slice siz version 3.3.5: - ffserver: Fix off by 1 error in path diff --git a/RELEASE b/RELEASE index fa7adc7ac7..9c25013dbb 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.5 +3.3.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3a239ea70d..4f2b3dc57f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.5 +PROJECT_NUMBER = 3.3.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 96e8400553ae47f8f8df5b66cc268297ba38824c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 26 Dec 2017 12:32:42 +0100 Subject: [PATCH 512/818] x264: Support version 153 It has native simultaneous 8 and 10 bit support. (cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e) --- libavcodec/libx264.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index b11ede6198..6568b25b1a 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -279,7 +279,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x264_picture_init( &x4->pic ); x4->pic.img.i_csp = x4->params.i_csp; +#if X264_BUILD >= 153 + if (x4->params.i_bitdepth > 8) +#else if (x264_bit_depth > 8) +#endif x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); @@ -490,6 +494,9 @@ static av_cold int X264_init(AVCodecContext *avctx) x4->params.p_log_private = avctx; x4->params.i_log_level = X264_LOG_DEBUG; x4->params.i_csp = convert_pix_fmt(avctx->pix_fmt); +#if X264_BUILD >= 153 + x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth; +#endif PARSE_X264_OPT("weightp", wpredp); 
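Review bot: `av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth` dereferences the descriptor without a NULL check, and av_pix_fmt_desc_get returns NULL for an unknown pixel format. By the time X264_init runs the generic layer has presumably validated pix_fmt against codec->pix_fmts, so this is likely unreachable, but either a comment stating that assumption or a guard — `const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if (!desc) return AVERROR(EINVAL); x4->params.i_bitdepth = desc->comp[0].depth;` — makes it explicit instead of implicit. X264_init starts and ends outside the hunk.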
@@ -878,6 +885,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = { AV_PIX_FMT_NV20, AV_PIX_FMT_NONE }; +static const enum AVPixelFormat pix_fmts_all[] = { + AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUVJ420P, + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_YUVJ422P, + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_YUVJ444P, + AV_PIX_FMT_NV12, + AV_PIX_FMT_NV16, +#ifdef X264_CSP_NV21 + AV_PIX_FMT_NV21, +#endif + AV_PIX_FMT_YUV420P10, + AV_PIX_FMT_YUV422P10, + AV_PIX_FMT_YUV444P10, + AV_PIX_FMT_NV20, + AV_PIX_FMT_NONE +}; #if CONFIG_LIBX264RGB_ENCODER static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { AV_PIX_FMT_BGR0, @@ -889,12 +914,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { +#if X264_BUILD < 153 if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; +#else + codec->pix_fmts = pix_fmts_all; +#endif } #define OFFSET(x) offsetof(X264Context, x) From 03292829aa2e7a7db36de490c6cc19a4792ab3cc Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 30 Dec 2017 19:38:23 -0300 Subject: [PATCH 513/818] changelog: update with previous commit Signed-off-by: James Almer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 4564611d77..cd95ddab50 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.3.6: +- x264: Support version 153 - avcodec/exr: Check buf_size more completely - avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() - avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() From f85b102c8011bcccaa938f76c43287afb6e4832a Mon Sep 17 00:00:00 2001 
From: James Almer Date: Sun, 11 Jun 2017 14:17:30 -0300 Subject: [PATCH 514/818] avformat/libssh: check the user provided a password before trying to use it Fixes ticket #6413 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 8ddb6820bd52df6ed616abc3d8be200b126aa8c1) --- libavformat/libssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libssh.c b/libavformat/libssh.c index 49e92e7516..9e3d4da45e 100644 --- a/libavformat/libssh.c +++ b/libavformat/libssh.c @@ -103,7 +103,7 @@ static av_cold int libssh_authentication(LIBSSHContext *libssh, const char *user } } - if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { + if (!authorized && password && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { if (ssh_userauth_password(libssh->session, NULL, password) == SSH_AUTH_SUCCESS) { av_log(libssh, AV_LOG_DEBUG, "Authentication successful with password.\n"); authorized = 1; From 802ebfae3b5b95a8e12c4a182923745823ac703f Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Fri, 26 Jan 2018 20:16:53 +0100 Subject: [PATCH 515/818] avcodec/nvenc: refcount input frame mappings If some logic like vsync in ffmpeg.c duplicates frames, it might pass the same frame twice, which will result in a crash due it being effectively mapped and unmapped twice. Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 39 +++++++++++++++++++++++---------------- libavcodec/nvenc.h | 2 +- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index e4f6f0f927..c357a6f46a 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
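Review bot: When the server offers password authentication but no password was supplied, the new condition skips the method silently, so a user who expected password auth to be tried only sees the final failure with no hint why. An `else if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD))` branch with `av_log(libssh, AV_LOG_DEBUG, "Password authentication offered by server but no password was provided.\n");` would make that diagnosable without changing the outcome. libssh_authentication starts and ends outside the hunk.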
@@ -1281,12 +1281,9 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) av_fifo_freep(&ctx->output_surface_queue); if (ctx->surfaces && avctx->pix_fmt == AV_PIX_FMT_CUDA) { - for (i = 0; i < ctx->nb_surfaces; ++i) { - if (ctx->surfaces[i].input_surface) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->surfaces[i].in_map.mappedResource); - } - } for (i = 0; i < ctx->nb_registered_frames; i++) { + if (ctx->registered_frames[i].mapped) + p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[i].in_map.mappedResource); if (ctx->registered_frames[i].regptr) p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); } 
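Review bot: The close path calls nvEncUnmapInputResource and nvEncUnregisterResource without examining their NVENCSTATUS, so a failed unmap or unregister at teardown is silent, unlike the later hunks in this series that route failures through nvenc_print_error. Close cannot return the error usefully, but storing the status in a local NVENCSTATUS and passing it to nvenc_print_error (or an av_log at AV_LOG_WARNING) would at least surface it. ff_nvenc_encode_close starts and ends outside the hunk.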
@@ -1503,19 +1500,23 @@ static int nvenc_upload_frame(AVCodecContext *avctx, const AVFrame *frame, if (res < 0) return res; - nvenc_frame->in_map.version = NV_ENC_MAP_INPUT_RESOURCE_VER; - nvenc_frame->in_map.registeredResource = ctx->registered_frames[reg_idx].regptr; - nv_status = p_nvenc->nvEncMapInputResource(ctx->nvencoder, &nvenc_frame->in_map); - if (nv_status != NV_ENC_SUCCESS) { - av_frame_unref(nvenc_frame->in_ref); - return nvenc_print_error(avctx, nv_status, "Error mapping an input resource"); + if (!ctx->registered_frames[reg_idx].mapped) { + ctx->registered_frames[reg_idx].in_map.version = NV_ENC_MAP_INPUT_RESOURCE_VER; + ctx->registered_frames[reg_idx].in_map.registeredResource = ctx->registered_frames[reg_idx].regptr; + nv_status = p_nvenc->nvEncMapInputResource(ctx->nvencoder, &ctx->registered_frames[reg_idx].in_map); + if (nv_status != NV_ENC_SUCCESS) { + av_frame_unref(nvenc_frame->in_ref); + return nvenc_print_error(avctx, nv_status, "Error mapping an input resource"); + } } - ctx->registered_frames[reg_idx].mapped = 1; + ctx->registered_frames[reg_idx].mapped += 1; + nvenc_frame->reg_idx = reg_idx; - nvenc_frame->input_surface = nvenc_frame->in_map.mappedResource; - nvenc_frame->format = nvenc_frame->in_map.mappedBufferFmt; + nvenc_frame->input_surface = ctx->registered_frames[reg_idx].in_map.mappedResource; + nvenc_frame->format = ctx->registered_frames[reg_idx].in_map.mappedBufferFmt; nvenc_frame->pitch = frame->linesize[0]; + return 0; } else { NV_ENC_LOCK_INPUT_BUFFER lockBufferParams = { 0 }; 
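Review bot: The `if (!ctx->registered_frames[reg_idx].mapped)` branch is the point of the change — a frame already mapped for an earlier surface is shared rather than mapped a second time — but it carries no comment, and the `mapped += 1` a few lines later is the only hint that the field is now a count. A comment above the branch, `/* already mapped by a previous surface (e.g. a duplicated frame): share the mapping and bump the count; the last user unmaps it */`, would document the new ownership rule. nvenc_upload_frame starts and ends outside the hunk.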
@@ -1665,9 +1666,15 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur if (avctx->pix_fmt == AV_PIX_FMT_CUDA) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, tmpoutsurf->in_map.mappedResource); + ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; + if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { + p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { + res = AVERROR_BUG; + goto error; + } + av_frame_unref(tmpoutsurf->in_ref); - ctx->registered_frames[tmpoutsurf->reg_idx].mapped = 0; tmpoutsurf->input_surface = NULL; } diff --git a/libavcodec/nvenc.h b/libavcodec/nvenc.h index 7dec5cc685..e7bb14b4da 100644 --- a/libavcodec/nvenc.h +++ b/libavcodec/nvenc.h @@ -35,7 +35,6 @@ typedef struct NvencSurface { NV_ENC_INPUT_PTR input_surface; AVFrame *in_ref; - NV_ENC_MAP_INPUT_RESOURCE in_map; int reg_idx; int width; int height; @@ -118,6 +117,7 @@ typedef struct NvencContext CUdeviceptr ptr; NV_ENC_REGISTERED_PTR regptr; int mapped; + NV_ENC_MAP_INPUT_RESOURCE in_map; } registered_frames[MAX_REGISTERED_FRAMES]; int nb_registered_frames; From 4bb40c32ee09c5f08f56b2715177c3707c7e8ec5 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 12:39:03 +0100 Subject: [PATCH 516/818] avcodec/nvenc: unregister input resource when unmapping Currently the resource is only ever unregistered when the registered_frames array is fully in use and an unmapped entry is re-used and cleaned up. I'm pretty sure the frame will have been cleaned up before that happens, so I'm kinda surprised this never blew up. Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index c357a6f46a..bb059a2726 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
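Review bot: On the `mapped < 0` path the function jumps to `error` before `av_frame_unref(tmpoutsurf->in_ref)` and before `tmpoutsurf->input_surface = NULL`, so the frame reference is held until close unless the `error` label releases it, which is not visible here; unreffing before the goto avoids that. Separately, `mapped` has become a reference count, but the field in the nvenc.h hunk below still reads as a bare `int mapped;`; `int mapped; /* number of outstanding mappings of regptr; unmapped when it drops to 0 */` would stop a future reader treating it as a boolean. process_output_surface starts and ends outside the hunk.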
@@ -1669,6 +1669,8 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; goto error; From d68d537f0a782b10f34023aca987a47f4c872fd8 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 12:51:20 +0100 Subject: [PATCH 517/818] avcodec/nvenc: add some more error case checks Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index bb059a2726..5bc97835d6 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1413,6 +1413,7 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) NvencContext *ctx = avctx->priv_data; NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs; NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs; + NVENCSTATUS nv_status; int i; @@ -1420,8 +1421,9 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) for (i = 0; i < ctx->nb_registered_frames; i++) { if (!ctx->registered_frames[i].mapped) { if (ctx->registered_frames[i].regptr) { - p_nvenc->nvEncUnregisterResource(ctx->nvencoder, - ctx->registered_frames[i].regptr); + nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); + if (nv_status != NV_ENC_SUCCESS) + return nvenc_print_error(avctx, nv_status, "Failed unregistering unused input resource"); ctx->registered_frames[i].regptr = NULL; } return i; 
@@ -1661,15 +1663,25 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur memcpy(pkt->data, lock_params.bitstreamBufferPtr, lock_params.bitstreamSizeInBytes); nv_status = p_nvenc->nvEncUnlockBitstream(ctx->nvencoder, tmpoutsurf->output_surface); - if (nv_status != NV_ENC_SUCCESS) - nvenc_print_error(avctx, nv_status, "Failed unlocking bitstream buffer, expect the gates of mordor to open"); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unlocking bitstream buffer, expect the gates of mordor to open"); + goto error; + } if (avctx->pix_fmt == AV_PIX_FMT_CUDA) { ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); - p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + nv_status = p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unmapping input resource"); + goto error; + } + nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unregistering input resource"); + goto error; + } ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; From dfd2f4ee265e8027bf425424145396e6dc5e184e Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 13:05:09 +0100 Subject: [PATCH 518/818] avcodec/nvenc: also clear data pointer after unregistering a resource Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 2 ++ 1 file changed, 2 insertions(+) 
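Review bot: The two new `goto error` paths inside the `mapped == 0` branch of `process_output_surface` jump away with the slot in an inconsistent state: after a failed `nvEncUnmapInputResource`, `mapped` is already 0 while `in_map`/`regptr` still describe a possibly live mapping, and after a failed `nvEncUnregisterResource`, `regptr` stays set so `nvenc_find_free_reg_resource` will attempt the unregister again later. The earlier `goto error` after a failed `nvEncUnlockBitstream` likewise skips the unmap/unregister of the CUDA input resource entirely. The `error:` label is outside the hunk, so it is unclear whether it repairs any of this; either clear `ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL;` before the second `goto error` too, or add a comment stating that a failed unregister deliberately leaves the handle for the retry in `nvenc_find_free_reg_resource`.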
diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 5bc97835d6..5185342a7f 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1424,6 +1424,7 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); if (nv_status != NV_ENC_SUCCESS) return nvenc_print_error(avctx, nv_status, "Failed unregistering unused input resource"); + ctx->registered_frames[i].ptr = 0; ctx->registered_frames[i].regptr = NULL; } return i; @@ -1682,6 +1683,7 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur res = nvenc_print_error(avctx, nv_status, "Failed unregistering input resource"); goto error; } + ctx->registered_frames[tmpoutsurf->reg_idx].ptr = 0; ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; From 09419de21620f1ef3af91e2c591a08c36b8c7ba3 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 29 Aug 2017 13:30:29 +0200 Subject: [PATCH 519/818] configure: add support for libnpp* from cuda sdk 9 Signed-off-by: Timo Rothenpieler --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 23823e3b70..97aab62990 100755 --- a/configure +++ b/configure 
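Review bot: `ctx->registered_frames[i].ptr = 0;` in `nvenc_find_free_reg_resource` and its twin in `process_output_surface` clear what is presumably the device-pointer key used to match incoming frames against existing registrations, but neither site says so, and the line is easy to drop later as redundant next to `regptr = NULL`. A one-line comment would protect it: `ptr = 0; /* clear the lookup key so a reused device pointer cannot match this freed slot */`. The same unmap/unregister/clear sequence now exists in both functions; a small static helper taking `ctx` and the slot index would keep the two copies in sync.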
@@ -5797,7 +5797,9 @@ enabled libmfx && require_pkg_config libmfx "mfx/mfxvideo.h" MFXInit enabled libmodplug && require_pkg_config libmodplug libmodplug/modplug.h ModPlug_Load enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame enabled libnut && require libnut libnut.h nut_demuxer_init -lnut -enabled libnpp && require libnpp npp.h nppGetLibVersion -lnppi -lnppc +enabled libnpp && { check_lib npp.h nppGetLibVersion -lnppig -lnppicc -lnppc || + check_lib npp.h nppGetLibVersion -lnppi -lnppc || + die "ERROR: libnpp not found"; } enabled libopencore_amrnb && require libopencore_amrnb opencore-amrnb/interf_dec.h Decoder_Interface_init -lopencore-amrnb enabled libopencore_amrwb && require libopencore_amrwb opencore-amrwb/dec_if.h D_IF_init -lopencore-amrwb enabled libopencv && { check_header opencv2/core/core_c.h && From fea559c3d5575bce51acdb17cf83a1a8fd237feb Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Wed, 14 Feb 2018 17:01:08 +0100 Subject: [PATCH 520/818] swresample/rematrix: fix update of channel matrix if input or output layout is undefined Prefer direct in/out channel count values over channel layout, when available. Fixes a pan filter bug (ticket #6790). Signed-off-by: Tobias Rapp (cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a) --- libswresample/rematrix.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 03b9b20900..584ce69efd 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c 
@@ -69,8 +69,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); memset(s->matrix_flt, 0, sizeof(s->matrix_flt)); - nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); + nb_in = (s->user_in_ch_count > 0) ? s->user_in_ch_count : + av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = (s->user_out_ch_count > 0) ? s->user_out_ch_count : + av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix_flt[out][in] = s->matrix[out][in] = matrix[in]; From e2edfff9a8f1e0d10af1251f3c90eb806d841c7e Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 23 Feb 2018 00:03:15 -0300 Subject: [PATCH 521/818] avformat/hvcc: zero initialize the nal buffers past the last written byte Prevents use of uninitialized values. Fixes ticket #7038. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9482ec1b203e4cf51d7f60c85d261cc13f9a9d2f) --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 1a2d6cdd2b..25898937a5 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -669,6 +669,8 @@ static uint8_t *nal_unit_extract_rbsp(const uint8_t *src, uint32_t src_len, while (i < src_len) dst[len++] = src[i++]; + memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); + *dst_len = len; return dst; } From 05a92668942f1a7bb04815e88043ed5c24d068c0 Mon Sep 17 00:00:00 2001 
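Review bot: In `swr_set_matrix`, when both `user_in_ch_count` and `user_in_ch_layout` are set but disagree, the count now silently wins and the matrix is sized to it; nothing in the hunk diagnoses the mismatch. A comment on the two assignments would record the intent, e.g. `/* an explicit channel count takes precedence over the layout, which may be unset (ticket #6790) */`. The `return AVERROR(EINVAL)` at the top of the hunk belongs to a check whose condition is outside the hunk, so whether `nb_in`/`nb_out` are still bounded against the dimensions of `s->matrix` cannot be confirmed from here.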
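Review bot: `memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE)` in `nal_unit_extract_rbsp` is only safe if `dst` was allocated with at least `AV_INPUT_BUFFER_PADDING_SIZE` bytes beyond `src_len`; the allocation is outside the hunk, so that invariant should be stated both where `dst` is allocated and next to this call, e.g. `/* dst carries AV_INPUT_BUFFER_PADDING_SIZE spare bytes; zero them so readers past the RBSP end see defined data */`. Without it a later change to the allocation size turns this into an out-of-bounds write.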
From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:00 +0100 Subject: [PATCH 522/818] avcodec/dnxhddec: Check dc vlc Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 7cb6a75261..cd475bc170 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -377,6 +377,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, UPDATE_CACHE(bs, &row->gb); GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1); + if (len < 0) { + ret = len; + goto error; + } if (len) { level = GET_CACHE(bs, &row->gb); LAST_SKIP_BITS(bs, &row->gb, len); @@ -430,7 +434,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table, DNXHD_VLC_BITS, 2); } - +error: CLOSE_READER(bs, &row->gb); return ret; } From d81bfc042cea588213d7ce2162d9c7fd1b23b98f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:01 +0100 Subject: [PATCH 523/818] avcodec/h264_slice: Do not attempt to render into frames already output Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3ab9883cef017e513c7d0b3b986b3b3e7b Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4) 
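Review bot: The new `len < 0` check in `dnxhd_decode_dct_block` forwards the raw VLC lookup result as the return value (`ret = len;`), which is presumably -1 rather than an AVERROR code; if the callers interpret the return as an AVERROR, `ret = AVERROR_INVALIDDATA;` is the clearer choice. Placing `error:` before `CLOSE_READER` keeps the bit-reader state consistent on the early exit, which is worth a comment so the label is not moved: `error: /* always close the reader, even on a bad DC code */`.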
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 3f3a3e4067..d83ba000ce 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1552,6 +1552,12 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, * one except for reference purposes. */ h->first_field = 1; h->cur_pic_ptr = NULL; + } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { + /* This frame was already output, we cannot draw into it + * anymore. + */ + h->first_field = 1; + h->cur_pic_ptr = NULL; } else { /* Second field in complementary pair */ h->first_field = 0; From e4afafaa7effe5086373790639c1d0a962d4d007 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 04:12:57 +0100 Subject: [PATCH 524/818] avcodec/jpeg2000dsp: Fix integer overflows in ict_int() Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int' Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index 85a12d0e9b..90e73b1e20 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c 
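Review bot: The new `DELAYED_PIC_REF` branch in `h264_field_start` repeats the body of the branch before it (`h->first_field = 1; h->cur_pic_ptr = NULL;`); if the preceding condition, which is outside the hunk, allows it, folding the test into that condition with `||` removes the duplicated assignments. Dropping the second field of a pair silently also makes the case hard to diagnose in the field; an `av_log(h->avctx, AV_LOG_DEBUG, ...)` in the new branch would help.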
@@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; From ba2f8469ba951db28c7d7ede25908cb8beeacfae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jan 2018 22:12:07 +0100 Subject: [PATCH 525/818] avcodec/opus_parser: Check payload_len in parse_opus_ts_header() Fixes: clusterfuzz-testcase-minimized-6134545979277312 Fixes: crbug 797469 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62) Signed-off-by: Michael Niedermayer --- libavcodec/opus_parser.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c index 893573eb82..28b0933900 100644 --- a/libavcodec/opus_parser.c +++ b/libavcodec/opus_parser.c @@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; + uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(&gb, buf, buf_len); 
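Review bot: In `ict_int` the `i0` and `i2` terms use the literal constants `26345U` and `-14942U` while the `i1` term reads `i_ict_params[1]` and `i_ict_params[2]`; if `i_ict_params` also holds the other two coefficients, using it throughout would make the unsigned-arithmetic fix uniform and leave a single source of truth for the ICT constants. The `(int)(...) >> 16` form relies on arithmetic right shift of a negative int, which is implementation-defined; a comment such as `/* unsigned multiply: corrupt input can overflow int, wrapping is intended */` would keep the casts from being removed as noise.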
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; - *payload_len = 0; + payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte(&gb) == 0xff) - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); if (start_trim_flag) bytestream2_skip(&gb, 2); @@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le bytestream2_skip(&gb, control_extension_length); } + if (bytestream2_tell(&gb) + payload_len_tmp > buf_len) + return NULL; + + *payload_len = payload_len_tmp; + return buf + bytestream2_tell(&gb); } @@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx, state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, &payload_len, buf_size - i); + if (!payload) { + av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); + return AVERROR_INVALIDDATA; + } *header_len = payload - buf; start_found = 1; break; From 347744121bc88c82088234ce8cc086453b077179 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:43:24 +0100 Subject: [PATCH 526/818] avcodec/diracdec: Fix integer overflow with quant Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int' Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
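Review bot: The new error message in `opus_find_frame_end` says `"Error parsing Ogg TS header.\n"`, but `parse_opus_ts_header` and `OPUS_TS_HEADER` describe the Opus-in-MPEG-TS framing, not Ogg; `"Error parsing Opus TS header.\n"` avoids pointing users at the wrong container. The bound `bytestream2_tell(&gb) + payload_len_tmp > buf_len` is also what makes the later narrowing `*payload_len = payload_len_tmp;` safe, and since the uint64 temporary exists only for that reason a comment on the check, e.g. `/* bounded by buf_len, so the int narrowing below cannot overflow */`, would explain it.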
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 791b7f9928..9df70c3f7a 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -508,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { - int quant = b->quant; + int quant; if (is_arith) - quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); + quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else - quant += dirac_get_se_golomb(gb); - if (quant < 0) { + quant = dirac_get_se_golomb(gb); + if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } - b->quant = quant; + b->quant += quant; } if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { From bf7715fd29d5701d68379a37c59465096717ed15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:58:49 +0100 Subject: [PATCH 527/818] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800 Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9828d95a4..1af41e0702 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
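Review bot: The overflow guard `quant > INT_MAX - b->quant` in `codeblock` is itself only well-defined if `b->quant` is non-negative on entry; the second test keeps it >= 0 after each update here, but its initial value comes from outside the hunk. If it can be negative there, `INT_MAX - b->quant` overflows before the comparison. A comment stating the invariant, e.g. `/* b->quant >= 0 here, so INT_MAX - b->quant cannot overflow */`, or an `av_assert1` on it, would pin that down.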
@@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ - (b0 - ((b1 + 1) >> 1)) + ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ - (b0 + b1) + ((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) From 014ba5c73758298366feda73e9f6c97a5af860e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 03:48:43 +0100 Subject: [PATCH 528/818] avcodec/h264addpx_template: Fixes integer overflows Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int' Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad) Signed-off-by: Michael Niedermayer --- libavcodec/h264addpx_template.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c index b71aaea439..9a1e6a2f2f 100644 --- a/libavcodec/h264addpx_template.c +++ b/libavcodec/h264addpx_template.c @@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 4; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; dst += stride; src += 4; 
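Review bot: `COMPOSE_HAARiL0` and `COMPOSE_HAARiH0` still expand their arguments without parentheses, so `b0 - (unsigned)(...)` misbehaves if a caller passes a compound expression such as a conditional; the callers are not visible here. Parenthesizing keeps the unsigned-wrap fix independent of the argument shape: `((int)((b0) - (unsigned)((int)((b1) + 1U) >> 1)))` and `((int)((b0) + (unsigned)(b1)))`.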
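Review bot: The `(unsigned)` casts in `ff_h264_add_pixels4` (and the same change to `ff_h264_add_pixels8` in the next hunk) look like no-ops to a later reader, because the reason — `src` is presumably a `dctcoef` that can be 32-bit, and the fuzz case adds 512 + 2147483491 — lives only in the commit message. A comment above the loop would keep them: `/* unsigned add: corrupt coefficients can push dst + src past INT_MAX; wrap instead of UB, the store truncates to pixel */`.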
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 8; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; - dst[4] += src[4]; - dst[5] += src[5]; - dst[6] += src[6]; - dst[7] += src[7]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; + dst[4] += (unsigned)src[4]; + dst[5] += (unsigned)src[5]; + dst[6] += (unsigned)src[6]; + dst[7] += (unsigned)src[7]; dst += stride; src += 8; From d8e501de42d9c3dfe4a1f38b23a55f761866a6a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jan 2018 22:47:10 +0100 Subject: [PATCH 529/818] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one Fixes high pitched shriek Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4 Reported-by: Dale Curtis Reviewed-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641) Signed-off-by: Michael Niedermayer --- libavcodec/arm/sbrdsp_neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S index e66abd682a..003b04ea05 100644 --- a/libavcodec/arm/sbrdsp_neon.S +++ b/libavcodec/arm/sbrdsp_neon.S @@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1 vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! - vld1.32 {d3[]}, [r2,:32]! + vld1.32 {d18[]}, [r2,:32]! vceq.f32 d4, d2, #0 veor d2, d2, d3 vmov d1, d0 - vmla.f32 d0, d6, d3 + vmla.f32 d0, d6, d18 vadd.f32 s2, s2, s4 vbif d0, d1, d4 vst1.32 {d0}, [r0,:64]! From 7965ffbeb111af1a8c676ca587e0ab5927c374d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 01:53:58 +0200 Subject: [PATCH 530/818] avcodec/utils: Avoid hardcoding duplicated types in sizeof() 
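Review bot: `d18` in `ff_sbr_hf_apply_noise_0_neon` is a caller-saved NEON register under the AAPCS (only d8–d15 must be preserved), so no save/restore is needed, assuming it is not already used elsewhere in the function body outside the hunk. The reason for the change — the old load into `d3` clobbered a value that the later `veor d2, d2, d3` still needs — is not visible in the code; a comment next to the load, e.g. `@ d18: per-iteration noise coefficient; d3 must stay intact for the veor below`, would record it.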
Signed-off-by: Michael Niedermayer (cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9363026695..9064cb31d6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1270,7 +1270,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (ret < 0) return ret; - avctx->internal = av_mallocz(sizeof(AVCodecInternal)); + avctx->internal = av_mallocz(sizeof(*avctx->internal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); goto end; @@ -2795,7 +2795,7 @@ void avsubtitle_free(AVSubtitle *sub) av_freep(&sub->rects); - memset(sub, 0, sizeof(AVSubtitle)); + memset(sub, 0, sizeof(*sub)); } static int do_decode(AVCodecContext *avctx, AVPacket *pkt) From 68ca7aefb26cba079c9a963235e3d7bbb6001dc0 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jan 2018 18:05:55 +0100 Subject: [PATCH 531/818] configure: bump year Happy new year! (cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 97aab62990..a48f7858bf 100755 --- a/configure +++ b/configure @@ -6799,7 +6799,7 @@ cat > $TMPH < Date: Thu, 18 Jan 2018 15:21:56 -0800 Subject: [PATCH 532/818] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() Signed-off-by: Michael Niedermayer (cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3ec1636584..cd6db9ebac 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2071,8 +2071,16 @@ static int matroska_parse_tracks(AVFormatContext *s) } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { - if (!track->default_duration && track->video.frame_rate > 0) - track->default_duration = 1000000000 / track->video.frame_rate; + if (!track->default_duration && track->video.frame_rate > 0) { + double default_duration = 1000000000 / track->video.frame_rate; + if (default_duration > UINT64_MAX || default_duration < 0) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); + } else { + track->default_duration = default_duration; + } + } if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) From 68f9a9fe4bcba2db62a3cb43b3013bf58368fb6d Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Fri, 19 Jan 2018 13:17:07 -0800 Subject: [PATCH 533/818] avformat/lrcdec: Fix memory leak in lrc_read_header() Signed-off-by: Michael Niedermayer (cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 12f74b22a0..f4e9a4efa9 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s) } ff_subtitles_queue_finalize(s, &lrc->q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); + av_bprint_finalize(&line, NULL); return 0; } From eecb0ecf51ed9f270832a66c85949d5731e626af Mon Sep 17 00:00:00 2001 
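Review bot: `default_duration > UINT64_MAX` in `matroska_parse_tracks` compares a double against UINT64_MAX converted to double, which rounds up to 2^64; a computed value of exactly 2^64 therefore passes the check and the conversion in `track->default_duration = default_duration;` is still out of range (undefined). `if (default_duration >= UINT64_MAX || default_duration < 0)` closes that gap. `frame_rate > 0` already excludes NaN, so with that change the checks are complete; a short comment saying why both bounds are tested would help the next reader.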
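Review bot: `av_bprint_finalize(&line, NULL)` in `lrc_read_header` is reached only on the success path; if the function has early returns between the `av_bprint_init` and this point (they are outside the hunk), those paths still leak the buffer. Moving the finalize to a common exit, or a comment documenting that the earlier returns cannot have allocated, would close that.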
From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:39 +0100 Subject: [PATCH 534/818] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 9a6d7a08b1..bd66175d50 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -64,8 +64,8 @@ static void scale_coefs ( int dynrng, int len) { - int i, shift, round; - unsigned mul; + int i, shift; + unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; From 488a6ae7e5e8ffbcddcdda62174b898bbe6a8b4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:40 +0100 Subject: [PATCH 535/818] avcodec/jpeg2000: Check sum of sizes of band->prec before allocating Fixes: OOM Fixes: 4810/clusterfuzz-testcase-minimized-6034253235093504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6887e412434776eb260ad3904f565be491dd5726) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index afeb9df27c..026b2db56f 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c 
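Review bot: Changing `round` to `unsigned` in `scale_coefs` fixes the overflow only through the implicit conversions in the body below (an `int + unsigned` sum wraps and is converted back to `int`), and none of that is visible at the declaration; the body is outside the hunk. A comment on the declaration would stop someone from "fixing" the type back: `unsigned mul, round; /* unsigned: products and sums may wrap on corrupt input; wrapping is intended, signed overflow would be UB */`.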
@@ -543,6 +543,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, if (!reslevel->band) return AVERROR(ENOMEM); + if (reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y * reslevel->nbands > avctx->max_pixels / sizeof(*reslevel->band->prec)) + return AVERROR(ENOMEM); + for (bandno = 0; bandno < reslevel->nbands; bandno++, gbandno++) { ret = init_band(avctx, reslevel, comp, codsty, qntsty, From a9fb2f8c80d4c76854773bf654175573942312a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 19:03:48 +0100 Subject: [PATCH 536/818] avcodec/ulti: Check number of blocks at init Fixes: Timeout Fixes: 4832/clusterfuzz-testcase-4699096590843904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02) Signed-off-by: Michael Niedermayer --- libavcodec/ulti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c index e6f4374981..9e4c088b10 100644 --- a/libavcodec/ulti.c +++ b/libavcodec/ulti.c @@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); + if (s->blocks == 0) + return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; From 60bc7a6ec08a662c02e10eb1660d15e2a65ff0f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 03:03:36 +0100 Subject: [PATCH 537/818] avcodec/snowdec: Fix integer overflow before htaps check Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5) 
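Review bot: The new size check in `ff_jpeg2000_init_component` returns `AVERROR(ENOMEM)` for what is a policy limit (`avctx->max_pixels`) rather than an allocation failure, and unlike the allocation check just before it gives no log line, so an oversized but valid stream fails with a misleading out-of-memory error. An `av_log(avctx, AV_LOG_ERROR, ...)` naming the precinct count and the limit, or a distinct error code, would make the rejection diagnosable. The `sizeof(*reslevel->band->prec)` divisor ties this check to the `prec` allocation made later, which deserves a comment so the two stay in step.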
Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index df425b8cf3..00fa064102 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){ int htaps, i, sum=0; Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); - htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps >= HTAPS_MAX || htaps==0) + htaps= get_symbol(&s->c, s->header_state, 0); + if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; + htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); From 162bbc22e2032db4bf9fc3aadeb9b4e05924e76b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jan 2018 04:10:50 +0100 Subject: [PATCH 538/818] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int' Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f077f0e4bd..97c38f7f08 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
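Review bot: The new bound `(unsigned)htaps >= HTAPS_MAX/2 - 1` in `decode_header` is equivalent to the old `htaps*2+2 >= HTAPS_MAX` only when `HTAPS_MAX` is even, and if `HTAPS_MAX/2 - 1` is ever <= 0 the signed-to-unsigned comparison stops rejecting anything; `HTAPS_MAX` is defined outside the hunk. A comment tying the bound to the later `htaps*2 + 2`, e.g. `/* htaps*2+2 must stay < HTAPS_MAX; checked before the multiply to avoid int overflow */`, would make the relation explicit.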
@@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ - CD[0] = CHR[1] - last[1];\ - CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ + CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ + CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} From fb27cebc93cb2999c31f9a0dc7f843d5b71187a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:42:57 +0100 Subject: [PATCH 539/818] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down Signed-off-by: Michael Niedermayer (cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3c22e30faa..5e46c59a24 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -979,16 +979,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) { - av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); - return 0; - } + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + + if (prefix == CABAC_MAX_BIN) { + av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) From ce82d4722bde503f899521519d3a8e8c2200c205 Mon Sep 17 00:00:00 2001 
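Review bot: `TM2_RECALC_BLOCK` remains a bare `{ ... }` multi-statement macro and still does not parenthesize `CHR`, `last` or `CD`, so the unsigned-subtraction fix is only as safe as the argument expressions at each call site; wrapping it in `do { ... } while (0)` and writing `(CD)[0] = (unsigned)(CHR)[1] - (unsigned)(last)[1];` (and likewise for the other three lines) would make it robust. The uneven spacing in `CHR[ 1]` and `(unsigned) CHR[1]` reads as a leftover from aligning columns; align all four lines or none.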
From: Michael Niedermayer Date: Mon, 22 Jan 2018 14:02:59 +0100 Subject: [PATCH 540/818] avcodec/dxtory: Fix bits left checks Fixes: Timeout Fixes: 4863/clusterfuzz-testcase-6347354178322432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 6f8652ad49..e736cec8db 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); @@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); @@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; - for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { + for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) 
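Review bot: The new loop guards `get_bits_left(gb) > 6 * width` (and `9 * width` in `dx2_decode_slice_410`, plus the same change in the `_420` and `_444` hunks that follow) replace the magic 16 with other magic numbers; nothing in the code says these are the minimum bits a row (or four rows for 4:1:0) can occupy. A comment above each loop, e.g. `/* bail before a row that cannot be complete: presumably >= 2 bits per symbol, 3 symbols per pixel */`, would make the timeout fix reviewable; the exact per-symbol minimum is not visible here, so confirm it against `decode_sym` before committing the comment.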
@@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; - for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { + for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; From dbe356a00974632a18612c7a395366cee4c49118 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:28:49 +0100 Subject: [PATCH 541/818] avcodec/mjpegdec: Fix integer overflow in DC dequantization Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int' Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index bd6dd7ef47..31c8fb422d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -696,7 +696,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } - val = val * quant_matrix[0] + s->last_dc[component]; + val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; From aec30d0da9dc66de0d05b0c9d65022611bbf3f9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:46:44 +0100 Subject: [PATCH 542/818] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() I suspect that this can be limited tighter, but i failed to find anything in the spec that would confirm that. Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584 Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 5e46c59a24..29485dc64c 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -987,7 +987,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From d74839d793ebf8c6c7c4a2a8a22ae2bd695d2c41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 19:38:05 +0100 Subject: [PATCH 543/818] avfilter/vf_transpose: Fix used plane count. Fixes out of array access Fixes: poc.mp4 Found-by: GwanYeong Kim 
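Review bot: The added `(unsigned)` cast makes the product wrap instead of overflowing, but nothing in the hunk says the wrap is intentional and only acceptable because `av_clip_int16()` saturates on the next line; a later reader may remove the cast as noise. A one-line comment would pin it down: `/* (unsigned) turns overflow into a wrap rather than UB; the value is clipped below */`. Converting the wrapped unsigned product back to `int` is implementation-defined rather than undefined, which is the trade this codebase makes in similar places. decode_block continues outside the hunk.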
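Review bot: The error message on the line after the new condition still says `CABAC_MAX_BIN : %d` even when the rejection comes from the new `prefix_minus3 + rc_rice_param >= 31` clause, so a log reader cannot tell which bound fired. Log both inputs instead, e.g. `av_log(s->avctx, AV_LOG_ERROR, "invalid coeff_abs_level_remaining prefix %d (rice %d)\n", prefix, rc_rice_param);`. The 31 is what keeps the subsequent left shift inside a 32-bit `int`, and the commit message itself says the spec may allow a tighter limit, so a comment such as `/* shift-width guard, not a spec limit */` would stop the bound from being mistaken for one. coeff_abs_level_remaining_decode continues outside the hunk.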
Signed-off-by: Michael Niedermayer (cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235) (cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 75b4dda41f..1e5505b713 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ enum TransposeDir { typedef struct TransContext { const AVClass *class; int hsub, vsub; + int planes; int pixsteps[4]; int passthrough; ///< PassthroughType, landscape passthrough mode enabled @@ -106,6 +108,10 @@ static int config_props_output(AVFilterLink *outlink) s->hsub = desc_in->log2_chroma_w; s->vsub = desc_in->log2_chroma_h; + s->planes = av_pix_fmt_count_planes(outlink->format); + + av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out); @@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, AVFrame *in = td->in; int plane; - for (plane = 0; out->data[plane]; plane++) { + for (plane = 0; plane < s->planes; plane++) { int hsub = plane == 1 || plane == 2 ? s->hsub : 0; int vsub = plane == 1 || plane == 2 ? s->vsub : 0; int pixstep = s->pixsteps[plane]; From 61a911d0073b19974ea289b1594e2bf8bba56007 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:00 +0100 Subject: [PATCH 544/818] avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3) 
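Review bot: The new `planes` member of TransContext has no doc comment, unlike the neighbouring `passthrough` field, and the link between `planes`, `pixsteps[4]` and the loop bound in filter_slice is only implicit. Suggest `int planes; ///< plane count of the output format (av_pix_fmt_count_planes()); bounds the plane loop in filter_slice()`. `s->planes` is derived from `outlink->format` while `pixsteps` is filled from `desc_out`; if the `av_assert0` is what guarantees the two describe the same layout, a comment naming that invariant would help, since `av_assert0` aborts the process in release builds. config_props_output and filter_slice both continue outside their hunks.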
Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8eafc783b8..afa41a8641 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx) } mb_num = get_bits(&s->gb, mb_num_bits); - if (mb_num >= s->mb_num) { + if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; From 093c80747ba4b3a6ca1a1532d1404dafa421b2b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:01 +0100 Subject: [PATCH 545/818] avcodec/get_bits: Document the return code of get_vlc2() Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index c530015169..0c7f5ff0c6 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -550,6 +550,7 @@ static inline const uint8_t *align_get_bits(GetBitContext *s) * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) From 90cfaff0bbc79f133a2d8c9f67763ba90072c9f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:02 +0100 Subject: [PATCH 546/818] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94) 
Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index afa41a8641..d0162d1074 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1251,10 +1251,12 @@ not_coded: */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || From bb5748ec9d244e22e783e2914b64abf64c0808e3 Mon Sep 17 00:00:00 2001 From: Aman Gupta Date: Tue, 26 Sep 2017 18:04:12 -0700 Subject: [PATCH 547/818] avcodec/hevc_ps: extract SPS fields required for hvcC construction Signed-off-by: Aman Gupta Reviewed-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- libavcodec/hevc_ps.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index f2c26c4598..dc1429fa73 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
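Review bot: Neither hunk says why `ctx` is now obtained via `s->avctx->priv_data` instead of the cast it replaces, and `av_assert2` is compiled out in default builds, so the `s == (void*)ctx` check documents the invariant only for debug builds. A short comment above the first assignment would carry the reasoning for both functions, e.g. `/* priv_data is the Mpeg4DecContext that contains this MpegEncContext; fetch it that way instead of casting s, which would be an aliasing cast */` — the containment is not visible in the hunk and should be confirmed before wording it that way. Both mpeg4_decode_partitioned_mb and mpeg4_decode_mb continue outside their hunks.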
@@ -891,7 +891,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, return AVERROR_INVALIDDATA; } - skip_bits1(gb); // temporal_id_nesting_flag + sps->temporal_id_nesting_flag = get_bits(gb, 1); if ((ret = parse_ptl(gb, avctx, &sps->ptl, sps->max_sub_layers)) < 0) return ret; @@ -954,6 +954,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->bit_depth, bit_depth_chroma); return AVERROR_INVALIDDATA; } + sps->bit_depth_chroma = bit_depth_chroma; ret = map_pixel_format(avctx, sps); if (ret < 0) diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index 44de3980e1..26842ef189 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -151,6 +151,7 @@ typedef struct HEVCSPS { HEVCWindow pic_conf_win; int bit_depth; + int bit_depth_chroma; int pixel_shift; enum AVPixelFormat pix_fmt; @@ -163,6 +164,7 @@ typedef struct HEVCSPS { int num_reorder_pics; int max_latency_increase; } temporal_layer[HEVC_MAX_SUB_LAYERS]; + uint8_t temporal_id_nesting_flag; VUI vui; PTL ptl; From 4019c2a67c6aafeadb93aa8fc741cc3915817597 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:15:23 +0100 Subject: [PATCH 548/818] avcodec/hevc_ps: Check log2_sao_offset_scale_* Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768 Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index dc1429fa73..b64dc68919 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
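Review bot: `sps->temporal_id_nesting_flag = get_bits(gb, 1);` reads a single bit with the general `get_bits()`; the one-bit reader matching the `skip_bits1()` it replaces is `get_bits1()`, so `sps->temporal_id_nesting_flag = get_bits1(gb);`. The two new members in hevc_ps.h also lack the short comment a reader needs to relate them to the syntax elements they mirror, e.g. `int bit_depth_chroma; ///< bit_depth_chroma_minus8 + 8` and `uint8_t temporal_id_nesting_flag; ///< sps_temporal_id_nesting_flag`. ff_hevc_parse_sps continues outside both of its hunks.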
@@ -1330,6 +1330,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx, pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); + if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth - 10, 0) + || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) + ) + return AVERROR_INVALIDDATA; + return(0); } From 38384cdd991cf6c7d28f365c368523d8c8066d3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jan 2018 00:24:49 +0100 Subject: [PATCH 549/818] avcodec/indeo5: Do not leave frame_type set to an invalid value Fixes: null pointer dereference Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc) Signed-off-by: Michael Niedermayer --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 5f931c8b98..5028def4bc 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); + ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } From 55f9c21363af98b0f00c927b7d9c9a92f2f378d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jan 2018 23:14:37 +0100 Subject: [PATCH 550/818] avcodec/dirac_dwt: Fix several integer overflows Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int' Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
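Review bot: The new range check dereferences `sps` in pps_range_extensions(), and the hunk does not show where a non-NULL, already validated SPS is guaranteed; if a PPS referring to an unknown SPS can reach this function, the dereference precedes any check, so that should be confirmed in the caller. A comment naming the constraint the check implements would make the otherwise opaque bound self-explanatory: `/* PPS range extension semantics: log2_sao_offset_scale_* shall be in 0..Max(0, BitDepth - 10) */`. Stylistically the space inside `if ( pps->...` and the lone `)` line differ from the surrounding code. pps_range_extensions continues outside the hunk.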
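Review bot: Resetting `ctx->frame_type` to `FRAMETYPE_INTRA` on the error path only matters because something reads the field after decode_pic_hdr() has failed, and the hunk does not record that, so a later cleanup may drop the line as dead. Suggest a comment on it, `/* leave a valid frame type behind: the field is read again after this error return */`, with the wording checked against what the caller actually does. It is also worth checking whether other fields assigned earlier in decode_pic_hdr() can be left half-updated on the same return. decode_pic_hdr continues outside the hunk.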
Signed-off-by: Michael Niedermayer (cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- libavcodec/dirac_dwt_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 1af41e0702..68ebd19560 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) + (b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) + (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e436c247a1..e68cc4d530 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; + b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2); } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From d07a0ae1af038ad6d4a4084d22940b4efbea141e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 17:50:21 +0100 Subject: [PATCH 551/818] avcodec/exr: Fix memleaks in decode_header() Fixes: 4793/clusterfuzz-testcase-minimized-5707366629638144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a2560a9775be7c5df09c85c9908b05e711a54a3) 
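Review bot: After this change COMPOSE_53iL0() and COMPOSE_DIRAC53iH0() evaluate to an `unsigned` expression, whereas the neighbouring COMPOSE_DD97iH0() wraps its result in `(int)`; any user of the two macros that compares or right-shifts the result now does so on an unsigned value. For consistency with DD97iH0 and to keep the macros' type stable for callers, wrap them the same way: `(int)(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))` and `(int)(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))`. The dirac_dwt_template.c change is fine as is, since the compound assignment converts back to TYPE. The macro users are outside the hunk, so whether any of them depend on the signed type should be confirmed.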
Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 82 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 26 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 7fa17ca887..fe978805c5 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1317,6 +1317,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) AVDictionary *metadata = NULL; int magic_number, version, i, flags, sar = 0; int layer_match = 0; + int ret; s->current_channel_offset = 0; s->xmin = ~0; @@ -1375,8 +1376,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) if ((var_size = check_header_variable(s, "channels", "chlist", 38)) >= 0) { GetByteContext ch_gb; - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_init(&ch_gb, s->gb.buffer, var_size); @@ -1435,14 +1438,16 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (bytestream2_get_bytes_left(&ch_gb) < 4) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete header.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } current_pixel_type = bytestream2_get_le32(&ch_gb); if (current_pixel_type >= EXR_UNKNOWN) { avpriv_report_missing_feature(s->avctx, "Pixel type %d", current_pixel_type); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } bytestream2_skip(&ch_gb, 4); @@ -1453,7 +1458,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) avpriv_report_missing_feature(s->avctx, "Subsampling %dx%d", xsub, ysub); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ 
@@ -1461,7 +1467,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type != current_pixel_type) { av_log(s->avctx, AV_LOG_ERROR, "RGB channels not of the same depth.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; @@ -1469,8 +1476,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel)); - if (!s->channels) - return AVERROR(ENOMEM); + if (!s->channels) { + ret = AVERROR(ENOMEM); + goto fail; + } channel = &s->channels[s->nb_channels - 1]; channel->pixel_type = current_pixel_type; channel->xsub = xsub; @@ -1495,7 +1504,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "Missing green channel.\n"); if (s->channel_offsets[2] < 0) av_log(s->avctx, AV_LOG_ERROR, "Missing blue channel.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } @@ -1504,8 +1514,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } s->xmin = bytestream2_get_le32(&s->gb); s->ymin = bytestream2_get_le32(&s->gb); @@ -1517,8 +1529,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "displayWindow", "box2i", 34)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_skip(&s->gb, 8); s->w = bytestream2_get_le32(&s->gb) + 1; 
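Review bot: The context line `s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel));` in the `@@ -1469` hunk still overwrites the only pointer to the old array, so on allocation failure the new `goto fail` releases the metadata but the previous `channels` block leaks and `nb_channels` has already been incremented past what is allocated. Use a temporary, let `av_realloc_array()` do the overflow-checked multiply, and bump the count only on success; whether the close routine frees `s->channels` by pointer or walks `nb_channels` (outside the hunk) decides how harmful the stale count is. decode_header continues outside the hunk.
```c
            /* … unchanged: pixel type / subsampling / channel_index checks … */
            EXRChannel *tmp = av_realloc_array(s->channels, s->nb_channels + 1,
                                               sizeof(*tmp));
            if (!tmp) {
                ret = AVERROR(ENOMEM);
                goto fail;
            }
            s->channels = tmp;
            s->nb_channels++;
            channel = &s->channels[s->nb_channels - 1];
```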
@@ -1528,29 +1542,36 @@ static int decode_header(EXRContext *s, AVFrame *frame) } else if ((var_size = check_header_variable(s, "lineOrder", "lineOrder", 25)) >= 0) { int line_order; - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } line_order = bytestream2_get_byte(&s->gb); av_log(s->avctx, AV_LOG_DEBUG, "line order: %d.\n", line_order); if (line_order > 2) { av_log(s->avctx, AV_LOG_ERROR, "Unknown line order.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } continue; } else if ((var_size = check_header_variable(s, "pixelAspectRatio", "float", 31)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } sar = bytestream2_get_le32(&s->gb); continue; } else if ((var_size = check_header_variable(s, "compression", "compression", 29)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (s->compression == EXR_UNKN) s->compression = bytestream2_get_byte(&s->gb); @@ -1577,13 +1598,15 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (s->tile_attr.level_mode >= EXR_TILE_LEVEL_UNKNOWN){ avpriv_report_missing_feature(s->avctx, "Tile level mode %d", s->tile_attr.level_mode); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } if (s->tile_attr.level_round >= EXR_TILE_ROUND_UNKNOWN) { avpriv_report_missing_feature(s->avctx, "Tile level round %d", s->tile_attr.level_round); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } continue; @@ -1600,7 +1623,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) // Check if there are enough bytes for a header if (bytestream2_get_bytes_left(&s->gb) <= 9) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete header\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } // Process unknown variables 
@@ -1615,19 +1639,22 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (s->compression == EXR_UNKN) { av_log(s->avctx, AV_LOG_ERROR, "Missing compression attribute.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->is_tile) { if (s->tile_attr.xSize < 1 || s->tile_attr.ySize < 1) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tile attribute.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } if (bytestream2_get_bytes_left(&s->gb) <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete frame.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } av_frame_set_metadata(frame, metadata); @@ -1635,6 +1662,9 @@ static int decode_header(EXRContext *s, AVFrame *frame) // aaand we are done bytestream2_skip(&s->gb, 1); return 0; +fail: + av_dict_free(&metadata); + return ret; } static int decode_frame(AVCodecContext *avctx, void *data, From a97335b1b3aec9fb449ddf1a8b33cdaf418bf1a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 18:13:07 +0100 Subject: [PATCH 552/818] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 2a679491b0..0622d2ff7c 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c 
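Review bot: Every exit converted in these hunks assigns `ret` before `goto fail`, which is fine, but any `return AVERROR_*` left in the stretches of decode_header() between the hunks still bypasses the new `av_dict_free(&metadata)` — exactly the leak this commit fixes — and those stretches are not visible here, so they should be audited rather than assumed clean. Initialising `int ret = 0;` would not help a missed path either, so the audit is the real check. A comment on the label would state the contract for future edits: `fail: /* every early exit after metadata may have been set must come through here */`. decode_header begins outside the hunk.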
@@ -572,7 +572,8 @@ static void sbr_hf_assemble(int Y1[38][64][2], int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = &Y1[i][kx][idx]; - int shift, round; + int shift; + unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { @@ -585,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2], } if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } if (shift2 < 32) { round = 1 << (shift2-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift2; + out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; } } if(m_max&1) @@ -601,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], return; } else if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } } } From 4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 02:50:18 +0100 Subject: [PATCH 553/818] avcodec/wavpack: Fix integer overflow in FFABS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 5396/clusterfuzz-testcase-minimized-6558555529281536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 27d631c4e9..e0440959ff 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
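Review bot: `round = 1 << (shift-1);` is still a signed shift assigned to the now-unsigned `round`; writing `round = 1U << (shift-1);` in all three places matches the declaration and removes the signed `1 << 30` edge from the expression. The `shift < 32` guards bound the shift from above only; if `shift` or `shift2` can be 0 here, `1 << -1` is undefined, and the lower bound is decided by the computation above the hunk, which should be checked. The `(int)` cast then right-shifts a possibly negative value, which is implementation-defined (arithmetic shift on the supported targets) rather than undefined, consistent with the rest of the fixed-point code. sbr_hf_assemble continues outside the hunks.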
@@ -480,7 +480,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { + if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From 0322f781777d4413bd57815ee9b5a7d6a0cfe716 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Feb 2018 21:44:57 +0100 Subject: [PATCH 554/818] avcodec/utvideodec: Fix bytes left check in decode_frame() Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 7c65d779c3..fda5de0732 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -638,7 +638,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < c->slices; j++) { slice_end = bytestream2_get_le32u(&gb); if (slice_end < 0 || slice_end < slice_start || - bytestream2_get_bytes_left(&gb) < slice_end) { + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; } From 838d02fcff8d08dfe138db572eaff01193f388ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 19:20:10 +0100 Subject: [PATCH 555/818] avcodec/huffyuvdec: Check input buffer size Fixes: Timeout Fixes: 5487/clusterfuzz-testcase-4696837035393024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290) 
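Review bot: The `1024LL` slack added to the slice-size check is an unexplained constant; presumably it covers how far the slice decoder may read beyond `slice_end`, but the hunk does not say so and nobody will know to keep it in sync with that reader. Name it or comment it, e.g. `bytestream2_get_bytes_left(&gb) < slice_end + 1024LL /* slack the slice decoder may read past slice_end */`, ideally tied to the actual over-read amount. The `slice_end < 0` test on the preceding line is dead if `slice_end` is unsigned; its type is not visible in the hunk. decode_frame continues outside the hunk.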
Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 979c4b9d5c..66357bfb40 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -919,6 +919,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *const p = data; int table_size = 0, ret; + if (buf_size < (width * height + 7)/8) + return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size); From 66881cf2b58b8021e9e7f4271e30deeba0c6cb7f Mon Sep 17 00:00:00 2001 From: Nekopanda Date: Sat, 10 Feb 2018 18:36:32 +0900 Subject: [PATCH 556/818] avcodec/mpeg2dec: Fix field selection for skipped macroblocks For B field pictures, the spec says, > The prediction shall be made from the field of the same parity as the field being predicted. I did it. Signed-off-by: Michael Niedermayer (cherry picked from commit 8b154cb3e90a3e599cadf477d815a9854b7bb4e1) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 + tests/ref/fate/mpeg2-ticket186 | 328 ++++++++++++++++----------------- 2 files changed, 166 insertions(+), 164 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 186fbd27b6..3786dc61b3 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1983,6 +1983,8 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, s->mv[0][0][1] = s->last_mv[0][0][1]; s->mv[1][0][0] = s->last_mv[1][0][0]; s->mv[1][0][1] = s->last_mv[1][0][1]; + s->field_select[0][0] = (s->picture_structure - 1) & 1; + s->field_select[1][0] = (s->picture_structure - 1) & 1; } } } diff --git a/tests/ref/fate/mpeg2-ticket186 b/tests/ref/fate/mpeg2-ticket186 index b716ca5611..31afda15e8 100644 --- a/tests/ref/fate/mpeg2-ticket186 +++ b/tests/ref/fate/mpeg2-ticket186 
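Review bot: The new lower bound `(width * height + 7)/8` encodes an unstated assumption — at least one bit per pixel in a huffyuv frame — and `width * height` is an `int` product whose freedom from overflow rests on dimension checks done at open time, outside the hunk. A comment would make both explicit: `/* a frame needs at least 1 bit per pixel; w*h is bounded by the dimension check at open */` (confirm against the init path before wording it that way). decode_frame continues outside the hunk.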
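Review bot: `(s->picture_structure - 1) & 1` is written twice with no comment that it selects the field of the same parity as the picture being decoded, which is the whole point of the fix; the commit message carries that reasoning but the code does not. Suggest computing it once, `int parity = (s->picture_structure - 1) & 1; /* same-parity field: PICT_TOP_FIELD -> 0, PICT_BOTTOM_FIELD -> 1 */`, then `s->field_select[0][0] = s->field_select[1][0] = parity;`. For frame pictures the expression yields 0, which presumably does not matter because field_select is unused for frame prediction; that is decided by code in mpeg_decode_slice outside the hunk and worth confirming. The FATE reference update is consequential and needs no review.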
@@ -3,354 +3,354 @@ #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 12/11 -0, 0, 0, 1, 152064, 0xd23ffc59 +0, 0, 0, 1, 152064, 0x8f9d00c1 0, 1, 1, 1, 152064, 0x899fb8b1 -0, 2, 2, 1, 152064, 0x5958d070 +0, 2, 2, 1, 152064, 0x7225cb39 0, 3, 3, 1, 152064, 0xf2becd8f -0, 4, 4, 1, 152064, 0xb47bbed7 +0, 4, 4, 1, 152064, 0xd56bc556 0, 5, 5, 1, 152064, 0x7ca54f36 -0, 6, 6, 1, 152064, 0x02389610 +0, 6, 6, 1, 152064, 0x06d7805c 0, 7, 7, 1, 152064, 0x469f3f87 -0, 8, 8, 1, 152064, 0x935a780e +0, 8, 8, 1, 152064, 0xdb2f57d5 0, 9, 9, 1, 152064, 0x3876c20c -0, 10, 10, 1, 152064, 0x49df265f +0, 10, 10, 1, 152064, 0x5b670e79 0, 11, 11, 1, 152064, 0xdfe420e0 -0, 12, 12, 1, 152064, 0x6e34a0c4 +0, 12, 12, 1, 152064, 0x17578222 0, 13, 13, 1, 152064, 0x47e1cb26 -0, 14, 14, 1, 152064, 0x68e74188 +0, 14, 14, 1, 152064, 0x168e35d6 0, 15, 15, 1, 152064, 0xe9d34b4e -0, 16, 16, 1, 152064, 0xa8665e1a +0, 16, 16, 1, 152064, 0x5e395308 0, 17, 17, 1, 152064, 0x88e3b39f -0, 18, 18, 1, 152064, 0x1c1ab2c3 +0, 18, 18, 1, 152064, 0x6b099c51 0, 19, 19, 1, 152064, 0xb1a24ddf -0, 20, 20, 1, 152064, 0x030d5afc +0, 20, 20, 1, 152064, 0xcea840fc 0, 21, 21, 1, 152064, 0x98306d64 -0, 22, 22, 1, 152064, 0x5ce0548d +0, 22, 22, 1, 152064, 0xb05354d3 0, 23, 23, 1, 152064, 0xacac26f3 -0, 24, 24, 1, 152064, 0xf167f698 +0, 24, 24, 1, 152064, 0xbccdf14b 0, 25, 25, 1, 152064, 0xd9398539 -0, 26, 26, 1, 152064, 0xd7aec2c4 +0, 26, 26, 1, 152064, 0x07aec13a 0, 27, 27, 1, 152064, 0xa6ef9440 -0, 28, 28, 1, 152064, 0xc289b278 +0, 28, 28, 1, 152064, 0x0e7ab64e 0, 29, 29, 1, 152064, 0x3796939d -0, 30, 30, 1, 152064, 0x48c09366 +0, 30, 30, 1, 152064, 0xcc219365 0, 31, 31, 1, 152064, 0xf4cc815a -0, 32, 32, 1, 152064, 0x1c63cdc2 +0, 32, 32, 1, 152064, 0x8b91c622 0, 33, 33, 1, 152064, 0xd3a8ad8e -0, 34, 34, 1, 152064, 0x70f94bc0 +0, 34, 34, 1, 152064, 0x658e498f 0, 35, 35, 1, 152064, 0xf9c115ea -0, 36, 36, 1, 152064, 0x44a2f607 +0, 36, 36, 1, 152064, 0xb639f8d2 0, 37, 37, 1, 152064, 0x7e9eaa64 -0, 38, 38, 1, 152064, 
0x37b86b68 +0, 38, 38, 1, 152064, 0x8a546bcf 0, 39, 39, 1, 152064, 0x59d22dd4 -0, 40, 40, 1, 152064, 0x5d0d0e8d +0, 40, 40, 1, 152064, 0x80a10edc 0, 41, 41, 1, 152064, 0x5c97d4a1 -0, 42, 42, 1, 152064, 0xd44ef54d +0, 42, 42, 1, 152064, 0x4f1bf025 0, 43, 43, 1, 152064, 0x42721789 -0, 44, 44, 1, 152064, 0x27597277 +0, 44, 44, 1, 152064, 0x39e6700d 0, 45, 45, 1, 152064, 0xdf4af8b4 -0, 46, 46, 1, 152064, 0x5df7390c +0, 46, 46, 1, 152064, 0xacf839bb 0, 47, 47, 1, 152064, 0xbebfbf7c -0, 48, 48, 1, 152064, 0x753959bb +0, 48, 48, 1, 152064, 0x09c7630d 0, 49, 49, 1, 152064, 0x3331ab18 -0, 50, 50, 1, 152064, 0xec4a0f33 +0, 50, 50, 1, 152064, 0xae0f0f28 0, 51, 51, 1, 152064, 0xbb085737 -0, 52, 52, 1, 152064, 0x3938abf4 +0, 52, 52, 1, 152064, 0x1e23ad39 0, 53, 53, 1, 152064, 0x18d46683 -0, 54, 54, 1, 152064, 0xb12ace0c +0, 54, 54, 1, 152064, 0x4eadd0a0 0, 55, 55, 1, 152064, 0x09b13430 -0, 56, 56, 1, 152064, 0x85bd5e88 +0, 56, 56, 1, 152064, 0x240a607b 0, 57, 57, 1, 152064, 0xec0f8a67 -0, 58, 58, 1, 152064, 0x51a4fc74 +0, 58, 58, 1, 152064, 0x6c37fc08 0, 59, 59, 1, 152064, 0xded4cda7 -0, 60, 60, 1, 152064, 0xb69412a9 +0, 60, 60, 1, 152064, 0xc5df1477 0, 61, 61, 1, 152064, 0x3c9de6f9 -0, 62, 62, 1, 152064, 0x223fcc41 +0, 62, 62, 1, 152064, 0xefd1cdbd 0, 63, 63, 1, 152064, 0x5df7b89c -0, 64, 64, 1, 152064, 0x1e58b37a +0, 64, 64, 1, 152064, 0x1b04af5f 0, 65, 65, 1, 152064, 0xbbff2c09 -0, 66, 66, 1, 152064, 0x4e0f4d4a +0, 66, 66, 1, 152064, 0x23b04553 0, 67, 67, 1, 152064, 0x3d99caa3 -0, 68, 68, 1, 152064, 0xcc329c2f +0, 68, 68, 1, 152064, 0x35139bf8 0, 69, 69, 1, 152064, 0x49207c0a -0, 70, 70, 1, 152064, 0x489f2d50 +0, 70, 70, 1, 152064, 0xa78e2efa 0, 71, 71, 1, 152064, 0x5a50b0df -0, 72, 72, 1, 152064, 0x509eb79e +0, 72, 72, 1, 152064, 0x3255b306 0, 73, 73, 1, 152064, 0x60622c61 0, 74, 74, 1, 152064, 0x8c8cde9f 0, 75, 75, 1, 152064, 0xe8c0bb6c -0, 76, 76, 1, 152064, 0xb03581b6 +0, 76, 76, 1, 152064, 0xbc698473 0, 77, 77, 1, 152064, 0x398525c2 0, 78, 78, 1, 152064, 0x87983ab0 0, 
79, 79, 1, 152064, 0x032af6b5 -0, 80, 80, 1, 152064, 0x7434baa4 +0, 80, 80, 1, 152064, 0x4878bb11 0, 81, 81, 1, 152064, 0xff5dd044 -0, 82, 82, 1, 152064, 0x45b2bb36 +0, 82, 82, 1, 152064, 0xe675bfe0 0, 83, 83, 1, 152064, 0x1af29008 0, 84, 84, 1, 152064, 0x07aa8975 0, 85, 85, 1, 152064, 0x17957756 0, 86, 86, 1, 152064, 0x48b5825e 0, 87, 87, 1, 152064, 0x169d70bc -0, 88, 88, 1, 152064, 0x803b30c6 +0, 88, 88, 1, 152064, 0x326730c8 0, 89, 89, 1, 152064, 0x6158c971 -0, 90, 90, 1, 152064, 0xb126e53e +0, 90, 90, 1, 152064, 0x1035e3ee 0, 91, 91, 1, 152064, 0xef49ba53 -0, 92, 92, 1, 152064, 0xfcfd7f17 +0, 92, 92, 1, 152064, 0x261081fa 0, 93, 93, 1, 152064, 0x5280779e -0, 94, 94, 1, 152064, 0x638d6f48 +0, 94, 94, 1, 152064, 0x8a6d6df3 0, 95, 95, 1, 152064, 0xdb0f1ed5 -0, 96, 96, 1, 152064, 0x2cb959b0 +0, 96, 96, 1, 152064, 0x5162570a 0, 97, 97, 1, 152064, 0x0841547c -0, 98, 98, 1, 152064, 0x412a555b +0, 98, 98, 1, 152064, 0xf0694fcd 0, 99, 99, 1, 152064, 0xfe525057 -0, 100, 100, 1, 152064, 0xa8cf0cbc +0, 100, 100, 1, 152064, 0xb4ec0c96 0, 101, 101, 1, 152064, 0xbf2dcaee -0, 102, 102, 1, 152064, 0x636cc494 +0, 102, 102, 1, 152064, 0x7860c418 0, 103, 103, 1, 152064, 0xc9e288bc -0, 104, 104, 1, 152064, 0xe77f4d03 +0, 104, 104, 1, 152064, 0xb0514dc3 0, 105, 105, 1, 152064, 0x722a4bd0 -0, 106, 106, 1, 152064, 0x5271f5ef +0, 106, 106, 1, 152064, 0x5277f52d 0, 107, 107, 1, 152064, 0x05208e75 -0, 108, 108, 1, 152064, 0xb8845f88 +0, 108, 108, 1, 152064, 0x0b596089 0, 109, 109, 1, 152064, 0x47aa117c -0, 110, 110, 1, 152064, 0xe695fe27 +0, 110, 110, 1, 152064, 0x12edfe8b 0, 111, 111, 1, 152064, 0x2e50f864 -0, 112, 112, 1, 152064, 0x52d2b719 +0, 112, 112, 1, 152064, 0x4cedb882 0, 113, 113, 1, 152064, 0xdbf48285 -0, 114, 114, 1, 152064, 0xe0b2ba93 +0, 114, 114, 1, 152064, 0x9071b0e6 0, 115, 115, 1, 152064, 0x1c85a5ce 0, 116, 116, 1, 152064, 0x8ef9a8e8 0, 117, 117, 1, 152064, 0x41e8ae26 0, 118, 118, 1, 152064, 0x3328d571 0, 119, 119, 1, 152064, 0xce7d4da2 -0, 120, 120, 1, 152064, 
0x7a6f7416 +0, 120, 120, 1, 152064, 0x032d7575 0, 121, 121, 1, 152064, 0xb3fc65a6 -0, 122, 122, 1, 152064, 0xc5a261e9 +0, 122, 122, 1, 152064, 0xe5a266b4 0, 123, 123, 1, 152064, 0x943c5925 -0, 124, 124, 1, 152064, 0x259180b2 +0, 124, 124, 1, 152064, 0xe6138024 0, 125, 125, 1, 152064, 0x3acd4e1b -0, 126, 126, 1, 152064, 0x692090b4 +0, 126, 126, 1, 152064, 0x9de7903e 0, 127, 127, 1, 152064, 0xea1184d0 -0, 128, 128, 1, 152064, 0x3e0038d5 +0, 128, 128, 1, 152064, 0x9e323818 0, 129, 129, 1, 152064, 0xf77872a2 -0, 130, 130, 1, 152064, 0xe4cb7bb5 +0, 130, 130, 1, 152064, 0x8f7c75c7 0, 131, 131, 1, 152064, 0x9d6d2623 -0, 132, 132, 1, 152064, 0xb9056247 +0, 132, 132, 1, 152064, 0x3d8e62ab 0, 133, 133, 1, 152064, 0xcd8b3dc5 -0, 134, 134, 1, 152064, 0x13ea1b6d +0, 134, 134, 1, 152064, 0x57681ebc 0, 135, 135, 1, 152064, 0x764f3233 -0, 136, 136, 1, 152064, 0x54c00ba8 +0, 136, 136, 1, 152064, 0x8c8b0a4b 0, 137, 137, 1, 152064, 0x2d9aedac -0, 138, 138, 1, 152064, 0x1af00532 +0, 138, 138, 1, 152064, 0x0afe03ae 0, 139, 139, 1, 152064, 0xcecae31b 0, 140, 140, 1, 152064, 0x0e6ea17f 0, 141, 141, 1, 152064, 0x66b0b8c4 -0, 142, 142, 1, 152064, 0x0ee879bb +0, 142, 142, 1, 152064, 0xd44f7976 0, 143, 143, 1, 152064, 0xf7f029cc -0, 144, 144, 1, 152064, 0xdd5d08d6 +0, 144, 144, 1, 152064, 0xada307a9 0, 145, 145, 1, 152064, 0x936ae367 -0, 146, 146, 1, 152064, 0xf0f4aba0 +0, 146, 146, 1, 152064, 0xa019ad8a 0, 147, 147, 1, 152064, 0x5233a9e7 -0, 148, 148, 1, 152064, 0x02af732b +0, 148, 148, 1, 152064, 0x6fd5737f 0, 149, 149, 1, 152064, 0xb2eb2476 -0, 150, 150, 1, 152064, 0x998732b4 +0, 150, 150, 1, 152064, 0x36a53280 0, 151, 151, 1, 152064, 0xf025230f -0, 152, 152, 1, 152064, 0x474f3b12 +0, 152, 152, 1, 152064, 0x48373a3e 0, 153, 153, 1, 152064, 0xe4e950e2 -0, 154, 154, 1, 152064, 0xa3f87fb3 +0, 154, 154, 1, 152064, 0x63d37fc4 0, 155, 155, 1, 152064, 0x1e465fda -0, 156, 156, 1, 152064, 0x9e8caab2 +0, 156, 156, 1, 152064, 0xc47ea97e 0, 157, 157, 1, 152064, 0x0224aca7 -0, 158, 158, 1, 152064, 
0x24fcec49 +0, 158, 158, 1, 152064, 0x909dedcc 0, 159, 159, 1, 152064, 0x1c1df7ea -0, 160, 160, 1, 152064, 0xc466f68f +0, 160, 160, 1, 152064, 0x5e43f7f1 0, 161, 161, 1, 152064, 0xdb11d8fa -0, 162, 162, 1, 152064, 0xa0f61157 +0, 162, 162, 1, 152064, 0xa66710f5 0, 163, 163, 1, 152064, 0x352013b0 -0, 164, 164, 1, 152064, 0xc14243c7 +0, 164, 164, 1, 152064, 0xc8e745f1 0, 165, 165, 1, 152064, 0xb18b6810 -0, 166, 166, 1, 152064, 0x040942e6 +0, 166, 166, 1, 152064, 0xb1c243e2 0, 167, 167, 1, 152064, 0x6fe129f9 -0, 168, 168, 1, 152064, 0xc3d64c5f +0, 168, 168, 1, 152064, 0x92814bde 0, 169, 169, 1, 152064, 0x50954752 -0, 170, 170, 1, 152064, 0xa4d24c64 +0, 170, 170, 1, 152064, 0x48634df3 0, 171, 171, 1, 152064, 0x3af254c0 0, 172, 172, 1, 152064, 0x6fde4801 0, 173, 173, 1, 152064, 0xf8fe19b4 -0, 174, 174, 1, 152064, 0x97b34958 +0, 174, 174, 1, 152064, 0x57004906 0, 175, 175, 1, 152064, 0x916e2ff4 -0, 176, 176, 1, 152064, 0x60c528e2 +0, 176, 176, 1, 152064, 0xbc0d28f0 0, 177, 177, 1, 152064, 0x4522435e 0, 178, 178, 1, 152064, 0x861f5d1b 0, 179, 179, 1, 152064, 0x42c3bf28 -0, 180, 180, 1, 152064, 0x9772db11 +0, 180, 180, 1, 152064, 0xbd6adb19 0, 181, 181, 1, 152064, 0x0692f5b8 -0, 182, 182, 1, 152064, 0xb06b4aed +0, 182, 182, 1, 152064, 0x1e1e4bfb 0, 183, 183, 1, 152064, 0xdc852986 -0, 184, 184, 1, 152064, 0xa7a025fb +0, 184, 184, 1, 152064, 0x61c5259e 0, 185, 185, 1, 152064, 0xe28f365a -0, 186, 186, 1, 152064, 0xcbf3830e +0, 186, 186, 1, 152064, 0x19388308 0, 187, 187, 1, 152064, 0x043bace9 -0, 188, 188, 1, 152064, 0x5dd0b5df +0, 188, 188, 1, 152064, 0x4bebb678 0, 189, 189, 1, 152064, 0x6bd6d112 -0, 190, 190, 1, 152064, 0xa585ceb6 +0, 190, 190, 1, 152064, 0x3c9dc401 0, 191, 191, 1, 152064, 0x91e7556a -0, 192, 192, 1, 152064, 0x8f2a0404 +0, 192, 192, 1, 152064, 0xae60f7e7 0, 193, 193, 1, 152064, 0x14066893 -0, 194, 194, 1, 152064, 0x8f715862 +0, 194, 194, 1, 152064, 0x7f5a5f0a 0, 195, 195, 1, 152064, 0xb1063958 -0, 196, 196, 1, 152064, 0x014c40f0 +0, 196, 196, 1, 152064, 
0xadf13b9f 0, 197, 197, 1, 152064, 0x7ddcf94d -0, 198, 198, 1, 152064, 0x25473a22 +0, 198, 198, 1, 152064, 0x91393730 0, 199, 199, 1, 152064, 0xcd150536 -0, 200, 200, 1, 152064, 0x2d24d974 +0, 200, 200, 1, 152064, 0x52e0d7bd 0, 201, 201, 1, 152064, 0x9130b2ce -0, 202, 202, 1, 152064, 0x9450a62a +0, 202, 202, 1, 152064, 0xa07fa62a 0, 203, 203, 1, 152064, 0x7da258cd -0, 204, 204, 1, 152064, 0x6c2770de +0, 204, 204, 1, 152064, 0x984071a6 0, 205, 205, 1, 152064, 0xd5fa731a -0, 206, 206, 1, 152064, 0x93757c14 +0, 206, 206, 1, 152064, 0x593d7910 0, 207, 207, 1, 152064, 0x4b754c71 0, 208, 208, 1, 152064, 0x51544841 0, 209, 209, 1, 152064, 0xf466910e -0, 210, 210, 1, 152064, 0xe818c675 +0, 210, 210, 1, 152064, 0x6535c9c4 0, 211, 211, 1, 152064, 0x6d45b6d8 -0, 212, 212, 1, 152064, 0xa3de9aec +0, 212, 212, 1, 152064, 0xe77998a2 0, 213, 213, 1, 152064, 0x56023275 -0, 214, 214, 1, 152064, 0xa1af21cb +0, 214, 214, 1, 152064, 0x779b20cc 0, 215, 215, 1, 152064, 0x1ff1b05e -0, 216, 216, 1, 152064, 0x142ecbdb +0, 216, 216, 1, 152064, 0xb9e2c3f0 0, 217, 217, 1, 152064, 0xdfc6d541 -0, 218, 218, 1, 152064, 0x8d8f7a4c +0, 218, 218, 1, 152064, 0x301a7948 0, 219, 219, 1, 152064, 0x03d611ca -0, 220, 220, 1, 152064, 0x999e6d3f +0, 220, 220, 1, 152064, 0xe9426f2a 0, 221, 221, 1, 152064, 0x304c95df -0, 222, 222, 1, 152064, 0xbdcff306 +0, 222, 222, 1, 152064, 0x60e7f924 0, 223, 223, 1, 152064, 0x6408670c -0, 224, 224, 1, 152064, 0xa6d4d038 +0, 224, 224, 1, 152064, 0xbf09ca74 0, 225, 225, 1, 152064, 0xf2d13572 -0, 226, 226, 1, 152064, 0x2fa8b357 +0, 226, 226, 1, 152064, 0x90ccb47d 0, 227, 227, 1, 152064, 0x24bbd269 -0, 228, 228, 1, 152064, 0x23dd31f2 +0, 228, 228, 1, 152064, 0x7ae333dd 0, 229, 229, 1, 152064, 0x90913fe2 -0, 230, 230, 1, 152064, 0x855efbca +0, 230, 230, 1, 152064, 0xc994007c 0, 231, 231, 1, 152064, 0x45a123c0 -0, 232, 232, 1, 152064, 0xec465cb2 +0, 232, 232, 1, 152064, 0xa0335bbf 0, 233, 233, 1, 152064, 0x3e79c4e9 -0, 234, 234, 1, 152064, 0xaeac4476 +0, 234, 234, 1, 152064, 
0x05cf4479 0, 235, 235, 1, 152064, 0x2146392c -0, 236, 236, 1, 152064, 0x7a186239 +0, 236, 236, 1, 152064, 0x68ac5d0a 0, 237, 237, 1, 152064, 0x9d26fed8 -0, 238, 238, 1, 152064, 0x88f090ba +0, 238, 238, 1, 152064, 0x047c9082 0, 239, 239, 1, 152064, 0x518bd9f8 -0, 240, 240, 1, 152064, 0x70013bdd +0, 240, 240, 1, 152064, 0xfbd03b16 0, 241, 241, 1, 152064, 0x5317601a -0, 242, 242, 1, 152064, 0x97e91795 +0, 242, 242, 1, 152064, 0x450118c5 0, 243, 243, 1, 152064, 0x1058915b -0, 244, 244, 1, 152064, 0x3549ffeb +0, 244, 244, 1, 152064, 0x0a4a000a 0, 245, 245, 1, 152064, 0xa277707d -0, 246, 246, 1, 152064, 0xdcb6287d +0, 246, 246, 1, 152064, 0xc7cb29b2 0, 247, 247, 1, 152064, 0x371344fc -0, 248, 248, 1, 152064, 0xb7ea75c7 +0, 248, 248, 1, 152064, 0xbc9375a9 0, 249, 249, 1, 152064, 0x70c2fa2f -0, 250, 250, 1, 152064, 0x8dbec050 +0, 250, 250, 1, 152064, 0x41fbc057 0, 251, 251, 1, 152064, 0xc21a77fe -0, 252, 252, 1, 152064, 0xf7c7678e +0, 252, 252, 1, 152064, 0x51e06384 0, 253, 253, 1, 152064, 0xbee83fcb -0, 254, 254, 1, 152064, 0x6627efd7 +0, 254, 254, 1, 152064, 0xce2befdf 0, 255, 255, 1, 152064, 0x4f139865 -0, 256, 256, 1, 152064, 0x76fa5435 +0, 256, 256, 1, 152064, 0x4e0f5372 0, 257, 257, 1, 152064, 0xf0701fd6 -0, 258, 258, 1, 152064, 0x153e3763 +0, 258, 258, 1, 152064, 0x746c35f4 0, 259, 259, 1, 152064, 0xf5211469 -0, 260, 260, 1, 152064, 0xc19d24b8 +0, 260, 260, 1, 152064, 0xae8f1c2f 0, 261, 261, 1, 152064, 0xc2483a75 -0, 262, 262, 1, 152064, 0x67a149ee +0, 262, 262, 1, 152064, 0x2da24ae6 0, 263, 263, 1, 152064, 0x86f70e3a -0, 264, 264, 1, 152064, 0x281b166b +0, 264, 264, 1, 152064, 0x52b8172a 0, 265, 265, 1, 152064, 0xca810f3b -0, 266, 266, 1, 152064, 0x91c90741 +0, 266, 266, 1, 152064, 0x6d9504c4 0, 267, 267, 1, 152064, 0x4edcfbfa -0, 268, 268, 1, 152064, 0x0ca40c66 +0, 268, 268, 1, 152064, 0x292c0bfd 0, 269, 269, 1, 152064, 0xee998e3d 0, 270, 270, 1, 152064, 0xe4b6c1b2 0, 271, 271, 1, 152064, 0xbbe0a4cc -0, 272, 272, 1, 152064, 0xd080bcfd +0, 272, 272, 1, 152064, 
0xcd88bcf2 0, 273, 273, 1, 152064, 0x365df7c5 -0, 274, 274, 1, 152064, 0x934f071f +0, 274, 274, 1, 152064, 0x01cd06a4 0, 275, 275, 1, 152064, 0xcfaefeef -0, 276, 276, 1, 152064, 0xedd8263e +0, 276, 276, 1, 152064, 0xe615289d 0, 277, 277, 1, 152064, 0x1d5243de -0, 278, 278, 1, 152064, 0xc0d87e50 +0, 278, 278, 1, 152064, 0x7c397dfe 0, 279, 279, 1, 152064, 0xe25845b1 -0, 280, 280, 1, 152064, 0x47006123 +0, 280, 280, 1, 152064, 0x2d6a60a8 0, 281, 281, 1, 152064, 0xf1926203 -0, 282, 282, 1, 152064, 0x494b8b9c +0, 282, 282, 1, 152064, 0x634a88c9 0, 283, 283, 1, 152064, 0xc50aa1b7 -0, 284, 284, 1, 152064, 0xb82da5e2 +0, 284, 284, 1, 152064, 0x972fa713 0, 285, 285, 1, 152064, 0xa11cd0f6 -0, 286, 286, 1, 152064, 0x7ebff98d +0, 286, 286, 1, 152064, 0xbff8f90e 0, 287, 287, 1, 152064, 0x00902e76 -0, 288, 288, 1, 152064, 0xdee41ea2 +0, 288, 288, 1, 152064, 0x5cf31cb1 0, 289, 289, 1, 152064, 0x2b026058 -0, 290, 290, 1, 152064, 0xce81051f +0, 290, 290, 1, 152064, 0x258002cc 0, 291, 291, 1, 152064, 0x0d708815 -0, 292, 292, 1, 152064, 0xd7719e35 +0, 292, 292, 1, 152064, 0xe3809ce0 0, 293, 293, 1, 152064, 0xf0239467 -0, 294, 294, 1, 152064, 0x466d98b4 +0, 294, 294, 1, 152064, 0x6e71916a 0, 295, 295, 1, 152064, 0xc1fb36e1 -0, 296, 296, 1, 152064, 0x26bc139e +0, 296, 296, 1, 152064, 0xd47f07c9 0, 297, 297, 1, 152064, 0x7fd111ea -0, 298, 298, 1, 152064, 0xa39737cb +0, 298, 298, 1, 152064, 0xc4023a80 0, 299, 299, 1, 152064, 0x8f5851ba -0, 300, 300, 1, 152064, 0xa971f6e2 +0, 300, 300, 1, 152064, 0x9982f47b 0, 301, 301, 1, 152064, 0x0e5f6f80 -0, 302, 302, 1, 152064, 0xdb8b5e06 +0, 302, 302, 1, 152064, 0x49925e53 0, 303, 303, 1, 152064, 0xf6006bcc -0, 304, 304, 1, 152064, 0x060cd1a6 +0, 304, 304, 1, 152064, 0xd4b5d0f7 0, 305, 305, 1, 152064, 0x419ef0a4 -0, 306, 306, 1, 152064, 0xe79f0b93 +0, 306, 306, 1, 152064, 0x4e610934 0, 307, 307, 1, 152064, 0x1919e999 -0, 308, 308, 1, 152064, 0xacb715bc +0, 308, 308, 1, 152064, 0x3a750d80 0, 309, 309, 1, 152064, 0x16616075 -0, 310, 310, 1, 152064, 
0x09aa4f10 +0, 310, 310, 1, 152064, 0x3284519f 0, 311, 311, 1, 152064, 0x976cdd70 -0, 312, 312, 1, 152064, 0x4811dc21 +0, 312, 312, 1, 152064, 0x4ec5d1e3 0, 313, 313, 1, 152064, 0x30d31172 -0, 314, 314, 1, 152064, 0x2db60b70 +0, 314, 314, 1, 152064, 0xe33609b5 0, 315, 315, 1, 152064, 0x5377bb89 -0, 316, 316, 1, 152064, 0x6c20cab3 +0, 316, 316, 1, 152064, 0x5479cd3d 0, 317, 317, 1, 152064, 0x964dad60 -0, 318, 318, 1, 152064, 0x514df2c3 +0, 318, 318, 1, 152064, 0x3a7deaf4 0, 319, 319, 1, 152064, 0xced22332 -0, 320, 320, 1, 152064, 0x1c64bc82 +0, 320, 320, 1, 152064, 0x3b36b53f 0, 321, 321, 1, 152064, 0x10c38662 -0, 322, 322, 1, 152064, 0xe6c7ff46 +0, 322, 322, 1, 152064, 0x45d4fceb 0, 323, 323, 1, 152064, 0x359da948 -0, 324, 324, 1, 152064, 0x5a9458ee +0, 324, 324, 1, 152064, 0x60625190 0, 325, 325, 1, 152064, 0x1cda9888 -0, 326, 326, 1, 152064, 0xbd081682 +0, 326, 326, 1, 152064, 0x77ad1d8c 0, 327, 327, 1, 152064, 0x20f1510f -0, 328, 328, 1, 152064, 0x6bc261a9 +0, 328, 328, 1, 152064, 0xd11d52c6 0, 329, 329, 1, 152064, 0x9f0e5797 -0, 330, 330, 1, 152064, 0xd14ca712 +0, 330, 330, 1, 152064, 0x174ca55b 0, 331, 331, 1, 152064, 0x8df79054 -0, 332, 332, 1, 152064, 0x34efa950 +0, 332, 332, 1, 152064, 0x3844a495 0, 333, 333, 1, 152064, 0x268d9d12 -0, 334, 334, 1, 152064, 0xad91b2ed +0, 334, 334, 1, 152064, 0xf672b44f 0, 335, 335, 1, 152064, 0xe0ac87cf -0, 336, 336, 1, 152064, 0xba4cfd8e +0, 336, 336, 1, 152064, 0xbc99fd7d 0, 337, 337, 1, 152064, 0x876ef9e3 -0, 338, 338, 1, 152064, 0x45ab6684 +0, 338, 338, 1, 152064, 0xef8066f7 0, 339, 339, 1, 152064, 0x72a99564 -0, 340, 340, 1, 152064, 0xdfc8be01 +0, 340, 340, 1, 152064, 0x5921c088 0, 341, 341, 1, 152064, 0x3a6b9e74 -0, 342, 342, 1, 152064, 0xca1be9c6 +0, 342, 342, 1, 152064, 0xfb03e9b5 0, 343, 343, 1, 152064, 0xc351bfc6 -0, 344, 344, 1, 152064, 0xef30c978 +0, 344, 344, 1, 152064, 0x2faec717 0, 345, 345, 1, 152064, 0x062fc6f3 -0, 346, 346, 1, 152064, 0x8731a9ec +0, 346, 346, 1, 152064, 0xede7a97f 0, 347, 347, 1, 152064, 
0x19874144 0, 348, 348, 1, 152064, 0x929650eb 0, 349, 349, 1, 152064, 0x082557a1 -0, 350, 350, 1, 152064, 0xb80510ae +0, 350, 350, 1, 152064, 0x2b25104b From 55e6c6b5feb7e2a9110fab1dc06ced23360b14e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2018 18:49:07 +0100 Subject: [PATCH 557/818] avcodec/scpr: Fix reading a pixel before the first Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0fb33a82890753233225c61863fff1fcc9d970d4) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 78a6d5c0cd..694450abf0 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -679,6 +679,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { + if (by < 2) + return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; @@ -708,6 +710,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { + if (by < 2) + return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; From 65fc03589fb48ee1d24797ad3984199b01feec82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Feb 2018 02:14:49 +0100 Subject: [PATCH 558/818] avcodec/pafvideo: Check allocated frame size Fixes: OOM Fixes: 5549/clusterfuzz-testcase-minimized-5390553567985664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66acb630286cf1bf03bfbdab6c7c784ff20bde61) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 6980ae1b35..7c5861dfaf 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c 
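Review bot: The `by < 2` guard added at both `bx == 0` sites is the same unexplained bound twice, and the second hunk in this file repeats it verbatim. A comment tying `2` to the access it protects — `/* the bx == 0 path reads rows above via backstep; presumably two rows back, so the first two rows cannot be predicted — TODO confirm against the pixel access below */` — would make the bound traceable, and a small static helper or macro shared by both sites would keep them from drifting apart. decompress_p's body continues outside both hunks.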
@@ -78,6 +78,7 @@ static av_cold int paf_video_init(AVCodecContext *avctx) { PAFVideoDecContext *c = avctx->priv_data; int i; + int ret; c->width = avctx->width; c->height = avctx->height; @@ -90,6 +91,9 @@ static av_cold int paf_video_init(AVCodecContext *avctx) } avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = av_image_check_size2(avctx->width, FFALIGN(avctx->height, 256), avctx->max_pixels, avctx->pix_fmt, 0, avctx); + if (ret < 0) + return ret; c->pic = av_frame_alloc(); if (!c->pic) From 0df3ad79c7d8d8740693deedccf82e7c28bb60b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Feb 2018 04:17:16 +0100 Subject: [PATCH 559/818] avcodec/vp3: Check eob_run Fixes: out of array access Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552 Fixes: special case for theora (untested due to lack of sample) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b10cb39f8a..e46a9e6971 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); + if (!eob_run) + eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { From f03616d2a43833cad5bda2fdf6f605aa09aa89e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Feb 2018 22:24:58 +0100 Subject: [PATCH 560/818] avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc) 
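Review bot: `FFALIGN(avctx->height, 256)` in the new av_image_check_size2() call is the non-obvious part of the check and has no comment; a reader cannot tell from the hunk why the height is rounded up to 256 rather than validated as is. Add the reason at the call, e.g. `/* bound the buffer the decoder actually allocates: frames are sized with the height rounded up to 256 (see the allocation below) */`, with the allocation site outside this hunk confirmed before committing to that wording. paf_video_init continues outside both hunks.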
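Review bot: `if (!eob_run) eob_run = INT_MAX;` turns a zero run into an effectively unbounded one without saying why, and the commit message itself notes the Theora case is untested for lack of a sample. A comment is needed so the next maintainer does not revert it as a typo, e.g. `/* an explicit eob_run of 0 would presumably make no progress here; treat it as "all remaining blocks" and let the clamp below bound it — TODO confirm against the Theora spec */`, adjusted to what the clamp on the following lines actually does, since its body is outside the hunk. unpack_vlcs continues outside the hunk.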
Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d0162d1074..319a3809ea 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2670,8 +2670,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (startcode >= 0x120 && startcode <= 0x12F) { if (vol) { - av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); - return AVERROR_INVALIDDATA; + av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); + continue; } vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) From 76a886dae364c665ee83d3eac44e28062b687baa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Feb 2018 03:38:54 +0100 Subject: [PATCH 561/818] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() This fixes a hypothetical integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index e46a9e6971..bb4e554dde 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; - if (num_coeffs < 0) + if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficients at level %d\n", coeff_index); + return AVERROR_INVALIDDATA; + } if (eob_run > num_coeffs) { coeff_i = From e8fb74c0c9cd3bad7f990b8cf98b56ab54ae3a9c Mon Sep 17 00:00:00 2001 
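Review bot: The `continue` on a repeated VOL header skips the rest of that header without resynchronising here, so correctness depends on the enclosing loop re-scanning to the next start code, which is not visible in the hunk; please confirm it does. A comment on the `continue` — `/* keep the first VOL; the loop resyncs on the next start code */` — records that dependency. Since a stream that repeats its VOL header does so on every frame, consider demoting repeats after the first to AV_LOG_DEBUG so a long stream does not flood the log. ff_mpeg4_decode_picture_header continues outside the hunk.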
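Review bot: unpack_vlcs() now returns AVERROR_INVALIDDATA on a negative num_coeffs, so every call site must treat a negative return as an error rather than a count; none of the callers is in this hunk, so that is worth verifying in the same change. The added braces also close a multi-line `if` that was previously unbraced — good, but a short comment on how a negative count can reach this function would tell the reader whether the check is defensive or expected. unpack_vlcs continues outside the hunk.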
From: Xiaohan Wang Date: Sat, 3 Feb 2018 01:43:35 -0800 Subject: [PATCH 562/818] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values, e.g. dquant out of range, set the qscale to be a valid value before returning -1 and exiting the function. The qscale value can be used later e.g. in loop filter. BUG=806122 Signed-off-by: Michael Niedermayer (cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index cd2e97af7e..ffed204441 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1111,6 +1111,7 @@ decode_intra_mb: else sl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); + sl->qscale = max_qp; return -1; } } From 878fc42a906d13cd6a78b0820eed75f4fd8e26e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 00:32:30 +0100 Subject: [PATCH 563/818] avcodec/h264_cabac: Tighten allowed coeff_abs range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" Signed-off-by: Michael Niedermayer (cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 04b77f284f..1e05c04680 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
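Review bot: `sl->qscale = max_qp;` immediately before `return -1` looks like a dead store to anyone reading the function without the commit message, which is exactly the kind of line a later cleanup removes. Quote the rationale in code: `/* leave qscale in range: the loop filter may still read it after this macroblock is rejected */`. The unchanged `return -1` instead of an AVERROR code is pre-existing and consistent with the rest of the function, so it can stay. ff_h264_decode_mb_cavlc continues outside the hunk.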
@@ -1735,7 +1735,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while (get_cabac_bypass(CC) && j < 30) { \ + while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ From 519d48c861a91f3c458e37478d0e408aa608117c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 03:54:13 +0100 Subject: [PATCH 564/818] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392 Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8142b31fdb..53e43feb3a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -158,7 +158,7 @@ static av_always_inline av_const int64_t av_clip64_c(int64_t a, int64_t amin, in */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { - if (a&(~0xFF)) return (-a)>>31; + if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int a) */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { - if (a&(~0xFFFF)) return (-a)>>31; + if (a&(~0xFFFF)) return (~a)>>31; else return a; } From 659a23e89fbaf649f8984a9d5dfd5479e5a37386 Mon Sep 17 00:00:00 2001 
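Review bot: `j < 16+7` replaces one magic number with an arithmetic expression that is still unexplained; the split into 16 and 7 hints at a derivation but does not state it. Name the bound and comment its origin, e.g. `/* prefix length is bounded by the coefficient limits in H.264 8.5; a longer prefix cannot occur in a conforming stream */`, or hoist it into a `#define` shared with any other place the same limit applies. Because the bound changes which malformed streams are accepted, a FATE sample exercising a long prefix would be worth adding alongside. decode_cabac_residual_internal continues outside the hunk.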
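Review bot: The new `(~a)>>31` in av_clip_uint8_c() and av_clip_uint16_c() is correct — `~a` is negative exactly when a is above range and non-negative when a is below it — but it is as cryptic as the `(-a)>>31` it replaces, and still depends on right-shifting a negative int being an arithmetic shift. A comment at each site is enough: `/* ~a < 0 iff a is above range: the shift yields all-ones (saturate high) or zero (saturate low); unlike -a this cannot overflow for INT_MIN */`. If the project already assumes arithmetic right shift elsewhere, say so in the same comment so nobody reaches for a portable rewrite. The same note applies to both hunks in this file.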
From: Michael Niedermayer Date: Wed, 14 Feb 2018 13:01:46 +0100 Subject: [PATCH 565/818] avcodec/exr: Check remaining bits in last get code loop Fixes: runtime error: shift exponent -7 is negative Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index fe978805c5..b27132d6bb 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -574,7 +574,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; - if (pl.len) { + if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { From 2a85ead5a374f37bc52d716da9237f4e722dee58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 04:20:52 +0100 Subject: [PATCH 566/818] avcodec/vp8: Check for bitstream end before vp7_fade_frame() Fixes: Timeout Fixes: 5653/clusterfuzz-testcase-5497680018014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5bf601a8ef..fd036538e0 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
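Review bot: The strengthened condition `pl.len && lc >= pl.len` now sends a short code with fewer than pl.len bits remaining into the `else` branch, and the hunk does not show what that branch does with it; if it is the long-code path, it must also cope with lc being too small or the negative-shift problem merely moves. Please confirm that the else path rejects such input rather than consuming bits, and add `/* short code: take it only if the remaining bits cover its length */` above the `if`. huf_decode continues outside the hunk.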
@@ -606,6 +606,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) From 1a4f8de03d57490b6344ec2eeba3aa816cd1eb62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 04:20:53 +0100 Subject: [PATCH 567/818] avcodec/jpeg2000dec: Use av_image_check_size2() Fixes: OOM Fixes: 5733/clusterfuzz-testcase-minimized-4906757966004224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01370b31aced784593f2bc0836f4ba6fd8e7f6b3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f1abc9a5ef..404cf06ddc 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -282,7 +282,7 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } - if (av_image_check_size(s->width, s->height, 0, s->avctx)) { + if (av_image_check_size2(s->width, s->height, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx)) { avpriv_request_sample(s->avctx, "Large Dimensions"); return AVERROR_PATCHWELCOME; } From 37cd7f3375302b2c8e35946a53db13a8bd123b8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:42:34 +0100 Subject: [PATCH 568/818] avcodec/hevcdec: Check luma/chroma_log2_weight_denom Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int' Fixes: 5888/clusterfuzz-testcase-minimized-5634701067812864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
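Review bot: The added guard `c->end <= c->buffer && c->bits >= 0` reaches into the range coder's private fields from vp7_decode_frame_header, and nothing explains what the two conditions together mean. A small inline helper on the coder (`vpX_rac_is_end(c)` or similar) or at minimum a comment, `/* range coder has consumed all input: header is truncated, do not run the fade loop */`, would keep the decoder from depending on the coder's internals at each such check. The function starts and ends outside the hunk, so whether the same condition is needed at other `vp8_rac_get` sites cannot be judged here.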
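Review bot: After switching to av_image_check_size2 with `s->avctx->max_pixels`, a rejection can now come from the user-configured pixel limit, yet the branch still reports it with `avpriv_request_sample(..., "Large Dimensions")` and `AVERROR_PATCHWELCOME`, asking for a sample for what is a deliberate limit hit. I believe av_image_check_size2 already logs the offending size, so the body could simply `return AVERROR_INVALIDDATA;`, or keep the request_sample only for sizes above the built-in bound rather than above max_pixels. get_siz continues outside the hunk.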
Signed-off-by: Michael Niedermayer (cherry picked from commit f82dd4c09b2decb033f1e339d4be81efd38554f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 5579a4df43..db0bebfa49 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -149,12 +149,18 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) int luma_log2_weight_denom; luma_log2_weight_denom = get_ue_golomb_long(gb); - if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) + if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) { av_log(s->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is invalid\n", luma_log2_weight_denom); + return AVERROR_INVALIDDATA; + } s->sh.luma_log2_weight_denom = av_clip_uintp2(luma_log2_weight_denom, 3); if (s->ps.sps->chroma_format_idc != 0) { - int delta = get_se_golomb(gb); - s->sh.chroma_log2_weight_denom = av_clip_uintp2(s->sh.luma_log2_weight_denom + delta, 3); + int64_t chroma_log2_weight_denom = luma_log2_weight_denom + (int64_t)get_se_golomb(gb); + if (chroma_log2_weight_denom < 0 || chroma_log2_weight_denom > 7) { + av_log(s->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %"PRId64" is invalid\n", chroma_log2_weight_denom); + return AVERROR_INVALIDDATA; + } + s->sh.chroma_log2_weight_denom = chroma_log2_weight_denom; } for (i = 0; i < s->sh.nb_refs[L0]; i++) { From 93a16aebf2ac0b29956bd831417e4dbc2477dacf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:47:09 +0100 Subject: [PATCH 569/818] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112 Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
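Review bot: `s->sh.luma_log2_weight_denom = av_clip_uintp2(luma_log2_weight_denom, 3);` is now dead clamping: the new `return AVERROR_INVALIDDATA` just above guarantees the value is already in 0..7, so the clip only hides that the check is what enforces the range. Assign it directly, `s->sh.luma_log2_weight_denom = luma_log2_weight_denom;`, mirroring what the new chroma path does. The `%"PRId64"` format also needs `<inttypes.h>` in scope, which the hunk does not show; pred_weight_table continues outside the hunk.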
Signed-off-by: Michael Niedermayer (cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e68cc4d530..8c25c1f822 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } @@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } From af5c12c0290b6269d178dcded041f2201a8532b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:27:16 +0100 Subject: [PATCH 570/818] avcodec/dxtory: Remove code that corrupts dimensions Fixes: Timeout Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376 Does someone have a valid sample that triggers this path ? Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
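Review bot: `((int)(tmp[x] + 1U))>>1` trades the signed-overflow UB for two pieces of implementation-defined behaviour: converting an unsigned value above INT_MAX back to int, and right-shifting a negative int, both of which give the intended result only on two's-complement targets with arithmetic shifts. That is the convention throughout this codebase, but these two identical loops (dd97i and dd137i) are a good place to state it once, e.g. `/* add as unsigned so overflow wraps instead of being UB; the cast back and >> rely on two's-complement arithmetic shift */`. Both enclosing functions start outside the hunk.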
diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index e736cec8db..285ca38efb 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic, } if (avctx->height - line) { - av_log(avctx, AV_LOG_VERBOSE, - "Not enough slice data available, " - "cropping the frame by %d pixels\n", - avctx->height - line); - avctx->height = line; + avpriv_request_sample(avctx, "Not enough slice data available"); } return 0; From 205689ae8a5e00ce2d39e9559252c020cb784e56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 23:54:44 +0100 Subject: [PATCH 571/818] avcodec/diracdec: Use int64 in global mv to prevent overflow Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int' Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9df70c3f7a..3b5eb16d87 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1399,8 +1399,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 1a387f1ce6ec8a8b57849adac5ffbb53c1d07c83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 00:11:33 +0100 Subject: [PATCH 572/818] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
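Review bot: Replacing the crop with `avpriv_request_sample` leaves dxtory_decode_v2 returning 0 while rows `line..avctx->height-1` of `pic` were apparently never written, so a frame with short slice data is reported as fully decoded with whatever the frame buffer already held. Either return `AVERROR_INVALIDDATA;` here, or, if partial output is wanted, fill the remaining rows before returning and keep the request_sample for visibility. The function starts outside the hunk, so whether the frame buffer is zeroed on allocation cannot be confirmed here.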
Signed-off-by: Michael Niedermayer (cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index e4aa2e4a3d..8092297b8c 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t) t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT; } -static void sr_1d53(int *p, int i0, int i1) +static void sr_1d53(unsigned *p, int i0, int i1) { int i; if (i1 <= i0 + 1) { if (i0 == 1) - p[1] >>= 1; + p[1] = (int)p[1] >> 1; return; } extend53(p, i0, i1); for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++) - p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; + p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; for (i = (i0 >> 1); i < (i1 >> 1); i++) - p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1; + p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1; } static void dwt_decode53(DWTContext *s, int *t) From b172815c3c9bb7dcaa88e388418bbbefd5aa978e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 16:55:52 +0100 Subject: [PATCH 573/818] avcodec/aacdec_templat: Fix integer overflow in apply_ltp() Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int' Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 6a93aed2e8..659b6e5a31 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c 
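Review bot: Changing the signature to `sr_1d53(unsigned *p, ...)` while `extend53(p, i0, i1)` and the caller in dwt_decode53 (whose context shows `int *t`) are untouched leaves signed/unsigned pointer mismatches at every call site, which presumably compile only because the build silences pointer-sign warnings. That should be made explicit rather than left implicit, e.g. `/* p holds int32 samples; taken as unsigned so the lifting adds wrap instead of overflowing — callers pass int* */`, and the `(int)` casts back rely on two's-complement conversion and arithmetic shift, which the same comment can mention. The callers are outside the hunk, so whether any of them was updated cannot be confirmed here.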
@@ -2522,7 +2522,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce) for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++) if (ltp->used[sfb]) for (i = offsets[sfb]; i < offsets[sfb + 1]; i++) - sce->coeffs[i] += predFreq[i]; + sce->coeffs[i] += (UINTFLOAT)predFreq[i]; } } From 4018d8586ffe1fc8d5f7f28df6c010c748d3fb75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 17:12:28 +0100 Subject: [PATCH 574/818] avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() Fixes: 6037/clusterfuzz-testcase-minimized-5030249784934400 Fixes: signed integer overflow: 256 * 16992036 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 85c85fffff3f9c75301db3eba1bd5f2fb1e6285d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index a7c71d9bbb..dfc57076d1 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -82,8 +82,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb); pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb); if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] || - (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) + (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) { + pwt->chroma_weight[i][list][j][0] = chroma_def; + pwt->chroma_weight[i][list][j][1] = 0; goto out_range_weight; + } if (pwt->chroma_weight[i][list][j][0] != chroma_def || pwt->chroma_weight[i][list][j][1] != 0) { pwt->use_weight_chroma = 1; From b9d5b1f05dadf6ab3062f59e7a2cbc482e655cb8 Mon Sep 17 00:00:00 2001 
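Review bot: The reset to `chroma_def`/0 before `goto out_range_weight` is applied only to the chroma weights; if the luma weights just above use the same int8 range check and goto (they are outside the hunk), they keep their out-of-range values and can hit the same multiplication overflow when the slice is decoded despite the error. Apply the same defaulting there, `pwt->luma_weight[i][list][0] = <luma default>; pwt->luma_weight[i][list][1] = 0;` before the goto, so the table is consistent whichever entry fails. ff_h264_pred_weight_table starts and ends outside the hunk.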
From: Michael Niedermayer Date: Sun, 18 Feb 2018 21:51:38 +0100 Subject: [PATCH 575/818] avcodec/diracdec: Fix integer overflow in mv computation Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int' Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 3b5eb16d87..fee2b7787c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1437,8 +1437,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock global_mv(s, block, x, y, i); } else { pred_mv(block, stride, x, y, i); - block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); - block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); } } } From f3562ee6fc847db3162fccfa98449ce21404608e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2018 23:11:01 +0100 Subject: [PATCH 576/818] avcodec/cavsdec: Check alpha/beta offset Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 2bcb42a6eb..79349b5005 100644 
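Review bot: The `(unsigned)` cast makes `block->u.mv[i][0/1] +=` wrap instead of overflowing, but the resulting vector is still unbounded and, after the implicit conversion back to int, can be far outside any plausible range. If the motion compensation that consumes these vectors clips or bounds them (outside the hunk), add `/* may wrap on corrupt input; mv is bounded before use in MC */` here, otherwise the value should be range-checked at this point rather than merely made well-defined. decode_block_params starts outside the hunk.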
--- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h) if (!h->loop_filter_disable && get_bits1(&h->gb)) { h->alpha_offset = get_se_golomb(&h->gb); h->beta_offset = get_se_golomb(&h->gb); + if ( h->alpha_offset < -64 || h->alpha_offset > 64 + || h-> beta_offset < -64 || h-> beta_offset > 64) { + h->alpha_offset = h->beta_offset = 0; + return AVERROR_INVALIDDATA; + } } else { h->alpha_offset = h->beta_offset = 0; } From bcc6d409283aebc114d674ace998016d04523ce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Feb 2018 03:40:02 +0100 Subject: [PATCH 577/818] avcodec/smc: Check input packet size Fixes: Timeout Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 79f9a757a0..3cb4834737 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -438,6 +438,10 @@ static int smc_decode_frame(AVCodecContext *avctx, int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); int ret; + int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + + if (total_blocks / 1024 > avpkt->size) + return AVERROR_INVALIDDATA; bytestream2_init(&s->gb, buf, buf_size); From bafb13dc0fd60f49f613bf4c52ce88b91176755c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Feb 2018 03:02:48 +0100 Subject: [PATCH 578/818] avcodec/utvideodec: Check subsample factors Fixes: Out of array read Fixes: heap_poc Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96) 
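Review bot: The accepted range `-64..64` for alpha_offset/beta_offset is a bare constant with no indication whether it is the bitstream's legal range or the size of whatever table the loop filter indexes with these offsets. Whichever it is, write it down on the check, e.g. `/* keep alpha/beta offsets inside the loop-filter table range */`, or give the bound a name, so the next edit to the filter tables does not silently desynchronise from it. decode_pic continues outside the hunk.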
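Review bot: `if (total_blocks / 1024 > avpkt->size)` encodes the assumption that one input byte can account for at most 1024 4x4 blocks, but nothing says where 1024 comes from, so a later change to the opcode handling could quietly invalidate the bound. Add the derivation as a comment, e.g. `/* every opcode byte covers at most N blocks (skip/repeat opcodes below); require at least one byte per 1024 blocks */` with N taken from the opcode table. The product `((w+3)/4) * ((h+3)/4)` is int arithmetic and only fits because the dimensions were bounded at init (presumably via av_image_check_size), which is worth stating too. smc_decode_frame continues outside the hunk.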
Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index fda5de0732..2cf9ce2855 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -28,6 +28,7 @@ #include #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -824,6 +825,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; + int h_shift, v_shift; c->avctx = avctx; @@ -920,6 +922,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift); + if ((avctx->width & ((1<height & ((1< Date: Mon, 26 Feb 2018 21:17:08 +0100 Subject: [PATCH 579/818] avcodec/bintext: sanity check dimensions Fixes: Timeout Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833) Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index 90bbe67b59..d967317671 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -35,6 +35,8 @@ #include "bintext.h" #include "internal.h" +#define FONT_WIDTH 8 + typedef struct XbinContext { AVFrame *frame; int palette[16]; @@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx) break; } } + if (avctx->width < FONT_WIDTH || avctx->height < s->font_height) + return AVERROR_INVALIDDATA; + s->frame = av_frame_alloc(); if (!s->frame) 
@@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx) } } -#define FONT_WIDTH 8 - /** * Draw character to screen */ From 4d45d5b606a11f6f401d7694df08e7e47989af32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Feb 2018 04:29:44 +0100 Subject: [PATCH 580/818] avcodec/exr: fix invalid shift in unpack_14() Fixes: 6154/clusterfuzz-testcase-minimized-5762231061970944 Fixes: runtime error: shift exponent 63 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49062a90174b6e4104876c0257dc673a0da854ca) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b27132d6bb..2481959a21 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -910,7 +910,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, static void unpack_14(const uint8_t b[14], uint16_t s[16]) { - unsigned short shift = (b[ 2] >> 2); + unsigned short shift = (b[ 2] >> 2) & 15; unsigned short bias = (0x20 << shift); int i; From c3e774784bac7930743d47cbd37e0e9f06fa6e30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Feb 2018 02:34:05 +0100 Subject: [PATCH 581/818] avcodec/g2meet: Check tile dimensions with av_image_check_size2() Fixes: OOM Fixes: 6216/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4983807968018432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3981fb8d2a03cdb3399590da8621a7bcc22e2964) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 10b6808f81..3b8b97ab41 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
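Review bot: `& 15` turns an out-of-range shift field into a different in-range one instead of rejecting it: a value of 16..63 in `b[2] >> 2` now decodes as a legal shift, and for shifts 11..15 `0x20 << shift` no longer fits `unsigned short bias`, which is silently truncated to 0. If the B44 format only permits shifts up to a fixed maximum (confirm against the reference implementation), prefer validating and failing the block — `if (shift > MAX_SHIFT) return AVERROR_INVALIDDATA;` with unpack_14 made to return int — or document that the mask is a deliberate clamp for corrupt input. unpack_14 continues outside the hunk.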
@@ -28,6 +28,7 @@ #include #include +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -1451,7 +1452,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(&bc); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || - c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 || + av_image_check_size2(c->tile_width, c->tile_height, avctx->max_pixels, avctx->pix_fmt, 0, avctx) < 0 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", From e908a595db8e254629cb1275fb9e17099dd2efab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Feb 2018 03:04:40 +0100 Subject: [PATCH 582/818] avcodec/truemotion2rt: Check input buffer size Fixes: Timeout Fixes: 6250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5479814011027456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b5c29b6c2ab00f8fb545475238a99f575b5d81d) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2rt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index d63918742d..9df0b527bb 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,6 +116,9 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) + return AVERROR_INVALIDDATA; + ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); if (ret < 0) return ret; From 6daa205cd3fe32dcf6eb61c8949fab33a3501498 Mon Sep 17 00:00:00 2001 
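Review bot: In `avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4` only the right-hand side is widened; the left is evaluated in int and relies on width*height having been bounded earlier (not visible here) to avoid overflowing before the comparison. Widening the first operand, `(int64_t)avctx->width / s->hscale * avctx->height * s->delta_size`, makes the check self-contained, and the `* 4` slack factor deserves a comment saying what it tolerates. truemotion2rt_decode_frame continues outside the hunk.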
From: Michael Niedermayer Date: Tue, 6 Mar 2018 18:14:12 +0100 Subject: [PATCH 583/818] libavformat/oggparsevorbis: Fix memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 65b1998a02..572e5169ca 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -230,6 +230,10 @@ static int fixup_vorbis_headers(AVFormatContext *as, len = priv->len[0] + priv->len[1] + priv->len[2]; buf_len = len + len / 255 + 64; + + if (*buf) + return AVERROR_INVALIDDATA; + ptr = *buf = av_realloc(NULL, buf_len); if (!ptr) return AVERROR(ENOMEM); From fef832c188c07245c7b9a44432a89f49a4c0d2ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Mar 2018 18:14:12 +0100 Subject: [PATCH 584/818] avformat/oggdec: Fix metadata memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit da069e9c68ec1a54e618940dcb9ebae9bf179a32) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 193a286e43..6a05278b52 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -128,7 +128,10 @@ static int ogg_restore(AVFormatContext *s) ogg->state = ost->next; for (i = 0; i < ogg->nstreams; i++) { - av_freep(&ogg->streams[i].buf); + struct ogg_stream *stream = &ogg->streams[i]; + av_freep(&stream->buf); + av_freep(&stream->new_metadata); + if (i >= ost->nstreams || !ost->streams[i].private) { free_stream(s, i); } From e89d8ed7cb3fc0dd1e108a5919b2c6f4f454fe60 Mon Sep 17 00:00:00 2001 
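Review bot: `if (*buf) return AVERROR_INVALIDDATA;` treats a second pass through fixup_vorbis_headers as corrupt input, which plugs the leak of the earlier buffer but also rejects streams that repeat their headers; whether that is acceptable depends on what the caller does with this error, which is outside the hunk. Either way the line needs a comment so nobody "fixes" it back into a realloc, e.g. `/* headers already assembled for this stream: a second set is a duplicate, not a reason to rebuild */`. fixup_vorbis_headers starts outside the hunk.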
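Review bot: `av_freep(&stream->new_metadata);` in ogg_restore frees the pending metadata buffer, but if the stream also records its length in a companion field (a `new_metadata_size` or similar is not visible in the hunk), that count is left stale after the free. Reset it alongside the pointer so a consumer that tests the size rather than the pointer cannot act on a freed buffer; if no such field exists, a comment `/* new_metadata is pointer-owned only */` settles the question. ogg_restore continues outside the hunk.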
From: Michael Niedermayer Date: Wed, 7 Mar 2018 00:10:11 +0100 Subject: [PATCH 585/818] avformat/utils: Fix integer overflow of fps_first/last_dts Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long' Fixes: Chromium bug 796778 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2c622d2c56..2053c3f755 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3622,7 +3622,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && (pkt->dts - st->info->fps_last_dts) / 1000 > - (st->info->fps_last_dts - st->info->fps_first_dts) / + (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, "DTS discontinuity in stream %d: packet %d with DTS " From 42bd425205f464e95b2bfc1def239ee31e2becfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 586/818] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE Fixes: Chromium bug 795653 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0) Signed-off-by: Michael Niedermayer --- libavformat/oggparsetheora.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index b14f9f0669..b0c0edc7a5 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c 
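Review bot: Casting `fps_first_dts` to `uint64_t` makes the whole right-hand side unsigned, and `>` then converts the left-hand `(pkt->dts - fps_last_dts) / 1000` to uint64_t as well: a negative left side (DTS going backwards) now compares as a huge value and trips the discontinuity branch, while a `fps_last_dts < fps_first_dts` ordering makes the right side huge and never trips it — both are behaviour changes, not just overflow hygiene. Keep the comparison signed by casting the difference back, `(int64_t)(st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)`. Note also that `pkt->dts - st->info->fps_last_dts` on the left is still signed arithmetic that can overflow for the same adversarial inputs. The enclosing function continues outside the hunk.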
@@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; + int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { @@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } - os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; + pts = theora_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration > 0) From 8cf7205a72f5a330781470a28485584f7d08054d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 22:40:50 +0100 Subject: [PATCH 587/818] avformat/avidec: Fix integer overflow in cum_len check Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long' Fixes: Chromium bug 791237 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ed043470f0..64a129af82 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -670,7 +670,7 @@ FF_ENABLE_DEPRECATION_WARNINGS st->start_time = 0; avio_rl32(pb); /* buffer size */ avio_rl32(pb); /* quality */ - if (ast->cum_len*ast->scale/ast->rate > 3600) { + if (ast->cum_len > 3600LL * ast->rate / ast->scale) { av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n"); ast->cum_len = 0; } From e0a08c833dd8fafa18f4f7133c2e81df22606ab5 Mon Sep 17 00:00:00 2001 
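Review bot: Rewriting the check as `ast->cum_len > 3600LL * ast->rate / ast->scale` moves the division from `rate` to `scale`, so it divides by zero if `scale` can still be 0 at this point; the earlier strh parsing presumably normalises a zero scale/rate pair, but that is not visible here. Either state the precondition, `/* scale is non-zero: fixed up when strh was parsed */`, or guard it with `ast->scale &&`. The magic 3600 is a one-hour start-time threshold and is worth naming too. The enclosing function continues outside the hunk.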
From: Michael Niedermayer Date: Thu, 8 Mar 2018 23:14:04 +0100 Subject: [PATCH 588/818] avformat/oggparseogm: Fix undefined shift in ogm_packet() Fixes: shift exponent 48 is too large for 32-bit type 'int' Fixes: Chromium bug 786793 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index e7a501b5a7..4d09d174b8 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -181,7 +181,7 @@ ogm_packet(AVFormatContext *s, int idx) os->psize -= lb + 1; while (lb--) - os->pduration += p[lb+1] << (lb*8); + os->pduration += (uint64_t)p[lb+1] << (lb*8); return 0; } From e61cdbe27167434b87ff814769b54178c5a3d2a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Mar 2018 01:05:20 +0100 Subject: [PATCH 589/818] avformat/oggparseogm: Check lb against psize No testcase, this was found during code review Found-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 4d09d174b8..03499486f7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -177,6 +177,9 @@ ogm_packet(AVFormatContext *s, int idx) os->pflags |= AV_PKT_FLAG_KEY; lb = ((*p & 2) << 1) | ((*p >> 6) & 3); + if (os->psize < lb + 1) + return AVERROR_INVALIDDATA; + os->pstart += lb + 1; os->psize -= lb + 1; From 3a29fda42ab7da12102d8990859554abfe13996a Mon Sep 17 00:00:00 2001 
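Review bot: The bound check `if (os->psize < lb + 1)` is placed after `*p` has already been read twice (for the key flag and for `lb`), so a packet with `psize == 0` still dereferences its first byte before being rejected; whether that byte is inside the page buffer depends on allocation slack the hunk does not show. Check `os->psize >= 1` before the first `*p` read, or move this check above the `pflags` line, so the header byte is read only once the packet is known to contain it. ogm_packet starts outside the hunk.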
From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 590/818] avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE Fixes: potential signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedaala.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index a373b41b4c..e944470aca 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -218,6 +218,7 @@ static int daala_packet(AVFormatContext *s, int idx) int seg, duration = 1; struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; + int64_t pts; /* * first packet handling: here we parse the duration of each packet in the @@ -230,7 +231,10 @@ static int daala_packet(AVFormatContext *s, int idx) if (os->segments[seg] < 255) duration++; - os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; + pts = daala_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration != AV_NOPTS_VALUE) From edfe9ae63b191ea435f23628904094fdba3f1364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Mar 2018 16:43:29 +0100 Subject: [PATCH 591/818] avformat/mov: Fix integer overflows related to sample_duration Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
diff --git a/libavformat/mov.c b/libavformat/mov.c index f2eb22eb3d..5381dbb704 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2672,14 +2672,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; - duration+=(int64_t)sample_duration*sample_count; + duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; - sc->duration_for_fps += duration; - sc->nb_frames_for_fps += total_sample_count; + if (duration > 0 && + duration <= INT64_MAX - sc->duration_for_fps && + total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += duration; + sc->nb_frames_for_fps += total_sample_count; + } if (pb->eof_reached) return AVERROR_EOF; @@ -4340,8 +4345,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; - sc->duration_for_fps += sample_duration; - sc->nb_frames_for_fps ++; + + if (sample_duration <= INT64_MAX - sc->duration_for_fps && + 1 <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += sample_duration; + sc->nb_frames_for_fps ++; + } } if (pb->eof_reached) From 02bf1c617cdd34a80a290963c23f92a7e01630dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Mar 2018 00:13:57 +0100 Subject: [PATCH 592/818] avcodec/wmalosslessdec: Reset num_saved_bits on error path Fixes: NULL pointer dereference Fixes: poc-201803.wav Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 133a3e92d1..59e8929586 100644 --- a/libavcodec/wmalosslessdec.c 
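Review bot: `duration+=(int64_t)sample_duration*(uint64_t)sample_count;` silences the overflow report but makes the accumulation wrap modulo 2^64: two 32-bit fields can multiply to more than INT64_MAX, and repeated additions can wrap back to a positive value that then passes the new `duration > 0` guard and is folded into `duration_for_fps`. A per-entry early-out makes the later guard meaningful, e.g. `if (sample_duration && sample_count > (INT64_MAX - duration) / sample_duration) { duration = INT64_MAX; break; }` placed before the add. The `duration <= INT64_MAX - sc->duration_for_fps` test is itself only safe while `duration_for_fps` stays non-negative, which the guard maintains here and the trun hunk's unsigned `sample_duration` maintains there — worth a one-line comment at the field. mov_read_stts continues outside the hunk.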
+++ b/libavcodec/wmalosslessdec.c @@ -1148,6 +1148,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > s->max_frame_size) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; + s->num_saved_bits = 0; return; } From 719b9b673cfb723234c614a4ff8cfad7c0c4499a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 593/818] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ad6c029e50..8d806dbbff 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe, ret; int size_change = 0; + int minsize = 0; int result, init_frame = !avctx->frame_number; enum { NUV_UNCOMPRESSED = '0', @@ -206,6 +207,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, keyframe = 1; break; } + switch (comptype) { + case NUV_UNCOMPRESSED: + minsize = c->width * c->height * 3 / 2; + break; + case NUV_RTJPEG: + minsize = c->width/16 * (c->height/16) * 6; + break; + } + if (buf_size < minsize / 4) + return AVERROR_INVALIDDATA; retry: // Skip the rest of the frame header. buf = &buf[12]; From 5b586f0bc87dc1c19bc722ea7386d670c33eeb71 Mon Sep 17 00:00:00 2001 
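Review bot: `c->width * c->height * 3 / 2` and `c->width/16 * (c->height/16) * 6` are evaluated in int; unless the dimensions are bounded earlier (not visible here), the products can overflow for large frames and `buf_size < minsize / 4` then admits an undersized packet. Computing `minsize` as `int64_t` removes the question. The `/ 4` tolerance and the `switch` without a `default:` are undocumented; a comment such as `// reject packets far below what a frame of this type needs; other comptypes are not size-checked here` would record the intent. decode_frame() continues outside the hunk.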
From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 594/818] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 8d806dbbff..32ed65899b 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: keyframe = !buf[2]; + if (c->width < 16 || c->height < 16) { + return AVERROR_INVALIDDATA; + } break; case NUV_COPY_LAST: keyframe = 0; From a89b45b492dd3c82d9aab1d67dac21bf56bcf43d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Mar 2018 19:53:36 +0100 Subject: [PATCH 595/818] avformat/mov: Check STSC and remove invalid entries Fixes assertion failure Fixes: crbug 822547, crbug 822666 and crbug 823009 Affects: aark15sd_9A62E2FA.mp4 Found-by: ClusterFuzz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5381dbb704..6124b0b573 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
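Review bot: The new `c->width < 16 || c->height < 16` rejection encodes a property of the RTJPEG codec that the code itself does not state; add `/* RTJPEG decodes whole 16x16 blocks; smaller frames yield no pixels */` above the check so the constant is not read as an arbitrary limit. The check runs before the size_change handling later in decode_frame(), outside the hunk, so confirm that the dimensions compared here are the ones the frame is actually decoded with.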
@@ -2433,6 +2433,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; + for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || + (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || + sc->stsc_data[i].first < 1 || + sc->stsc_data[i].count < 1 || + sc->stsc_data[i].id < 1) { + av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); + if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) + return AVERROR_INVALIDDATA; + // We replace this entry by the next valid + sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; + sc->stsc_data[i].count = sc->stsc_data[i+1].count; + sc->stsc_data[i].id = sc->stsc_data[i+1].id; + } + } if (pb->eof_reached) return AVERROR_EOF; @@ -3737,6 +3752,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); + return AVERROR_INVALIDDATA; + } fix_timescale(c, sc); From 899d40c17fefe7f7a0ba7f7a95ae61be81b6d0ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2018 01:38:53 +0100 Subject: [PATCH 596/818] avcodec/get_bits: Make sure the input bitstream with padding can be addressed Signed-off-by: Michael Niedermayer (cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0c7f5ff0c6..d7cf286378 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h 
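Review bot: The warning in mov_read_stsc() prints `i` with `%d` although the loop condition `i < UINT_MAX` shows `i` is unsigned; `%u` keeps the format consistent with the type (and `first`/`count`/`id` should match their declared types, which are outside the hunk). The countdown loop that terminates by unsigned wrap deserves a comment, e.g. `// walk backwards; i wraps to UINT_MAX after index 0`. The repair step copies the next entry's values into the invalid one, so it is only sound because the downward order has already validated entry i+1 — worth stating in the existing `// We replace this entry by the next valid` comment. mov_read_stsc() starts before the hunk.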
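Review bot: The new error message in mov_read_trak() misspells `contradictionary`; `"stream %d, contradictory STSC and STCO\n"` is the intended word. The check itself compares the last STSC `first` chunk against `sc->chunk_count`, which is what the message describes. mov_read_trak() continues outside the hunk.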
@@ -32,6 +32,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/avassert.h" +#include "avcodec.h" #include "mathops.h" #include "vlc.h" @@ -428,7 +429,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) { + if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) { bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 8a89cce372884c38c6f22eede59c43f486b83394 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2018 21:36:22 +0100 Subject: [PATCH 597/818] avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit eb60b9d3aaaa42265fb1960be6fff6383cfdbf37) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6124b0b573..b60f8f0eac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2970,7 +2970,7 @@ static int64_t add_ctts_entry(MOVStts** ctts_data, unsigned int* ctts_count, uns FFMAX(min_size_needed, 2 * (*allocated_size)) : min_size_needed; - if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts)) + if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1) return -1; ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size); From 769cb8973817674c65542efed68aadacb867828b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Mar 2018 01:07:24 +0200 Subject: [PATCH 598/818] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables Found-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48) Signed-off-by: Michael Niedermayer --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) 
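Review bot: Pulling `avcodec.h` into get_bits.h only to read `AV_INPUT_BUFFER_PADDING_SIZE` couples a low-level header to the public API header and affects every file that includes get_bits.h; the later patch on this page (avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables) shows the breakage this caused. If the constant can live in a lighter header, include that instead. In the init_get_bits() hunk a short comment on the new bound, e.g. `// leave room so reads that run into the padding after the buffer stay addressable`, would explain the FFMAX.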
diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 675251a836..3004be3f9c 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -35,6 +35,7 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" From d79b274acc3a608358c0cd1ffe8ebd92bf108480 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Mar 2018 01:51:28 +0100 Subject: [PATCH 599/818] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() Fixes: 2018_03_23_poc.wav Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 59e8929586..eb1db615ae 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1256,7 +1256,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0); - s->packet_done = !decode_frame(s); + + if (!s->packet_loss) + s->packet_done = !decode_frame(s); } else if (!s->len_prefix && s->num_saved_bits > get_bits_count(&s->gb)) { /* when the frames do not have a length prefix, we don't know the From 15d4dc0da1e9f2450b5f9e748e1704fc0e6ef3a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Mar 2018 03:10:43 +0200 Subject: [PATCH 600/818] avcodec/utvideodec: Set pro flag based on fourcc This avoids mixing 8bit variants with pro and 10bit with non pro mode. Fixes: out of array read Fixes: poc_03_30.avi Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol 
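Review bot: With the new `if (!s->packet_loss)` guard, `s->packet_done` keeps its previous value when save_bits() flagged a loss, so the caller's loop (outside the hunk) relies on packet_loss being handled elsewhere to make progress; confirm the loss path cannot leave packet_done at 0 and the loop spinning. A comment such as `// save_bits() may flag packet_loss; do not decode a frame whose bits were not saved` would record why the call is skipped. decode_packet() continues outside the hunk.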
Signed-off-by: Michael Niedermayer (cherry picked from commit 47b7c68ae54560e2308bdb6be4fb076c73b93081) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 64 +++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 2cf9ce2855..50dede6de3 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -832,37 +832,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_bswapdsp_init(&c->bdsp); ff_llviddsp_init(&c->llviddsp); - if (avctx->extradata_size >= 16) { - av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); - av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); - c->frame_info_size = AV_RL32(avctx->extradata + 8); - c->flags = AV_RL32(avctx->extradata + 12); - - if (c->frame_info_size != 4) - avpriv_request_sample(avctx, "Frame info not 4 bytes"); - av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); - c->slices = (c->flags >> 24) + 1; - c->compression = c->flags & 1; - c->interlaced = c->flags & 0x800; - } else if (avctx->extradata_size == 8) { - av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); - av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); - c->interlaced = 0; - c->pro = 1; - c->frame_info_size = 4; - } else { - av_log(avctx, AV_LOG_ERROR, - "Insufficient extradata size %d, should be at least 16\n", - avctx->extradata_size); - return AVERROR_INVALIDDATA; - } - c->slice_bits_size = 0; switch (avctx->codec_tag) { 
@@ -891,14 +860,17 @@ static av_cold int decode_init(AVCodecContext *avctx) break; case MKTAG('U', 'Q', 'Y', '2'): c->planes = 3; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_YUV422P10; break; case MKTAG('U', 'Q', 'R', 'G'): c->planes = 3; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRP10; break; case MKTAG('U', 'Q', 'R', 'A'): c->planes = 4; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRAP10; break; case MKTAG('U', 'L', 'H', '0'): @@ -929,6 +901,36 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + if (!c->pro && avctx->extradata_size >= 16) { + av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); + av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); + c->frame_info_size = AV_RL32(avctx->extradata + 8); + c->flags = AV_RL32(avctx->extradata + 12); + + if (c->frame_info_size != 4) + avpriv_request_sample(avctx, "Frame info not 4 bytes"); + av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); + c->slices = (c->flags >> 24) + 1; + c->compression = c->flags & 1; + c->interlaced = c->flags & 0x800; + } else if (c->pro && avctx->extradata_size == 8) { + av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); + av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); + c->interlaced = 0; + c->frame_info_size = 4; + } else { + av_log(avctx, AV_LOG_ERROR, + "Insufficient extradata size %d, should be at least 16\n", + avctx->extradata_size); + return AVERROR_INVALIDDATA; + } + return 0; } From 49336482fd04541623e9418264644dd80640dbfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Mar 2018 02:16:31 +0200 Subject: [PATCH 601/818] avfilter/vf_signature: use av_strlcpy() Fixes: out of array access Found-by: Kira 
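Review bot: The final `else` in decode_init() now also fires when a pro fourcc arrives with 16 bytes of extradata or a non-pro one with 8, but the message still reads `Insufficient extradata size %d, should be at least 16`, which is wrong for both new cases; something like `"Unsupported extradata size %d for %s mode\n"` with `c->pro ? "pro" : "non-pro"` would match the new condition. The `c->pro = 1` assignments in the earlier switch assume `c->pro` starts at 0 — presumably the private context is zero-allocated, but that is outside the hunk. decode_init() starts before the hunk.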
Signed-off-by: Michael Niedermayer (cherry picked from commit 35eeff30caf34df835206f1c12bcf4b7c2bd6758) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 06b1b910d4..3b117e7735 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -573,7 +573,8 @@ static int export(AVFilterContext *ctx, StreamContext *sc, int input) /* error already handled */ av_assert0(av_get_frame_filename(filename, sizeof(filename), sic->filename, input) == 0); } else { - strcpy(filename, sic->filename); + if (av_strlcpy(filename, sic->filename, sizeof(filename)) >= sizeof(filename)) + return AVERROR(EINVAL); } if (sic->format == FORMAT_XML) { return xml_export(ctx, sc, filename); From 3f949b7a6461679204159eb7a9fbcd206484649b Mon Sep 17 00:00:00 2001 From: heimdallr Date: Sat, 31 Mar 2018 19:37:23 +0700 Subject: [PATCH 602/818] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() example: AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA }; int loss = 0; AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss); best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better. Signed-off-by: Michael Niedermayer (cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 1547f18966..7b0005b308 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c 
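Review bot: The truncation branch in export() returns `AVERROR(EINVAL)` without saying why, so a user with an over-long filename sees a bare invalid-argument error; log before returning, e.g. `av_log(ctx, AV_LOG_ERROR, "Filename too long\n");`. The other branch asserts that the frame-filename expansion succeeded, so the two paths now treat the same class of failure differently. export() continues outside the hunk.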
@@ -69,10 +69,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; + int loss; - for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) - best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); + for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { + loss = *loss_ptr; + best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); + } + *loss_ptr = loss; return best; } From 1d3c141af4f0fa693cf86d0d7a70265beace4cb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Mar 2018 00:05:04 +0100 Subject: [PATCH 603/818] avcodec/cscd: Error out when LZ* decompression fails Fixes: Timeout Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 9e1dec9d96..35c4ee08c3 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c 
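Review bot: `int loss;` is read at `*loss_ptr = loss;` even when `pix_fmt_list` is empty (the loop never runs), which stores an uninitialized value, and `loss = *loss_ptr` dereferences `loss_ptr` unconditionally where the old code merely passed it through — if callers may pass NULL, this is a new crash. `int loss = loss_ptr ? *loss_ptr : 0;` at the declaration and `if (loss_ptr) *loss_ptr = loss;` after the loop handle both cases.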
@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); + return AVERROR_INVALIDDATA; + } break; } case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); + return AVERROR_INVALIDDATA; + } break; #else av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n"); From ae2c159b87f2ee5c12c9403deadf3ccdeb2503c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Mar 2018 21:19:19 +0200 Subject: [PATCH 604/818] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() I was not able to reproduce this, this fix is based on just the fuzzer log. Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 6ba0e63325..b19a622403 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
@@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; - int *dest = target->ret; + unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; From 30c26bb78f6a7d347c05d0b175593e095ae312ea Mon Sep 17 00:00:00 2001 From: Hendrik Schreiber Date: Thu, 5 Apr 2018 13:58:37 +0200 Subject: [PATCH 605/818] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone. Signed-off-by: Hendrik Schreiber Signed-off-by: Michael Niedermayer (cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 74c96dce60..170f76bc56 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -678,7 +678,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) - s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); + s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); 
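Review bot: `unsigned int *dest = target->ret;` converts the pointer type implicitly; if `ret` is an `int` array (declared outside the hunk) this is a sign-mismatched pointer assignment that compilers accept only with a warning, and the intent — accumulate in unsigned so wraparound is defined — is invisible. An explicit cast with a comment, `unsigned int *dest = (unsigned int *)target->ret; // unsigned: wrap instead of signed-overflow UB`, states both. The sbr_hf_assemble() hunk further down (`unsigned *out = &Y1[i][kx][idx];`) has the same pattern.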
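Review bot: The removed `+ len1` is explained in the commit message only as having no logical reason; the code should say why the noise pointer is advanced by `off` alone, e.g. `// noise is advanced by the same byte offset as the data; off already covers the len1 samples done above`. This assumes `off` is `len1` scaled to bytes, which is computed outside the hunk; if so, adding a sample count on top of a byte offset is what pushed the read past the noise buffer. swr_convert_internal() starts before the hunk.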
From 23f13130f12a269b9b721cf233c3343ffc2ed3bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Apr 2018 20:01:07 +0200 Subject: [PATCH 606/818] libavcodec/rv34: error out earlier on missing references Fixes visual corruption on seeking Fixes: downloadTest_clip_24M.rmvb Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index d2d676a86d..d65ab41552 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,7 +1585,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte // Do no call ff_mpeg_update_thread_context on a partially initialized // decoder context. - if (!s1->linesize) + if (!s1->context_initialized) return 0; return ff_mpeg_update_thread_context(dst, src); @@ -1733,6 +1733,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if ((err = rv34_decoder_realloc(r)) < 0) return err; } + if (faulty_b) + return AVERROR_INVALIDDATA; s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I; if (ff_mpv_frame_start(s, s->avctx) < 0) return -1; @@ -1783,8 +1785,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, "multithreading mode (start MB is %d).\n", si.start); return AVERROR_INVALIDDATA; } - if (faulty_b) - return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); From 0e5946d5b247d0f9d59096629ccae3bf01b9d40d Mon Sep 17 00:00:00 2001 
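Review bot: Moving the `faulty_b` rejection ahead of `ff_mpv_frame_start()` is the substance of the fix but nothing in the code says so; a one-line comment at the new position, `// reject before frame_start so no half-initialised frame is left behind`, keeps a later refactor from moving it back. ff_rv34_decode_frame() starts before the hunk.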
From: Michael Niedermayer Date: Sat, 7 Apr 2018 21:55:06 +0200 Subject: [PATCH 607/818] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1 Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 0622d2ff7c..a25605800f 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -571,7 +571,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; - int *out = &Y1[i][kx][idx]; + unsigned *out = &Y1[i][kx][idx]; int shift; unsigned round; From c9452899db109d0fe2238d9162a8fd1b315b78c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Apr 2018 03:29:44 +0200 Subject: [PATCH 608/818] avcodec/movtextdec: Check style_start/end Limits based on 3GPP TS 26.245 V14.0.0 Fixes: Timeout Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Philip Langdale Signed-off-by: Michael Niedermayer (cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index fb5085c3e8..73e83f2f2c 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c 
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + + if ( m->s_temp->style_end < m->s_temp->style_start + || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { + av_freep(&m->s_temp); + mov_text_cleanup(m); + return AVERROR(ENOMEM); + } + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; From 9b1a4da668999c0bd4d78b370872b9448cf746c3 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Tue, 10 Apr 2018 13:59:25 -0700 Subject: [PATCH 609/818] lavc/libopusdec: Allow avcodec_open2 to call .close If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations. BUG=828526 Signed-off-by: Michael Niedermayer (cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081) Signed-off-by: Michael Niedermayer --- libavcodec/libopusdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index e6ca61a78f..806ca1863d 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; - opus_multistream_decoder_destroy(opus->dec); + if (opus->dec) { + opus_multistream_decoder_destroy(opus->dec); + opus->dec = NULL; + } return 0; } @@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, From 9b56e65e8c124cb2972295f8d80519c8409ab190 Mon Sep 17 00:00:00 2001 
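Review bot: The new range check in decode_styl() reports a malformed style box as `AVERROR(ENOMEM)`, which tells callers the decoder ran out of memory; the condition is bad input and should `return AVERROR_INVALIDDATA;`, ideally after an `av_log` naming the offending style_start/style_end. Freeing `m->s_temp` before `mov_text_cleanup(m)` is correct only if cleanup does not also free it — mov_text_cleanup() is outside the hunk, so confirm. decode_styl() continues outside the hunk.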
From: Michael Niedermayer Date: Fri, 6 Apr 2018 23:56:57 +0200 Subject: [PATCH 610/818] avformat/mov: Fix extradata memleak Fixes: crbug 822705 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 0a8133119ca5d087c7c7140d100406ff84c477ee) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b60f8f0eac..921db588ef 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2391,6 +2391,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) return mov_finalize_stsd_codec(c, pb, st, sc); fail: + if (sc->extradata) { + int j; + for (j = 0; j < sc->stsd_count; j++) + av_freep(&sc->extradata[j]); + } + av_freep(&sc->extradata); av_freep(&sc->extradata_size); return ret; From 41458534aa8890810b678bcdb4c1c04f38b72231 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2018 00:34:25 +0200 Subject: [PATCH 611/818] avcodec/h264_slice: Fix integer overflow with last_poc Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int' Fixes: crbug 823145 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8c02cd8ca097871dcd00cf8e08ce51660873f405) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d83ba000ce..4d24ac6d66 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
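Review bot: The fail path in mov_read_stsd() frees `sc->extradata[j]` for `j < sc->stsd_count`, so it depends on `stsd_count` being set before any entry is allocated and on unfilled slots being NULL (av_freep tolerates NULL); both are established outside the hunk and deserve a comment, e.g. `// extradata[] has stsd_count zero-initialised slots; free whatever was filled`. After the frees `sc->stsd_count` stays non-zero while the arrays are gone; if anything inspects it after this failure, reset it here as well.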
@@ -1297,7 +1297,7 @@ static int h264_select_output_frame(H264Context *h) } out_of_order = MAX_DELAYED_PIC_COUNT - i; if( cur->f->pict_type == AV_PICTURE_TYPE_B - || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) + || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - (int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) out_of_order = FFMAX(out_of_order, 1); if (out_of_order == MAX_DELAYED_PIC_COUNT) { av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, h->last_pocs[0]); From 6de499caed33f26cfce32f0ddd74b2a518f60402 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 16:12:15 +0200 Subject: [PATCH 612/818] avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 31c8fb422d..ab326b8e9a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -309,6 +309,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx)) return AVERROR_INVALIDDATA; + if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) + return AVERROR_INVALIDDATA; nb_components = get_bits(&s->gb, 8); if (nb_components <= 0 || 
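Review bot: The new bound in ff_mjpeg_decode_sof() rejects a frame whose 8x8 block count exceeds four times the packet size, i.e. fewer than 2 bits per block, but the constant `4LL` is unexplained; a comment like `// < 2 bits per 8x8 block cannot encode a picture; bail before allocating` documents the heuristic. The block product is computed in int; av_image_check_size() above presumably bounds width*height enough for `(width + 7) / 8 * ((height + 7) / 8)` to fit, but that limit is outside the hunk. `s->buf_size` is only set in ff_mjpeg_decode_frame() (next hunk), so other callers of decode_sof see 0 and skip the check — intended as a guard, but worth a comment at the new field in mjpegdec.h. ff_mjpeg_decode_sof() continues outside the hunk.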
@@ -2091,6 +2093,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; + s->buf_size = buf_size; + av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index 024cedcb5a..0fa5a748a1 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; + int buf_size; int start_code; /* current start code */ int buffer_size; From 3e3704da0c71d5254b986300f610b0f0217f2023 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 24 Nov 2017 17:46:16 -0300 Subject: [PATCH 613/818] avformat/utils: fix mixed declarations and code Signed-off-by: James Almer (cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2053c3f755..0749151ee3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1732,10 +1732,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; - av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; + av_assert2(wrap_bits <= 64); while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { From 7af6fba1455afb19e12b19119665b97f4fd032dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Apr 2018 01:22:06 +0200 Subject: [PATCH 614/818] Update for 3.3.7 
Signed-off-by: Michael Niedermayer --- Changelog | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 105 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index cd95ddab50..24337668ed 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,109 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.7: +- avformat/utils: fix mixed declarations and code +- avcodec/mjpegdec: Check input buffer size. +- avcodec/h264_slice: Fix integer overflow with last_poc +- avformat/mov: Fix extradata memleak +- lavc/libopusdec: Allow avcodec_open2 to call .close +- avcodec/movtextdec: Check style_start/end +- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() +- libavcodec/rv34: error out earlier on missing references +- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. +- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() +- avcodec/cscd: Error out when LZ* decompression fails +- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() +- avfilter/vf_signature: use av_strlcpy() +- avcodec/utvideodec: Set pro flag based on fourcc +- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() +- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables +- avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() +- avcodec/get_bits: Make sure the input bitstream with padding can be addressed +- avformat/mov: Check STSC and remove invalid entries +- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it +- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg +- avcodec/wmalosslessdec: Reset num_saved_bits on error path +- avformat/mov: Fix integer overflows related to sample_duration +- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE +- avformat/oggparseogm: Check lb against psize +- avformat/oggparseogm: Fix undefined shift in ogm_packet() +- avformat/avidec: Fix integer overflow in cum_len check +- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE +- avformat/utils: Fix integer overflow of 
fps_first/last_dts +- avformat/oggdec: Fix metadata memleak on multiple headers +- libavformat/oggparsevorbis: Fix memleak on multiple headers +- avcodec/truemotion2rt: Check input buffer size +- avcodec/g2meet: Check tile dimensions with av_image_check_size2() +- avcodec/exr: fix invalid shift in unpack_14() +- avcodec/bintext: sanity check dimensions +- avcodec/utvideodec: Check subsample factors +- avcodec/smc: Check input packet size +- avcodec/cavsdec: Check alpha/beta offset +- avcodec/diracdec: Fix integer overflow in mv computation +- avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() +- avcodec/aacdec_templat: Fix integer overflow in apply_ltp() +- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() +- avcodec/diracdec: Use int64 in global mv to prevent overflow +- avcodec/dxtory: Remove code that corrupts dimensions +- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() +- avcodec/hevcdec: Check luma/chroma_log2_weight_denom +- avcodec/jpeg2000dec: Use av_image_check_size2() +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/pafvideo: Check allocated frame size +- avcodec/scpr: Fix reading a pixel before the first +- avcodec/mpeg2dec: Fix field selection for skipped macroblocks +- avcodec/huffyuvdec: Check input buffer size +- avcodec/utvideodec: Fix bytes left check in decode_frame() +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- avcodec/exr: Fix memleaks in decode_header() +- 
avcodec/dirac_dwt: Fix several integer overflows +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/hevc_ps: extract SPS fields required for hvcC construction +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return code of get_vlc2() +- avcodec/mpeg4videodec: Check mb_num also against 0 +- avfilter/vf_transpose: Fix used plane count. +- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() +- avcodec/mjpegdec: Fix integer overflow in DC dequantization +- avcodec/dxtory: Fix bits left checks +- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down +- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() +- avcodec/snowdec: Fix integer overflow before htaps check +- avcodec/ulti: Check number of blocks at init +- avcodec/jpeg2000: Check sum of sizes of band->prec before allocating +- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() +- avformat/lrcdec: Fix memory leak in lrc_read_header() +- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() +- configure: bump year +- avcodec/utils: Avoid hardcoding duplicated types in sizeof() +- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one +- avcodec/h264addpx_template: Fixes integer overflows +- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 +- avcodec/diracdec: Fix integer overflow with quant +- avcodec/opus_parser: Check payload_len in parse_opus_ts_header() +- avcodec/jpeg2000dsp: Fix integer overflows in ict_int() +- avcodec/h264_slice: Do not attempt to render into frames already output +- avcodec/dnxhddec: Check dc vlc +- avformat/hvcc: zero initialize the nal buffers past the last written byte +- swresample/rematrix: fix update of channel matrix if input or output layout is undefined +- configure: add support 
for libnpp* from cuda sdk 9 +- avcodec/nvenc: also clear data pointer after unregistering a resource +- avcodec/nvenc: add some more error case checks +- avcodec/nvenc: unregister input resource when unmapping +- avcodec/nvenc: refcount input frame mappings +- avformat/libssh: check the user provided a password before trying to use it + + version 3.3.6: - x264: Support version 153 - avcodec/exr: Check buf_size more completely diff --git a/RELEASE b/RELEASE index 9c25013dbb..86fb650440 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.6 +3.3.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4f2b3dc57f..655649c117 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.6 +PROJECT_NUMBER = 3.3.7 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 01645d59156733d80f6fe777814fbe665c6164ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Apr 2018 18:55:57 +0200 Subject: [PATCH 615/818] avformat/utils: Fix integer overflow in end time calculation in update_stream_timings() Fixes: crbug 829153 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit c48ceff786bdc96fdc64417118c457d03bd19871) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0749151ee3..6da5838dbc 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2608,7 +2608,7 @@ static void update_stream_timings(AVFormatContext *ic) else if (start_time > start_time_text) av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream starttime %f\n", start_time_text / (float)AV_TIME_BASE); - if (end_time == INT64_MIN || (end_time < end_time_text && end_time_text - end_time < AV_TIME_BASE)) { + if (end_time == INT64_MIN || (end_time < end_time_text && end_time_text - (uint64_t)end_time < AV_TIME_BASE)) { end_time = end_time_text; } else if (end_time < end_time_text) { av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream endtime %f\n", end_time_text / (float)AV_TIME_BASE); From d7bda29820f0f71b76857f364f9178220a36b535 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 22:24:03 +0200 Subject: [PATCH 616/818] avcodec/truemotion2: Propagate out of bounds error from GET_TOK() Fixes: Timeout Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 97c38f7f08..f7dbe047c7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -398,6 +399,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { 
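Review bot: The `(uint64_t)end_time` cast on the changed condition in update_stream_timings() turns the subtraction into modular arithmetic without saying why, and a later reader may well "fix" it back to signed. The result is exact only because the preceding `end_time < end_time_text` test guarantees the true difference is non-negative and below 2^64. I would add on the line above the `if`: `/* unsigned subtraction: end_time can be far below zero so the signed difference could overflow; the '<' test keeps the true difference non-negative and the modular result exact */`. update_stream_timings() starts and ends outside the hunk.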
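Review bot: The new `int error;` member added to TM2Context carries no comment although its contract is non-local: it is set in GET_TOK() when a token index reaches tok_lens[], checked once per block in tm2_decode_blocks(), and cleared only at the top of decode_frame(). Between the out-of-bounds read and that check GET_TOK() still returns 0, so the rest of the current block is decoded with zero tokens before the frame is rejected. I would document the field as `int error; ///< set by GET_TOK() on an out-of-bounds token read; sticky until decode_frame() clears it`. The struct definition continues outside the hunk.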
@@ -809,6 +811,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } @@ -889,6 +893,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From b8ef20becf92cec9736eacb4c8cb2e9abfea6a3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Apr 2018 19:50:52 +0200 Subject: [PATCH 617/818] avcodec/utils: Enforce minimum width also for VP5/6 Fixes: out of array access Fixes: poc_0411 Found-by: GwanYeong Kim Tested-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9064cb31d6..e60ff100bf 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -418,7 +418,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || + s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A + ) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; From d4b5ffeb57f28196c263fa228019aa6d2956476a Mon Sep 17 00:00:00 2001 
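Review bot: The comment above `*height += 2;` in avcodec_align_dimensions2() still explains only the H.264/lowres case ("some of the optimized chroma MC reads one line too much"), so the four VP5/VP6 codec IDs added to the condition look unmotivated in the code itself. The commit subject speaks of a minimum width, yet the only effect visible in the hunk is the height padding; presumably the width floor follows further down in the same block, outside the hunk. I would extend the comment with `// VP5/6 need the same padding and the minimum width below (out-of-array access otherwise)`. The enclosing `if` block and the function continue past the hunk.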
From: Michael Niedermayer Date: Fri, 13 Apr 2018 11:38:48 +0200 Subject: [PATCH 618/818] avformat/utils: Check cur_dts in update_initial_timestamps() more Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long' Fixes: crbug 831552 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6da5838dbc..4df9ba5665 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1090,6 +1090,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, if (st->first_dts != AV_NOPTS_VALUE || dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || + st->cur_dts < INT_MIN + RELATIVE_TS_BASE || is_relative(dts)) return; From 93e2cb4511417d265f3644c122167678fe4d3161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Apr 2018 23:11:26 +0200 Subject: [PATCH 619/818] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog b/Changelog index 24337668ed..88155186e0 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,10 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.3.7: +- avformat/utils: Check cur_dts in update_initial_timestamps() more +- avcodec/utils: Enforce minimum width also for VP5/6 +- avcodec/truemotion2: Propagate out of bounds error from GET_TOK() +- avformat/utils: Fix integer overflow in end time calculation in update_stream_timings() - avformat/utils: fix mixed declarations and code - avcodec/mjpegdec: Check input buffer size. - avcodec/h264_slice: Fix integer overflow with last_poc 
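Review bot: The new `st->cur_dts < INT_MIN + RELATIVE_TS_BASE` guard in update_initial_timestamps() bounds only one side of the arithmetic the commit message describes. If the body below the hunk computes `dts - (st->cur_dts - RELATIVE_TS_BASE)`, as the reported operands (a small positive dts minus roughly -RELATIVE_TS_BASE) suggest, a dts near INT64_MIN together with a cur_dts above RELATIVE_TS_BASE still overflows in the negative direction. A matching guard for that side would be `dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) ||` placed right after the new line, and the deliberate use of `INT_MIN` rather than `INT64_MIN` deserves a comment because the mix of 32- and 64-bit limits reads like a typo. The function body continues outside the hunk.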
From bc07879bc5e4ef8ba0d2aae452c109bd5995b814 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:19:40 -0300 Subject: [PATCH 620/818] avdevice/iec61883: return reference counted packets Fixes part of ticket #7146, dealing with leaks of packet data since commit 87c88122703f2befcf96383d05bdf14373c22df9. Signed-off-by: James Almer (cherry picked from commit b8629654c6460a28c507f816a977914e3a6f2520) --- libavdevice/iec61883.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index 721dca38ee..aeca7616df 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -118,7 +118,7 @@ static int iec61883_callback(unsigned char *data, int length, goto exit; } - packet->buf = av_malloc(length); + packet->buf = av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE); if (!packet->buf) { av_free(packet); ret = -1; @@ -127,6 +127,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->len = length; memcpy(packet->buf, data, length); + memset(packet->buf + length, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (dv->queue_first) { dv->queue_last->next = packet; @@ -200,13 +201,21 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt) size = avpriv_dv_produce_packet(dv->dv_demux, pkt, packet->buf, packet->len, -1); dv->queue_first = packet->next; + if (size < 0) + av_free(packet->buf); av_free(packet); dv->packets--; - if (size > 0) - return size; + if (size < 0) + return -1; - return -1; + if (av_packet_from_data(pkt, pkt->data, pkt->size) < 0) { + av_freep(&pkt->data); + av_packet_unref(pkt); + return -1; + } + + return size; } static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt) From 003be3e49ede2c4e7554c5f1b080a1964e8bcd3b Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:32:10 -0300 Subject: [PATCH 621/818] avdevice/iec61883: free the private context at the end Fixes part of ticket #7146. 
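Review bot: The rewritten tail of iec61883_parse_queue_dv() changes the treatment of a zero return from avpriv_dv_produce_packet(): the old code returned -1 for `size <= 0` (`if (size > 0) return size; return -1;`), the new code only for `size < 0`, so `size == 0` now falls through to `av_packet_from_data(pkt, pkt->data, 0)` and is reported as success. If a zero return is reachable (the callee is not visible here), `if (size <= 0)` on both new tests keeps the old behaviour and still frees `packet->buf`. The success path also relies on avpriv_dv_produce_packet() having pointed `pkt->data` at `packet->buf`, presumably, which is why only the failure path frees that buffer; a line before `av_free(packet)` such as `/* on success pkt->data aliases packet->buf; ownership moves to pkt via av_packet_from_data() below */` would make the hand-over explicit.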
Signed-off-by: James Almer (cherry picked from commit 5079e96bcc7aaa9cae82a58397ce986e124028e4) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index aeca7616df..382b989fb1 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -463,6 +463,7 @@ static int iec61883_close(AVFormatContext *context) } else { iec61883_dv_fb_stop(dv->iec61883_dv); iec61883_dv_fb_close(dv->iec61883_dv); + av_freep(&dv->dv_demux); } while (dv->queue_first) { DVPacket *packet = dv->queue_first; From f4e2ac296dac85bad5f42beb18bc29e39b51d29d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 18:23:12 +0200 Subject: [PATCH 622/818] doc/APIchanges: Fix typos in hashes Thanks-to: Moritz Barsnick for finding the correct ones Signed-off-by: Michael Niedermayer (cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index b344e098c8..5522d18726 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -626,7 +626,7 @@ API changes, most recent first: Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. @@ -643,7 +643,7 @@ API changes, most recent first: 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h Add avio_feof() and deprecate url_feof(). -2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h +2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h sws_getContext is not going to be removed in the future. 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h From f322de901d2d76af952385cadbaf2181b7cc3986 Mon Sep 17 00:00:00 2001 
From: Rahul Chaudhry Date: Wed, 18 Apr 2018 16:29:39 -0700 Subject: [PATCH 623/818] swresample/arm: remove unintentional relocation. Branch to global symbol results in reference to PLT, and when compiling for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't support this relocation (ld.gold), while others can end up truncating the relocation to fit (ld.bfd). Convert this branch through PLT into a direct branch that the assembler can resolve locally. See https://github.com/android-ndk/ndk/issues/337 for background. The current workaround is to disable neon during gstreamer build, which is not optimal and can be reverted after this patch: https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f Signed-off-by: Michael Niedermayer (cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 1f88316dde..7729514701 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt X(swri_oldapi_conv_flt_to_s16_neon) - beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) + blt _swri_oldapi_conv_flt_to_s16_neon + beq _swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 
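Review bot: The two new labels `_swri_oldapi_conv_flt_to_s16_neon:` and `_swri_oldapi_conv_fltp_to_s16_2ch_neon:` may collide with the exported symbol on targets whose `EXTERN_ASM` prefix is `_` (Mach-O), where the `function …, export=1` macro presumably already defines exactly that name; confirm against libavutil/arm/asm.S before merging. A name that cannot coincide with any exported symbol, e.g. `.Lswri_oldapi_conv_flt_to_s16_neon:` with the two branches in the third hunk updated to match, removes the risk while keeping the assembler-resolved branch the patch is after. A short comment on the first alias, `@ local alias: a branch to the global symbol goes through the PLT (R_ARM_THM_JUMP19), see android-ndk issue 337`, would also keep the next reader from "simplifying" it back to X().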
From 4b0181dc009df6e8791417b6f7e7fd65bd284bf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:42 +0200 Subject: [PATCH 624/818] avcodec/cinepak: move some checks prior to frame allocation Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 89e940ae0d..ba0589582f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s, return AVERROR_INVALIDDATA; } -static int cinepak_decode (CinepakContext *s) +static int cinepak_predecode_check (CinepakContext *s) { - const uint8_t *eod = (s->data + s->size); - int i, result, strip_size, frame_flags, num_strips; - int y0 = 0; + int num_strips; int encoded_buf_size; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s) s->sega_film_skip_bytes = 0; } + if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12) + return AVERROR_INVALIDDATA; + + return 0; +} + +static int cinepak_decode (CinepakContext *s) +{ + const uint8_t *eod = (s->data + s->size); + int i, result, strip_size, frame_flags, num_strips; + int y0 = 0; + + frame_flags = s->data[0]; + num_strips = AV_RB16 (&s->data[8]); + s->data += 10 + s->sega_film_skip_bytes; num_strips = FFMIN(num_strips, MAX_STRIPS); 
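Review bot: The new size check in cinepak_predecode_check() uses the raw 16-bit `num_strips`, while cinepak_decode() below clamps it with `FFMIN(num_strips, MAX_STRIPS)` before use; a frame that declares more than MAX_STRIPS strips but carries data for only the first MAX_STRIPS used to decode and is now rejected outright. If that tightening is intended as hardening it should say so in a comment, otherwise the check could clamp first. Either way the constant wants a comment, e.g. `/* every strip starts with a 12-byte header; a frame too short to hold them all is broken */`. cinepak_decode() continues past the hunk.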
@@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + if ((ret = cinepak_predecode_check(s)) < 0) { + av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); + return ret; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 5d42300731b1ffdd52c27e198bb724f2c3918f23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:43 +0200 Subject: [PATCH 625/818] avcodec/cinepak: Skip empty frames Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index ba0589582f..9b0077402f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int ret = 0, buf_size = avpkt->size; CinepakContext *s = avctx->priv_data; + int num_strips; s->data = buf; s->size = buf_size; @@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + num_strips = AV_RB16 (&s->data[8]); + + //Empty frame, do not waste time + if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL))) + return buf_size; + if ((ret = cinepak_predecode_check(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); return ret; From 45f03502c93dc09e6f9410f601cea4b00c7827d4 Mon Sep 17 00:00:00 2001 
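Review bot: The early return for `!num_strips` in cinepak_decode_frame() is explained only by `//Empty frame, do not waste time`, which does not cover the palette clause that keeps such a frame alive. Since a zero-strip frame carries no pixel data but may still deliver a palette through AV_PKT_DATA_PALETTE side data, I would write `/* no strips means no pixel data; only decode when a new palette arrives as side data */`. The return also skips cinepak_predecode_check() and with it the first-frame Sega FILM probe, so that detection now runs on the first non-empty frame; presumably harmless, but worth stating in the same comment.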
From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:04:53 +0200 Subject: [PATCH 626/818] avcodec/dfa: Check dimension against maximum The headers from where the dimensions are read in actual files are limited to 16bit per component. Fixes: Timeout Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 8067ac94e5..b8500a4995 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; - if (!avctx->width || !avctx->height) + if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16)) return AVERROR_INVALIDDATA; av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0); From bd6a181d5a4998d0eb54c67845d64b52b9a74dca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:28:23 +0200 Subject: [PATCH 627/818] avcodec/dsicinvideo: Propagate errors from cin_decode_rle() Signed-off-by: Michael Niedermayer (cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400) Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index f95cbc74a0..add7afa383 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c 
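Review bot: The new `FFMAX(avctx->width, avctx->height) >= (1<<16)` rejection in dfa_decode_init() has its rationale only in the commit message, and `1<<16` reads as an arbitrary cap next to the av_image_check_size() assertion that follows. I would carry the reason into the code with `/* DFA headers store each dimension in 16 bits, so anything larger cannot come from a real file and only serves to exhaust the decoder */` above the `if`.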
@@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 34: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; From 7784a7c1d8df7364a01436a7c90f483db596be78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:29:09 +0200 Subject: [PATCH 628/818] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame Fixes: Timeout Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96) Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index add7afa383..aa080417d2 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, } } + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } @@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size, } dst += len; } + + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } From 2d975fff05488e64999360eb775c5a8219a05958 Mon Sep 17 00:00:00 2001 From: Stephan Holljes Date: Fri, 12 Jan 2018 19:16:29 +0100 Subject: [PATCH 629/818] lavf/http.c: Free allocated client URLContext in case of error. Signed-off-by: Stephan Holljes Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index d06103ab6d..a1fdd1dd56 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -538,7 +538,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; + return 0; fail: + if (c) { + ffurl_closep(c); + } return ret; } From bcc47312d4fd7b4ccedca400e9ea9d650a77f4bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Apr 2018 22:19:31 +0200 Subject: [PATCH 630/818] avcodec/ffv1enc: Check that the crc + version combination is supported The crc flag is only stored since version 3 thus before this crcs do not work. We increase the version as needed same as we do with pix_fmts 
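Review bot: cin_decode_lzss() now returns AVERROR_INVALIDDATA from the added check, but its callers are outside the hunk and the preceding patch only wired up the cin_decode_rle() call sites; unless those lzss callers already test the return value, the new error is silently ignored and the short frame is displayed exactly as before. The `dst_size - dst_size/10` threshold is also a magic number in both functions; I would annotate it, hedged until confirmed, as `/* fewer than 10% of the frame bytes were produced; presumably truncated or garbage input */`.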
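Review bot: The guard at the new `fail:` label in http_accept() tests the wrong level of indirection: `c` is the caller's out-parameter, which the function presumably dereferences before the hunk to reach `cc`, so `if (c)` can never skip the close. What can be NULL after a failed ffurl_alloc() is `*c`; if ffurl_closep() tolerates a NULL `*c` the guard is redundant and `ffurl_closep(c);` alone is clearer, otherwise it should read `if (*c)`. The function body starts outside the hunk.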
Signed-off-by: Michael Niedermayer (cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 7f31606775..62d295b4f8 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -539,6 +539,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } + // CRC requires version 3+ + if (s->ec) + s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; From 77121f6bff4dd08bffae2d9f94fc144636678100 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Apr 2018 02:08:10 +0200 Subject: [PATCH 631/818] avcodec/vc1_block: simplify ac_val computation also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]' Found-by: durandal_1707 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f9f26f7e42..b06ee9fce7 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; 
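Review bot: The new `s->version = FFMAX(s->version, 3)` in encode_init() silently overrides a version the user asked for whenever error correction is on; the `// CRC requires version 3+` comment says why, but nothing tells the user their stream will not be the version they configured. A log line makes the override visible: `if (s->ec && s->version < 3) av_log(avctx, AV_LOG_WARNING, "Error correction requires version 3, raising version\n");` immediately before the FFMAX. Placing the bump before the experimental-version check is right, since the raised version must still pass that test. encode_init() continues outside the hunk.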
@@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; From 3d29170013b1e28770082d660e8695fe26ba4e2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Apr 2018 01:54:17 +0200 Subject: [PATCH 632/818] avcodec/elsdec: Fix memleaks Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add) Signed-off-by: Michael Niedermayer --- libavcodec/elsdec.c | 8 +++----- libavcodec/g2meet.c | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..cb0e9c6534 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { - av_free(rung->rem_rung_list); + av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) 
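Review bot: The three `ac_val = s->ac_val[0][s->block_index[n]];` rewrites remove the out-of-range index on the 16-element row that the sanitizer reported, but the `ac_val -= 16;` visible in the first two hunks still steps the pointer into the previous row's storage, so the access pattern is unchanged and merely no longer expressed as an array index. That is fine as long as the rows of ac_val[0] form one contiguous allocation, which these functions rely on but do not state. I would add once, above the first assignment: `/* ac_val[0] rows are contiguous: -16 selects the left neighbour's row */`. The same expression now appears in three functions; a small static helper would keep them in sync.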
@@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; - ur->rem_rung_list = av_realloc(ur->rem_rung_list, + ctx->err = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); - if (!ur->rem_rung_list) { - av_free(ur->rem_rung_list); - ctx->err = AVERROR(ENOMEM); + if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 3b8b97ab41..b4adce03a2 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -927,6 +927,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); + ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; } From 69f861be42ecb07e1deac86757760ec36a8e7bef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:07:45 +0200 Subject: [PATCH 633/818] avcodec/h263dec: Check slice_ret in mspeg4 slice loop Fixes infinite loop Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000 Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 077666470d..8491db0ed6 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
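Review bot: The added `ff_els_decoder_uninit(&c->ec.unsigned_rung)` on the error path in epic_jb_decode_tile() is only safe against a later uninit (for instance from the codec close function, not visible here) because the same patch changes ff_els_decoder_uninit() from av_free() to av_freep(); the two hunks depend on each other and nothing in g2meet.c records that. A comment at the call site, `/* safe to call again later: ff_els_decoder_uninit() NULLs the pointer */`, would keep a partial revert from reintroducing a double free. In ff_els_decode_unsigned(), av_reallocp() frees and NULLs the list on failure but `ur->rung_list_size` keeps its old value; if anything consults the list after `ctx->err` is set, resetting `ur->rung_list_size = 0` in the error branch is cheap insurance.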
@@ -637,7 +637,7 @@ retry: slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { - if (s->slice_height == 0 || s->mb_x != 0 || + if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0) break; } else { From 986747c9e25db3ac45bb4d8f6c73044080768b56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:46:05 +0200 Subject: [PATCH 634/818] avcodec/error_resilience: Fix integer overflow in filter181() Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5364940e94..d7f94c10c2 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } From bb7b9238b4121e608d98b6cef9272276ea74d59d Mon Sep 17 00:00:00 2001 
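Review bot: The `slice_ret < 0` guard is added only to the msmpeg4 branch of the loop; the `else` branch starts at the end of the hunk and its condition is not visible, so if it can also re-run `decode_slice` after a failed `slice_ret` the same infinite loop remains there. A comment on the new condition would help the next reader, e.g. `/* a failed slice must end the loop, otherwise we re-decode from the same position forever */`. The enclosing function continues outside the hunk.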
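Review bot: The upper clip bound `INT_MAX/10923 - 32768` in both hunks of filter181 subtracts 32768 from the quotient rather than from the product, which makes the clamp far tighter than the overflow requires: it caps `dc` at 163834 instead of `(INT_MAX - 32768) / 10923` = 196599, so inputs in between now yield a smaller filtered value than the unclipped arithmetic would. `av_clip(dc, INT_MIN/10923, (INT_MAX - 32768)/10923)` is the exact bound with the same overflow safety. A comment naming the constant (10923 looks like 65536/6, the filter's DC gain in 16.16 fixed point) would also help; the `>> 16` on a negative value is pre-existing and implementation-defined rather than UB. The function body lies outside the hunk on both sides.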
From: Michael Niedermayer Date: Fri, 27 Apr 2018 21:44:07 +0200 Subject: [PATCH 635/818] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int' Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index 053b1c575d..bf4ddb59f6 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2U -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n)) ) / (128 >> (n))) * 5U +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n)) ) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ From 90e9b76d3a9b4e220e7636fdc7672f1e91924a6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Apr 2018 22:20:28 +0200 Subject: [PATCH 636/818] avcodec/flac_parser: Fix infinite loop Fixes: crbug/827204 Reported-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
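Review bot: The new macros do the addition in unsigned and then cast the sum back with `(int)` before the signed division, so a `median[n]` near INT_MAX no longer overflows; that cast of an out-of-range unsigned value is implementation-defined (it wraps on every target FFmpeg supports) rather than UB, which is what the fix relies on and is worth stating, e.g. `/* add in unsigned and cast back: the wrap is implementation-defined, not UB */` above DEC_MED. The macros also still reach the captured `c` and evaluate `n` three times, which is pre-existing but keeps them fragile for anything but a constant argument. The header continues outside the hunk.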
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 84da23f327..2721286464 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { - if (curr->max_score > 0 && - (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { + if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } + if (fpc->best_header && fpc->best_header->max_score <= 0) { + // Only accept a bad header if there is no other option to continue + if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) + fpc->best_header = NULL; + } + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { From 6315215e5c0b4052f66f5f0f4311acd2031fb43c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 18:16:08 +0200 Subject: [PATCH 637/818] avcodec/g2meet: Change order of operations to avoid undefined behavior Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int' Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index b4adce03a2..e3f43bcf32 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
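Review bot: The comment "Only accept a bad header if there is no other option to continue" does not say what that option is, and the condition that follows is the inverse of the acceptance case, which takes a moment to unpick. Spelling it out helps: a header with `max_score <= 0` is kept only when there is still input (`buf` and `buf_size` non-zero), `read_end == buf` and at least `FLAC_MIN_HEADERS` are buffered; otherwise `best_header` is dropped and the parser waits for more data, e.g. `// keep a header with max_score <= 0 only when input remains, read_end is at buf and enough headers are buffered; otherwise wait for more data`. Why those three conditions amount to "no other option" is not visible from the hunk, so the comment should carry that reasoning as well. flac_parse continues outside the hunk.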
@@ -1356,14 +1356,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst += x * 3; } - if (y < 0) { + + if (y < 0) h += y; + if (w < 0 || h < 0) + return; + if (y < 0) { cursor += -y * c->cursor_stride; } else { dst += y * stride; } - if (w < 0 || h < 0) - return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { From 083c48e6d9dbc1c390146422ddcdc2d25278e3a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 19:11:36 +0200 Subject: [PATCH 638/818] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done Fixes: assertion failure Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 404cf06ddc..2eb66bb921 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1125,6 +1125,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; + if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; From 716ab0f2f4567ad1838be7c69f7b5e0ae783fc04 Mon Sep 17 00:00:00 2001 
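Review bot: The relocated `if (w < 0 || h < 0) return;` now precedes the `cursor += -y * c->cursor_stride` / `dst += y * stride` adjustment, which is the point of the change, but nothing in the code says the order matters; a short comment keeps a later tidy-up from moving it back, e.g. `/* clip first: with h < 0 the -y * cursor_stride product can overflow before we return */`. `w` is adjusted the same way above the hunk, so the same ordering presumably applies to the `x` branch. g2m_paint_cursor continues on both sides of the hunk.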
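Review bot: The new guard uses `>`, so when `RSpoc == FFMIN(codsty->nreslevels, REpoc)` the `for` loop below still runs zero iterations and execution falls through to whatever follows it, which is the same "nothing to be done" case the commit skips for `RSpoc` one larger. If the assertion this fixes lives in that later code, `>=` is the consistent bound: `if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue;`. What follows the loop is outside the hunk, so this is inferred from the loop condition alone.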
From: Michael Niedermayer Date: Fri, 4 May 2018 19:18:25 +0200 Subject: [PATCH 639/818] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 2eb66bb921..4a7a0d7387 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1147,10 +1147,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From d48738bd674f70131df4581936ef0125f1c26c5c Mon Sep 17 00:00:00 2001 
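Review bot: `1LL << n` is still undefined for n >= 63 (and for negative n), so the widening only helps if `rlevel->log2_prec_height + reducedresno` is bounded well below that; if `log2_prec_*` are the 4-bit precinct-size values from the COD marker (<= 15) and `reducedresno < nreslevels`, the sum stays under 63 only when nreslevels was validated at parse time, which is not visible here. A comment stating the bound next to the shift, e.g. `// log2_prec (<= 15) + reducedresno (< nreslevels) keeps the exponent below 63`, or an `av_assert1` on the exponent, would make that dependency checkable. The function continues outside the hunk.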
From: Michael Niedermayer Date: Fri, 27 Apr 2018 20:16:13 +0200 Subject: [PATCH 640/818] avcodec/g2meet: Check RGB upper limit Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int' Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index e3f43bcf32..89d269751e 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } - if (R<0 || G<0 || B<0) { + if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From 38fd80c656b4550ac6a7aef0bf3d83027784226f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 22:00:01 +0200 Subject: [PATCH 641/818] avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 8691d49932..b7e0da6ce9 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
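Review bot: The out-of-range branch returns `0` from a function whose return type is `uint32_t`, so the caller receives a value indistinguishable from a legitimately decoded black pixel and cannot tell that prediction failed; the av_log is the only signal, and with a NULL context it cannot be attributed to a stream. If the caller (outside the hunk) is expected to abort the tile on this condition an out-of-band error indicator is needed; if substituting a pixel is the intended recovery, a comment on the `return 0;` saying so would stop the next reader from treating it as a bug. The function continues outside the hunk.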
@@ -333,6 +333,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) From 8283586dce95cf66de744b35d37e5ea4b8c12405 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 May 2018 00:10:33 +0200 Subject: [PATCH 642/818] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 68ebd19560..994dc21d70 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) + (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) + (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) From c48ac14c067d1b41650df785499c657361a0590b Mon Sep 17 00:00:00 2001 
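Review bot: `CURSOR_OFFSET` is not defined anywhere in fic.c at this point in the series: the `#define CURSOR_OFFSET 59` only arrives with patch 651/818 (`avcodec/fic: Avoid some magic numbers related to cursors`) later in this set, so this commit does not compile on its own and breaks bisection between the two. The two backports should be reordered, or the define folded into this patch. Separately, the check compares `avpkt->size` while the cursor memcpy later in the same function reads from `src`; whether `src` is `avpkt->data` with no intervening offset is not visible from this hunk.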
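Review bot: The fix works only through operand order: `9U*b1` first makes the whole expression unsigned, so `- b0` is an unsigned subtraction, whereas the old leading `-b0` was a signed negation evaluated before any promotion and therefore UB for INT_MIN. Nothing in the macros records that, and a reformatting or "tidy" commit that puts `-b0` back in front would silently reintroduce the overflow; a one-line comment above COMPOSE_DD97iH0 such as `/* keep an unsigned term first: a leading -b0 is a signed negation (UB for INT_MIN) */` covers both macros in this hunk.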
From: Michael Niedermayer Date: Tue, 15 May 2018 17:07:00 +0200 Subject: [PATCH 643/818] avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Found-by: "Mattias Wadman Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 921db588ef..11526346be 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3758,7 +3758,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; From b0207c5b2a82cc9a7c80640977a004053e2d6ecf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 May 2018 13:40:38 +0200 Subject: [PATCH 644/818] indeo4: Decode all or nothing of a band header. This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10c8521265da86118597336c5589e26de377a374) 
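Review bot: Adding `sc->chunk_count &&` turns an STSC table that refers to chunks while the STCO table is empty from an error into a silently accepted file, and the hunk gives the reader no hint why that case is harmless. A short comment on the condition would carry the reasoning from the commit message into the code, e.g. `/* STSC is only checked against STCO when both tables are present */`, and an `AV_LOG_WARNING` for the `!sc->chunk_count && sc->stsc_count` case would keep such files diagnosable. mov_read_trak continues outside the hunk.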
Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 85d5fa3e7a..5809052cf8 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; + IVIBandDesc temp_band, *band = &temp_band; + memcpy(&temp_band, arg_band, sizeof(temp_band)); plane = get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); @@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) - band->blk_vlc.tab = ctx->blk_vlc.tab; + arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } + band->blk_vlc = arg_band->blk_vlc; + memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } From fdab123c031250742ea84c188999a855baa4bf30 Mon Sep 17 00:00:00 2001 
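Review bot: The "all or nothing" copy is not complete: in the second hunk `blk_vlc` is still written straight into `arg_band` (`arg_band->blk_vlc.tab = ...` / `ff_ivi_dec_huff_desc(..., &arg_band->blk_vlc, ...)`), so a failure in any check between that point and the final `memcpy(arg_band, band, ...)` leaves the caller's band with a new codebook and otherwise old fields, which is the mixed state the commit set out to avoid. Presumably the codebook has to live in the real descriptor because `ff_ivi_dec_huff_desc` manages it in place; if so, the `band->blk_vlc = arg_band->blk_vlc;` line deserves a comment saying exactly that, e.g. `/* blk_vlc is decoded directly into arg_band (ff_ivi_dec_huff_desc works in place); carry it into the copy before committing */`. The struct copies could also be written as assignments (`temp_band = *arg_band;`, `*arg_band = *band;`) rather than `memcpy`.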
From: Michael Niedermayer Date: Thu, 17 May 2018 13:58:46 +0200 Subject: [PATCH 645/818] avcodec/mlpdec: Only change noise_type if the related fields are valid Fixes: inconsistency Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]' Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index f60f14cc71..c50dc73e25 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - int min_channel, max_channel, max_matrix_channel; + int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } - s->noise_type = get_bits1(gbp); + noise_type = get_bits1(gbp); - if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { + if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } 
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { + if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel = min_channel; s->max_channel = max_channel; s->max_matrix_channel = max_matrix_channel; + s->noise_type = noise_type; if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) == m->avctx->request_channel_layout && m->max_decoded_substream > substr) { From d1bac7f77772a68e164385d7018f2c2562e0d219 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 23:08:05 +0200 Subject: [PATCH 646/818] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes truncation Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169 Fixes: ffmpeg_crash_2.avi Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 494452c938..f6a5992df7 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -882,7 +882,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { - int hours, minutes, seconds; + int64_t hours, minutes, seconds; int64_t time; put_bits(&s->pb, 16, 0); 
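Review bot: The block in the last hunk that commits `min_channel`, `max_channel`, `max_matrix_channel` and now `noise_type` into `s` is the whole point of the change, but nothing marks it as the commit point; a comment such as `/* only update s once every check above has passed, so a rejected restart header leaves the substream state untouched */` makes the invariant explicit for the next field someone adds (the earlier hunks at @@ -474/-487 and @@ -515 are the reads that depend on it). The function continues outside the hunk.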
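Review bot: Widening `hours`, `minutes`, `seconds` to int64_t removes the truncation in the time arithmetic, but the values still end up in fixed-width bitstream fields via put_bits (the assertion quoted in the commit message), and the hunk stops at `put_bits(&s->pb, 16, 0);` before any of those writes; unless the code below bounds them to their field widths, a large `time` will now trip the same `value < (1U << n)` assertion instead of overflowing. That bounding, or a comment that `time` is already limited by the caller, should accompany the change. The body of mpeg4_encode_gop_header continues outside the hunk.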
From 45ce622f909354847bbbab9b650b2264d33f2d58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 21:56:04 +0200 Subject: [PATCH 647/818] avcodec/g723_1dec: Clip bits2 in both directions Fixes: shift exponent 33 is too large for 32-bit type 'int' Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53f241218d9eac368e2e1c58bcca9bbdf10fd0e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index aaa26c24ef..3522c91bd6 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -549,7 +549,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy) denom <<= bits2; bits2 = 5 + bits1 - bits2; - bits2 = FFMAX(0, bits2); + bits2 = av_clip_uintp2(bits2, 5); gain = (num >> 1) / (denom >> 16); gain = square_root(gain << 16 >> bits2); From e95a0e261fe92d73130ed5c5cc6e01b4f96c6c53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:02:20 +0200 Subject: [PATCH 648/818] oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int' Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62cb6fadf33de6db386deac92853d4b95c930015) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 0e532fcf84..8f72624559 100644 
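Review bot: `av_clip_uintp2(bits2, 5)` silently folds any `bits2` outside [0, 31] into that range rather than treating it as corrupt input, and the `5` is tied to the 32-bit shift `gain << 16 >> bits2` two lines below without saying so; a comment such as `/* bits2 is a shift count on a 32-bit value: clamp to [0, 31] */` keeps the two in step. `gain << 16` on that line is a signed shift that can still overflow if `gain` reaches 2^15, and the hunk shows no bound for it. gain_scale continues outside the hunk.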
--- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h01 = h[0][1], h11 = h[1][1]; INTFLOAT h02 = h[0][2], h12 = h[1][2]; INTFLOAT h03 = h[0][3], h13 = h[1][3]; - INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; - INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; - INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; - INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; + UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; + UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; + UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; + UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; int n; for (n = 0; n < len; n++) { From 6d8859e23474181f291a7b030b1ea04d4fa9ed05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:06:48 +0200 Subject: [PATCH 649/818] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int' Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index b19a622403..e4152bea6a 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
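Review bot: Switching the `hs0X`/`hs1X` step variables to `UINTFLOAT` changes the type of the `h0X += hs0X` accumulation in the loop below (outside the hunk): in the fixed-point build the add is now done in unsigned and converted back on the store, which is what avoids the signed-overflow UB, while in the float build `UINTFLOAT` presumably stays `float` and nothing changes. A comment at the declarations would record this, e.g. `/* UINTFLOAT: in the fixed-point build the per-sample h += hs accumulation may wrap; unsigned makes that defined */`, since otherwise the mixed signed/unsigned declarations read like an oversight. The loop body is not visible here.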
@@ -385,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += (tmp + round) >> shift; + dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } From 3be0bcbef6aa9b8b77766ce1e4f7320b1d33b2d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 22:50:19 +0200 Subject: [PATCH 650/818] avcodec/g2meet: ask for sample with overflowing RGB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 89d269751e..8bf04b3d49 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -557,7 +557,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, } if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { - av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); + avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From 05e253684ebc2985b0c4662a9f86e4475c20a5e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 23:42:36 +0200 Subject: [PATCH 651/818] avcodec/fic: Avoid some magic numbers related to cursors Signed-off-by: Michael Niedermayer (cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index b7e0da6ce9..e1b72b9448 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
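Review bot: `avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", ...)` keeps the trailing `\n` from the former av_log call, but avpriv_request_sample embeds the message in its own sentence ("... is not implemented. Update your FFmpeg version ..."), so the newline now splits that sentence in the log output; drop it: `avpriv_request_sample(NULL, "RGB %d %d %d is out of range", R, G, B);`. The NULL context also means the request cannot be attributed to a stream; passing the decoder's AVCodecContext, if reachable from `dc`, would help. The function continues outside the hunk.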
@@ -82,6 +82,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -416,7 +417,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { - memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); + memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } From aa50d67cc7d07278ce39d395871bc6a0dc7cfe32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 May 2018 17:06:59 +0200 Subject: [PATCH 652/818] avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 11526346be..c4d3863de9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3516,6 +3516,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; + if (!sc->chunk_count) + return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; From 9ecb1998b034cf53bf3812eb1d3427cb82e41a21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 03:16:58 +0200 Subject: [PATCH 653/818] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() Fixes: #7165 Signed-off-by: Michael Niedermayer (cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) 
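Review bot: `#define CURSOR_OFFSET 59` carries no comment, and the number is the only documentation of where the cursor bitmap sits in the packet; a line such as `/* byte offset of the 32x32 cursor bitmap within the frame (see fic_decode_frame) */` beside it, or an `enum { CURSOR_OFFSET = 59 }` with the same comment, would say what it is, and its relation to FIC_HEADER_SIZE (if any) is not visible here. The earlier backport 641/818 in this series already uses `CURSOR_OFFSET`, so this patch has to precede it for the intermediate tree to build.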
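Review bot: The early `return` when `sc->chunk_count` is 0 leaves the stream without any index entries, and the reason given in the commit message (the arithmetic below would overflow even though the index loop never runs) is not carried into the code; a comment on the check, e.g. `/* no STCO/CO64 entries: nothing to index, and the chunk arithmetic below assumes chunk_count > 0 */`, keeps a later cleanup from dropping it as redundant. mov_build_index continues outside the hunk.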
diff --git a/libavformat/mov.c b/libavformat/mov.c index c4d3863de9..66fce34f3a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2440,14 +2440,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stsc_count = i; for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + int64_t first_min = i + 1; if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || - sc->stsc_data[i].first < 1 || + sc->stsc_data[i].first < first_min || sc->stsc_data[i].count < 1 || sc->stsc_data[i].id < 1) { av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); - if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) - return AVERROR_INVALIDDATA; + if (i+1 >= sc->stsc_count) { + sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); + if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) + sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); + sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); + sc->stsc_data[i].id = FFMAX(sc->stsc_data[i].id, 1); + continue; + } + av_assert0(sc->stsc_data[i+1].first >= 2); // We replace this entry by the next valid sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].count = sc->stsc_data[i+1].count; From 6577ae7119ebf326a1af25fb90c1afde74602633 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 00:48:06 +0200 Subject: [PATCH 654/818] avcodec/amrwbdec: Fix division by 0 in find_hb_gain() This restructures the code slightly toward D_UTIL_dec_synthesis() Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974) 
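Review bot: `av_assert0(sc->stsc_data[i+1].first >= 2)` asserts on a value that originates in the file, which turns a wrong assumption into an abort on crafted input; the argument that it cannot fire (entry i+1 was validated or repaired in the previous iteration, and every path leaves its `first` at least `i + 2`) holds from the visible code but should be written next to the assertion, e.g. `// entry i+1 was validated/repaired in the previous iteration, so its first >= i+2 >= 2`. The repaired last entry can also end up with `first == INT_MAX`, which passes every check here and is presumably rejected later against `chunk_count`; that is acceptable but worth a note. mov_read_stsc continues outside the hunk.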
Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 7f2874d35f..47fe7eb55e 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -862,15 +862,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; + float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); - tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + + if (tmp > 0) { + tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + } else + tilt = 0; /* return gain bounded by [0.1, 1.0] */ - return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); + return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** From 412872e6cbf6313bc8eeccb9f5978861c8f044a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 01:33:54 +0200 Subject: [PATCH 655/818] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int' Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index dbf6756864..ce8c3e507f 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c 
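Review bot: The division is guarded by the numerator rather than the divisor, which is correct only because of an unstated inequality: each term `synth[i]*synth[i+1]` is bounded in magnitude by the larger of the two squares, so `tmp > 0` forces the energy `dot_productf(synth, synth, ...)` to be positive as well, and a reader who does not see that will "fix" it by testing the denominator. Put the reasoning on the check, e.g. `/* tmp > 0 implies a non-zero energy (|s[i]*s[i+1]| <= max(s[i]^2, s[i+1]^2)), so the division is safe */`, or test the divisor directly: `float energy = ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);` / `tilt = (tmp > 0 && energy > 0) ? tmp / energy : 0;`. The `} else` without braces is also out of step with the braced `if` above it. find_hb_gain starts outside the hunk.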
@@ -232,8 +232,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { - lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; - lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; + int32_t p_tmp = p[k + 1] + p[k]; + int32_t q_tmp = q[k + 1] - q[k]; + lpc32[k] = -q_tmp - p_tmp; + lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ From 0f1e6771d03c4f5b998bced9c8dfc8cf4180a999 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:09:59 +0200 Subject: [PATCH 656/818] avcodec/truemotion2: Fix overflow in tm2_apply_deltas() Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int' Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f7dbe047c7..b689efdb99 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -451,7 +451,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { - int ct, d; + unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ From bb6d47cf35836640309cf933a3d6a4bf1eec3ced Mon Sep 17 00:00:00 2001 
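Review bot: The rewritten loop still performs int32 additions (`p[k + 1] + p[k]`, `q[k + 1] - q[k]`); the reordering removes the reported overflow by matching the reference's intermediate order, not by widening, so it only holds while `p`/`q` stay within whatever bounds the reference decoder guarantees, which nothing in the hunk shows. A comment would keep the next maintainer from "simplifying" it back: `/* keep this operand order (as in silk/NLSF2A.c): the intermediates fit int32 only when formed this way */`. silk_lsf2lpc starts before and ends after the hunk.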
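Review bot: Changing `ct, d` to `unsigned` turns the delta accumulation into defined wrap-around, but any later use of `ct`/`d` as a signed quantity in tm2_apply_deltas (a comparison with 0, or passing to a signed parameter) now behaves differently; the body is outside the hunk, so I cannot confirm there is none. Worth a comment on the declaration: `unsigned ct, d; /* unsigned: delta sums may exceed INT_MAX, wrap is intended */`.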
From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:17:24 +0200 Subject: [PATCH 657/818] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int' Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ab326b8e9a..5d3ccbea6d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1012,7 +1012,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc * (1 << point_transform))); + mask & (pred + (unsigned)(dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From 8da3d6916316588ad7c1f6d66e4133b51af9ea94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:33:43 +0200 Subject: [PATCH 658/818] avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8024/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5109204648984576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 424a81df107b63a166894a4aee3d27702ae3f459) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 3b0fa272e7..7157bb0cae 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
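Review bot: The cast is applied to the product, so `dc * (1 << point_transform)` is still evaluated as a signed multiply and can overflow before it is converted; only the addition to `pred` became unsigned (which is the addition the fuzzer reported). Making the shift operand unsigned covers both: `mask & (pred + dc * (1U << point_transform));`. The low bits that `mask` keeps are identical either way. ljpeg_decode_rgb_scan continues outside the hunk.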
@@ -234,11 +234,11 @@ static int decode_aiff_header(AVCodecContext *avctx, const uint8_t *header, while (bytestream2_get_le32(&gb) != MKTAG('C', 'O', 'M', 'M')) { len = bytestream2_get_be32(&gb); - bytestream2_skip(&gb, len + (len & 1)); - if (len < 0 || bytestream2_get_bytes_left(&gb) < 18) { + if (len < 0 || bytestream2_get_bytes_left(&gb) < 18LL + len + (len&1)) { av_log(avctx, AV_LOG_ERROR, "no COMM chunk found\n"); return AVERROR_INVALIDDATA; } + bytestream2_skip(&gb, len + (len & 1)); } len = bytestream2_get_be32(&gb); From f51163b1666e0d43fc94ac839e80f044ecb8b7c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:03:48 +0200 Subject: [PATCH 659/818] avcodec/shorten: Sanity check nmeans Fixes: OOM Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232 The reference software appears to use longs for 32bits and it uses int for nmeans hinting that the intended maximum size was not 32bit. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7157bb0cae..0c29275df2 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -450,6 +450,10 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); + if (s->nmean > 32768U) { + av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); + return AVERROR_INVALIDDATA; + } skip_bytes = get_uint(s, NSKIPSIZE); if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { From b7134d7fb679df78069648d0fb7bc54a59f9f557 Mon Sep 17 00:00:00 2001 
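Review bot: The loop condition cannot tell end-of-input from a chunk tag of 0, because `bytestream2_get_le32` on an exhausted reader returns 0 rather than an error, so termination rests entirely on the `bytes_left < 18LL + len + (len&1)` test that follows; that works, but it is not obvious. The `len < 0` part is only meaningful because `len` is narrower than the be32 read (presumably an `int`; the declaration is outside the hunk). I'd note both at the check: `/* len is int: sizes >= 2^31 go negative and are rejected; at EOF bytes_left drops below 18 and the loop exits */`. decode_aiff_header continues past the hunk.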
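Review bot: `32768U` is an unexplained magic bound, and the log line prints `s->nmean` with `%d` while the comparison treats it as unsigned; if the field is declared unsigned, `%u` is the matching conversion (the declaration is outside the hunk). A comment carrying the reasoning from the commit message would help: `/* sanity bound: the reference decoder keeps nmean in an int, far below 32 bits */`.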
From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:12:54 +0200 Subject: [PATCH 660/818] avcodec/shorten: Fix a negative left shift in shorten_decode_frame() Fixes: left shift of negative value -9057 Fixes: 8527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5666853924896768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a711efe922b2bf1d363bdf7f8357656c3e35021e) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0c29275df2..5f4e5ed9bc 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -706,7 +706,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; else - s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) << s->bitshift; + s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift); } /* copy wrap samples for use with next block */ From c2d16aafbb1527d4b47ecfad659a381c22a017ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:15:34 +0200 Subject: [PATCH 661/818] avcodec/shorten: Fix undefined shift in fix_bitshift() Fixes: left shift of negative value -9 Fixes: 8571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5715966875926528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 606c7148231404544005c0827b83c165dd6b39a8) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5f4e5ed9bc..5a14e8e5bf 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
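Review bot: `1 << s->bitshift` is still undefined for `bitshift == 31` (shifting 1 into the sign bit overflows int), and the `== 32` guard only excludes 32; unless bitshift is range-checked where it is read (not visible here), `1U << s->bitshift` is the safe form, and the same applies to the fix_bitshift hunk of the next patch, `buffer[i] *= 1U << s->bitshift;`. The product with `sum / s->blocksize` then becomes a widened or wrapping multiply instead of a signed overflow, depending on the type of `sum`; a comment stating the intended semantics would help. shorten_decode_frame is only partly visible.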
@@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) - buffer[i] <<= s->bitshift; + buffer[i] *= 1 << s->bitshift; } } From 3f66c3386c2466c13562b8b0ac3943dac22bbfa1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:19:35 +0200 Subject: [PATCH 662/818] avcodec/shorten: Fix multiple integer overflows Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int' Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5a14e8e5bf..42d91a4636 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -389,7 +389,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) - sum += coeffs[j] * s->decoded[channel][i - j - 1]; + sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); } @@ -696,7 +696,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { - int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; + int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; From 719931c036e7ace5bd0cf4f4027648f196e3f06e Mon Sep 17 00:00:00 2001 
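Review bot: `coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]` makes the product wrap, and what `sum +=` then does depends on the declared type of `sum` (outside the hunk): an `int` is converted through unsigned and back, while a 64-bit `sum` would receive the wrapped value as a large positive number, which is probably not intended. Whichever it is, a comment marking the wrap as deliberate, `/* wrap-around arithmetic is intended here */`, would save the next reader the analysis; `sum >> qshift` afterwards shifts a possibly negative value, implementation-defined rather than undefined. The second hunk widens a different `sum` to `int64_t` that later feeds `s->offset[channel][...]`; the narrowing on that store is presumably intended too. decode_subframe_lpc continues outside the hunk.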
From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:07:04 +0200 Subject: [PATCH 663/818] avcodec/wavpack: Fix overflow in adding tail Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int' Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e0440959ff..2427962a92 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; From a16a4fefb6d1dee75d329012c0e3ecaa7769ebd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:42:31 +0200 Subject: [PATCH 664/818] avcodec/xwddec: Use ff_set_dimensions() Fixes: OOM Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 8b0845fc01..25c64e0e14 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c 
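Review bot: The return type became `unsigned` while the locals `p, e, res` on the next line stay `int`, so presumably the body still computes in signed arithmetic and only the value handed back changes type; that is enough to make the caller's addition wrap, but the reader has to work it out. A comment on the prototype, `/* unsigned so that callers adding the tail to a large base wrap instead of overflowing */`, and ideally `res` itself declared `unsigned`, would make the intent explicit. get_tail's body is outside the hunk.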
@@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, uint32_t pixformat, pixdepth, bunit, bitorder, bpad; uint32_t rgb[3]; uint8_t *ptr; + int width, height; GetByteContext gb; if (buf_size < XWD_HEADER_SIZE) @@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, pixformat = bytestream2_get_be32u(&gb); pixdepth = bytestream2_get_be32u(&gb); - avctx->width = bytestream2_get_be32u(&gb); - avctx->height = bytestream2_get_be32u(&gb); + width = bytestream2_get_be32u(&gb); + height = bytestream2_get_be32u(&gb); xoffset = bytestream2_get_be32u(&gb); be = bytestream2_get_be32u(&gb); bunit = bytestream2_get_be32u(&gb); @@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, ncolors = bytestream2_get_be32u(&gb); bytestream2_skipu(&gb, header_size - (XWD_HEADER_SIZE - 20)); + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) + return ret; + av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad); From 5f771a74b23f83edbcc6f0cae79e458ac7931e1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 18:25:14 +0200 Subject: [PATCH 665/818] avcodec/h264_mc_template: Only prefetch motion if the list is used. Fixes: index 59 out of bounds for type 'H264Ref [48]' Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index 58c05044c1..d02e2bf580 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c 
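Review bot: `width` and `height` are `int` but come from `bytestream2_get_be32u`, so a header value of 2^31 or more becomes negative and the code relies on `ff_set_dimensions` rejecting it; that is the right place for the check, but a comment on the read, `/* may go negative for values >= 2^31; ff_set_dimensions() rejects that */`, makes the dependency visible. The new call also uses `ret`, whose declaration is outside the hunk — presumably the function already has one. The validation now happens after the `header_size` skip, so any code between the reads and the check that used avctx->width/height would see the previous values; I cannot rule that out from the three hunks alone.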
@@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); - prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 0)) + prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, From f4f9bd655d4254d3c9ef093efff1afbaeefbb219 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jun 2018 17:02:47 +0200 Subject: [PATCH 666/818] avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei Signed-off-by: Michael Niedermayer (cherry picked from commit b796c5ae9299c795cba0d16ce1d8eef05488953b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 1 - libavcodec/h264_ps.h | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 7e66ed7224..6affaaf917 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -35,7 +35,6 @@ #include "h264_ps.h" #include "golomb.h" -#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) #define MIN_LOG2_MAX_FRAME_NUM 4 #define EXTENDED_SAR 255 diff --git a/libavcodec/h264_ps.h b/libavcodec/h264_ps.h index 51b6694b5f..e967b9cbcf 100644 --- a/libavcodec/h264_ps.h +++ b/libavcodec/h264_ps.h @@ -36,6 +36,7 @@ #define MAX_SPS_COUNT 32 #define MAX_PPS_COUNT 256 +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) /** * Sequence parameter set From 98f10ca12ccc1accafbf26d9eeb6e7c91bd650eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 23:35:58 +0200 Subject: [PATCH 667/818] avformat/mov: Only set pkt->duration to non negative values Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
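Review bot: The guard only covers the list-0 prefetch; whether list 1 is prefetched under an equivalent guard elsewhere (mc_part, or further down hl_motion) is not visible in the hunk, and the out-of-bounds index the commit message reports presumably came from reading reference data for a list the macroblock does not use. A comment would make the precondition explicit: `/* ref data for list 0 is only meaningful when the MB actually uses list 0 */`. hl_motion continues past the hunk.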
diff --git a/libavformat/mov.c b/libavformat/mov.c index 66fce34f3a..f6db8a47b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6384,7 +6384,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } else { int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration; - pkt->duration = next_dts - pkt->dts; + + if (next_dts >= pkt->dts) + pkt->duration = next_dts - pkt->dts; pkt->pts = pkt->dts; } if (st->discard == AVDISCARD_ALL) From b5d51d23a068f7511662acd363b39d2f922dff0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 May 2018 22:44:07 +0200 Subject: [PATCH 668/818] fftools/ffmpeg: Fallback to duration if sample rate is unavailable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Regression since: af1761f7 Fixes: Division by 0 Fixes: ffmpeg_crash_1 Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 4b4dae47fe..eb0f8b7c9c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2725,8 +2725,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo ist->dts = ist->next_dts; switch (ist->dec_ctx->codec_type) { case AVMEDIA_TYPE_AUDIO: - ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / - ist->dec_ctx->sample_rate; + if (ist->dec_ctx->sample_rate) { + ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / + ist->dec_ctx->sample_rate; + } else { + ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); + } break; case AVMEDIA_TYPE_VIDEO: if (ist->framerate.num) { From 96cf8a9cf993db44007dd438edbbbdf69279943e Mon Sep 17 00:00:00 2001 
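Review bot: When `next_dts < pkt->dts` the packet's `duration` is now simply not assigned, so it keeps whatever value it held before this point (zero if the packet was freshly initialised, otherwise stale); the hunk does not show which. A short comment states the choice, `/* index goes backwards: leave duration unset rather than negative */`, and an `av_log(..., AV_LOG_DEBUG, ...)` on that path would make such files easier to diagnose. mov_read_packet is larger than the hunk.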
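Review bot: The fallback path dereferences `pkt`; process_input_packet is declared with `const AVPacket *pkt` and the enclosing condition is outside the hunk, so I cannot confirm from here that a flush call with a NULL packet never reaches this `switch`. When `pkt->duration` is 0 the fallback leaves `next_dts` unchanged, a silent stall of the timestamp rather than an error; worth a comment: `/* no sample rate: fall back to the container duration (0 leaves next_dts in place) */`.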
From: Michael Niedermayer Date: Thu, 14 Jun 2018 15:41:33 +0200 Subject: [PATCH 669/818] avutil/common: Fix undefined behavior in av_clip_uintp2_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 53e43feb3a..58ead80514 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -228,7 +228,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { - if (a & ~((1<> 31 & ((1<> 31 & ((1< Date: Thu, 14 Jun 2018 16:37:32 +0200 Subject: [PATCH 670/818] avcodec/dirac_dwt_template: Fix undefined behavior in interleave() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 575d8ca0260fabac29e5b3541154633569ce2b5d) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 8c25c1f822..528fc7e9e7 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c 
@@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + add) >> shift; - dst[2*i+1] = (src1[i] + add) >> shift; + dst[2*i ] = (src0[i] + (unsigned)add) >> shift; + dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; } } From 516f8dbc58a2777b23065e83157f8462d00600dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jun 2018 16:41:49 +0200 Subject: [PATCH 671/818] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int' Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index e4152bea6a..c92f873335 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -434,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp * (1 << shift); + dest[i] += tmp * (1U << shift); } } } From 4fb69a60f6c0bdb335c2e86a2f1d2a8bd147ead6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jun 2018 22:48:54 +0200 Subject: [PATCH 672/818] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
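Review bot: With `(unsigned)add` the whole `>> shift` becomes a logical shift of an unsigned value, whereas before it was a shift of a possibly negative int (arithmetic on the compilers FFmpeg targets); for a negative `src0[i] + add` the two differ unless the result is truncated back into a narrow `TYPE`. Constructed example: src0[i] = -4, add = 1, shift = 1 gives -2 before and 0x7FFFFFFE now, which an `int16_t` destination truncates to -2 but an `int32_t` one does not. Casting the sum back before shifting keeps the wrap-around addition and the original shift semantics: `dst[2*i  ] = (int)(src0[i] + (unsigned)add) >> shift;` and likewise for `dst[2*i+1]`. What `TYPE` expands to in each instantiation is outside the hunk.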
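Review bot: `dest[i] += tmp * (1U << shift)` adds an unsigned product to `dest[i]`, which (assuming `dest` is an int array) works because the compound assignment converts `dest[i]` through unsigned and back; that is intentional wrap-around and deserves saying so, `/* unsigned multiply: overflow wraps instead of being undefined */`. `1U << shift` is still undefined for `shift >= 32`, so the range of `shift` must be guaranteed where it is computed, which the hunk does not show. apply_independent_coupling_fixed starts before the hunk.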
Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5d3ccbea6d..e944e29a7a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -989,6 +989,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); + return AVERROR_INVALIDDATA; + } + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From 76c4838a11a61fb0cfed5defff7e683f64068692 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jun 2018 21:45:59 +0200 Subject: [PATCH 673/818] avcodec/h264_parser: Reduce needed history for parsing mb index This fixes a bug/regression with very small packets Fixes: output_file Regression since: 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2 Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit d25c945247979a88fac6bb3b7a26370262b96ef1) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 2564c6c6c3..74961ddcda 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c 
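Review bot: `get_bits_left(&s->gb) < 1` only fires once the reader is completely exhausted, so a single macroblock can still read past the end (into the zero padding) before the next iteration notices; that is enough to stop the timeout but it is not a bounds check on the MB's own reads. A comment saying what the check is for would prevent someone tightening or loosening it for the wrong reason: `/* past the end the bit reader yields padding; bail so a truncated scan cannot spin through every MB */`. ljpeg_decode_rgb_scan continues outside the hunk.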
@@ -121,20 +121,23 @@ static int h264_find_frame_end(H264ParseContext *p, const uint8_t *buf, } state = 7; } else { + unsigned int mb, last_mb = p->parse_last_mb; + GetBitContext gb; p->parse_history[p->parse_history_count++] = buf[i]; - if (p->parse_history_count > 5) { - unsigned int mb, last_mb = p->parse_last_mb; - GetBitContext gb; - init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); - p->parse_history_count = 0; - mb= get_ue_golomb_long(&gb); + init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); + mb= get_ue_golomb_long(&gb); + if (get_bits_left(&gb) > 0 || p->parse_history_count > 5) { p->parse_last_mb = mb; if (pc->frame_start_found) { - if (mb <= last_mb) + if (mb <= last_mb) { + i -= p->parse_history_count - 1; + p->parse_history_count = 0; goto found; + } } else pc->frame_start_found = 1; + p->parse_history_count = 0; state = 7; } } @@ -149,7 +152,7 @@ found: pc->frame_start_found = 0; if (p->is_avc) return next_avc; - return i - (state & 5) - 5 * (state > 7); + return i - (state & 5); } static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, From b0c14b02b0570a2edd7054bf7dd6b6e9b00e5858 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Jun 2018 19:23:02 +0200 Subject: [PATCH 674/818] avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c3174ce6ef..186f0cb8af 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c 
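Review bot: The history buffer is now drained only inside the `if`, so while the exp-golomb code is incomplete `parse_history_count` keeps growing until the `> 5` clause forces a decode; that bounds it at 6 entries, which must fit `p->parse_history` (its size is outside the hunk). The condition `get_bits_left(&gb) > 0 || p->parse_history_count > 5` deserves a comment: `/* decode once the ue(v) code is complete (bits remain after it) or once 6 bytes are buffered, whichever comes first */`. The rewind `i -= p->parse_history_count - 1;` pairs with the simplified `return i - (state & 5);` in the second hunk; a note at the rewind pointing at the return would help keep the two in sync. h264_find_frame_end is larger than the two hunks.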
@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. - if (get_bits_left(&gb) < 64) + // Check if the amount we will read minimally is available on input. + // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skiped superblocks. Non + // skipped SBs need more space. + if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); From 3db270a0786207fc5692581ae2fe3f28b917e430 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jun 2018 01:18:20 +0200 Subject: [PATCH 675/818] avcodec/cscd: Check output buffer size for lzo. Fixes: Timeout Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 35c4ee08c3..5eb511a565 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } From eedde18f1a8f5cb32883d0bf529f400b82d80d1c Mon Sep 17 00:00:00 2001 
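Review bot: The added `|| outlen` requires the LZO output to fill `c->decomp_size` exactly (av_lzo1x_decode leaves the unused output space in `outlen`), but the error path still logs "error during lzo decompression", which now also covers a short but otherwise well-formed stream. A distinct message, or a comment such as `/* outlen != 0: the frame decompressed to fewer bytes than a full frame needs */`, would make the failure mode visible in logs. The leftover input in `inlen` is still ignored, which seems fine for trailing padding; the rest of decode_frame is outside the hunk.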
From: Michael Niedermayer Date: Thu, 21 Jun 2018 23:08:32 +0200 Subject: [PATCH 676/818] avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c077b7b327..cf8127c236 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x1000000 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV - int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); + int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; + bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From 228c05ee547d99e7aae5c895172d99581b03eed9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 13:00:28 +0200 Subject: [PATCH 677/818] avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 186f0cb8af..26fa2da5e8 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c 
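Review bot: The expression `(int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12` is now spelled out twice, once in the `CONFIG_FTRAPV` trap check and once in the real computation, so the two can drift apart on the next edit. Hoisting it into a local keeps them identical: `int r = (int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12;` then `int a = bp2[j] - r;` in the trap block and `bp1[j] = (int)((bp2[j] - r) * (unsigned)b) >> 12;` below. The `>> 12` on the int-cast product shifts a possibly negative value, implementation-defined rather than undefined; a short comment noting the reliance on arithmetic shifts would not hurt. ff_eval_refl is only partly visible.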
@@ -222,8 +222,8 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. // Check if the amount we will read minimally is available on input. - // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 - // represent a lower bound of the space needed for skiped superblocks. Non + // The 64 represent the immediately next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; From 672ada0f179b3ef45e52987d8c96716d23aa0722 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 17:27:50 +0200 Subject: [PATCH 678/818] avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array read Fixes: ffmpeg_crash_8.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 95556e27e2c1d56d9e18f5db34d6f756f3011148) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 9280dc8d23..4b1ffff10f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -378,7 +378,7 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) if (hdr->substreamid == info->num_ind_sub + 1) { //info->num_ind_sub++; - avpriv_request_sample(track->par, "Multiple independent substreams"); + avpriv_request_sample(mov->fc, "Multiple independent substreams"); return AVERROR_PATCHWELCOME; } else if (hdr->substreamid < info->num_ind_sub || hdr->substreamid == 0 && info->substream[0].bsid) { From 0bc74532a94716217ab43f20a65764cd4f019e52 Mon Sep 17 00:00:00 2001 
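Review bot: The fix is correct but the reason is not recorded near the call: `avpriv_request_sample` takes a logging context whose first member is an AVClass pointer, and `track->par` (AVCodecParameters) has none, which is what produced the out-of-array read named in the commit message. A comment such as `/* log via the muxer context; track->par is not an AVClass-bearing object */` would keep someone from "simplifying" it back. The `else if` condition on the last context line mixes `||` and `&&` without parentheses (pre-existing); worth parenthesising while here. handle_eac3 continues outside the hunk.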
From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:40:08 +0200 Subject: [PATCH 679/818] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4a7a0d7387..8aeec3328c 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -340,7 +340,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); - if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { + // There must be at least a SOT and SOD per tile, their minimum size is 14 + if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || + s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) + ) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } From bba9bb735a535c9e6bf21fd3457913d7fe831e2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:57:05 +0200 Subject: [PATCH 680/818] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) 
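Review bot: The second condition `s->numXtiles * s->numYtiles * 14LL` multiplies the two tile counts as plain int before `14LL` widens the expression, so it is only overflow-free because the first `||` operand has already rejected products above `INT_MAX/sizeof(*s->tile)` (assuming both counts are int, as the `uint64_t` cast on that line suggests). That dependency on short-circuit order is fragile; `s->numXtiles * (int64_t)s->numYtiles * 14 > bytestream2_size(&s->g)` makes each operand safe on its own. The comment's "minimum size is 14" would also be checkable if it said what it sums (a 12-byte SOT marker segment plus the 2-byte SOD marker). get_siz continues outside the hunk.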
Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 8aeec3328c..f844d032a9 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1220,10 +1220,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists @@ -1291,10 +1291,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From 739e3ff47533746a72fd212eae4af009144921c6 Mon Sep 17 00:00:00 2001 
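Review bot: Widening the shifts to `1LL` in this hunk and in the one at `@@ -1291` removes the 32-bit UB but still relies on `rlevel->log2_prec_height + reducedresno` staying below 64; as far as the decoder's existing bounds go that holds because the precinct exponent is a 4-bit field and `reducedresno` is bounded by the resolution-level limit checked elsewhere, neither of which is visible here. A comment at the first site, `// exponent stays < 64: log2_prec_* <= 15, reducedresno < nreslevels (bounded in get_cod)`, or an `av_assert1` on the sum, would make that bound explicit. The 64-bit divisor also promotes `yc`/`xc` to long long in the `%`, which is fine if they are int but worth a glance if they are unsigned. jpeg2000_decode_packets_po_iteration begins and ends outside both hunks.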
From: Michael Niedermayer Date: Mon, 2 Jul 2018 19:08:54 +0200 Subject: [PATCH 681/818] avcodec/shorten: Fix undefined integer overflow Fixes: signed integer overflow: 8454144 * 256 cannot be represented in type 'int' Fixes: 8788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5728205041303552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70832333bba3b915040f415548518e136b44280e) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 42d91a4636..609ff0e26f 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) - buffer[i] *= 1 << s->bitshift; + buffer[i] *= 1U << s->bitshift; } } From 01a694d4823c48ecc602f31a39a85aac4b7eaf66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 19:11:46 +0200 Subject: [PATCH 682/818] avcodec/shorten: Fix undefined addition in shorten_decode_frame() Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int' Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 609ff0e26f..68c2a2d804 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
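Review bot: `1U << s->bitshift` makes the multiplication wrap instead of overflowing, but the shift itself is still undefined when `bitshift` is 32 or more; the changelog later on this page lists a separate "Fix undefined shift in fix_bitshift()" commit, so that bound is presumably enforced elsewhere — a comment here naming where would help. The unsigned product is also converted back into `int32_t` on assignment, which is implementation-defined for out-of-range values; the idiom is deliberate in this codebase, so `// wrap rather than overflow; int32_t conversion of the result is implementation-defined by design` would prevent a future "fix". fix_bitshift starts outside the hunk.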
@@ -678,7 +678,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; for (i = 0; i < s->nmean; i++) - sum += s->offset[channel][i]; + sum += (unsigned)s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1; From c43f5e0dce1b1b77d300a7e2fe382dba229ec781 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 01:26:44 +0200 Subject: [PATCH 683/818] avcodec/indeo4: Check for end of bitstream in decode_mb_info() Fixes: Timeout Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 5809052cf8..199af1a3c2 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -492,6 +492,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->b_mv_x = mb->b_mv_y = 0; + if (get_bits_left(&ctx->gb) < 1) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n"); + return AVERROR_INVALIDDATA; + } + if (get_bits1(&ctx->gb)) { if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); From 34654d41d4bd9abb3b848477a6dd0a7d33816d4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 21:37:46 +0200 Subject: [PATCH 684/818] avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() Fixes: use after free() Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362 Found-by: Paul Ch 
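Review bot: Casting the addend to unsigned removes the UB, but a wrapped `sum` is then fed to `sum / s->nmean` and to `coffset >> s->bitshift - 1 >> 1`, so a crafted `offset[]` still yields an arbitrary, possibly negative `coffset` whose right shift is implementation-defined. If the offsets are meant to be bounded, accumulating in `int64_t` and clipping the quotient to the int32 range would be more robust than wrapping. The expression `coffset >> s->bitshift - 1 >> 1` also reads as a precedence trap; parentheses around `s->bitshift - 1` would make the intent obvious. shorten_decode_frame continues outside the hunk.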
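Review bot: The new `get_bits_left(&ctx->gb) < 1` guard protects only the single `get_bits1` that follows it; the macroblock fields read further down (outside the hunk) are not covered, and if the bit reader yields zeros past the end, a truncated band still walks every remaining macroblock before anything notices. If the reported timeout came from that loop, a `get_bits_left` test per macroblock iteration, sized to the minimum bits one macroblock needs, would be the stronger fix. The message `"Insufficient input for mb info\n"` could also include the band index for easier triage. decode_mb_info begins and ends outside the hunk.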
Signed-off-by: Michael Niedermayer (cherry picked from commit a7e032a277452366771951e29fd0bf2bd5c029f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index d6d7d9cd84..3eb49a5d29 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -526,7 +526,7 @@ static int rm_read_multi(AVFormatContext *s, AVIOContext *pb, size2 = avio_rb32(pb); ret = ff_rm_read_mdpr_codecdata(s, s->pb, st2, st2->priv_data, - size2, mime); + size2, NULL); if (ret < 0) return ret; } From 9bb3047060c33e93ace258634aa89ee1705ec0c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 22:14:42 +0200 Subject: [PATCH 685/818] avformat/pva: Check for EOF before retrying in read_part_of_packet() Fixes: Infinite loop Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1) Signed-off-by: Michael Niedermayer --- libavformat/pva.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/pva.c b/libavformat/pva.c index 16381db905..04ae8e2800 100644 --- a/libavformat/pva.c +++ b/libavformat/pva.c @@ -134,6 +134,10 @@ recover: pes_flags = avio_rb16(pb); pes_header_data_length = avio_r8(pb); + if (avio_feof(pb)) { + return AVERROR_EOF; + } + if (pes_signal != 1 || pes_header_data_length == 0) { pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n"); From 4d77a4a54d2f5c34a9cc7d3b3424d16e24515a0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 20:33:04 +0200 Subject: [PATCH 686/818] avformat/mms: Add missing chunksize check Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch 1st hunk by Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8) 
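Review bot: Passing `NULL` fixes the use-after-free but leaves no trace of why the mime type must not be forwarded here, so the next refactor can reintroduce it. A comment on the call, `/* do not pass mime: it is presumably owned/freed by the callee for the previous substream (use-after-free otherwise) */`, with the wording confirmed against ff_rm_read_mdpr_codecdata's handling of that argument, would document the contract. rm_read_multi's loop starts outside the hunk.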
Signed-off-by: Michael Niedermayer --- libavformat/mms.c | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/libavformat/mms.c b/libavformat/mms.c index 17fa76a8d4..768fda6525 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c 
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { - flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); - stream_id = flags & 0x7F; - //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, - //we can calculate the packet size by stream_num. - //Please see function send_stream_selection_request(). - if (mms->stream_num < MMS_MAX_STREAMS && - 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { - mms->streams = av_fast_realloc(mms->streams, - &mms->nb_streams_allocated, - (mms->stream_num + 1) * sizeof(MMSStream)); - if (!mms->streams) - return AVERROR(ENOMEM); - mms->streams[mms->stream_num].id = stream_id; - mms->stream_num++; - } else { - av_log(NULL, AV_LOG_ERROR, - "Corrupt stream (too many A/V streams)\n"); - return AVERROR_INVALIDDATA; + if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) { + flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); + stream_id = flags & 0x7F; + //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, + //we can calculate the packet size by stream_num. + //Please see function send_stream_selection_request(). + if (mms->stream_num < MMS_MAX_STREAMS && + 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { + mms->streams = av_fast_realloc(mms->streams, + &mms->nb_streams_allocated, + (mms->stream_num + 1) * sizeof(MMSStream)); + if (!mms->streams) + return AVERROR(ENOMEM); + mms->streams[mms->stream_num].id = stream_id; + mms->stream_num++; + } else { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (too many A/V streams)\n"); + return AVERROR_INVALIDDATA; + } } } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { if (end - p >= 88) { 
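Review bot: `end - p >= (sizeof(ff_asf_guid) * 3 + 26)` compares a `ptrdiff_t` with a `size_t`, so the left side is converted to unsigned; if `p` were ever past `end`, the negative difference would become huge and the guard would pass. The enclosing loop presumably keeps `p <= end`, but the head1 branch in the hunk at `@@ -143` sets `chunksize` unconditionally and needs its own check, which shows `p += chunksize` can overshoot without one; casting is cheap insurance: `if (end - p >= (ptrdiff_t)(sizeof(ff_asf_guid) * 3 + 26)) {`. The short-object case now silently skips the stream header, which matches the `end - p >= 88` branch below it, so a one-line comment that skipping is intentional would suffice. ff_mms_asf_header_parser continues outside the hunk.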
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. + if (chunksize > end - p) { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (header chunksize %"PRId64" is invalid)\n", + chunksize); + return AVERROR_INVALIDDATA; + } } p += chunksize; } From 68fb93be04a40b9a90f7d118e459f9c09be3c913 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 12:01:46 +0200 Subject: [PATCH 687/818] avcodec/vp8_parser: Do not leave data/size uninitialized This is identical to what the VP9 parser does Fixes: 9215/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-5768227253649408 Fixes: out of memory access This may also fix oss fuzz issue 9212 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 284dde24dab30225ed3e233b0e5908d67d7e13e7) Signed-off-by: Michael Niedermayer --- libavcodec/vp8_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp8_parser.c b/libavcodec/vp8_parser.c index 609f5077d1..e2d91b271f 100644 --- a/libavcodec/vp8_parser.c +++ b/libavcodec/vp8_parser.c @@ -28,6 +28,9 @@ static int parse(AVCodecParserContext *s, unsigned int frame_type; unsigned int profile; + *poutbuf = buf; + *poutbuf_size = buf_size; + if (buf_size < 3) return buf_size; From 78b1fbca3404459dcf8a1c34b5c7f9a5825ad61f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 16:51:51 +0200 Subject: [PATCH 688/818] avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: ffmpeg_bof_1.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart 
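Review bot: Initialising `*poutbuf`/`*poutbuf_size` before the `buf_size < 3` early return is correct, but nothing states that this parser never splits or merges packets and always hands the input straight through; a comment on the two lines, `/* header-only parser: the packet is passed through unchanged */`, would make the invariant the fix relies on explicit (confirm against the rest of parse, which is outside the hunk). The dvdsub_parser change later on this page makes the same assignment with the same missing comment.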
Signed-off-by: Michael Niedermayer (cherry picked from commit ed22dc22216f74c75ee7901f82649e1ff725ba50) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 4b1ffff10f..11d58274fd 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -385,6 +385,11 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) info->ec3_done = 1; goto concatenate; } + } else { + if (hdr->substreamid != 0) { + avpriv_request_sample(mov->fc, "Multiple non EAC3 independent substreams"); + return AVERROR_PATCHWELCOME; + } } /* fill the info needed for the "dec3" atom */ From 314ca5672d378997a8a523b567b846c518cef8f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 16:28:14 +0200 Subject: [PATCH 689/818] avcodec/mjpegdec: Check for odd progressive RGB Fixes: out of array access Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e944e29a7a..841c9c317c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -597,6 +597,10 @@ unk_pixfmt: avpriv_report_missing_feature(s->avctx, "Lowres for weird subsampling"); return AVERROR_PATCHWELCOME; } + if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) { + avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling"); + return AVERROR_PATCHWELCOME; + } if (s->ls) { memset(s->upscale_h, 0, sizeof(s->upscale_h)); memset(s->upscale_v, 0, sizeof(s->upscale_v)); 
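Review bot: The new `} else { if (hdr->substreamid != 0) { … } }` nests an `if` as the only statement of an `else`; `} else if (hdr->substreamid != 0) {` says the same thing with one less level. The message "Multiple non EAC3 independent substreams" is also hard to parse — something like `"non-independent frame with substream id %d"` would describe what is actually rejected (frame types other than independent whose substream id is non-zero, per the subject line). handle_eac3 continues outside the hunk.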
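Review bot: `AV_RB32(s->upscale_h)` reads exactly four bytes of the array to test whether any entry is non-zero, which silently assumes `upscale_h`/`upscale_v` are 4-byte arrays; the `memset(..., sizeof(s->upscale_h))` two lines below suggests they are, but the new line would read past them if the declaration ever grows. A loop over the array, or at least `av_assert1(sizeof(s->upscale_h) == 4)` next to the check, ties it to the declaration. The condition is also very long; breaking it after each `&&` would help readers. The enclosing function starts and ends outside the hunk.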
From 6a0a16e563f07722acd4b666b2c501e186e9fa4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 22:23:25 +0200 Subject: [PATCH 690/818] avformat/movenc: Check input sample count Fixes: division by 0 Fixes: fpe_movenc.c_199_1.wav Fixes: fpe_movenc.c_199_2.wav Fixes: fpe_movenc.c_199_3.wav Fixes: fpe_movenc.c_199_4.wav Fixes: fpe_movenc.c_199_5.wav Fixes: fpe_movenc.c_199_6.wav Fixes: fpe_movenc.c_199_7.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 11d58274fd..b36322837e 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4955,6 +4955,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) else samples_in_chunk = 1; + if (samples_in_chunk < 1) { + av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n"); + return AVERROR_PATCHWELCOME; + } + /* copy extradata if it exists */ if (trk->vos_len == 0 && par->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) && From 0e9ecdabf3a43dadb59e690dcedc5798f779960d Mon Sep 17 00:00:00 2001 From: Rahul Chaudhry Date: Fri, 27 Apr 2018 13:49:52 -0700 Subject: [PATCH 691/818] swresample/arm: rename labels to fix xcode build error Signed-off-by: Michael Niedermayer (cherry picked from commit e84212b78e00df17799e01be1e153a073eb8f689) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 7729514701..085d50aafa 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S 
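Review bot: `AVERROR_PATCHWELCOME` for a packet with no samples tells users to submit a sample for an unsupported feature, whereas an empty packet that reaches the muxer is more likely corrupt or mis-parsed input; `AVERROR_INVALIDDATA` would match the other input checks added on this page, unless zero-sample packets are known to come from a legitimate but unhandled source, in which case a comment should say which. The "fatal error" prefix in the log text is redundant with `AV_LOG_ERROR`; `"input packet contains no samples\n"` is enough. ff_mov_write_packet continues outside the hunk.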
@@ -22,7 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 -_swri_oldapi_conv_flt_to_s16_neon: +.L_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -67,7 +67,7 @@ _swri_oldapi_conv_flt_to_s16_neon: endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 -_swri_oldapi_conv_fltp_to_s16_2ch_neon: +.L_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -135,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt _swri_oldapi_conv_flt_to_s16_neon - beq _swri_oldapi_conv_fltp_to_s16_2ch_neon + blt .L_swri_oldapi_conv_flt_to_s16_neon + beq .L_swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 From 87ddf73e52b412ee015108ec2f1aaac7a05c947f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jul 2018 00:16:42 +0200 Subject: [PATCH 692/818] avformat/movenc: Write version 2 of audio atom if channels is not known The version 1 needs the channel count and would divide by 0 Fixes: division by 0 Fixes: fpe_movenc.c_1108_1.ogg Fixes: fpe_movenc.c_1108_2.ogg Fixes: fpe_movenc.c_1108_3.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index b36322837e..cf3d969547 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -937,7 +937,7 @@ static int mov_write_audio_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex uint32_t tag = track->tag; if (track->mode == MODE_MOV) { - if (track->timescale > UINT16_MAX) { + if (track->timescale > UINT16_MAX || !track->par->channels) { if (mov_get_lpcm_flags(track->par->codec_id)) tag = AV_RL32("lpcm"); version = 2; 
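Review bot: The new `!track->par->channels` alternative switches to version 2 without saying why, and the reason lives only in the commit message; `// version 1 divides by the channel count, so fall back to version 2 when channels is unknown` on the condition would keep that knowledge in the file. It is also worth confirming that the version 2 path below (outside the hunk) tolerates `channels == 0` rather than merely not dividing by it. mov_write_audio_tag continues outside the hunk.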
From c8ca54961dcc49ac7eb6353b6c007be3a0dfe1cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:33:08 +0200 Subject: [PATCH 693/818] avcodec/dirac_dwt_template: Fix signedness regression in interleave() Found-by: Tested-by: James Darnley Signed-off-by: Michael Niedermayer (cherry picked from commit 181435a4de6e38e0a15ddaf16de9a157ef41cb18) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 528fc7e9e7..2369c8d15b 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + (unsigned)add) >> shift; - dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; + dst[2*i ] = ((int)(src0[i] + (unsigned)add)) >> shift; + dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift; } } From 28e0e494ee6499e7c37255e54453d791ff79ae54 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Tue, 3 Apr 2018 14:41:33 +0200 Subject: [PATCH 694/818] avcodec/imgconvert: fix possible null pointer dereference regression since 354b26a3945eadd4ed8fcd801dfefad2566241de (cherry picked from commit 8c2c97403baf95d0facb53f03e468f023eb943e1) (cherry picked from commit c1e172c2e14ef059dac632f7c67f081dfecd30dc) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 7b0005b308..1fd636c83d 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c 
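Review bot: The `(int)` cast restores a signed shift, but `((int)(src0[i] + (unsigned)add)) >> shift` on a negative value is implementation-defined, not guaranteed by the standard; this is the established idiom in the codebase, yet a one-line comment, `// unsigned add avoids overflow UB; the (int) cast restores the arithmetic shift`, would explain why both casts are present and stop someone from removing either. If `TYPE` can be wider than `int` in some instantiation, the `(int)` truncation would also be wrong; confirm the template is only instantiated with types no wider than int. interleave's signature is cut at the `@@` line; its body is fully visible.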
@@ -72,11 +72,12 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int loss; for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { - loss = *loss_ptr; + loss = loss_ptr ? *loss_ptr : 0; best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); } - *loss_ptr = loss; + if (loss_ptr) + *loss_ptr = loss; return best; } From db85ff35788dfbe3f1570e71640c99f7c24579f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:54:48 +0200 Subject: [PATCH 695/818] avcodec/dvdsub_parser: Init output buf/size No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c8437761661441d836876934314cb2b8fafe7) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 32a945ed65..8e1c48bef6 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s, { DVDSubParseContext *pc = s->priv_data; + *poutbuf = buf; + *poutbuf_size = buf_size; + if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { if (buf_size) From eae9ab01930169bceb439a7ef62ecb0549e4a6fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:56:10 +0200 Subject: [PATCH 696/818] avcodec/dvdsub_parser: Allocate input padding Fixes: out of array read Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 8e1c48bef6..698ccb6987 100644 
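Review bot: The NULL tolerance added here is not reflected in the public documentation of `avcodec_find_best_pix_fmt_of_list` (declared outside the hunk); its `loss_ptr` doc should state that NULL is accepted, is treated like a zero mask on input, and suppresses the output, matching the `0` default on the first changed line. Since `loss` is re-seeded from `*loss_ptr` on every iteration, the value written back at the end is only the loss of the last comparison, which is pre-existing but worth a comment. The function starts outside the hunk.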
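Review bot: The two assignments give `*poutbuf`/`*poutbuf_size` a pass-through default, but this parser assembles packets across calls (see `pc->packet_index` on the next line), so presumably later code replaces them once a full packet exists; a comment such as `/* default: pass input through; replaced below once a complete packet has been assembled */` would make the two-phase protocol visible (confirm against the rest of dvdsub_parse, outside the hunk). Same pattern as the vp8_parser change earlier on this page.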
--- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); av_freep(&pc->packet); - pc->packet = av_malloc(pc->packet_len); + if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { + av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); + return buf_size; + } + pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); } if (pc->packet) { if (pc->packet_index + buf_size <= pc->packet_len) { From 18c9d5d3e80dc0b47e0a260b51f5230bdd499e8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Jul 2018 20:44:22 +0200 Subject: [PATCH 697/818] update for 3.3.8 Signed-off-by: Michael Niedermayer --- Changelog | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 81 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 88155186e0..0dd9d68d67 100644 --- a/Changelog +++ b/Changelog 
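Review bot: `av_malloc` leaves the `AV_INPUT_BUFFER_PADDING_SIZE` tail uninitialised, so the out-of-bounds read this fixes becomes an in-bounds read of indeterminate bytes unless something later zeroes them; allocating with `av_mallocz(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE)`, or zeroing the tail after the copy, makes the padding behave as the padding contract expects. The new length check also returns `buf_size` without resetting `pc->packet_len`, so the rejected length lingers in the context; harmless if the next call always re-reads it at `packet_index == 0`, but `pc->packet_len = 0;` before the return is cheap insurance. dvdsub_parse continues outside the hunk.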
@@ -1,6 +1,85 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.8: +- avcodec/dvdsub_parser: Allocate input padding +- avcodec/dvdsub_parser: Init output buf/size +- avcodec/imgconvert: fix possible null pointer dereference +- avcodec/dirac_dwt_template: Fix signedness regression in interleave() +- avformat/movenc: Write version 2 of audio atom if channels is not known +- swresample/arm: rename labels to fix xcode build error +- avformat/movenc: Check input sample count +- avcodec/mjpegdec: Check for odd progressive RGB +- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id +- avcodec/vp8_parser: Do not leave data/size uninitialized +- avformat/mms: Add missing chunksize check +- avformat/pva: Check for EOF before retrying in read_part_of_packet() +- avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() +- avcodec/indeo4: Check for end of bitstream in decode_mb_info() +- avcodec/shorten: Fix undefined addition in shorten_decode_frame() +- avcodec/shorten: Fix undefined integer overflow +- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() +- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles +- avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample +- avcodec/escape124: Fix spelling errors in comment +- avcodec/ra144: Fix integer overflow in ff_eval_refl() +- avcodec/cscd: Check output buffer size for lzo. 
+- avcodec/escape124: Check buf_size against num_superblocks +- avcodec/h264_parser: Reduce needed history for parsing mb index +- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() +- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() +- avcodec/dirac_dwt_template: Fix undefined behavior in interleave() +- avutil/common: Fix undefined behavior in av_clip_uintp2_c() +- fftools/ffmpeg: Fallback to duration if sample rate is unavailable +- avformat/mov: Only set pkt->duration to non negative values +- avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei +- avcodec/h264_mc_template: Only prefetch motion if the list is used. +- avcodec/xwddec: Use ff_set_dimensions() +- avcodec/wavpack: Fix overflow in adding tail +- avcodec/shorten: Fix multiple integer overflows +- avcodec/shorten: Fix undefined shift in fix_bitshift() +- avcodec/shorten: Fix a negative left shift in shorten_decode_frame() +- avcodec/shorten: Sanity check nmeans +- avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header() +- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() +- avcodec/truemotion2: Fix overflow in tm2_apply_deltas() +- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c +- avcodec/amrwbdec: Fix division by 0 in find_hb_gain() +- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() +- avformat/mov: Break out early if chunk_count is 0 in mov_build_index() +- avcodec/fic: Avoid some magic numbers related to cursors +- avcodec/g2meet: ask for sample with overflowing RGB +- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() +- oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior +- avcodec/g723_1dec: Clip bits2 in both directions +- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() +- avcodec/mlpdec: Only change 
noise_type if the related fields are valid +- indeo4: Decode all or nothing of a band header. +- avformat/mov: Only fail for STCO/STSC contradictions if both exist +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 +- avcodec/fic: Check available input space for cursor +- avcodec/g2meet: Check RGB upper limit +- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case +- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done +- avcodec/g2meet: Change order of operations to avoid undefined behavior +- avcodec/flac_parser: Fix infinite loop +- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() +- avcodec/error_resilience: Fix integer overflow in filter181() +- avcodec/h263dec: Check slice_ret in mspeg4 slice loop +- avcodec/elsdec: Fix memleaks +- avcodec/vc1_block: simplify ac_val computation +- avcodec/ffv1enc: Check that the crc + version combination is supported +- lavf/http.c: Free allocated client URLContext in case of error. +- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame +- avcodec/dsicinvideo: Propagate errors from cin_decode_rle() +- avcodec/dfa: Check dimension against maximum +- avcodec/cinepak: Skip empty frames +- avcodec/cinepak: move some checks prior to frame allocation +- swresample/arm: remove unintentional relocation. +- doc/APIchanges: Fix typos in hashes +- avdevice/iec61883: free the private context at the end +- avdevice/iec61883: return reference counted packets + version 3.3.7: - avformat/utils: Check cur_dts in update_initial_timestamps() more - avcodec/utils: Enforce minimum width also for VP5/6 diff --git a/RELEASE b/RELEASE index 86fb650440..37d02a6e38 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.7 +3.3.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index 655649c117..7610d18818 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.7 +PROJECT_NUMBER = 3.3.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 660e4c0c961c41c2ae5fc2f40c25bff30ec64133 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 28 Jul 2018 00:51:57 -0300 Subject: [PATCH 698/818] avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL Fixes crashes like "ffmpeg -h bsf" caused by passing NULL to strcmp() Signed-off-by: James Almer (cherry picked from commit 3258cc6507a2012d54889ce5f8efbde7e81d927d) --- libavcodec/bitstream_filters.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/bitstream_filters.c b/libavcodec/bitstream_filters.c index 2045e18b94..d4ee4d7d6a 100644 --- a/libavcodec/bitstream_filters.c +++ b/libavcodec/bitstream_filters.c @@ -59,6 +59,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name) { int i; + if (!name) + return NULL; + for (i = 0; bitstream_filters[i]; i++) { const AVBitStreamFilter *f = bitstream_filters[i]; if (!strcmp(f->name, name)) From 5c98f8d80a50fb012deb1e4e24864dd52372a367 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 14 Oct 2018 18:33:55 +0200 Subject: [PATCH 699/818] avcodec/cuviddec: properly take deinterlacing and display delay into account for buffer_full check Signed-off-by: Timo Rothenpieler --- libavcodec/cuvid.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/cuvid.c b/libavcodec/cuvid.c index 916d7e9987..da31693036 100644 --- a/libavcodec/cuvid.c +++ b/libavcodec/cuvid.c 
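Review bot: The NULL check is the right fix, but the public contract of `av_bsf_get_by_name` (declared in the header, outside this file) should now say that a NULL `name` yields NULL rather than leaving callers to discover it; `@param name the name of the filter, or NULL (returns NULL)` is enough. A `const char *` that goes straight into `strcmp` is a common crash site in lookup helpers, so documenting the accepted input is worth the line. The function continues outside the hunk.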
@@ -367,13 +367,17 @@ static int cuvid_decode_packet(AVCodecContext *avctx, const AVPacket *avpkt) AVPacket filter_packet = { 0 }; AVPacket filtered_packet = { 0 }; int ret = 0, eret = 0, is_flush = ctx->decoder_flushing; + int delay = ctx->cuparseinfo.ulMaxDisplayDelay; av_log(avctx, AV_LOG_TRACE, "cuvid_decode_packet\n"); if (is_flush && avpkt && avpkt->size) return AVERROR_EOF; - if ((av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + 2 > ctx->nb_surfaces && avpkt && avpkt->size) + if (ctx->deint_mode != cudaVideoDeinterlaceMode_Weave && !ctx->drop_second_field) + delay *= 2; + + if ((av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + delay >= ctx->nb_surfaces && avpkt && avpkt->size) return AVERROR(EAGAIN); if (ctx->bsf && avpkt && avpkt->size) { From ea160f02137e515a7909b73eba172da008af614a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Jul 2018 22:22:35 +0200 Subject: [PATCH 700/818] avutil/pixfmt: Document chroma plane size for odd resolutions Signed-off-by: Michael Niedermayer (cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5) Signed-off-by: Michael Niedermayer --- libavutil/pixfmt.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h index 5dafc341a1..926bf5ae43 100644 --- a/libavutil/pixfmt.h +++ b/libavutil/pixfmt.h @@ -42,6 +42,10 @@ * This is stored as BGRA on little-endian CPU architectures and ARGB on * big-endian CPUs. * + * @note + * If the resolution is not a multiple of the chroma subsampling factor + * then the chroma plane resolution must be rounded up. + * * @par * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized * image data is stored in AVFrame.data[0]. The palette is transported in From 31262860ccd33b704a31f945fa1b9442b4e328c7 Mon Sep 17 00:00:00 2001 
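Review bot: The doubling of `delay` under `ctx->deint_mode != cudaVideoDeinterlaceMode_Weave && !ctx->drop_second_field` is unexplained in the hunk; a comment such as `/* non-weave deinterlacing that keeps both fields emits two frames per decoded surface, so the display delay counts double */` would make the intent reviewable (that is my reading of the condition, confirm against the output path). Note also that `av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)` is a size_t, so `+ delay >= ctx->nb_surfaces` is evaluated in unsigned arithmetic; harmless while both are non-negative, but worth a `-Wsign-compare` glance. cuvid_decode_packet() continues outside the hunk.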
From: Michael Niedermayer Date: Tue, 24 Jul 2018 22:44:12 +0200 Subject: [PATCH 701/818] swresample/swresample: Fix input channel count in resample_first computation Found-by: Marcin Gorzel Reviewed-by: Marcin Gorzel Signed-off-by: Michael Niedermayer (cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 170f76bc56..c740f5d5fd 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -318,7 +318,7 @@ av_cold int swr_init(struct SwrContext *s){ av_assert0(s->used_ch_count); av_assert0(s->out.ch_count); - s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; + s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; s->in_buffer= s->in; s->silence = s->in; From 922a29142e77221f685e875e14435abf7a691f5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 18:58:34 +0200 Subject: [PATCH 702/818] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int' Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index fee2b7787c..5d63464f6c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
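Review bot: The corrected line `s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0;` is as opaque after the fix as before it, and the hunk gives no hint why `used_ch_count` rather than `in.ch_count` is the right divisor. The `av_assert0(s->used_ch_count)` two lines above keeps the division safe, so the remaining gap is documentation: a short comment stating what the two sides of the comparison estimate (the channel-count ratio against the sample-rate ratio, as far as I can tell) would help the next reader. swr_init() continues outside the hunk.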
@@ -1399,8 +1399,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From d5c48e8536d007a0cfdaf3e7cd5ab428db948374 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 19:11:04 +0200 Subject: [PATCH 703/818] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 2369c8d15b..5d55d932a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int // second stage combined with interleave and shift b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]); - b[0] = (b0 + 1) >> 1; + b[0] = ~((~b0) >> 1); for (x = 1; x < w2; x++) { b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]); b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2 ); - b[2*x-1] = (b1 + 1) >> 1; - b[2*x ] = (b2 + 1) >> 1; + b[2*x-1] = ~((~b1) >> 1); + b[2*x ] = ~((~b2) >> 1); b0 = b2; } - b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1; + b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1); } static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2, 
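Review bot: By my arithmetic `~((~b0) >> 1)` is not a drop-in for `(b0 + 1) >> 1`: with an arithmetic right shift it equals `b0 >> 1` (for b0 = 1 the old expression gives 1 and the new gives 0; for b0 = -3 the old gives -1 and the new -2), so the four changed lines in horizontal_compose_daub97i alter the rounding rather than only removing the overflow at INT_MAX. If the old rounding is intended, the overflow-free form that keeps it is the idiom used elsewhere in the DWT code, `b[0] = (int)(b0 + 1U) >> 1;` (and likewise for b1, b2 and the final line). If the rounding change is deliberate, a comment saying so is needed, because the commit message describes this as an overflow fix only; please double-check against the FATE references. The function starts outside the hunk.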
From ee5b42ce2f2f45a28d12643cf86538f7a7535d47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 20:45:39 +0200 Subject: [PATCH 704/818] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 5d63464f6c..eeaa8f4498 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -140,7 +140,7 @@ typedef struct DiracContext { GetBitContext gb; AVDiracSeqHeader seq; int seen_sequence_header; - int frame_number; /* number of the next frame to display */ + int64_t frame_number; /* number of the next frame to display */ Plane plane[3]; int chroma_x_shift; int chroma_y_shift; @@ -2300,7 +2300,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*got_frame) - s->frame_number = picture->display_picture_number + 1; + s->frame_number = picture->display_picture_number + 1LL; return buf_idx; } From c07d568603d33fe3d3c38d888da859f202299382 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 21:26:24 +0200 Subject: [PATCH 705/818] avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int' Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
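Review bot: Widening `frame_number` to `int64_t` in the struct hunk changes every other use of the field, none of which is visible here; any `av_log` that prints it with `%d` is now undefined behaviour and needs `%"PRId64"`, and comparisons against `int` picture numbers should be re-read for width assumptions. The `+ 1LL` in the second hunk is right, but the reason for the 64-bit type belongs on the field, e.g. `int64_t frame_number; /* 32-bit bitstream value plus the -1 sentinel: int overflows at INT_MAX + 1 */`. dirac_decode_frame() begins outside the hunk.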
Signed-off-by: Michael Niedermayer (cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index eeaa8f4498..5a4877386b 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1242,7 +1242,10 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb); - if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || + s->num_x * (uint64_t)s->avctx->width > INT_MAX || + s->num_y * (uint64_t)s->avctx->height > INT_MAX + ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; return AVERROR_INVALIDDATA; From c1a3212d45a99dce153f4185befc49daa579ef10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 21:42:16 +0200 Subject: [PATCH 706/818] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int' Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 5a4877386b..c2a6bcbd31 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
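Review bot: The first term of the new condition, `s->num_x * s->num_y == 0`, still multiplies in `int` before any of the `(uint64_t)` products is evaluated, so if num_x/num_y are `int` (their declaration is not in the hunk) and the Golomb reader can return values large enough, the overflow the later terms guard against can already happen in the first one. Testing the zero case without a product avoids that: `if (!s->num_x || !s->num_y || s->num_x * (uint64_t)s->num_y > INT_MAX ||` followed by the two added width/height checks, which are fine as written. dirac_unpack_idwt_params() continues outside the hunk.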
@@ -985,6 +985,10 @@ static int decode_lowdelay(DiracContext *s) for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) { bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den - slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den; + if (bytes >= INT_MAX || bytes*8 > bufsize) { + av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n"); + return AVERROR_INVALIDDATA; + } slices[slice_num].bytes = bytes; slices[slice_num].slice_x = slice_x; slices[slice_num].slice_y = slice_y; From 1e1c02c51b3bab52753fd09ecaea0a852df1a623 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jul 2018 12:40:48 +0200 Subject: [PATCH 707/818] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() Fixes: Timeout Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 1b0d2016b5..cd8301d143 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1)); 
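Review bot: The new guard `if (bytes >= INT_MAX || bytes*8 > bufsize)` does not reject a negative `bytes`; it is the difference of two divisions by `s->lowdelay.bytes.den`, so unless numerator and denominator are validated where they are parsed (outside this hunk), a negative value passes both tests and reaches `slices[slice_num].bytes = bytes`. Adding `bytes < 0 ||` as the first term closes that. The order of the two existing terms matters: `bytes >= INT_MAX` before `bytes*8` keeps the multiplication in range provided `bytes` is 64-bit, which the `(int64_t)` casts suggest but the declaration is not visible. decode_lowdelay() continues outside the hunk.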
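Review bot: The added `if (bytestream2_get_bytes_left(&s->g) < 1) return;` in qtrle_decode_2n4bpp, repeated identically in the 8bpp, 16bpp, 24bpp and 32bpp hunks that follow, needs a comment saying why it exists when the `while` condition already reads a byte: past the end of the buffer the bounds-safe bytestream2_get_byte() keeps returning 0, which never matches the -1 terminator, so an exhausted stream would spin in the loop. Suggested comment above the check: `/* bytestream2 returns 0 past the end, so the -1 terminator is never seen; stop on exhausted input */`. The check only guarantees one more byte; the per-code operand reads below still rely on the reader's own bounds handling, which is enough for termination but worth stating. Each of these functions starts outside its hunk.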
@@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1)); @@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2; @@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3; @@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4; From e2d052d5c8321487338979568c1e372727002603 Mon Sep 17 00:00:00 2001 
From: Nikolas Bowe Date: Mon, 30 Jul 2018 17:22:02 -0700 Subject: [PATCH 708/818] lavc/svq3: Fix regression decoding some files. Fixes some SVQ3 encoded files which fail to decode correctly after 6d6faa2a2d. These files exhibit lots of artifacts and logs show "Media key encryption is not implemented". However they decode without artifacts before 6d6faa2a2d. The attatched patch allows these files to successfully decode, but also reject media key files. Tested on the files in #6094 and http://samples.mplayerhq.hu/V-codecs/SVQ3/Vertical400kbit.sorenson3.mov Signed-off-by: Michael Niedermayer (cherry picked from commit 5aeb3b008080d8d4a38f245d557dbc9bd6c36dcf) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5cb5bd45b7..e5bbb393e0 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1065,16 +1065,15 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id); return -1; } - if (get_bits1(&s->gb_slice)) { - avpriv_report_missing_feature(s->avctx, "Media key encryption"); - return AVERROR_PATCHWELCOME; - } s->slice_type = ff_h264_golomb_to_pict_type[slice_id]; if ((header & 0x9F) == 2) { - i = (s->mb_num < 64) ? 5 : av_log2(s->mb_num - 1); + i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1)); get_bits(&s->gb_slice, i); + } else if (get_bits1(&s->gb_slice)) { + avpriv_report_missing_feature(s->avctx, "Media key encryption"); + return AVERROR_PATCHWELCOME; } s->slice_num = get_bits(&s->gb_slice, 8); From 0026d007428a1ef5cd4e8f54bafc54c0306beab9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Jul 2018 15:03:50 +0200 Subject: [PATCH 709/818] avformat/flvenc: Check audio packet size Fixes: Assertion failure Fixes: assert_flvenc.c:941_1.swf Found-by: #CHEN HONGXU# 
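Review bot: The changed width `i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1));` is one bit wider than before and the `get_bits(&s->gb_slice, i)` result is discarded, but neither the hunk nor the commit message says what field those bits are or why the count grew; a comment such as `/* skip the <FIELD-NAME placeholder> field; its width grows with mb_num */` naming the field from the format description would make the regression fix reviewable. Moving the media-key bit into `else if (get_bits1(&s->gb_slice))` also changes which slice types can hit AVERROR_PATCHWELCOME, which one line of comment could state. svq3_decode_slice_header() continues outside the hunk.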
Signed-off-by: Michael Niedermayer (cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 899b07ea7b..e966c36c65 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -879,6 +879,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) int flags = -1, flags_size, ret; int64_t cur_offset = avio_tell(pb); + if (par->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) { + av_log(s, AV_LOG_WARNING, "Empty audio Packet\n"); + return AVERROR(EINVAL); + } + if (par->codec_id == AV_CODEC_ID_VP6F || par->codec_id == AV_CODEC_ID_VP6A || par->codec_id == AV_CODEC_ID_VP6 || par->codec_id == AV_CODEC_ID_AAC) flags_size = 2; From 0678985c14dd716efaa373ed5986b6e7230365d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Jul 2018 10:59:09 +0200 Subject: [PATCH 710/818] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int' Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 8f72624559..b924148e0f 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c 
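Review bot: The new rejection of an empty audio packet logs at `AV_LOG_WARNING` but returns `AVERROR(EINVAL)`, which aborts the mux; if the packet is fatal the message should be `AV_LOG_ERROR`, and if it is meant to be skippable the branch should `return 0` after the warning instead. A one-line comment on why a zero-size audio packet cannot be written here (the commit message points to an assertion further down, outside the hunk) would also help. flv_write_packet() continues outside the hunk.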
@@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h1 = h[0][1]; INTFLOAT h2 = h[0][2]; INTFLOAT h3 = h[0][3]; - INTFLOAT hs0 = h_step[0][0]; - INTFLOAT hs1 = h_step[0][1]; - INTFLOAT hs2 = h_step[0][2]; - INTFLOAT hs3 = h_step[0][3]; + UINTFLOAT hs0 = h_step[0][0]; + UINTFLOAT hs1 = h_step[0][1]; + UINTFLOAT hs2 = h_step[0][2]; + UINTFLOAT hs3 = h_step[0][3]; int n; for (n = 0; n < len; n++) { From 0ea1b62b9ac50739b12b9d72c991456ed2f2d192 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Aug 2018 14:51:36 +0200 Subject: [PATCH 711/818] avcodec/mpegaudio_parser: Initialize poutbuf* Possibly fixes: null pointer dereference Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224 Fixes: Heap-use-after-free Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 8c39825792..a072851ecf 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); + *poutbuf = NULL; + *poutbuf_size = 0; return 0; /* parsers must not return error codes */ } From 488c246bf565d56f153874d1348435c7187679a1 Mon Sep 17 00:00:00 2001 
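Review bot: Switching `hs0..hs3` to `UINTFLOAT` while `h0..h3` stay `INTFLOAT` is a deliberate type mismatch that deserves a comment, since the accumulation that motivates it happens in the loop body below, outside the changed lines; e.g. on the declarations: `/* UINTFLOAT: the steps are accumulated into h0..h3 and may wrap; unsigned wraparound is defined, signed overflow is not */`. This assumes UINTFLOAT is `unsigned` in the fixed-point build and `float` otherwise, which is not visible in the hunk. ps_stereo_interpolate_c() continues outside the hunk.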
From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:43:33 +0200 Subject: [PATCH 712/818] avcodec/shorten: Check verbatim length Fixes: Timeout Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 68c2a2d804..010000d0a1 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -623,6 +623,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, switch (cmd) { case FN_VERBATIM: len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + if (len < 0 || len > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n", + len); + return AVERROR_INVALIDDATA; + } while (len--) get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); break; From d16d851238f4c056837ba6d8fef4b0c274b8d146 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:55:59 +0200 Subject: [PATCH 713/818] avcodec/shorten: Fix integer overflow in residual/LPC combination Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int' Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 010000d0a1..ad83dfb199 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
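Review bot: `len > get_bits_left(&s->gb)` compares a count of Golomb symbols with a count of bits, which is a deliberately loose bound: each symbol the skip loop reads with get_ur_golomb_shorten(..., VERBATIM_BYTE_SIZE) should consume more than one bit, so a stream that passes the test still terminates the loop well within the buffer. That is enough for the timeout fix, but a comment such as `/* loose bound: each verbatim symbol is wider than one bit, this only guarantees the loop terminates */` would stop a reader from tightening it to `len * (VERBATIM_BYTE_SIZE + 1)` without checking that product for overflow. shorten_decode_frame() continues outside the hunk.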
@@ -391,7 +391,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (j = 0; j < pred_order; j++) sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + - (sum >> qshift); + (unsigned)(sum >> qshift); } /* add offset to current samples */ From 298ca73ab14ba66fec0596fef1eda92a532a488d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 23:06:55 +0200 Subject: [PATCH 714/818] avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame() Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 9480/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6647324284551168 -rss_limit_mb=2000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b604e96a51a1fca92bbabfe4f7ac53f0470ee41) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index ad83dfb199..c63be626ba 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -711,7 +711,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; else - s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift); + s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1LL << s->bitshift); } /* copy wrap samples for use with next block */ From 907699d1207f50f3a0f9c96443ffbde71bb580e5 Mon Sep 17 00:00:00 2001 
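Review bot: `(sum / s->blocksize) * (1LL << s->bitshift)` is defined only for `s->bitshift` in 0..63, and the `== 32` special case on the same line shows the field reaches at least 32; unless FN_BITSHIFT parsing (outside this hunk) already rejects negative values and values above 32, the shift is still undefined for those. `s->blocksize` must also be non-zero here, presumably guaranteed where it is parsed. A comment such as `/* 1LL: bitshift can be up to 31 here (32 is handled by the ternary), so 1 << bitshift would overflow int */` would document the widening. shorten_decode_frame() continues outside the hunk.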
From: Michael Niedermayer Date: Sat, 4 Aug 2018 23:45:52 +0200 Subject: [PATCH 715/818] avcodec/scpr: Check for min > max in decompress_p() Fixes: Timeout Fixes: 9342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4795990841229312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3378194ce8e9a126a7cc6ed57bedde1221790469) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 694450abf0..f286ca8575 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -522,6 +522,9 @@ static int decompress_p(AVCodecContext *avctx, return ret; max += temp << 8; + if (min > max) + return AVERROR_INVALIDDATA; + memset(s->blocks, 0, sizeof(*s->blocks) * s->nbcount); while (min <= max) { From 44ebea8657e2c786b8b22ebee69d97a2b0efd07f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:29 +0200 Subject: [PATCH 716/818] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() Fixes: long running loop Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3eb49a5d29..f3fa550c63 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1270,6 +1270,8 @@ static int ivr_read_header(AVFormatContext *s) if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) { ret = rm_read_multi(s, pb, st, NULL); } else { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -4, SEEK_CUR); ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, len, NULL); } From 24add16a323630d38be67203b2272b951ce68575 Mon Sep 17 00:00:00 2001 
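Review bot: The purpose of the new `if (min > max) return AVERROR_INVALIDDATA;` is not evident from the hunk, because the `while (min <= max)` two lines below would simply not run for min > max; the commit message says it fixes a timeout, so something in the loop body or after it (outside the hunk) must misbehave for that input, and a one-line comment naming it, e.g. `/* min > max is invalid input; <describe the loop that otherwise fails to terminate — placeholder> */`, would keep the check from being removed as dead code later. decompress_p() continues outside the hunk.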
From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:28 +0200 Subject: [PATCH 717/818] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned Fixes: infinite loop Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 319cd26de4..6d774a191d 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) return 0; } -static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size) +static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); if (!value) { From b80d7d4a092048251336806095138ae5f495bad4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 12:23:20 +0200 Subject: [PATCH 718/818] avformat/nsvdec: Do not parse multiple NSVf The specification states "NSV files may contain a single file header. " Fixes: out of array access Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421 Found-by: Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index d8ce656817..92f7d178f6 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -176,6 +176,7 @@ typedef struct NSVContext { int16_t avsync; AVRational framerate; uint32_t *nsvs_timestamps; + int nsvf; } NSVContext; static const AVCodecTag nsv_codec_video_tags[] = { 
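Review bot: With `size` now `unsigned`, `av_malloc(size + 1)` on the next line wraps to `av_malloc(0)` for `size == UINT_MAX`, after which whatever fills `value` with `size` bytes (presumably the avio read further down, outside the hunk) overruns the allocation; the old `int` type had the mirror problem for negative values, which the commit fixes, but the upper end is unchanged. Unless every caller bounds `size` (none is in the hunk), add `if (size >= UINT_MAX) return;` before the allocation, or make the parameter `size_t` and compare against `SIZE_MAX`. read_string() continues outside the hunk.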
@@ -266,6 +267,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) nsv->state = NSV_UNSYNC; /* in case we fail */ + if (nsv->nsvf) { + av_log(s, AV_LOG_TRACE, "Multiple NSVf\n"); + return 0; + } + nsv->nsvf = 1; + size = avio_rl32(pb); if (size < 28) return -1; From dc8ec1a5bc8539339f866c77f1f1b917b6a4e125 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 20:15:19 +0200 Subject: [PATCH 719/818] avcodec/snowdec: Fix integer overflow with motion vector residual Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int' Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 00fa064102..a9fe91d251 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ return AVERROR_INVALIDDATA; } pred_mv(s, &mx, &my, ref, left, top, tr); - mx+= get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); - my+= get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); + mx+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); + my+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); } set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type); }else{ From 347c50b0d4e7119e77edcd0871b5d9c841877af4 Mon Sep 17 00:00:00 2001 
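Review bot: A second NSVf header is reported at `AV_LOG_TRACE`, yet the commit message quotes the specification as allowing a single file header, so the condition identifies a malformed file and deserves at least `av_log(s, AV_LOG_WARNING, "Multiple NSVf\n");` so users see it. `nsv->nsvf = 1;` is set before `size = avio_rl32(pb); if (size < 28) return -1;`, so a first header that fails validation still counts as seen; that looks intentional (it prevents re-parsing) but a short comment saying so would help. nsv_parse_NSVf_header() continues outside the hunk.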
From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:19:23 +0200 Subject: [PATCH 720/818] avcodec/vb: Check for end of bytestream before reading blocktype Fixes: Timeout Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 021657f7d8..c6dd6fb456 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset) blk2 = 0; for (blk = 0; blk < blocks; blk++) { if (!(blk & 3)) { + if (bytestream2_get_bytes_left(&g) < 1) { + av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } blocktypes = bytestream2_get_byte(&g); } switch (blocktypes & 0xC0) { From 66331499a7d221d5053f74452c976b2d8f2038f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:53:32 +0200 Subject: [PATCH 721/818] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() Fixes: Timeout Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index f88ad7d5f5..ec9da3e04f 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c 
@@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup, int flag = 0; int i, ret, cbp; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1); for (i = 0; i < 12; i++) From 7266a6d23c8943d76cf1e056671c9a8bd9902069 Mon Sep 17 00:00:00 2001 From: Michael Bunk Date: Thu, 30 Aug 2018 08:56:19 +0200 Subject: [PATCH 722/818] examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER AV_CODEC_FLAG_GLOBAL_HEADER should be set before calling avcodec_open2() to have any effect. Signed-off-by: Michael Niedermayer (cherry picked from commit a82e4fb8c6f26e75506df6818fee1b61f940cbeb) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index 476ec69afe..0e2fe0a4a1 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -173,6 +173,9 @@ static int open_output_file(const char *filename) enc_ctx->time_base = (AVRational){1, enc_ctx->sample_rate}; } + if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER) + enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; + /* Third parameter can be used to pass settings to encoder */ ret = avcodec_open2(enc_ctx, encoder, NULL); if (ret < 0) { @@ -184,8 +187,6 @@ static int open_output_file(const char *filename) av_log(NULL, AV_LOG_ERROR, "Failed to copy encoder parameters to output stream #%u\n", i); return ret; } - if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER) - enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; out_stream->time_base = enc_ctx->time_base; stream_ctx[i].enc_ctx = enc_ctx; From 1acec9bbf55b9d53c20e8d2f147458262abdc28f Mon Sep 17 00:00:00 2001 
From: Dale Curtis Date: Thu, 30 Aug 2018 15:18:25 -0700 Subject: [PATCH 723/818] avformat/mov: Error on too large stsd entry counts. Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6db8a47b7..f4687db54e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2356,7 +2356,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); - if (entries <= 0) { + /* Each entry contains a size (4 bytes) and format (4 bytes). */ + if (entries <= 0 || entries > atom.size / 8) { av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries); return AVERROR_INVALIDDATA; } From 78a1db00c4c41258791c8ff9d5bc1adcc176cf69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Aug 2018 01:58:32 +0200 Subject: [PATCH 724/818] avcodec/indeo4: Check dimensions in decode_pic_hdr() Fixes: Timeout Fixes: 9654/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-6289863463665664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7592e88bfe3d5bf9109a55acd025af9110618405) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 199af1a3c2..eee868cb7c 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" #include "get_bits.h" +#include "libavutil/imgutils.h" #include "indeo4data.h" #include "internal.h" #include "ivi.h" @@ -178,6 +179,13 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) pic_conf.chroma_bands = 0; if (pic_conf.luma_bands) pic_conf.chroma_bands = decode_plane_subdivision(&ctx->gb); + + if (av_image_check_size2(pic_conf.pic_width, pic_conf.pic_height, avctx->max_pixels, AV_PIX_FMT_YUV410P, 0, avctx) < 0) { + av_log(avctx, AV_LOG_ERROR, "picture dimensions %d %d cannot be decoded\n", + pic_conf.pic_width, pic_conf.pic_height); + return AVERROR_INVALIDDATA; + } + ctx->is_scalable = pic_conf.luma_bands != 1 || pic_conf.chroma_bands != 1; if (ctx->is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands != 1)) { av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! Luma bands: %d, chroma bands: %d\n", From 5c91bb1881a88980ad19e40d2fcadbfe0eacef6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Aug 2018 02:26:24 +0200 Subject: [PATCH 725/818] avcodec/ra144: Fix undefined integer overflow in add_wav() Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int' Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index cf8127c236..573703d70b 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c 
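Review bot: The new `av_image_check_size2(pic_conf.pic_width, pic_conf.pic_height, avctx->max_pixels, AV_PIX_FMT_YUV410P, 0, avctx)` call is a single line of roughly 130 columns, well past the 80-column convention of this codebase; wrap it after `avctx->max_pixels,`. The check also runs only after decode_plane_subdivision() has consumed the band layout; placing it directly after the dimensions are parsed (earlier in decode_pic_hdr(), outside this hunk) would fail sooner, provided nothing in between depends on the dimensions, though the present position is still correct.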
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From fa5498cb4dae73d4cf733e1578851547d17f1716 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Aug 2018 02:06:27 +0200 Subject: [PATCH 726/818] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() Signed-off-by: Michael Niedermayer (cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index af70829594..2cdb67f978 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -806,6 +806,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h) } } + // Detect unmarked random access points if ( err >= 0 && h->long_ref_count==0 && ( h->short_ref_count<=2 From 46875255bc957832bbd3cabf593471c5a16f2e55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 04:24:49 +0200 Subject: [PATCH 727/818] avcodec/dvdsubdec: Avoid branch in decode_run_8bit() Speed improvment 35.5 sec -> 34.7sec Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index e18113c20c..a5107096df 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c 
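Review bot: The `(unsigned)` cast covers only the `s1[i]*v[0]` product; after the `(int)` cast the additions `+ s2[i]*v[1] + s3[i]*v[2]` are performed in signed int again, so the sum can still overflow on crafted gain values (the later ra144 patch in this series, which moves the `(int)` cast outside the whole sum, addresses exactly that). Dropping the inner cast so the entire expression stays unsigned fixes both at once: `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;`. The computation of v[] in add_wav() is outside the hunk.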
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color) { int len; int has_run = get_bits1(gb); - if (get_bits1(gb)) - *color = get_bits(gb, 8); - else - *color = get_bits(gb, 2); + *color = get_bits(gb, 2 + 6*get_bits1(gb)); if (has_run) { if (get_bits1(gb)) { len = get_bits(gb, 7); From 3c3b437d794703e4172a08b82067612b45f3747e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 02:08:20 +0200 Subject: [PATCH 728/818] avcodec/shorten: Fix bitstream end check in read_header() Fixes: Timeout Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index c63be626ba..fa5ed3b64b 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -456,7 +456,7 @@ static int read_header(ShortenContext *s) } skip_bytes = get_uint(s, NSKIPSIZE); - if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + if ((unsigned)skip_bytes > FFMAX(get_bits_left(&s->gb), 0)/8) { av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); return AVERROR_INVALIDDATA; } From bf4026fcbee8209b95d69d36cafb8fab63aeb442 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Sep 2018 21:33:59 +0200 Subject: [PATCH 729/818] avcodec/zmbv: Update decomp_len in raw frames decomp_len is used in raw frames, so it should not be left at the value from whatever was decoded previously (which may be any other frame) Signed-off-by: Michael Niedermayer (cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 1 + 1 file changed, 1 insertion(+) 
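Review bot: `*color = get_bits(gb, 2 + 6*get_bits1(gb));` folds the bitstream syntax into arithmetic, and the meaning of the flag bit that the removed if/else made obvious is now lost at the site; a comment restores it without reintroducing the branch: `/* 1 flag bit: 0 -> 2-bit color index, 1 -> 8-bit color */`. The rewrite is equivalent because get_bits1() is evaluated exactly once as the argument, so the read order is unchanged.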
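Review bot: Clamping with `FFMAX(get_bits_left(&s->gb), 0)` hides the case the fix is really about: a negative remainder means an earlier field already read past the end of the buffer, and with the clamp a `skip_bytes` of 0 still passes although the reader is overrun, unless a later check catches that. Making the overrun an explicit failure is clearer, e.g. `if (get_bits_left(&s->gb) < 0) return AVERROR_INVALIDDATA;` ahead of the comparison, which can then keep its original form since the remainder is known to be non-negative. The rest of read_header() is outside the hunk.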
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index f91d2e3931..1ec656be36 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } memcpy(c->decomp_buf, buf, len); + c->decomp_len = len; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = (uint8_t*)buf; From 7fb45ccf4ef537599f9bb2c8925d6a28204650a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Sep 2018 00:28:37 +0200 Subject: [PATCH 730/818] avcodec/zmbv: Check that the decompressed data size is correct This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable. Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 1ec656be36..b994e96e95 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) 
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; From 43a80efee600d75b5ae9efe52f36303dabfb81bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 00:20:38 +0200 Subject: [PATCH 731/818] avcodec/mpeg4videodec: Fix undefined shift in get_amv() Fixes: runtime error: shift exponent -1 is negative Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 319a3809ea..91a0d726f9 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
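Review bot: The condition `expected_size > c->decomp_len || (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len` mixes `||` and `&&` without parentheses, which compilers flag with -Wparentheses and which obscures the two rules (exact size for keyframes, minimum size for inter frames). Writing the rule directly is clearer: `int bad_size = (c->flags & ZMBV_KEYFRAME) ? expected_size != c->decomp_len : expected_size > c->decomp_len;` followed by `if (bad_size) {`. The `expected_size` computation in the earlier hunk deserves the same note, since `(c->bx * c->by * 2 + 3) & ~3` is only a lower bound for inter frames, as the commit message explains but the code does not.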
@@ -539,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) len >>= s->quarter_sample; if (s->real_sprite_warping_points == 1) { - if (ctx->divx_version == 500 && ctx->divx_build == 413) + if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); From 6177ed2a9b703bca232d466e90120bd74860a771 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 03:33:50 +0200 Subject: [PATCH 732/818] avcodec/dvdsubdec: Sanity check len in decode_rle() Fixes: Timeout Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index a5107096df..cf10844753 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, len = decode_run_8bit(&gb, &color); else len = decode_run_2bit(&gb, &color); + if (len != INT_MAX && len > w - x) + return AVERROR_INVALIDDATA; len = FFMIN(len, w - x); memset(d + x, color, len); x += len; From a9ce7cfc594916d55958a9e776104ad70a81fea5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Sep 2018 15:18:17 +0200 Subject: [PATCH 733/818] avcodec/unary: Improve get_unary() docs Found-by: kierank Signed-off-by: Michael Niedermayer (cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b) Signed-off-by: Michael Niedermayer --- libavcodec/unary.h | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
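Review bot: The added `a >= s->quarter_sample` term prevents a negative shift count in `1 << (a - s->quarter_sample)`, but nothing at the site says why the DivX 5.0 build 413 path exists or why a smaller `a` now falls through to the generic RSHIFT branch. A comment such as `/* DivX 5.0 build 413 compatibility; a < quarter_sample would be a negative shift, use the generic path */` keeps the condition from being "simplified" later. The declarations of `a` and `len` in get_amv() are outside the hunk.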
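Review bot: The new `len != INT_MAX` exclusion relies on a sentinel that is not documented at this site: decode_run_8bit()/decode_run_2bit() appear to return INT_MAX for "run to end of line", and after this check the following `FFMIN(len, w - x)` only still matters for that sentinel. State it where it is relied on: `/* INT_MAX = run to end of line; any explicit run must fit in the remaining width */`. The enclosing loop of decode_rle() is outside the hunk.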
diff --git a/libavcodec/unary.h b/libavcodec/unary.h index 908dc93507..d57f9f70c5 100644 --- a/libavcodec/unary.h +++ b/libavcodec/unary.h @@ -28,7 +28,20 @@ * @param gb GetBitContext * @param[in] stop The bitstop value (unary code of 1's or 0's) * @param[in] len Maximum length - * @return Unary length/index + * @return unary 0 based code index. This is also the length in bits of the + * code excluding the stop bit. + * (in case len=1) + * 1 0 + * 0 1 + * (in case len=2) + * 1 0 + * 01 1 + * 00 2 + * (in case len=3) + * 1 0 + * 01 1 + * 001 2 + * 000 3 */ static inline int get_unary(GetBitContext *gb, int stop, int len) { From 1e59d05e48f9e12aa50a3ad89d6a78c281997a6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Oct 2018 03:00:32 +0200 Subject: [PATCH 734/818] avformat/utils: Fix integer overflow in discontinuity check Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long' Fixes: find_stream_info_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4df9ba5665..0f6b0f6e53 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3622,7 +3622,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * sequence, we treat it as a discontinuity. */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && - (pkt->dts - st->info->fps_last_dts) / 1000 > + (pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 > (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, From a1f4fe165a4063433d1f0472b3ed5dbf15130b96 Mon Sep 17 00:00:00 2001 
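Review bot: Casting `st->info->fps_last_dts` to `uint64_t` makes the subtraction wrap instead of overflowing, but it also changes what a backwards dts (`pkt->dts < fps_last_dts`) means: the difference becomes a huge unsigned value, so the comparison now treats any backwards jump as a discontinuity, whereas the signed form yielded a negative quotient that never compared greater. That is probably acceptable for a discontinuity check, yet it is implicit; a comment like `/* unsigned: avoids signed overflow; a backwards dts wraps to a huge gap and also counts as a discontinuity */` makes the reliance deliberate. The surrounding condition continues outside the hunk.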
From: Michael Niedermayer Date: Fri, 12 Oct 2018 20:55:25 +0200 Subject: [PATCH 735/818] avformat/utils: Never store negative values in last_IP_duration Fixes: integer overflow compute_pkt_fields() Fixes: compute_pkt_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0f6b0f6e53..362497d284 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1311,7 +1311,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, /* This is tricky: the dts must be incremented by the duration * of the frame we are displaying, i.e. the last I- or P-frame. */ - if (st->last_IP_duration == 0) + if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX) st->last_IP_duration = pkt->duration; if (pkt->dts != AV_NOPTS_VALUE) st->cur_dts = pkt->dts + st->last_IP_duration; @@ -1323,7 +1323,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, next_pts != AV_NOPTS_VALUE) pkt->pts = next_dts; - st->last_IP_duration = pkt->duration; + if ((uint64_t)pkt->duration <= INT32_MAX) + st->last_IP_duration = pkt->duration; st->last_IP_pts = pkt->pts; /* Cannot compute PTS if not present (we can compute it only * by knowing the future. */ From caddb7890aa68dcce7b0a8df9491a82389cacb47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Oct 2018 04:25:50 +0200 Subject: [PATCH 736/818] avcodec/ra144: Fix integer overflow in add_wav() Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int' Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
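Review bot: `(uint64_t)pkt->duration <= INT32_MAX` appears twice in compute_pkt_fields() (both hunks here), and the cast does double duty that the code does not spell out: it rejects values above INT32_MAX and, because a negative int64 converts to a value far above INT32_MAX, negative durations as well. Either comment both sites, `/* rejects negative and > INT32_MAX durations; last_IP_duration is presumably a plain int */`, or name the test, e.g. a small static inline `duration_fits_int(int64_t d)`, so the two sites cannot drift apart. The declaration of last_IP_duration is not visible in the hunk.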
Signed-off-by: Michael Niedermayer (cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 573703d70b..65a744876c 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From 65710b7e6c89131ed4ea9be7799b8a804505e4d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Oct 2018 03:13:41 +0200 Subject: [PATCH 737/818] avcodec/h264_cavlc: Check mb_skip_run Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264 Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index ffed204441..c88140650a 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c 
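Review bot: The expression now converts the whole sum to `unsigned` and casts back to `int` before `>> 12`; both the out-of-range `(int)` conversion and the right shift of a negative value are implementation-defined rather than undefined, which matches the codebase's usual two's-complement assumption but is not stated here. A one-line comment keeps the next reader from "simplifying" the casts away: `/* unsigned arithmetic: the products can exceed INT_MAX on crafted gains; wrap, then arithmetic shift */`. Note that `s2[i]*v[1]` and `s3[i]*v[2]` are still evaluated as signed products before being added; whether their operand ranges make that safe is not visible in the hunk.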
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl) cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */ if (sl->slice_type_nos != AV_PICTURE_TYPE_I) { - if (sl->mb_skip_run == -1) - sl->mb_skip_run = get_ue_golomb_long(&sl->gb); + if (sl->mb_skip_run == -1) { + unsigned mb_skip_run = get_ue_golomb_long(&sl->gb); + if (mb_skip_run > h->mb_num) { + av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run); + return AVERROR_INVALIDDATA; + } + sl->mb_skip_run = mb_skip_run; + } if (sl->mb_skip_run--) { if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) { From 947f7af04821555f6ee935e5735560daabbe9a14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Oct 2018 01:19:36 +0200 Subject: [PATCH 738/818] avcodec/mpeg4videodec: Fix typo in sprite delta check Fixes: Integer overflow Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 91a0d726f9..d241c58e8a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
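Review bot: The error message passes the `unsigned mb_skip_run` to a `%d` conversion; the format and argument types do not match, which -Wformat reports and which the C standard leaves undefined. Use `%u`: `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`. The bound against `h->mb_num` is otherwise sound assuming mb_num is non-negative (its declaration is outside the hunk), and the decrement on the following context line then operates on a value known to fit the int field.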
@@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || From 98444e0222eda0d9e1a67ac28e2822434db4175e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Oct 2018 22:35:37 +0200 Subject: [PATCH 739/818] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling Fixes: assertion failure Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f844d032a9..4d679a4999 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1128,7 +1128,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; - if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue; for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { From 2405af5081a906cacc053ac4c59b13ef724cd094 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 21 Oct 2018 14:40:14 +0200 Subject: [PATCH 740/818] avcodec/msrle: Check that the input is large enough to contain a end of picture code Fixes: Timeout Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 203ccb8746997777ce66beadd53b4631d217b9cd) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index adb55b1302..1ab8a41985 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + if (buf_size < 2) //Minimally a end of picture code should be there + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 72e1c43d6df5fc9952d11ee1b6cbd9431f71be50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Oct 2018 01:44:12 +0200 Subject: [PATCH 741/818] avutil/integer: Fix integer overflow in av_mul_i() Found-by: fate Signed-off-by: Michael Niedermayer (cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/integer.c b/libavutil/integer.c index 6d6855fa1b..ba4aa778c9 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; + carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } From 6fe9f36dd9945961c0d95912f5ae5be4d8ea431f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Nov 2018 01:32:12 +0100 Subject: [PATCH 742/818] Update for FFmpeg 3.3.9 
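Review bot: The trailing `//Minimally a end of picture code should be there` comment sits on the `if` line and reads awkwardly; move it above the check and name the constant it justifies: `/* an end-of-picture code is 2 bytes, so anything shorter cannot be a valid frame */` with `if (buf_size < 2)` on its own line. Because the guard comes after `s->buf`/`s->size` are assigned, the context keeps pointing at the rejected buffer on the error path; if any later call can observe that state, move the check ahead of the assignments.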
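Review bot: The `(unsigned)` cast fixes the overflow of `a.v[i]*b.v[j-i]`, but the reason — both limbs are 16-bit values that the usual promotions turn into `int`, so the product can reach 0xFFFE0001 and exceed INT_MAX — is worth a comment, since the cast looks redundant next to what is presumably an unsigned `carry`: `/* uint16 * uint16 is promoted to int and can overflow; multiply in unsigned */`. The loop header of this hunk is garbled in this rendering and was not reviewed.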
Signed-off-by: Michael Niedermayer --- Changelog | 47 +++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 49 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0dd9d68d67..ea75538f17 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,53 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.9: +- avutil/integer: Fix integer overflow in av_mul_i() +- avcodec/msrle: Check that the input is large enough to contain a end of picture code +- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling +- avcodec/mpeg4videodec: Fix typo in sprite delta check +- avcodec/h264_cavlc: Check mb_skip_run +- avcodec/ra144: Fix integer overflow in add_wav() +- avformat/utils: Never store negative values in last_IP_duration +- avformat/utils: Fix integer overflow in discontinuity check +- avcodec/unary: Improve get_unary() docs +- avcodec/dvdsubdec: Sanity check len in decode_rle() +- avcodec/mpeg4videodec: Fix undefined shift in get_amv() +- avcodec/zmbv: Check that the decompressed data size is correct +- avcodec/zmbv: Update decomp_len in raw frames +- avcodec/shorten: Fix bitstream end check in read_header() +- avcodec/dvdsubdec: Avoid branch in decode_run_8bit() +- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() +- avcodec/ra144: Fix undefined integer overflow in add_wav() +- avcodec/indeo4: Check dimensions in decode_pic_hdr() +- avformat/mov: Error on too large stsd entry counts. 
+- examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER +- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() +- avcodec/vb: Check for end of bytestream before reading blocktype +- avcodec/snowdec: Fix integer overflow with motion vector residual +- avformat/nsvdec: Do not parse multiple NSVf +- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned +- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() +- avcodec/scpr: Check for min > max in decompress_p() +- avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame() +- avcodec/shorten: Fix integer overflow in residual/LPC combination +- avcodec/shorten: Check verbatim length +- avcodec/mpegaudio_parser: Initialize poutbuf* +- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() +- avformat/flvenc: Check audio packet size +- lavc/svq3: Fix regression decoding some files. +- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() +- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too +- avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions +- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case +- avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i() +- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() +- swresample/swresample: Fix input channel count in resample_first computation +- avutil/pixfmt: Document chroma plane size for odd resolutions +- avcodec/cuviddec: properly take deinterlacing and display delay into account for buffer_full check +- avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL + + version 3.3.8: - avcodec/dvdsub_parser: Allocate input padding - avcodec/dvdsub_parser: Init output buf/size diff --git a/RELEASE b/RELEASE index 37d02a6e38..3b47f2e4f8 100644 --- a/RELEASE +++ b/RELEASE 
@@ -1 +1 @@ -3.3.8 +3.3.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7610d18818..3e4b051b18 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.8 +PROJECT_NUMBER = 3.3.9 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From ecbf42e13a682481deb83eb4e63d56fe87a4b356 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Oct 2018 21:08:39 +0100 Subject: [PATCH 743/818] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index a072851ecf..04400a44e7 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, "MP3ADU full parser"); *poutbuf = NULL; *poutbuf_size = 0; - return 0; /* parsers must not return error codes */ + return buf_size; /* parsers must not return error codes */ } break; From 14c8795361a8b59c575cdce60961d9086aedd2b4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 4 Nov 2018 20:00:16 +0100 Subject: [PATCH 744/818] avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 79349b5005..b4ec6e996a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { - if (h->cbp & (1 << 4)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (h->cbp & (1 << 4)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); - if (h->cbp & (1 << 5)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (ret < 0) + return ret; + } + if (h->cbp & (1 << 5)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); + if (ret < 0) + return ret; + } + return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; + int ret; ff_cavs_init_mb(h); 
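Review bot: decode_residual_chroma() now returns an error code, but only the call in decode_mb_i() (later hunks) is updated; if it has other callers — decode_residual_inter(), declared immediately after it in the context, is the obvious candidate — they now silently discard the value, and the truncated-stream case this commit fixes remains there. Marking the declaration `av_warn_unused_result` would make the compiler point at any call site that ignores it. The two `int ret` declarations in sibling blocks could also be a single declaration at function scope, matching the `int ret;` this commit adds to decode_mb_i().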
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, &left, block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); - if (h->cbp & (1<qp, d, h->l_stride); + if (h->cbp & (1<qp, d, h->l_stride); + if (ret < 0) + return ret; + } } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); - decode_residual_chroma(h); + ret = decode_residual_chroma(h); + if (ret < 0) + return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; From 26610256798174b0216ae807d92af3e712b99040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 19:59:27 +0100 Subject: [PATCH 745/818] avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index fa5ed3b64b..181d89f021 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) - s->decoded[channel][i] -= coffset; + s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; 
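Review bot: `s->decoded[channel][i] -= (unsigned)coffset;` (and the matching `+=` in the next hunk) now evaluates in unsigned and stores the wrapped value back into the signed sample, which avoids the signed-overflow UB but leaves the next reader to guess why a signed offset is cast. A comment at the first site covers both: `/* unsigned arithmetic: wraps instead of signed-overflow UB on crafted offsets */`. The element type of `s->decoded` is not visible here.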
@@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) - s->decoded[channel][i] += coffset; + s->decoded[channel][i] += (unsigned)coffset; return 0; } From 3c4a874388a903abc03954c9d5220a47a5e11df6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Nov 2018 20:29:40 +0100 Subject: [PATCH 746/818] fftools/ffmpeg: Repair reinit_filter feature Signed-off-by: Michael Niedermayer (cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index eb0f8b7c9c..b0ac1c6708 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2154,9 +2154,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) /* determine if the parameters for this input changed */ need_reinit = ifilter->format != frame->format; - if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || - (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) - need_reinit = 1; switch (ifilter->ist->st->codecpar->codec_type) { case AVMEDIA_TYPE_AUDIO: @@ -2170,6 +2167,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) break; } + if (!ifilter->ist->reinit_filters && fg->graph) + need_reinit = 0; + + if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || + (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) + need_reinit = 1; + if (need_reinit) { ret = ifilter_parameters_from_frame(ifilter, frame); if (ret < 0) From 14778d3fda0a1fe83d6f40cd8ee1dcf4199b1f98 Mon Sep 17 00:00:00 2001 
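Review bot: The hw_frames_ctx comparison was moved below the `reinit_filters` override so that a changed hardware frames context forces a reinit even with reinit_filters disabled, but the code does not say so; the existing comment "determine if the parameters for this input changed" now sits above logic that deliberately discards that determination. Suggest a comment on the new block: `/* hw_frames_ctx changes always require a reinit, even when reinit_filters is disabled */`. `fg` is referenced as `fg->graph` but declared outside the hunk; the `&& fg->graph` guard suggests the graph may not exist yet on the first frame, which is worth confirming. ifilter_send_frame() continues outside the hunk.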
From: Michael Niedermayer Date: Fri, 9 Nov 2018 03:12:45 +0100 Subject: [PATCH 747/818] avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674ddddcc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 67a6e3f9d0..e25239780a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -577,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); + if (s->compression_type) { + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); + goto error; + } s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ From 9cba90e5ef03f741074d45e3e68741d26c6c1741 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Nov 2018 01:33:38 +0100 Subject: [PATCH 748/818] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index ea75538f17..126772a013 100644 --- a/Changelog +++ b/Changelog 
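Review bot: The new check rejects any non-zero compression_type, but filter_type, read on the very next line, has the same single-value constraint in the PNG specification (filter method 0 is the only one defined) and interlace_type is only defined as 0 or 1; neither gets a range check in this hunk. If they are not validated elsewhere (not visible here), a sibling check would be consistent, e.g. `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }`. The `error` label is outside the hunk, so what it returns is not visible.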
@@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.3.9: +- avcodec/pngdec: Check compression method +- fftools/ffmpeg: Repair reinit_filter feature +- avcodec/shorten: Fix integer overflow with offset +- avcodec/cavsdec: Propagate error codes inside decode_mb_i() +- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case - avutil/integer: Fix integer overflow in av_mul_i() - avcodec/msrle: Check that the input is large enough to contain a end of picture code - avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling From 3d5762380d7d16fda58d3b347ea9a57c4fb18ec2 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2017 16:32:54 +0100 Subject: [PATCH 749/818] avfilter/af_silenceremove: fix possible crash if supplied duration is negative Signed-off-by: Paul B Mahol Fixes ticket #7697. (cherry picked from commit 2d1594a8d6a754a426cb53184dccf9cf8c8a94b0) --- libavfilter/af_silenceremove.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/af_silenceremove.c b/libavfilter/af_silenceremove.c index f156d1883d..3d3651a76f 100644 --- a/libavfilter/af_silenceremove.c +++ b/libavfilter/af_silenceremove.c @@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * From 884ecede17017bb5b56f547e66f13a505636f6de Mon Sep 17 00:00:00 2001 
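Review bot: `s->start_duration = -s->start_duration;` (and the matching stop_duration line) is itself undefined when the rescaled value is INT64_MIN, since negating it overflows; if the field is an int64_t (av_rescale() returns one), a hostile duration can reach that value. Given the option is being reported as invalid anyway, clamping is safer than negating: `s->start_duration = 0;`, or if the absolute value is really intended, guard the INT64_MIN case first. The warning "must be non-negative" also reads as a rejection while the code silently accepts the absolute value; the message should say what actually happens. config_input() continues outside the hunk.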
From: James Almer Date: Mon, 18 Mar 2019 17:25:58 -0300 Subject: [PATCH 750/818] avcodec/hevcdec: decode at most one slice reporting being the first in the picture Fixes deadlocks when decoding packets containing more than one of the aforementioned slices when using frame threads. Tested-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660) --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index db0bebfa49..776bb8f51c 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2799,6 +2799,10 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) return ret; if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; From 9d3509f4015f422584fe748ff66b0783d86c62e1 Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Sat, 24 Nov 2018 13:02:02 -0800 Subject: [PATCH 751/818] avutil/mem: Fix invalid use of av_alloc_size The alloc_size attribute is valid only on functions that return a pointer. GCC 9 (not yet released) warns about invalid usage: ./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes] 342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); | ^~~~~~~~~~~~~ Signed-off-by: Michael Niedermayer (cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8) --- libavutil/mem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.h b/libavutil/mem.h index 527cd03191..d6f9c81549 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h 
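Review bot: The new `if (s->ref)` guard encodes a non-obvious invariant — presumably `s->ref` is non-NULL only while a picture is in progress — and the reason it matters (frame-thread deadlock, per the commit message) lives only in the commit log. Suggest a comment above it: `/* s->ref is set by the first slice of a picture; a second "first slice" would restart the frame and can deadlock frame threading */`. The `fail` label is outside the hunk, so whether the partially started picture is released there is not visible. decode_nal_unit() starts and ends outside the hunk.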
@@ -338,7 +338,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * @warning Unlike av_malloc(), the allocated memory is not guaranteed to be * correctly aligned. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Reallocate the given buffer if it is not large enough, otherwise do nothing. From c13febd84353417f83c5f3ec4855e847af048733 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 752/818] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cd6db9ebac..7d12efef9d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -681,7 +681,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; From 174ce949d707476e9f7e4a215b69e2c3a42569f4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 753/818] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index c40fcde7ba..ee91cd9653 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c 
@@ -482,7 +482,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -491,7 +490,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From 1a577c59d093db9645fdeb2bd7a113c0e0432185 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:11:30 +0200 Subject: [PATCH 754/818] libavcodec/libmp3lame: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7e6941e185649409f44fb5aa31207bd7b00d23cd) --- libavcodec/libmp3lame.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 5e26743f29..79b2b9de06 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -279,7 +279,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) { av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n"); av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) { @@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } if (!s->delay_sent) { From 364a80ecb91d9b71c0306d323c2f2d7ca770c93e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 755/818] libavcodec/libvpxenc: Don't free user-provided AVPacket 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index b8e8d3a87b..f9d4f534c0 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -860,7 +860,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); From 706ae61cf3ab49be333ebaa4096bfd46aa1a64a2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 25 Jun 2020 15:10:35 +0200 Subject: [PATCH 756/818] avcodec/bitstream: Don't check for undefined behaviour after it happened Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a) Signed-off-by: Andreas Rheinhardt --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index ed528fe4af..237491978d 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return -1; + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) From b6f31b41cc5260fb99f28ca0244b20e00f883559 Mon Sep 17 00:00:00 2001 
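Review bot: The reordered check only rejects `table_nb_bits > 30`, but the parameter is a signed `int` and `1 << table_nb_bits` is still undefined for a negative value; the guard should be `if (table_nb_bits < 0 || table_nb_bits > 30)` unless every caller already guarantees a non-negative value (not visible here). The bound of 30 rather than 31 deserves a short comment, e.g. `/* keep 1 << table_nb_bits representable in a signed int */`. build_table() continues outside the hunk.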
From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 15:48:31 +0200 Subject: [PATCH 757/818] libavformat/mov: Fix memleaks when demuxing DV audio The code for demuxing DV audio predates the introduction of refcounted packets and when the latter was added, changes to the former were forgotten. This meant that when avpriv_dv_produce_packet initialized the packet containing the AVBufferRef, the AVBufferRef as well as the underlying AVBuffer leaked; the actual packet data didn't leak: They were directly freed, but not via their AVBuffer's free function. https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2 contains samples for this (enable_drefs needs to be enabled for them). Moreover, errors in avpriv_dv_produce_packet were ignored; this has been changed, too. Furthermore, in the hypothetical scenario that the track has a palette, this would leak, too, so reorder the code so that the palette code appears after the DV audio code. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f4687db54e..2a04b62f80 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6341,6 +6341,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; 
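Review bot: The `AVBufferRef *buf = pkt->buf; ... pkt->buf = buf; av_packet_unref(pkt);` sequence is correct but opaque: it only works because avpriv_dv_produce_packet() reinitialises pkt and thereby clobbers pkt->buf, which the commit message explains but the code does not. Suggest a comment above the save: `/* avpriv_dv_produce_packet() reinitializes pkt and drops pkt->buf; restore it so av_packet_unref() releases the original buffer instead of leaking it */`. This also relies on avpriv_dv_produce_packet() having copied everything it needs out of pkt->data before the unref, which is worth confirming against the DV demuxer. mov_read_packet() starts and ends outside the hunk.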
@@ -6352,16 +6365,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; From d04829a36ba19ed867d9ec9140eebbee43de3866 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 28 Jun 2020 11:15:39 +0800 Subject: [PATCH 758/818] avformat/mov: fix memleaks Fix two cases of memleaks: 1. The leak of dv_demux 2. The leak of dv_fctx upon dv_demux allocate failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2a04b62f80..105084813e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5822,10 +5822,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->spherical); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { From 3a4be74dcd3226dd823574d1bfb5037674df0e4d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:48 +0100 Subject: [PATCH 759/818] avformat/wtvdec: Fix memleak when reading header fails Fixes #8314. Signed-off-by: Andreas Rheinhardt Reviewed-by: Peter Ross Signed-off-by: James Almer (cherry picked from commit 373c1c9b691fd4c6831b3a114a006b639304c2af) 
Signed-off-by: Andreas Rheinhardt --- libavformat/wtvdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 3ac4501306..035aeaf015 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -992,8 +992,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file From e40aff3fdb171b21b8a4c4dc7cbcde7aa4b92452 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 8 Jan 2020 19:29:13 +0100 Subject: [PATCH 760/818] avcodec/proresenc_anatoliy: Fix invalid left shift of negative number This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests (where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444, _444_int }). (Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can happen upon multiplication with 2.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990) Signed-off-by: Andreas Rheinhardt --- libavcodec/proresenc_anatoliy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 0516066163..eccfc5661d 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -183,7 +183,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook) } #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind])) -#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31)) +#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31)) #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign)) #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1) #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign)) From 8c9132a88e0582c40a8600ba43c035e5a2fb536b Mon Sep 17 00:00:00 2001 
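Review bot: `wtvfile_close(wtv->pb)` is added only on the parse_chunks() failure path; read_header() is cut at both ends of the hunk, so any other early return between opening wtv->pb and this point would leak the same handle and should get the same treatment. If wtvfile_close() does not NULL its argument, consider `wtv->pb = NULL;` after the call so a later close cannot touch the freed context.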
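Review bot: `TO_GOLOMB` now multiplies instead of shifting, which is only overflow-free because `val` is bounded (the commit message gives -0xC000..0x3FFF); that precondition is not recorded at the macro, and a future caller with a wider range would overflow silently. Suggest a comment above the define: `/* val must stay within -0xC000..0x3FFF so that val * 2 fits in an int */`. The macro also evaluates `val` twice, so callers must not pass expressions with side effects — pre-existing, but worth noting in the same comment.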
From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 16:56:55 +0100 Subject: [PATCH 761/818] avcodec/adpcm: Fix undefined left shifts of negative numbers Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa, adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a) Signed-off-by: Andreas Rheinhardt --- libavcodec/adpcm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index be206c55ba..d63f696f2f 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1182,8 +1182,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2 = 0; count2 < 28; count2++) { byte = bytestream2_get_byteu(&gb); - next_left_sample = sign_extend(byte >> 4, 4) << shift_left; - next_right_sample = sign_extend(byte, 4) << shift_right; + next_left_sample = sign_extend(byte >> 4, 4) * (1 << shift_left); + next_right_sample = sign_extend(byte, 4) * (1 << shift_right); next_left_sample = (next_left_sample + (current_left_sample * coeff1l) + @@ -1222,7 +1222,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (st) byte[1] = bytestream2_get_byteu(&gb); for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */ for(channel = 0; channel < avctx->channels; channel++) { - int sample = sign_extend(byte[channel] >> i, 4) << shift[channel]; + int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]); sample = (sample + c->status[channel].sample1 * coeff[channel][0] + c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8; 
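Review bot: `sign_extend(...) * (1 << shift_left)` and the matching `(1 << shift_right)`, `(1 << shift[channel])`, `(1 << shift[n])` and `(1 << exp)` forms (this hunk and the ones at lines 1222, 1337 and 1576) remove the left shift of a negative value but are still undefined if the shift amount reaches 31, since `1 << 31` overflows an int. Wherever those shift amounts are derived (outside the hunks), they must already be bounded below 31; that bound is worth confirming, or enforcing with a clip at the point they are read. adpcm_decode_frame() continues outside the hunks.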
@@ -1337,11 +1337,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int level, pred; int byte = bytestream2_get_byteu(&gb); - level = sign_extend(byte >> 4, 4) << shift[n]; + level = sign_extend(byte >> 4, 4) * (1 << shift[n]); pred = s[-1] * coeff[0][n] + s[-2] * coeff[1][n]; s[0] = av_clip_int16((level + pred + 0x80) >> 8); - level = sign_extend(byte, 4) << shift[n]; + level = sign_extend(byte, 4) * (1 << shift[n]); pred = s[0] * coeff[0][n] + s[-1] * coeff[1][n]; s[1] = av_clip_int16((level + pred + 0x80) >> 8); } @@ -1498,8 +1498,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, sampledat = sign_extend(byte >> 4, 4); } - sampledat = ((prev1 * factor1 + prev2 * factor2) + - ((sampledat * scale) << 11)) >> 11; + sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) + + sampledat * scale; *samples = av_clip_int16(sampledat); prev2 = prev1; prev1 = *samples++; @@ -1576,7 +1576,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } sampledat = ((c->status[ch].sample1 * factor1 - + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp); + + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp); *samples = av_clip_int16(sampledat); c->status[ch].sample2 = c->status[ch].sample1; c->status[ch].sample1 = *samples++; From c103c203ddd391bfef20dce3c7bda4cbc4e164c9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 20:20:42 +0100 Subject: [PATCH 762/818] avcodec/adxenc: Avoid undefined left shift of negative numbers Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids a left shift which also happens to trigger undefined behaviour in case "a" is negative. This affected the FATE-tests acodec-adpcm-adx and acodec-adpcm-adx-trellis; it also fixes ticket #8008. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be) 
Signed-off-by: Andreas Rheinhardt --- libavcodec/adxenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index f1ba5911b3..77f6bf0487 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { s0 = wav[i]; - d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); if (max < d) max = d; if (min > d) @@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s1 = prev->s1; s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { - d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); d = av_clip_intp2(ROUNDED_DIV(d, scale), 3); put_sbits(&pb, 4, d); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS); s2 = s1; s1 = s0; } From 4c7f9a32f9274a922fb5e783c8ec4eaa2462f4f6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 Jan 2020 15:52:10 +0100 Subject: [PATCH 763/818] avcodec/ra144enc: Fix invalid left shift of negative number by replacing it with a multiplication. Said multiplication can't overflow an int32_t because lpc_coefs is limited to 16 bit precision. Fixes the FACE-test acodec-ra144 as well as part of #8217. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8) Signed-off-by: Andreas Rheinhardt --- libavcodec/ra144enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index cc4f381606..059f582334 100644 --- a/libavcodec/ra144enc.c 
+++ b/libavcodec/ra144enc.c @@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON, 0, ORDER_METHOD_EST, 0, 12, 0); for (i = 0; i < LPC_ORDER; i++) - block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] << - (12 - shift[LPC_ORDER - 1])); + block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i] + * (1 << (12 - shift[LPC_ORDER - 1])); /** * TODO: apply perceptual weighting of the input speech through bandwidth From 013e49ab522c777a25e2a2cb6bef424c7f44a7bf Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:27 +0100 Subject: [PATCH 764/818] avformat/matroskaenc: Check for reformatting errors This is needed especially for AV1: If a reformatting error happens (e.g. if the length field of an OBU contained in the current packet indicates that said OBU extends beyond the current packet), the data pointer is still NULL, yet the size is unchanged, so that writing the data leads to a segmentation fault. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 58428bef4b2c053f47dce35157fb96833ba8efea) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 9c7a213db9..0942a00536 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -2055,13 +2055,13 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - unsigned int blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; @@ -2074,20 +2074,22 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ 
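Review bot: mkv_write_block() now returns an error code but carries no comment describing the contract, and the generic log line replaces the WavPack-specific message the removed branch had; suggest a header comment such as `/* Write one (Simple)Block for pkt. Returns 0 on success or a negative AVERROR if the packet data could not be reformatted for the container. */`. On the new error path `data` is still NULL and nothing else has been allocated, so returning directly is correct only if the reformatting helpers release their output on failure — worth confirming for ff_avc_parse_nal_units_buf() and ff_hevc_annexb2mp4_buf(). The function body continues outside the hunk; the caller hunk at line 2295 checks the result.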
@@ -2152,6 +2154,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) @@ -2295,7 +2299,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, dash_tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret; From ac6fd4546af719599de2b02e624d63447efbfed3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:00 +0200 Subject: [PATCH 765/818] avcodec/cavsdsp: Fix undefined left shifts of negative numbers Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version of idct8_add is used and not e.g. the x86 SSE2 version). Signed-off-by: Andreas Rheinhardt Fixes: left shift of negative value -107 Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778) Signed-off-by: Andreas Rheinhardt --- libavcodec/cavsdsp.c | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 90a67e910c..ba92121cc9 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c 
@@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[0][0] += 8; for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[i][1] - (src[i][7]<<1); - const int a1 = 3*src[i][3] + (src[i][5]<<1); - const int a2 = (src[i][3]<<1) - 3*src[i][5]; - const int a3 = (src[i][1]<<1) + 3*src[i][7]; + const int a0 = 3 * src[i][1] - 2 * src[i][7]; + const int a1 = 3 * src[i][3] + 2 * src[i][5]; + const int a2 = 2 * src[i][3] - 3 * src[i][5]; + const int a3 = 2 * src[i][1] + 3 * src[i][7]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[i][2]<<2) - 10*src[i][6]; - const int a6 = (src[i][6]<<2) + 10*src[i][2]; - const int a5 = ((src[i][0] - src[i][4]) << 3) + 4; - const int a4 = ((src[i][0] + src[i][4]) << 3) + 4; + const int a7 = 4 * src[i][2] - 10 * src[i][6]; + const int a6 = 4 * src[i][6] + 10 * src[i][2]; + const int a5 = 8 * (src[i][0] - src[i][4]) + 4; + const int a4 = 8 * (src[i][0] + src[i][4]) + 4; const int b0 = a4 + a6; const int b1 = a5 + a7; 
@@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[i][7] = (b0 - b4) >> 3; } for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[1][i] - (src[7][i]<<1); - const int a1 = 3*src[3][i] + (src[5][i]<<1); - const int a2 = (src[3][i]<<1) - 3*src[5][i]; - const int a3 = (src[1][i]<<1) + 3*src[7][i]; + const int a0 = 3 * src[1][i] - 2 * src[7][i]; + const int a1 = 3 * src[3][i] + 2 * src[5][i]; + const int a2 = 2 * src[3][i] - 3 * src[5][i]; + const int a3 = 2 * src[1][i] + 3 * src[7][i]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[2][i]<<2) - 10*src[6][i]; - const int a6 = (src[6][i]<<2) + 10*src[2][i]; - const int a5 = (src[0][i] - src[4][i]) << 3; - const int a4 = (src[0][i] + src[4][i]) << 3; + const int a7 = 4 * src[2][i] - 10 * src[6][i]; + const int a6 = 4 * src[6][i] + 10 * src[2][i]; + const int a5 = 8 * (src[0][i] - src[4][i]); + const int a4 = 8 * (src[0][i] + src[4][i]); const int b0 = a4 + a6; const int b1 = a5 + a7; From 3f4195d9ef06b311549b47823e38c94f4c4a3bbe Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:47 +0100 Subject: [PATCH 766/818] avformat/utils: Fix memleaks in avformat_open_input() A demuxer might have allocated memory while reading the header. If reading the header was successfull and an error happens before returning (e.g. when queueing the attached pictures), the read_close function would have never been called, so that all those allocations would leak. This commit changes this. Furthermore, there would be even more memleaks if the error level was set to AV_EF_EXPLODE in case there is both metadata and id3v2 metadata. This has been fixed, too. 
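Review bot: The replacement of `<<` by `*` in both passes of `cavs_idct8_add_c` is the whole point of the change, yet nothing in the code records why, so a performance-minded contributor may well fold the multiplications back into shifts and reintroduce the undefined left shift of negative coefficients. A one-line comment above the first `a0` line of each loop, `/* multiply, do not shift: left-shifting a negative value is undefined behaviour */`, would prevent that. Assuming `src` holds the `int16_t` values of `block` (its definition is outside the hunk), every product here stays well inside `int` range, so no further overflow guard is needed. The function's prologue and the final store loop are outside the hunk.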
Signed-off-by: Andreas Rheinhardt Signed-off-by: Marton Balint (cherry picked from commit e2307f4ff197646a7feee0edbcdd2d3262932676) Signed-off-by: Andreas Rheinhardt --- libavformat/utils.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 362497d284..cd7f1a4eb2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -604,22 +604,24 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, level = AV_LOG_ERROR; av_log(s, level, "Discarding ID3 tags because more suitable tags were found.\n"); av_dict_free(&s->internal->id3v2_meta); - if (s->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; + if (s->error_recognition & AV_EF_EXPLODE) { + ret = AVERROR_INVALIDDATA; + goto close; + } } if (id3v2_extra_meta) { if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac") || !strcmp(s->iformat->name, "tta")) { if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; } else av_log(s, AV_LOG_DEBUG, "demuxer does not support additional id3 data, skipping\n"); } ff_id3v2_free_extra_meta(&id3v2_extra_meta); if ((ret = avformat_queue_attached_pictures(s)) < 0) - goto fail; + goto close; if (!(s->flags&AVFMT_FLAG_PRIV_OPT) && s->pb && !s->internal->data_offset) s->internal->data_offset = avio_tell(s->pb); @@ -638,6 +640,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, *ps = s; return 0; +close: + if (s->iformat->read_close) + s->iformat->read_close(s); fail: ff_id3v2_free_extra_meta(&id3v2_extra_meta); av_dict_free(&tmp); From ff1a79d7f33ee290ffa0c92830330a4aa4b04c4f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 26 Jan 2020 06:10:27 +0100 Subject: [PATCH 767/818] avformat/matroskaenc: Check BlockAdditional size before use Don't read a 64bit number before having checked that the data is at least 8 bytes long. Signed-off-by: Andreas Rheinhardt 
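Review bot: The new `close:` label is only safe once `read_header()` has run, but nothing at the label says so; a future `goto close` from one of the earlier failure points would call `read_close` on a demuxer whose private context was never initialised. Add `/* only reachable after s->iformat->read_header() succeeded */` above the `if (s->iformat->read_close)` line. It is also worth noting in the same comment that `read_close` runs before `fail:` releases `id3v2_extra_meta`, which is correct because the demuxer does not own that list. The opening of avformat_open_input and the tail of the `fail:` path beyond `av_dict_free(&tmp)` are outside the hunk.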
Signed-off-by: Michael Niedermayer (cherry picked from commit 6e9cc964293bf1e0cca6a52b2938a20d711e4146) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 0942a00536..61da13f0fd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2111,9 +2111,13 @@ static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, &side_data_size); if (side_data) { - additional_id = AV_RB64(side_data); - side_data += 8; - side_data_size -= 8; + if (side_data_size < 8) { + side_data_size = 0; + } else { + additional_id = AV_RB64(side_data); + side_data += 8; + side_data_size -= 8; + } } if ((side_data_size && additional_id == 1) || discard_padding) { From 98efb7afc9e6bace65aeb73d7d9c2001bbf0009d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 11:53:28 +0100 Subject: [PATCH 768/818] avformat/smoothstreaming: Fix memleaks on errors If an AVFormatContext could be allocated, but white-/blacklists couldn't be copied, the AVFormatContext would leak as it was only accessible through a local variable that goes out of scope when one goes to fail. Furthermore, in case writing a header of a submuxer failed, the options used for said call could leak. Both of these memleaks have been fixed. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit abbb466368c51285ca27d5e3959a16a9591e9a4c) Signed-off-by: Andreas Rheinhardt --- libavformat/smoothstreamingenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index dabd1ea304..793b8b79d1 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c 
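Review bot: Truncated BlockAdditional side data (fewer than 8 bytes) is now discarded silently in the `side_data_size = 0;` branch; a muxer should say when it drops caller-supplied data, e.g. `av_log(s, AV_LOG_WARNING, "Ignoring BlockAdditional side data of %d bytes (need at least 8)\n", side_data_size);` before zeroing. That branch also leaves `additional_id` untouched, so the following `additional_id == 1` test depends on the variable's initialiser, which is declared outside the hunk — please confirm it is not left uninitialised on that path. The signature and the rest of mkv_write_block are outside the hunk.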
@@ -331,12 +331,11 @@ static int ism_write_header(AVFormatContext *s) goto fail; } - ctx = avformat_alloc_context(); + os->ctx = ctx = avformat_alloc_context(); if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0) { ret = AVERROR(ENOMEM); goto fail; } - os->ctx = ctx; ctx->oformat = oformat; ctx->interrupt_callback = s->interrupt_callback; @@ -356,12 +355,13 @@ static int ism_write_header(AVFormatContext *s) av_dict_set_int(&opts, "ism_lookahead", c->lookahead_count, 0); av_dict_set(&opts, "movflags", "frag_custom", 0); - if ((ret = avformat_write_header(ctx, &opts)) < 0) { + ret = avformat_write_header(ctx, &opts); + av_dict_free(&opts); + if (ret < 0) { goto fail; } os->ctx_inited = 1; avio_flush(ctx->pb); - av_dict_free(&opts); s->streams[i]->time_base = st->time_base; if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { c->has_video = 1; From 4639e4743fd52b6991e2cf59478de7ab62324033 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 03:57:32 +0100 Subject: [PATCH 769/818] avformat/bethsoftvid: Fix potential memleak upon reallocation failure The classical ptr = av_realloc(ptr, size), just with av_fast_realloc(). Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5acef1206144554a48f699b421e8d739e752d8ab) Signed-off-by: Andreas Rheinhardt --- libavformat/bethsoftvid.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index f516806d91..752e05236d 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c 
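Review bot: The combined `if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0)` test reports `AVERROR(ENOMEM)` no matter what `ff_copy_whiteblacklists` actually returned; splitting it preserves the real code: `if (!ctx) { ret = AVERROR(ENOMEM); goto fail; }` followed by `if ((ret = ff_copy_whiteblacklists(ctx, s)) < 0) goto fail;`. Assigning `os->ctx` before the check is what allows `fail` to free the context, so the cleanup after `fail:` (outside the hunk) must cope with an `os->ctx` whose `ctx_inited` is still 0 — worth a comment on the assignment. Freeing `opts` before testing `ret` in the second hunk is correct.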
@@ -146,9 +146,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt, } do{ - vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE); - if(!vidbuf_start) - return AVERROR(ENOMEM); + uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity, + vidbuf_nbytes + BUFFER_PADDING_SIZE); + if (!tmp) { + ret = AVERROR(ENOMEM); + goto fail; + } + vidbuf_start = tmp; code = avio_r8(pb); vidbuf_start[vidbuf_nbytes++] = code; From 590a168cf9ad8deda0a8a840bc238252a0ef45a6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 04:50:20 +0100 Subject: [PATCH 770/818] avformat/subtitles: Don't increment packet counter prematurely Do it only if the packet has been successfully allocated in av_new_packet() -- otherwise on error a completely uninitialized packet would be unreferenced later. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd8bcc2ac4c64577d964552317989e61db794d8) Signed-off-by: Andreas Rheinhardt --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 108f909c84..3147ef2355 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -132,9 +132,10 @@ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, if (!subs) return NULL; q->subs = subs; - sub = &subs[q->nb_subs++]; + sub = &subs[q->nb_subs]; if (av_new_packet(sub, len) < 0) return NULL; + q->nb_subs++; sub->flags |= AV_PKT_FLAG_KEY; sub->pts = sub->dts = 0; memcpy(sub->data, event, len); From a92b9ed7e31f26ac1766ff433436b170bc7a1712 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 07:31:17 +0100 Subject: [PATCH 771/818] avformat/hnm: Check for extradata allocation failure and also add padding to it; moreover, don't use memcpy to write one byte to extradata. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol 
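Review bot: In `ff_subtitles_queue_insert` the reason the `q->nb_subs++` moved below `av_new_packet` is not stated, and the next person to touch this loop may move it back; a comment above the call, `/* count the slot only once its packet exists, so a failed slot is never unreferenced by the queue cleanup */`, records the invariant. The function still folds every failure into a NULL return, which callers uniformly map to `AVERROR(ENOMEM)`; that is accurate today because both failure points are allocation failures, and the comment could say so. The merge branch and the `av_fast_realloc` that precede this hunk are outside it.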
Signed-off-by: Michael Niedermayer (cherry picked from commit 9e0f3352d1f37a739d98df4347a2b60a396a56fe) Signed-off-by: Andreas Rheinhardt --- libavformat/hnm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 24d4e808a5..9ad457ac83 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -70,6 +70,7 @@ static int hnm_read_header(AVFormatContext *s) Hnm4DemuxContext *hnm = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst; + int ret; /* default context members */ hnm->pts = 0; @@ -113,10 +114,10 @@ static int hnm_read_header(AVFormatContext *s) vst->codecpar->codec_tag = 0; vst->codecpar->width = hnm->width; vst->codecpar->height = hnm->height; - vst->codecpar->extradata = av_mallocz(1); + if ((ret = ff_alloc_extradata(vst->codecpar, 1)) < 0) + return ret; - vst->codecpar->extradata_size = 1; - memcpy(vst->codecpar->extradata, &hnm->version, 1); + vst->codecpar->extradata[0] = hnm->version; vst->start_time = 0; From 3f165b3e63eadd312f97c76cd03d8745249278ec Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 04:17:24 +0100 Subject: [PATCH 772/818] avformat/matroskadec: Don't discard the upper 32bits of TrackNumber Signed-off-by: Andreas Rheinhardt (cherry picked from commit ba36a077342c01faa3f3deb841e8cdcc1379ea3d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 7d12efef9d..9f03f8c0df 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1316,7 +1316,7 @@ static int matroska_probe(AVProbeData *p) } static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, - int num) + uint64_t num) { MatroskaTrack *tracks = matroska->tracks.elem; int i; 
@@ -1325,7 +1325,7 @@ static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, if (tracks[i].num == num) return &tracks[i]; - av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %d\n", num); + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %"PRIu64"\n", num); return NULL; } From 445fee99b8a3b26c98d561a624b5271580518a1f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Dec 2019 21:21:59 +0100 Subject: [PATCH 773/818] avformat/webmdashenc: Fix memleak upon realloc failure The classical ptr = av_realloc(ptr, size). Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 418e468699868a0265f8b439beedf64bb643b088) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 9dc9b36d31..f3e23273ff 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -456,11 +456,12 @@ static int parse_adaptation_sets(AVFormatContext *s) state = parsing_streams; } else if (state == parsing_streams) { struct AdaptationSet *as = &w->as[w->nb_as - 1]; + int ret = av_reallocp_array(&as->streams, ++as->nb_streams, + sizeof(*as->streams)); + if (ret < 0) + return ret; q = p; while (*q != '\0' && *q != ',' && *q != ' ') q++; - as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); - if (as->streams == NULL) - return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); if (as->streams[as->nb_streams - 1] < 0 || as->streams[as->nb_streams - 1] >= s->nb_streams) { From 397705d4c1d0a812962da888be11283dcf449204 Mon Sep 17 00:00:00 2001 
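Review bot: `av_reallocp_array(&as->streams, ++as->nb_streams, ...)` bumps the count before the allocation; per the documented semantics of `av_reallocp_array` a failure frees the old array and sets `as->streams` to NULL while `as->nb_streams` stays incremented, so any cleanup that walks `nb_streams` entries (outside the hunk) would dereference NULL. Increment only after success: `int ret = av_reallocp_array(&as->streams, as->nb_streams + 1, sizeof(*as->streams)); if (ret < 0) return ret; as->nb_streams++;`. The bounds check at the end of the hunk likewise leaves a rejected index counted, though that is pre-existing. parse_adaptation_sets begins and ends outside the hunk.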
From: Andreas Rheinhardt Date: Mon, 30 Mar 2020 02:50:02 +0200 Subject: [PATCH 774/818] avformat/webmdashenc: Check codec types The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus, but there was no check for this. The codec type is used to get a pointer to a string containing the codec name or NULL if it is not one of those four codecs. Said pointer has then been used without further checks as string for the %s conversion specifier in an avio_printf()) call which is undefined behaviour. This commit adds a check for the supported codec types. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cbea58b2b35c6409e062c929f0b2ab763b8661eb) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index f3e23273ff..930b2bf677 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -484,6 +484,14 @@ static int webm_dash_manifest_write_header(AVFormatContext *s) double start = 0.0; int ret; WebMDashMuxContext *w = s->priv_data; + + for (unsigned i = 0; i < s->nb_streams; i++) { + enum AVCodecID codec_id = s->streams[i]->codecpar->codec_id; + if (codec_id != AV_CODEC_ID_VP8 && codec_id != AV_CODEC_ID_VP9 && + codec_id != AV_CODEC_ID_VORBIS && codec_id != AV_CODEC_ID_OPUS) + return AVERROR(EINVAL); + } + ret = parse_adaptation_sets(s); if (ret < 0) { goto fail; From f17200f600548e2cba090bbc3658ee330e41529d Mon Sep 17 00:00:00 2001 
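Review bot: The new codec check returns `AVERROR(EINVAL)` without saying which stream or codec was rejected, which makes the failure opaque from the command line; log before returning, e.g. `av_log(s, AV_LOG_ERROR, "Stream %u: codec %s is not supported by the WebM DASH manifest muxer\n", i, avcodec_get_name(codec_id));`. Since the same four-codec list presumably drives the codec-name lookup elsewhere in this file, a small `static int is_supported_codec(enum AVCodecID id)` would keep the two in step. The remainder of webm_dash_manifest_write_header is outside the hunk.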
From: Andreas Rheinhardt Date: Wed, 15 Apr 2020 20:54:42 +0200 Subject: [PATCH 775/818] fftools/ffmpeg_opt: Check attachment filesize The data of an attachment file is put into an AVCodecParameter's extradata. The corresponding size field has type int, yet there was no check for the size to fit into an int. As a consequence, it was possible to create extradata with negative size (by using a big enough max_alloc). Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit systems) then the file size might be truncated before the allocation; and avio_read() takes an int, too, so one would not have read as much as one desired. Furthermore, the extradata is now padded as is required. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80) Signed-off-by: Andreas Rheinhardt --- ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index e73a61059f..5f53a7a89d 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2303,12 +2303,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0; From 7b80a7e498286a7aaf1e58f66783ea367f49849c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Apr 2020 05:42:09 +0200 Subject: [PATCH 776/818] avformat/matroskaenc: Fix memleak upon encountering bogus chapter Signed-off-by: Andreas Rheinhardt (cherry picked from commit cb255b616cf1ebc6bc89b3538b6b7465dc2c526b) 
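Review bot: `avio_read(pb, attachment, len)` directly under the new size guard is still unchecked, so a short read (truncated file, I/O error) leaves uninitialised bytes at the tail of the attachment that the new `memset` does not cover, and they are then exported as extradata. Check the count: `if (avio_read(pb, attachment, len) != len) { av_log(NULL, AV_LOG_FATAL, "Error reading attachment %s.\n", o->attachments[i]); exit_program(1); }`. The `INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` comparison only does its job if `len` is wider than `int`, as the commit message implies; its declaration is outside the hunk, so please confirm.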
Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 61da13f0fd..3af82a81ba 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1457,6 +1457,7 @@ static int mkv_write_chapters(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid chapter start (%"PRId64") or end (%"PRId64").\n", chapterstart, chapterend); + ffio_free_dyn_buf(&dyn_cp); return AVERROR_INVALIDDATA; } From b9b845e98a6692ce85d7cfd51a8717817ee309a1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 May 2020 03:14:00 +0200 Subject: [PATCH 777/818] avformat/aviobuf: Don't check for overflow after it happened If adding two ints overflows, it doesn't matter whether the result will be stored in an unsigned or not; and checking afterwards does not make it retroactively defined. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 9afe9b3a68..c4687a7d89 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1209,7 +1209,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; From c6ee2f7c90aadf200eba53508f3fe15bc25e0c82 Mon Sep 17 00:00:00 2001 
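Review bot: The `(unsigned)` cast in `dyn_buf_write` is load-bearing and should say so, because it reads like noise and is likely to be "simplified" away: `/* unsigned arithmetic wraps instead of overflowing; the wrap is caught by the new_size < d->pos test below */`. That wrap test compares `unsigned new_size` with `d->pos`, which appears to be a signed int, so it is only meaningful while `d->pos` is non-negative and `buf_size` is non-negative — stating both assumptions in the same comment, or rejecting `buf_size < 0` up front, makes the contract explicit. The rest of the function is outside the hunk.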
From: Andreas Rheinhardt Date: Wed, 4 Sep 2019 00:50:11 +0200 Subject: [PATCH 778/818] avformat/matroskadec: Fix handling gigantic durations matroska_parse_block currently asserts that the duration is not equal to AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It is easy to create (spec-compliant) files which run into this assert; so replace it and instead cap the duration to INT64_MAX, as the duration field of an AVPacket is an int64_t. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9f03f8c0df..401139e27c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3279,7 +3279,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, st = track->stream; if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; From b5e9226dad0e9038fbadb1e377a1ac29b4711ca6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 15:18:29 +0200 Subject: [PATCH 779/818] avformat/matroskadec: Use right number of tracks When demuxing a Matroska/WebM file, streams are added for tracks and for attachments, so that the array containing the former can be NULL even when the corresponding AVFormatContext has streams. So check for there to be tracks in the MatroskaDemuxContext instead of just streams in the AVFormatContext before dereferencing the pointer to the tracks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
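Review bot: Capping `block_duration` at `INT64_MAX` silently converts an unrepresentable duration into a maximal "valid" one, and if `block_duration` is the unsigned 64-bit value the comparison suggests, a caller still passing the old `AV_NOPTS_VALUE` sentinel would now be mapped to `INT64_MAX` rather than "unknown" — exactly the invariant the removed assert was guarding. A comment explaining that the EBML value is unsigned while `pkt->duration` is `int64_t`, plus an `av_log(matroska->ctx, AV_LOG_WARNING, ...)` on the capped path, would make oversized durations visible instead of invisible. The declaration of `block_duration` and the later store into the packet are outside the hunk.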
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 401139e27c..6cf172313a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3895,9 +3895,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { + if (!matroska->tracks.nb_elem || !s->nb_streams) { matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); + av_log(s, AV_LOG_ERROR, "No track found\n"); return AVERROR_INVALIDDATA; } From da59fe3eea93e6a3ba48ebb60e151ba7f303c1e6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:24:55 +0200 Subject: [PATCH 780/818] avformat/omadec: Fix memleaks upon read_header failure Fixes possible leaks of id3v2 metadata as well as an AVDES struct in case the content is encrypted and an error happens lateron. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513) Signed-off-by: Andreas Rheinhardt --- libavformat/omadec.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index fa53636f1a..38686e732a 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { 
@@ -398,11 +405,14 @@ static int oma_read_header(AVFormatContext *s) ff_id3v2_read(s, ID3v2_EA3_MAGIC, &extra_meta, 0); ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } @@ -421,8 +431,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -437,7 +449,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -454,8 +467,8 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ - if (ff_alloc_extradata(st->codecpar, 14)) - return AVERROR(ENOMEM); + if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -472,7 +485,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; 
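Review bot: The new braces around the short-read exit in `oma_read_header` keep `return -1;` while every other error path in this function now returns an AVERROR code; since `ret` holds the `avio_read` result, `return ret < 0 ? ret : AVERROR_EOF;` after `ff_id3v2_free_extra_meta(&extra_meta)` propagates the real I/O error instead of a bare -1. The same applies to the EA3 magic check right below, which already uses `AVERROR_INVALIDDATA`. The function's opening, including where `buf` and `ret` are declared, is outside the hunk.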
@@ -480,7 +494,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); @@ -520,12 +535,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) @@ -587,13 +606,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), From 19b1f676f66ec26afb2c9c9501d5451847a7c9b5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:37:40 +0200 Subject: [PATCH 781/818] avformat/mov: Fix memleaks upon read_header failure By default, a demuxer's read_close function is not called automatically if an error happens when reading the header; instead it is up to the demuxer to clean up after itself in this case. The mov demuxer did this by calling its read_close function when it encountered some errors when reading the header. Yet for other errors (mostly adding side-data to streams) this has been forgotten, so that all the internal structures of the demuxer leak. This commit fixes this by making sure mov_read_close is called when necessary. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac378c535be907ee383dafb430be7216a2920982) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) 
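Review bot: The new `fail:` in `oma_read_header` calls `oma_read_close` but does not release `extra_meta`, which is only correct if that list is freed before the first `goto fail` — that code lies between the hunks, so please confirm and note it at the label: `/* extra_meta has already been released by this point; only the DES context needs freeing */`. Switching `oma_read_close` to `av_freep` is the right choice, since it leaves `oc->av_des` NULL and a second close cannot double-free. Moving the definition above its first use avoids a forward declaration, but the `.read_close` entry in `ff_oma_demuxer` is outside the hunk.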
diff --git a/libavformat/mov.c b/libavformat/mov.c index 105084813e..0c354ab387 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6024,14 +6024,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); @@ -6084,7 +6083,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -6104,8 +6103,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -6120,8 +6119,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; 
@@ -6145,8 +6144,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: @@ -6154,7 +6152,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -6163,7 +6161,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -6172,7 +6170,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } @@ -6182,6 +6180,9 @@ static int mov_read_header(AVFormatContext *s) ff_configure_buffers_for_index(s, AV_TIME_BASE); return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) From 950b32a2e86bdbbee2235bf707d5fb8ac6e90d32 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:04:29 +0200 Subject: [PATCH 782/818] avformat/aqtitledec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125) Signed-off-by: Andreas Rheinhardt --- libavformat/aqtitledec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index f0e840b0f7..317547c4f4 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c 
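Review bot: The new `fail:` path of `mov_read_header` relies on `mov_read_close` tolerating a half-built context: when `av_stream_add_side_data` fails, `sc->display_matrix`, `sc->stereo3d` and `sc->spherical` are deliberately left non-NULL (the `= NULL` assignments come after the `goto fail`), so `mov_read_close` must still own and free them. That ordering is easy to break in a later edit; a comment at the label, `/* mov_read_close() frees any side data still owned by the stream contexts */`, would pin it down. The matching frees in `mov_read_close` are outside the hunk, so please verify they exist.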
@@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s) if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) From 80b4dd41ff3e5f804568a321ba5c82d2584b1fc6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:07:28 +0200 Subject: [PATCH 783/818] avformat/assdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or if creating the extradata failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7) Signed-off-by: Andreas Rheinhardt --- libavformat/assdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index d89c14e5b8..3b580fc4d2 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); From 1a01d3cbb8efc0bcb2b8acebb362eb2b027ea610 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:09:08 +0200 Subject: [PATCH 784/818] avformat/jacosubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
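Review bot: The `fail:` label in `aqt_read_header` hard-codes `AVERROR(ENOMEM)`, which matches both current `goto fail` sites (a NULL from `ff_subtitles_queue_insert`) but will misreport any error a future `goto fail` carries; the sibling fixes in this series (jacosubdec, microdvddec) route the code through a `ret` variable and `return ret;`, so doing the same here keeps the demuxers consistent. A one-line comment at the label saying that `ff_subtitles_queue_clean` leaves `aqt->q` empty so the generic close cannot double-free would also help. The loop head of aqt_read_header is outside the hunk.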
Signed-off-by: Andreas Rheinhardt (cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19) Signed-off-by: Andreas Rheinhardt --- libavformat/jacosubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 520c435cc5..87dc649485 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -187,8 +187,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; From e95ebaa3323e3244dc391908db96a09e6f2f9469 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:12:00 +0200 Subject: [PATCH 785/818] avformat/lrcdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3) Signed-off-by: Andreas Rheinhardt --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index f4e9a4efa9..45f0bf24a7 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; From 1b99059359bd1a8fbe216cf0286ad1c6ca6bf301 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:16:15 +0200 Subject: [PATCH 786/818] avformat/microdvddec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when allocating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd) Signed-off-by: Andreas Rheinhardt --- libavformat/microdvddec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index c2f1ac45cd..3c4727e325 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -116,8 +116,10 @@ static int microdvd_read_header(AVFormatContext *s) } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { st->codecpar->extradata = av_strdup(line + 11); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); + if (!st->codecpar->extradata) { + ret = AVERROR(ENOMEM); + goto fail; + } st->codecpar->extradata_size = strlen(st->codecpar->extradata) + 1; continue; } @@ -135,8 +137,10 @@ static int microdvd_read_header(AVFormatContext *s) if (!*p) continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; sub->pts = get_pts(line); sub->duration = get_duration(line); 
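Review bot: The `{DEFAULT}` branch of `microdvd_read_header` still stores `av_strdup(line + 11)` as `codecpar->extradata`, a buffer with no `AV_INPUT_BUFFER_PADDING_SIZE` tail, and the new error handling wraps that call without fixing it — unlike the hnm fix earlier in this series, which switched to `ff_alloc_extradata` for exactly this reason. With `internal.h` in scope the branch becomes `if ((ret = ff_alloc_extradata(st->codecpar, strlen(line + 11) + 1)) < 0) goto fail; memcpy(st->codecpar->extradata, line + 11, st->codecpar->extradata_size);`, which keeps the same `extradata_size` (string plus terminator) the original set. The `fail:` label this hunk jumps to is on the following line and the loop head is outside the hunk.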
@@ -153,6 +157,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) From ed1f68ccfe9b543104a0bf605578bdb6123ae41e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:19:32 +0200 Subject: [PATCH 787/818] avformat/mpl2dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289) Signed-off-by: Andreas Rheinhardt --- libavformat/mpl2dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index dfcdf5a564..0c111e9dc1 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -108,8 +108,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From c253f384dc1b831836091c72bf68e26906424be2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:20:09 +0200 Subject: [PATCH 788/818] avformat/mpsubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon creating an AVStream. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f) Signed-off-by: Andreas Rheinhardt --- libavformat/mpsubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 1236efa712..8b9016876f 100644 
--- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -97,8 +97,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; From f26395604c94d3418b0a84f752e4ac15a763fbc7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:03 +0200 Subject: [PATCH 789/818] avformat/pjsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd) Signed-off-by: Andreas Rheinhardt --- libavformat/pjsdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index bb587b569a..667129a8af 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -92,8 +92,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From c9b6385c16217d6d229076028abb3cb54f0dbf3c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:46 +0200 Subject: [PATCH 790/818] avformat/samidec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when creating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb) 
Signed-off-by: Andreas Rheinhardt --- libavformat/samidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 7ea1bdfdd9..678fac0e17 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } From ba1f99c86a7b368bf5d99ef33df5b9b5ea52d295 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:22:32 +0200 Subject: [PATCH 791/818] avformat/sccdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275) Signed-off-by: Andreas Rheinhardt --- libavformat/sccdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index 89d21b9c1f..371d2d9d13 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -132,7 +132,7 @@ static int scc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = pos; sub->pts = ts_start; @@ -144,6 +144,9 @@ static int scc_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) From 8120d1ddcfea3da979224bef02b02388af8bb629 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:23:27 +0200 Subject: [PATCH 792/818] avformat/srtdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390) Signed-off-by: Andreas Rheinhardt --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 56bd0c43f6..67b245a123 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } From 49196e704c1006aaa73fb33085119c99c8f718f9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:24:23 +0200 Subject: [PATCH 793/818] avformat/stldec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f) Signed-off-by: Andreas Rheinhardt --- libavformat/stldec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/stldec.c b/libavformat/stldec.c index 35de49322c..87bf0724a9 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 1cf9ba634e0ddc4763e4956a637578e7cb8700fe Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:26:40 +0200 Subject: [PATCH 794/818] avformat/subviewer1dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewer1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index e579d1ca9a..90a430404b 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c @@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From f8d1b5d7691245b71ec8f9b6b807e85b0832f73d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:11 +0200 Subject: [PATCH 795/818] avformat/subviewerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a708f652737eba08607df84394ca4bec6b458736) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewerdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index af084f4856..e8d1eb6c96 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -156,6 +156,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } From d8c5124ad987ea9af08b91ebf954bcdf16bb98df Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:43 +0200 Subject: [PATCH 796/818] avformat/tedcaptionsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if allocating the AVStream for the subtitles fails. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8) Signed-off-by: Andreas Rheinhardt --- libavformat/tedcaptionsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 774d4993b5..21d44c17f4 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); From 5808413509a44c89ffaa52872c86eac980c2c3a2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:28:56 +0200 Subject: [PATCH 797/818] avformat/vplayerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c) 
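Review bot: Moving `avformat_new_stream(avf, NULL)` ahead of `parse_file()` is what makes the leak fix work, but nothing in the hunk says so, and a later edit could move the allocation back. A one-line comment above the `if (!st)` check, such as `/* allocate the stream first: once parse_file() has filled tc->subs, every failure path would have to clean it up */`, records the intent. Note that after this change a failed `parse_file()` returns with a stream already attached to `avf`; that is presumably fine because the context owns it, but the error branch continues outside the hunk.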
Signed-off-by: Andreas Rheinhardt --- libavformat/vplayerdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index 49943d0d0e..feee9af873 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From a828461303cfae8f2f885b369e4a0522561ef059 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:29:17 +0200 Subject: [PATCH 798/818] avformat/webvttdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31) Signed-off-by: Andreas Rheinhardt --- libavformat/webvttdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 0aeb8a63f4..8e9c562683 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -165,6 +165,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); av_bprint_finalize(&header, NULL); return res; From 7c50575dcf4ac5c4c030569fe396afb4c1aba587 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:35:41 +0200 Subject: [PATCH 799/818] avformat/matroskaenc: Don't use NULL for %s format string The argument pertaining to a printf %s conversion specifier must not be NULL, even if the precision (i.e. the number of characters to write) is zero. If it is NULL, it is undefined behaviour. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 3af82a81ba..6689d138af 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2168,17 +2168,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *p MatroskaMuxContext *mkv = s->priv_data; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; From 9b84d1d505fbdf0c5d8cfc284c9535c65076b078 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 09:19:38 +0200 Subject: [PATCH 800/818] avformat/mov: Fix memleak upon encountering repeating tags mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak. This commit therefore aborts the reading process upon encountering an already encountered tag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) 
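Review bot: Changing `id` and `settings` to `const char *` makes the assignments from `av_packet_get_side_data()` (which returns `uint8_t *`) pointer-signedness mismatches; the project builds with pointer-sign warnings disabled, so this compiles, but it is worth a comment at the declaration, e.g. `/* side data is raw bytes; treated as text below via %.*s with the returned sizes */`. Substituting `""` leaves `id_size`/`settings_size` at 0, so the `size = id_size + 1 + settings_size + 1 + pkt->size` computation is unaffected, which is the property the fix depends on. The formatting call that consumes these strings is outside the hunk.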
diff --git a/libavformat/mov.c b/libavformat/mov.c index 0c354ab387..ab81ad64ae 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3954,6 +3954,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) break; From 8bac2df94a77cc7edf5e295a87544e3369228d00 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 20:54:46 +0200 Subject: [PATCH 801/818] avformat/mov: Fix reel_name size check Only read str_size bytes from offset 30 of extradata if the extradata is indeed at least 30 + str_size bytes long. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ab81ad64ae..67046333c3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2118,7 +2118,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); From 5f288e1b29b2fa8f7c2b6f437d986b2e1f73fa51 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:55:01 +0200 Subject: [PATCH 802/818] fftools/ffmpeg_opt: Fix signed integer overflow Fixes ticket #8154. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b) Signed-off-by: Andreas Rheinhardt --- ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 5f53a7a89d..2600d314cd 100644 --- a/ffmpeg_opt.c 
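Review bot: The new `if (*p) break;` in mov_read_custom silently abandons the rest of the atom on a repeated tag, and a repeated tag most likely indicates a malformed file rather than a benign duplicate. An `av_log(c->fc, AV_LOG_WARNING, "duplicate tag in custom atom, ignoring remainder\n");` before the `break` would make the truncation visible to users and to fuzzing triage. The enclosing loop and the handling after `break` are outside the hunk, so whether the earlier strings are still consumed is not visible here.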
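Review bot: The corrected bound `size >= (int)str_size + 30` matches the commit message (string data starts at offset 30) but the constant is bare, as are the 22 and 26 in the surrounding lines, so the next reader has to rederive the layout. Suggest a comment on the changed line: `/* 'name' box: tag at 22, string length at 26, string data at 30 */`. The `reel_name` allocation and copy that follow are outside the hunk.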
+++ b/ffmpeg_opt.c @@ -1,3 +1,4 @@ + /* * ffmpeg option parsing * @@ -2702,13 +2703,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg) } else { /* Try to determine PAL/NTSC by peeking in the input files */ if (nb_input_files) { - int i, j, fr; + int i, j; for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVStream *st = input_files[j]->ctx->streams[i]; + int64_t fr; if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - fr = st->time_base.den * 1000 / st->time_base.num; + fr = st->time_base.den * 1000LL / st->time_base.num; if (fr == 25000) { norm = PAL; break; From fbaa2dce420b90a388f247d88a8bdeb2cb6deacb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:59 +0200 Subject: [PATCH 803/818] avcodec/tdsc: Fix undefined shifts Fixes the tdsc FATE-test. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e) Signed-off-by: Andreas Rheinhardt --- libavcodec/tdsc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 4182404cf0..e9ea41ef55 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride) static int tdsc_load_cursor(AVCodecContext *avctx) { TDSCContext *ctx = avctx->priv_data; - int i, j, k, ret, bits, cursor_fmt; + int i, j, k, ret, cursor_fmt; uint8_t *dst; ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc); @@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) case CUR_FMT_MONO: for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { dst[0] = !!(bits & 0x80000000); dst += 4; 
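Review bot: The first ffmpeg_opt hunk (`@@ -1,3 +1,4 @@`) adds a blank line at the top of the file that has nothing to do with the overflow fix and should be dropped from the backport. The second hunk is correct: `st->time_base.den * 1000LL` widens the multiplication to 64 bits before it can overflow, and declaring `int64_t fr` inside the loop keeps the comparison with `25000` in the wide type. The fix does not address `st->time_base.num` being 0, which would divide by zero; if an unset time base can reach this code, a `if (!st->time_base.num) continue;` guard alongside the existing codec-type check would be cheap.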
@@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) dst = ctx->cursor; for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { int mask_bit = !!(bits & 0x80000000); switch (dst[0] * 2 + mask_bit) { From 788a5806208332207b0d82693dfb97d1de74019c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:06 +0200 Subject: [PATCH 804/818] avcodec/ac3enc: Fix invalid shift Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in tickets #7994, #8144 and #8159. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44) Signed-off-by: Andreas Rheinhardt --- libavcodec/ac3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 636ca72050..032881724b 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset) { int blk, ch; - snr_offset = (snr_offset - 240) << 2; + snr_offset = (snr_offset - 240) * 4; reset_block_bap(s); for (blk = 0; blk < s->num_blocks; blk++) { From 594dd57af477e0bb04ee1ada5c6ef6934f1e27c6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:58 +0200 Subject: [PATCH 805/818] avcodec/wavpackenc: Fix undefined shifts Fixes ticket #8161 and the acodec-wavpack FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312) Signed-off-by: Andreas Rheinhardt --- libavcodec/wavpackenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 979b92165b..bc896f15e5 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c 
@@ -529,9 +529,9 @@ static int8_t store_weight(int weight) static int restore_weight(int8_t weight) { - int result; + int result = 8 * weight; - if ((result = (int) weight << 3) > 0) + if (result > 0) result += (result + 64) >> 7; return result; @@ -2571,7 +2571,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s, ret = wv_mono(s, samples_l, !s->num_terms, 1); } else { for (i = 0; i < nb_samples; i++) - crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i]; + crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i]; if (s->num_passes) ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1); From f4bcf5742e930384fa32616437c7ab8c65e19357 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:01 +0200 Subject: [PATCH 806/818] avcodec/pcm: Fix undefined shifts Fixes the acodec-pcm-u16[lb]e FATE-tests. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592) Signed-off-by: Andreas Rheinhardt --- libavcodec/pcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 8c326c6829..a2caf0367f 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -290,7 +290,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) #define DECODE(size, endian, src, dst, n, shift, offset) \ for (; n > 0; n--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \ dst += size / 8; \ } @@ -301,7 +301,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) dst = frame->extended_data[c]; \ for (i = n; i > 0; i--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \ dst += size / 8; \ } \ } 
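Review bot: In the second pcm hunk the cast is written `(uint ## size ##_t)` while the first hunk writes `(uint ## size ## _t)`; both expand the same way, but the two copies of this macro body should be kept identical, so the second should read `AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \`. Note also that for the 8- and 16-bit instantiations the cast result is promoted back to `int` before `<<`, so the fix relies on `(v - offset) << shift` fitting in 31 bits for the shifts actually used; the instantiations are outside the hunk, so this is worth a quick check.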
From 2b177a46d270b5c2be15770d458e18441ecedffc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:03 +0200 Subject: [PATCH 807/818] avformat/movenc: Fix undefined shift Fixes the movenc FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce) Signed-off-by: Andreas Rheinhardt --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index cf3d969547..e8f26cb08f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4180,7 +4180,8 @@ static int mov_write_sidx_tag(AVIOContext *pb, { int64_t pos = avio_tell(pb), offset_pos, end_pos; int64_t presentation_time, duration, offset; - int starts_with_SAP, i, entries; + unsigned starts_with_SAP; + int i, entries; if (track->entry) { entries = 1; From 3eafbebe1188938baa2e6d8c4f6471285befb4b9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 25 Sep 2019 00:03:07 +0200 Subject: [PATCH 808/818] avcodec/exr: Fix undefined left shifts of negative numbers Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and exr-rgb-scanline-pxr24-uint32. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c) Signed-off-by: Andreas Rheinhardt --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 2481959a21..1ba8074272 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -892,7 +892,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[3] + s->xdelta; for (j = 0; j < s->xdelta; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | (*(ptr[3]++)); From 2c5943a3848195a25354a0d09338854431e519b9 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:58 +0200 Subject: [PATCH 809/818] swscale/x86/swscale: Fix undefined left shifts of negative numbers This affected many FATE-tests: The number of failing tests went down from 663 to 344. (Both numbers exclude tests that failed because of unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e) Signed-off-by: Andreas Rheinhardt --- libswscale/x86/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 869e7fb176..1c452941c7 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -160,7 +160,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&lumMmxFilter[s*i+APCK_PTR2/4 ]= lumSrcPtr[i+(vLumFilterSize>1)]; lumMmxFilter[s*i+APCK_COEF/4 ]= lumMmxFilter[s*i+APCK_COEF/4+1]= vLumFilter[dstY*vLumFilterSize + i ] - + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1]<<16 : 0); + + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1] * (1 << 16) : 0); if (CONFIG_SWSCALE_ALPHA && hasAlpha) { *(const void**)&alpMmxFilter[s*i ]= alpSrcPtr[i ]; *(const void**)&alpMmxFilter[s*i+APCK_PTR2/4 ]= alpSrcPtr[i+(vLumFilterSize>1)]; 
@@ -173,7 +173,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&chrMmxFilter[s*i+APCK_PTR2/4 ]= chrUSrcPtr[i+(vChrFilterSize>1)]; chrMmxFilter[s*i+APCK_COEF/4 ]= chrMmxFilter[s*i+APCK_COEF/4+1]= vChrFilter[chrDstY*vChrFilterSize + i ] - + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1]<<16 : 0); + + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1] * (1 << 16) : 0); } } else { for (i=0; i Date: Sat, 28 Sep 2019 04:26:02 +0200 Subject: [PATCH 810/818] swscale/utils: Fix invalid left shifts of negative numbers Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411, vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1) Signed-off-by: Andreas Rheinhardt --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 4c9b53bbeb..19fb284931 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -378,7 +378,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, (*filterPos)[i] = xx; // bilinear upscale / linear interpolate / area averaging for (j = 0; j < filterSize; j++) { - int64_t coeff= fone - FFABS(((int64_t)xx<<16) - xDstInSrc)*(fone>>16); + int64_t coeff = fone - FFABS((int64_t)xx * (1 << 16) - xDstInSrc) * (fone >> 16); if (coeff < 0) coeff = 0; filter[i * filterSize + j] = coeff; From 3c891c36132ba37bf9ee9c68c947163a59e281a7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:06 +0200 Subject: [PATCH 811/818] avcodec/dnxhdenc: Fix undefined left shifts of negative numbers Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03) 
Signed-off-by: Andreas Rheinhardt --- libavcodec/dnxhdenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 665a992706..e2b4713141 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx) ctx->vlc_bits += max_level * 2; for (level = -max_level; level < max_level; level++) { for (run = 0; run < 2; run++) { - int index = (level << 1) | run; + int index = level * (1 << 1) | run; int sign, offset = 0, alevel = level; MASK_ABS(sign, alevel); @@ -618,7 +618,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block, slevel = block[j]; if (slevel) { int run_level = i - last_non_zero - 1; - int rlevel = (slevel << 1) | !!run_level; + int rlevel = slevel * (1 << 1) | !!run_level; put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]); if (run_level) put_bits(&ctx->m.pb, ctx->run_bits[run_level], @@ -698,7 +698,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index) level = block[j]; if (level) { int run_level = i - last_non_zero - 1; - bits += ctx->vlc_bits[(level << 1) | + bits += ctx->vlc_bits[level * (1 << 1) | !!run_level] + ctx->run_bits[run_level]; last_non_zero = i; } From 32c81dffb0a6aedbd8fd8929d9f8a83e8f253bcc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:07 +0200 Subject: [PATCH 812/818] avcodec/ituh263dec: Fix undefined left shift of negative number Fixes ticket #8160. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479) Signed-off-by: Andreas Rheinhardt --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index edb68861ac..f2804e8af2 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c 
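Review bot: `int index = level * (1 << 1) | run;` in the first dnxhdenc hunk relies on `*` binding tighter than `|`; the value matches the old `(level << 1) | run`, but mixing arithmetic and bitwise operators without parentheses reads as if the shift might apply to the whole expression. The same form appears in the two later hunks (`slevel * (1 << 1) | !!run_level` and `level * (1 << 1) | !!run_level`). Suggest `int index = (level * (1 << 1)) | run;` and the equivalent parenthesisation in the other two.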
@@ -1266,7 +1266,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
 for(i=0; i<13; i++){
 for(j=0; j<3; j++){
 int v= get_bits(&s->gb, 8);
- v |= get_sbits(&s->gb, 8)<<8;
+ v |= get_sbits(&s->gb, 8) * (1 << 8);
 av_log(s->avctx, AV_LOG_DEBUG, " %5d", v);
 }
 av_log(s->avctx, AV_LOG_DEBUG, "\n");
From d4f2de5151d44028f5122b2051c532f26473e2ce Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 28 Sep 2019 04:26:10 +0200
Subject: [PATCH 813/818] avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers
Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983.
Signed-off-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef)
Signed-off-by: Andreas Rheinhardt
---
 libavcodec/jpeg2000dwt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index 8092297b8c..dd23b21924 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t)
 line += 5;
 for (i = 0; i < w * h; i++)
- t[i] <<= I_PRESHIFT;
+ t[i] *= 1 << I_PRESHIFT;
 for (lev = s->ndeclevels-1; lev >= 0; lev--){
 int lh = s->linelen[lev][0],
From 0b4a122a5ab8a5013cb7980cb6104a17e5e51100 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 28 Sep 2019 04:25:57 +0200
Subject: [PATCH 814/818] avfilter/vf_hqx: Fix undefined left shifts of negative numbers
Affected every usage of this filter; in particular, it affected the FATE-tests filter-2xbr, filter-3xbr and filter-4xbr.
Signed-off-by: Andreas Rheinhardt
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092)
Signed-off-by: Andreas Rheinhardt
---
 libavfilter/vf_hqx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
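Review bot: `v |= get_sbits(&s->gb, 8) * (1 << 8);` ORs a possibly negative int into `v`, which only yields the intended sign-extended 16-bit value because the low eight bits of the product are zero and `v` holds only the low byte; that is addition in disguise, and `v += get_sbits(&s->gb, 8) * (1 << 8);` says so without leaning on the bit pattern of a negative operand. The line sits in a debug-logging loop, so this is a readability point rather than a behavioural one. ff_h263_decode_picture_header's body continues on both sides of the hunk.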
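Review bot: `t[i] *= 1 << I_PRESHIFT;` removes the undefined left shift of a negative value, but a signed multiplication that overflows is undefined as well, so the line is only safe while |t[i]| stays below INT_MAX >> I_PRESHIFT for every element; neither the value of I_PRESHIFT nor the range of `t` is visible in this hunk, so that bound is worth confirming and stating on the line: `/* multiply, not shift: t[i] may be negative; |t[i]| must stay < INT_MAX >> I_PRESHIFT */`. The same reasoning applies to `rg * (1 << 16)` in the vf_hqx.c and vf_xbr.c hunks below, where the operands are presumably small per-channel differences. dwt_encode97_int's body continues outside the hunk.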
diff --git a/libavfilter/vf_hqx.c b/libavfilter/vf_hqx.c
index 5f63b2a3f9..8899d7a70f 100644
--- a/libavfilter/vf_hqx.c
+++ b/libavfilter/vf_hqx.c
@@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx)
 int startg = FFMAX3(-bg, -rg, 0);
 int endg = FFMIN3(255-bg, 255-rg, 255);
 uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000);
- c = bg + (rg<<16) + 0x010101 * startg;
+ c = bg + rg * (1 << 16) + 0x010101 * startg;
 for (g = startg; g <= endg; g++) {
 hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v;
 c+= 0x010101;
From e5655c04446614e54f2fdf1294cc4f6773d8f6a6 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 28 Sep 2019 04:25:56 +0200
Subject: [PATCH 815/818] avfilter/vf_xbr: Fix left shift of negative number
Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr, filter-3xbr, filter-4xbr.
Signed-off-by: Andreas Rheinhardt
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d)
Signed-off-by: Andreas Rheinhardt
---
 libavfilter/vf_xbr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/vf_xbr.c b/libavfilter/vf_xbr.c
index d0d51045cc..323252abe9 100644
--- a/libavfilter/vf_xbr.c
+++ b/libavfilter/vf_xbr.c
@@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx)
 int startg = FFMAX3(-bg, -rg, 0);
 int endg = FFMIN3(255-bg, 255-rg, 255);
 uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000);
- c = bg + (rg<<16) + 0x010101 * startg;
+ c = bg + rg * (1 << 16) + 0x010101 * startg;
 for (g = startg; g <= endg; g++) {
 s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v;
 c+= 0x010101;
From 25a0887c5a1d4e2cc4d84ddeabdfd7dc26a69786 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Thu, 24 Oct 2019 15:36:35 +0200
Subject: [PATCH 816/818] fftools/ffmpeg: Free swresample dictionary during cleanup
Freeing this was forgotten in ad899522. Fixes #8315 and #8316.
Signed-off-by: Andreas Rheinhardt
Reviewed-by: Paul B Mahol
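Review bot: The corrected `c = bg + rg * (1 << 16) + 0x010101 * startg;` feeds a table index two lines later (`hqx->rgbtoyuv[c]`) with no range check, and the reason that is safe is not written down anywhere in the loop: `startg = FFMAX3(-bg, -rg, 0)` makes each packed component `bg + startg`, `rg + startg` and `startg` non-negative, and `endg = FFMIN3(255-bg, 255-rg, 255)` keeps them at or below 255 as `c += 0x010101` walks `g` up to `endg`, so `c` never leaves the 24-bit range. A comment on the assignment such as `/* startg/endg keep each packed component in 0..255, so c stays a valid rgbtoyuv index */` would make that invariant explicit; the vf_xbr.c hunk below contains the identical loop and would take the same comment. Both init() bodies continue outside their hunks.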
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6f2a3958cfac135c60b509a61a4fd39432d8f9a9)
Signed-off-by: Andreas Rheinhardt
---
 ffmpeg.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ffmpeg.c b/ffmpeg.c
index b0ac1c6708..05aa475981 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -554,6 +554,7 @@ static void ffmpeg_cleanup(int ret)
 ost->audio_channels_mapped = 0;
 av_dict_free(&ost->sws_dict);
+ av_dict_free(&ost->swr_opts);
 avcodec_free_context(&ost->enc_ctx);
 avcodec_parameters_free(&ost->ref_par);
From eb892918778164ff0b7a398954109e5fc5bf8872 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sun, 15 Sep 2019 22:01:20 +0200
Subject: [PATCH 817/818] avcodec/ttaenc: Fix undefined shift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ttaenc contained (1 << unary) - 1 as an argument for a function expecting an unsigned int. unary can be as big as 31 in this case. The type of the shift and the whole expression is int, because 1 fits into an integer, so that the behaviour is undefined if unary == 31 as the result of the shift can't be represented in an int §. Subtraction by 1 (which makes the result of the whole expression representable in an int) doesn't change that this is undefined (it usually leads to signed integer overflow which is undefined, too). The solution is simple: Make 1 unsigned to change the type of the whole expression to unsigned int (as the function expects anyway). Fixes ticket #8153. §: This of course presupposes the common int range of -2^31..2^31-1
Signed-off-by: Andreas Rheinhardt
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720)
Signed-off-by: Andreas Rheinhardt
---
 libavcodec/ttaenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c
index 3cc54d78c5..08a0d0483a 100644
--- a/libavcodec/ttaenc.c
+++ b/libavcodec/ttaenc.c
@@ -164,7 +164,7 @@ pkt_alloc:
 put_bits(&pb, 31, 0x7FFFFFFF);
 unary -= 31;
 } else {
- put_bits(&pb, unary, (1 << unary) - 1);
+ put_bits(&pb, unary, (1U << unary) - 1);
 unary = 0;
 }
 } while (unary);
From af8d5aab74c1fac2280e1a0b1e52c09b7e92e8b1 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 20 Apr 2019 00:03:15 +0200
Subject: [PATCH 818/818] lavf/webm_chunk: Fix NULL dereference
The earlier version of the webm_chunk muxer had several bugs: 1. If the first packet of an audio stream didn't have a PTS of zero, then no chunk will be started before a packet is delivered to the underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write these packets had a NULL as AVIOContext for output. This is behind the crash in ticket #5752. 2. If an error happens during writing a packet, the underlyimg Matroska/WebM muxer context is freed. This leads to a use-after-free coupled with a double-free in webm_chunk_write_trailer (which supposes that the underlying AVFormatContext is still valid). 3. Even when no error occurs at all, webm_chunk_write_trailer is still buggy: After the underlying Matroska/WebM muxer has written its trailer, ending the chunk implicitly flushes it again which is illegal at this point. These bugs have been fixed. Fixes #5752.
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 8c6ee7626bcce7c270360f33b60dc7ef99939fc3)
Signed-off-by: Andreas Rheinhardt
---
 libavformat/webm_chunk.c | 44 +++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 21 deletions(-)
diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c
index f8dbaa3339..6e9ecc8be7 100644
--- a/libavformat/webm_chunk.c
+++ b/libavformat/webm_chunk.c
@@ -162,7 +162,7 @@ static int chunk_start(AVFormatContext *s)
 return 0;
 }
-static int chunk_end(AVFormatContext *s)
+static int chunk_end(AVFormatContext *s, int flush)
 {
 WebMChunkContext *wc = s->priv_data;
 AVFormatContext *oc = wc->avf;
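Review bot: `(1U << unary) - 1` is only well-defined because this `else` branch runs with `unary` no larger than 31, and nothing on the line says so; the preceding branch (its condition is above the hunk) emits 31 set bits and subtracts 31, so the `else` presumably sees `unary <= 31`. A comment keeps the unsigned literal from being "tidied" back into the shift the commit message explains: `/* unary <= 31 here; 1U keeps the shift and the -1 in unsigned arithmetic, as put_bits expects */`. The do/while loop this sits in begins above the hunk.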
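Review bot: The new `flush` parameter of chunk_end is undocumented, so its meaning can only be recovered from the two call sites further down (`1` from webm_chunk_write_packet, `0` from webm_chunk_write_trailer, where the inner muxer's trailer has already ended the cluster). A short header comment above the definition would fix that, e.g. `/* Close the open chunk and write it out as its own file; no-op if no chunk is open. flush: end the inner muxer's current cluster first (pass 0 after write_trailer, which already did). */`. The function's body follows in the next hunk.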
@@ -173,11 +173,14 @@ static int chunk_end(AVFormatContext *s)
 char filename[MAX_FILENAME_SIZE];
 AVDictionary *options = NULL;
- if (wc->chunk_start_index == wc->chunk_index)
+ if (!oc->pb)
 return 0;
- // Flush the cluster in WebM muxer.
- oc->oformat->write_packet(oc, NULL);
+
+ if (flush)
+ // Flush the cluster in WebM muxer.
+ oc->oformat->write_packet(oc, NULL);
 buffer_size = avio_close_dyn_buf(oc->pb, &buffer);
+ oc->pb = NULL;
 ret = get_chunk_filename(s, 0, filename);
 if (ret < 0)
 goto fail;
@@ -188,7 +191,6 @@ static int chunk_end(AVFormatContext *s)
 goto fail;
 avio_write(pb, buffer, buffer_size);
 ff_format_io_close(s, &pb);
- oc->pb = NULL;
 fail:
 av_dict_free(&options);
 av_free(buffer);
@@ -210,27 +212,19 @@ static int webm_chunk_write_packet(AVFormatContext *s, AVPacket *pkt)
 }
 // For video, a new chunk is started only on key frames. For audio, a new
- // chunk is started based on chunk_duration.
- if ((st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO &&
+ // chunk is started based on chunk_duration. Also, a new chunk is started
+ // unconditionally if there is no currently open chunk.
+ if (!oc->pb || (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO &&
 (pkt->flags & AV_PKT_FLAG_KEY)) ||
 (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO &&
- (pkt->pts == 0 || wc->duration_written >= wc->chunk_duration))) {
+ wc->duration_written >= wc->chunk_duration)) {
 wc->duration_written = 0;
- if ((ret = chunk_end(s)) < 0 || (ret = chunk_start(s)) < 0) {
- goto fail;
+ if ((ret = chunk_end(s, 1)) < 0 || (ret = chunk_start(s)) < 0) {
+ return ret;
 }
 }
 ret = oc->oformat->write_packet(oc, pkt);
- if (ret < 0)
- goto fail;
-
-fail:
- if (ret < 0) {
- oc->streams = NULL;
- oc->nb_streams = 0;
- avformat_free_context(oc);
- }
 return ret;
 }
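Review bot: The result of `oc->oformat->write_packet(oc, NULL)` in the new `if (flush)` branch is discarded, so a failure while ending the cluster still turns whatever reached the dynamic buffer into a chunk file, and the branch is a comment plus an unbraced statement, the shape that hides a later misplaced line. Capturing the result and bailing out only after the dynamic buffer has been closed keeps the existing `fail:` cleanup valid; `ret` is declared above the hunk and would need to start at 0 for the unflushed path. The remainder of chunk_end is in the next hunk.
```c
    if (flush) {
        // Flush the cluster in WebM muxer.
        ret = oc->oformat->write_packet(oc, NULL);
    }
    buffer_size = avio_close_dyn_buf(oc->pb, &buffer);
    oc->pb = NULL;
    if (ret < 0)
        goto fail;
    /* … unchanged: get_chunk_filename, open and write the chunk file … */
```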
@@ -239,12 +233,20 @@ static int webm_chunk_write_trailer(AVFormatContext *s)
 {
 WebMChunkContext *wc = s->priv_data;
 AVFormatContext *oc = wc->avf;
+ int ret;
+
+ if (!oc->pb) {
+ ret = chunk_start(s);
+ if (ret < 0)
+ goto fail;
+ }
 oc->oformat->write_trailer(oc);
- chunk_end(s);
+ ret = chunk_end(s, 0);
+fail:
 oc->streams = NULL;
 oc->nb_streams = 0;
 avformat_free_context(oc);
- return 0;
+ return ret;
 }
 #define OFFSET(x) offsetof(WebMChunkContext, x)
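Review bot: `oc->oformat->write_trailer(oc);` still discards its result even though the new code now threads `ret` through webm_chunk_write_trailer, so a failed trailer write is reported as success whenever the following `chunk_end(s, 0)` succeeds. Capturing it while still calling chunk_end unconditionally, since the dynamic buffer has to be closed either way, keeps the `fail:` cleanup unchanged; `int ret;` becomes `int ret, err;`.
```c
    ret = oc->oformat->write_trailer(oc);
    err = chunk_end(s, 0);
    if (ret >= 0)
        ret = err;
fail:
    /* … unchanged: detach the shared streams and free oc … */
```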