From 6ceda546298145225345d7c40074ec934a0a05fc Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 22 Mar 2024 20:43:43 +0800 Subject: [PATCH 001/562] tests: Remove fate-libx265-hdr10 The test depends on the compile option of x265. It failed when HIGH_BIT_DEPTH isn't enabled. It also failed when asan is enabled because of memory issue inside of x265, which I don't think can be fixed within FFmpeg. Signed-off-by: Zhao Zhili (cherry picked from commit edb1f1bc09c7dd89d35da670d8b1f4366003df59) --- tests/fate/enc_external.mak | 5 ----- tests/ref/fate/libx265-hdr10 | 16 ---------------- 2 files changed, 21 deletions(-) delete mode 100644 tests/ref/fate/libx265-hdr10 diff --git a/tests/fate/enc_external.mak b/tests/fate/enc_external.mak index 30021efbcd..4095a4b51a 100644 --- a/tests/fate/enc_external.mak +++ b/tests/fate/enc_external.mak @@ -12,10 +12,5 @@ FATE_ENC_EXTERNAL-$(call ENCDEC, LIBX264 HEVC, MOV, LIBX264_HDR10 HEVC_DEMUXER H fate-libx264-hdr10: CMD = enc_external $(TARGET_SAMPLES)/hevc/hdr10_plus_h265_sample.hevc \ mp4 "-c:v libx264" "-show_frames -show_entries frame=side_data_list -of flat" -# test for x265 MDCV and CLL passthrough during encoding -FATE_ENC_EXTERNAL-$(call ENCDEC, LIBX265 HEVC, MOV, HEVC_DEMUXER) += fate-libx265-hdr10 -fate-libx265-hdr10: CMD = enc_external $(TARGET_SAMPLES)/hevc/hdr10_plus_h265_sample.hevc \ - mp4 "-c:v libx265" "-show_frames -show_entries frame=side_data_list -of flat" - FATE_SAMPLES_FFMPEG_FFPROBE += $(FATE_ENC_EXTERNAL-yes) fate-enc-external: $(FATE_ENC_EXTERNAL-yes) diff --git a/tests/ref/fate/libx265-hdr10 b/tests/ref/fate/libx265-hdr10 deleted file mode 100644 index 571c837cac..0000000000 --- a/tests/ref/fate/libx265-hdr10 +++ /dev/null 
@@ -1,16 +0,0 @@ -frames.frame.0.side_data_list.side_data.0.side_data_type="H.26[45] User Data Unregistered SEI message" -frames.frame.0.side_data_list.side_data.1.side_data_type="H.26[45] User Data Unregistered SEI message" -frames.frame.0.side_data_list.side_data.2.side_data_type="Mastering display metadata" -frames.frame.0.side_data_list.side_data.2.red_x="13250/50000" -frames.frame.0.side_data_list.side_data.2.red_y="34500/50000" -frames.frame.0.side_data_list.side_data.2.green_x="7500/50000" -frames.frame.0.side_data_list.side_data.2.green_y="3000/50000" -frames.frame.0.side_data_list.side_data.2.blue_x="34000/50000" -frames.frame.0.side_data_list.side_data.2.blue_y="16000/50000" -frames.frame.0.side_data_list.side_data.2.white_point_x="15635/50000" -frames.frame.0.side_data_list.side_data.2.white_point_y="16450/50000" -frames.frame.0.side_data_list.side_data.2.min_luminance="50/10000" -frames.frame.0.side_data_list.side_data.2.max_luminance="10000000/10000" -frames.frame.0.side_data_list.side_data.3.side_data_type="Content light level metadata" -frames.frame.0.side_data_list.side_data.3.max_content=1000 -frames.frame.0.side_data_list.side_data.3.max_average=200 From 304208d40c9ad7ac1687a96734ec97cfb5791b2a Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Mon, 25 Mar 2024 16:09:00 +0800 Subject: [PATCH 002/562] avcodec/h264_mp4toannexb: Fix heap buffer overflow Fixes: out of array write Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560 mp4toannexb_filter counts the number of bytes needed in the first pass and allocates the memory, then does the memcpy in the second pass. Updating the SPS/PPS size inside that loop makes the count invalid when SPS/PPS occur after the IDR slice. This patch processes in-band SPS/PPS before the two-pass loop. 
Signed-off-by: Zhao Zhili (cherry picked from commit 89e9486bc3da83ae031313c4b0224a7b46e83ab6)
---
 libavcodec/bsf/h264_mp4toannexb.c | 59 ++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 13 deletions(-)
diff --git a/libavcodec/bsf/h264_mp4toannexb.c b/libavcodec/bsf/h264_mp4toannexb.c
index 120241c892..92af6a6881 100644
--- a/libavcodec/bsf/h264_mp4toannexb.c
+++ b/libavcodec/bsf/h264_mp4toannexb.c
@@ -208,6 +208,49 @@ static int h264_mp4toannexb_save_ps(uint8_t **dst, int *dst_size,
 return 0;
 }
+static int h264_mp4toannexb_filter_ps(H264BSFContext *s,
+ const uint8_t *buf,
+ const uint8_t *buf_end)
+{
+ int sps_count = 0;
+ int pps_count = 0;
+ uint8_t unit_type;
+
+ do {
+ uint32_t nal_size = 0;
+
+ /* possible overread ok due to padding */
+ for (int i = 0; i < s->length_size; i++)
+ nal_size = (nal_size << 8) | buf[i];
+
+ buf += s->length_size;
+
+ /* This check requires the cast as the right side might
+ * otherwise be promoted to an unsigned value. */
+ if ((int64_t)nal_size > buf_end - buf)
+ return AVERROR_INVALIDDATA;
+
+ if (!nal_size)
+ continue;
+
+ unit_type = *buf & 0x1f;
+
+ if (unit_type == H264_NAL_SPS) {
+ h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size, buf,
+ nal_size, !sps_count);
+ sps_count++;
+ } else if (unit_type == H264_NAL_PPS) {
+ h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size, buf,
+ nal_size, !pps_count);
+ pps_count++;
+ }
+
+ buf += nal_size;
+ } while (buf < buf_end);
+
+ return 0;
+}
+
 static int h264_mp4toannexb_init(AVBSFContext *ctx)
 {
 int extra_size = ctx->par_in->extradata_size;
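Review bot: The return value of `h264_mp4toannexb_save_ps()` is dropped on both calls in the new `h264_mp4toannexb_filter_ps()`; the hunk header shows it is declared `static int`, so if it can fail (presumably on reallocation) the failure is silently ignored and `s->sps_size`/`s->pps_size` may not describe the buffer the two-pass loop later copies from, which is exactly the bookkeeping this fix depends on. Propagating it, `ret = h264_mp4toannexb_save_ps(...); if (ret < 0) return ret;`, closes that hole, assuming its error convention is the usual negative AVERROR. The length-prefix read relies on the packet's input padding for the possible overread, which the existing comment states, but the fact that this pre-pass must stay in step with the NAL walk in `h264_mp4toannexb_filter()` (same `length_size` decode, same `nal_size` bounds check) deserves a header comment such as `/* Pre-pass over in-band SPS/PPS so that sps_size/pps_size are fixed before the two-pass size/copy loop in h264_mp4toannexb_filter(); must apply the same NAL bounds checks as that loop. */`.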
@@ -263,14 +306,14 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt) } buf_end = in->data + in->size; + ret = h264_mp4toannexb_filter_ps(s, in->data, buf_end); + if (ret < 0) + goto fail; #define LOG_ONCE(...) \ if (j) \ av_log(__VA_ARGS__) for (int j = 0; j < 2; j++) { - int sps_count = 0; - int pps_count = 0; - buf = in->data; new_idr = s->new_idr; sps_seen = s->idr_sps_seen; @@ -301,18 +344,8 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt) if (unit_type == H264_NAL_SPS) { sps_seen = new_idr = 1; - if (!j) { - h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size, - buf, nal_size, !sps_count); - sps_count++; - } } else if (unit_type == H264_NAL_PPS) { pps_seen = new_idr = 1; - if (!j) { - h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size, - buf, nal_size, !pps_count); - pps_count++; - } /* if SPS has not been seen yet, prepend the AVCC one to PPS */ if (!sps_seen) { if (!s->sps_size) { From 9cfb29baa2c5fed75107bd9e3a3a3afabf2db3f4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 26 Mar 2024 21:11:20 -0300 Subject: [PATCH 003/562] avformat/mov: don't abort on duplicate Mastering Display Metadata boxes The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a mdvc one. If both are present, just ignore one of them. This is in line with clli and CoLL boxes. Fixes ticket #10711. Signed-off-by: James Almer --- libavformat/mov.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e7aa8d1833..5463f36770 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
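Review bot: The call `ret = h264_mp4toannexb_filter_ps(s, in->data, buf_end);` carries no explanation of why in-band parameter sets must be extracted before the two passes; the reason, that pass 0 sizes the output from `s->sps_size`/`s->pps_size` and pass 1 memcpys, so those sizes must not change between passes, lives only in the commit message. A comment such as `/* Extract in-band SPS/PPS first: pass 0 below sizes the output buffer from sps_size/pps_size and pass 1 copies, so the sizes must not change between the passes. */` would protect the fix from being undone by a future refactor. `h264_mp4toannexb_filter()` starts outside the hunk and the `fail` label is not visible either, so I could not confirm what `fail` releases on this new early-exit path.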
@@ -6140,8 +6140,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } - if (sc->mastering) - return AVERROR_INVALIDDATA; + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } avio_skip(pb, 3); /* flags */ @@ -6178,11 +6180,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24 || sc->mastering) { + if (atom.size < 24) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); From da903c558bb18b5476be4272fdaabaa7152892b9 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2024 09:31:14 +0100 Subject: [PATCH 004/562] fftools/ffmpeg_sched: move sch_stop() to the bottom of the file Will allow avoiding forward declarations in following commits. (cherry picked from commit af81788f303a972c951fddc59d04521a9f112799) Signed-off-by: Anton Khirnov --- fftools/ffmpeg_sched.c | 138 ++++++++++++++++++++--------------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/fftools/ffmpeg_sched.c b/fftools/ffmpeg_sched.c index ec88017e21..67c32fb5a0 100644 --- a/fftools/ffmpeg_sched.c +++ b/fftools/ffmpeg_sched.c 
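Review bot: The new duplicate checks in `mov_read_smdm()` and `mov_read_mdcv()` silently make the first parsed box win, but nothing in the code says that `SmDm` and `mdcv` are alternative carriers of the same data, which is the justification given only in the commit message. A one-line comment at each check, `/* SmDm (VP9) and mdcv (ISOBMFF) carry the same metadata; keep whichever was parsed first, as for clli/CoLL */`, would stop a later reader from "fixing" this back to an error. Note the two functions still validate before deduplicating (version in `mov_read_smdm()`, `atom.size < 24` in `mov_read_mdcv()`), so a truncated duplicate `mdcv` appears to still fail the demux while any duplicate `SmDm` is ignored; that ordering is defensible, but worth stating if intentional.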
@@ -399,22 +399,6 @@ static int queue_alloc(ThreadQueue **ptq, unsigned nb_streams, unsigned queue_si static void *task_wrapper(void *arg); -static int task_stop(SchTask *task) -{ - int ret; - void *thread_ret; - - if (!task->thread_running) - return 0; - - ret = pthread_join(task->thread, &thread_ret); - av_assert0(ret == 0); - - task->thread_running = 0; - - return (intptr_t)thread_ret; -} - static int task_start(SchTask *task) { int ret; @@ -468,59 +452,6 @@ static int64_t trailing_dts(const Scheduler *sch, int count_finished) return min_dts == INT64_MAX ? AV_NOPTS_VALUE : min_dts; } -int sch_stop(Scheduler *sch, int64_t *finish_ts) -{ - int ret = 0, err; - - atomic_store(&sch->terminate, 1); - - for (unsigned type = 0; type < 2; type++) - for (unsigned i = 0; i < (type ? sch->nb_demux : sch->nb_filters); i++) { - SchWaiter *w = type ? &sch->demux[i].waiter : &sch->filters[i].waiter; - waiter_set(w, 1); - } - - for (unsigned i = 0; i < sch->nb_demux; i++) { - SchDemux *d = &sch->demux[i]; - - err = task_stop(&d->task); - ret = err_merge(ret, err); - } - - for (unsigned i = 0; i < sch->nb_dec; i++) { - SchDec *dec = &sch->dec[i]; - - err = task_stop(&dec->task); - ret = err_merge(ret, err); - } - - for (unsigned i = 0; i < sch->nb_filters; i++) { - SchFilterGraph *fg = &sch->filters[i]; - - err = task_stop(&fg->task); - ret = err_merge(ret, err); - } - - for (unsigned i = 0; i < sch->nb_enc; i++) { - SchEnc *enc = &sch->enc[i]; - - err = task_stop(&enc->task); - ret = err_merge(ret, err); - } - - for (unsigned i = 0; i < sch->nb_mux; i++) { - SchMux *mux = &sch->mux[i]; - - err = task_stop(&mux->task); - ret = err_merge(ret, err); - } - - if (finish_ts) - *finish_ts = trailing_dts(sch, 1); - - return ret; -} - void sch_free(Scheduler **psch) { Scheduler *sch = *psch; 
@@ -2518,3 +2449,72 @@ static void *task_wrapper(void *arg) return (void*)(intptr_t)ret; } + +static int task_stop(SchTask *task) +{ + int ret; + void *thread_ret; + + if (!task->thread_running) + return 0; + + ret = pthread_join(task->thread, &thread_ret); + av_assert0(ret == 0); + + task->thread_running = 0; + + return (intptr_t)thread_ret; +} + +int sch_stop(Scheduler *sch, int64_t *finish_ts) +{ + int ret = 0, err; + + atomic_store(&sch->terminate, 1); + + for (unsigned type = 0; type < 2; type++) + for (unsigned i = 0; i < (type ? sch->nb_demux : sch->nb_filters); i++) { + SchWaiter *w = type ? &sch->demux[i].waiter : &sch->filters[i].waiter; + waiter_set(w, 1); + } + + for (unsigned i = 0; i < sch->nb_demux; i++) { + SchDemux *d = &sch->demux[i]; + + err = task_stop(&d->task); + ret = err_merge(ret, err); + } + + for (unsigned i = 0; i < sch->nb_dec; i++) { + SchDec *dec = &sch->dec[i]; + + err = task_stop(&dec->task); + ret = err_merge(ret, err); + } + + for (unsigned i = 0; i < sch->nb_filters; i++) { + SchFilterGraph *fg = &sch->filters[i]; + + err = task_stop(&fg->task); + ret = err_merge(ret, err); + } + + for (unsigned i = 0; i < sch->nb_enc; i++) { + SchEnc *enc = &sch->enc[i]; + + err = task_stop(&enc->task); + ret = err_merge(ret, err); + } + + for (unsigned i = 0; i < sch->nb_mux; i++) { + SchMux *mux = &sch->mux[i]; + + err = task_stop(&mux->task); + ret = err_merge(ret, err); + } + + if (finish_ts) + *finish_ts = trailing_dts(sch, 1); + + return ret; +} From 536443919f59822670e74d40c5aa1baa0b32fec0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2024 09:49:27 +0100 Subject: [PATCH 005/562] fftools/ffmpeg_sched: make sure to always run task cleanup Even in cases where sch_start() failed. This ensures all links are properly closed and no tasks are left hanging. Fixes #10916. (cherry picked from commit 24b9f29ff2e0b84ae1345f51cbf7240e079d7a2b) 
Signed-off-by: Anton Khirnov --- fftools/ffmpeg_sched.c | 68 +++++++++++++++++++++++++++--------------- 1 file changed, 44 insertions(+), 24 deletions(-) diff --git a/fftools/ffmpeg_sched.c b/fftools/ffmpeg_sched.c index 67c32fb5a0..ee3af45908 100644 --- a/fftools/ffmpeg_sched.c +++ b/fftools/ffmpeg_sched.c @@ -260,6 +260,12 @@ typedef struct SchFilterGraph { int task_exited; } SchFilterGraph; +enum SchedulerState { + SCH_STATE_UNINIT, + SCH_STATE_STARTED, + SCH_STATE_STOPPED, +}; + struct Scheduler { const AVClass *class; @@ -292,7 +298,7 @@ struct Scheduler { char *sdp_filename; int sdp_auto; - int transcode_started; + enum SchedulerState state; atomic_int terminate; atomic_int task_failed; @@ -1144,7 +1150,8 @@ int sch_mux_stream_ready(Scheduler *sch, unsigned mux_idx, unsigned stream_idx) // this may be called during initialization - do not start // threads before sch_start() is called - if (++mux->nb_streams_ready == mux->nb_streams && sch->transcode_started) + if (++mux->nb_streams_ready == mux->nb_streams && + sch->state >= SCH_STATE_STARTED) ret = mux_init(sch, mux); pthread_mutex_unlock(&sch->mux_ready_lock); @@ -1514,7 +1521,8 @@ int sch_start(Scheduler *sch) if (ret < 0) return ret; - sch->transcode_started = 1; + av_assert0(sch->state == SCH_STATE_UNINIT); + sch->state = SCH_STATE_STARTED; for (unsigned i = 0; i < sch->nb_mux; i++) { SchMux *mux = &sch->mux[i]; @@ -1522,7 +1530,7 @@ int sch_start(Scheduler *sch) if (mux->nb_streams_ready == mux->nb_streams) { ret = mux_init(sch, mux); if (ret < 0) - return ret; + goto fail; } } @@ -1531,7 +1539,7 @@ int sch_start(Scheduler *sch) ret = task_start(&enc->task); if (ret < 0) - return ret; + goto fail; } for (unsigned i = 0; i < sch->nb_filters; i++) { @@ -1539,7 +1547,7 @@ int sch_start(Scheduler *sch) ret = task_start(&fg->task); if (ret < 0) - return ret; + goto fail; } for (unsigned i = 0; i < sch->nb_dec; i++) { 
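Review bot: `enum SchedulerState` is introduced without any statement of its transitions, and the code that depends on them is spread across `sch_start()` (UNINIT to STARTED, asserted), `sch_stop()` (STARTED to STOPPED, elsewhere in this patch) and `sch_mux_stream_ready()` (reads `state >= SCH_STATE_STARTED` under `mux_ready_lock`). A comment on the enum would help, e.g. `/* UNINIT -> STARTED in sch_start() (asserted), STARTED -> STOPPED in sch_stop(); sch_stop() is a no-op in any other state. */`. Note also that `sch->state = SCH_STATE_STARTED` is written in `sch_start()` with no lock visible around it in the hunk, while `sch_mux_stream_ready()` reads it under `mux_ready_lock`; this mirrors the old `transcode_started` field, so it is not new, but if `sch_mux_stream_ready()` can run from a task thread it is a data race and the write belongs under the same lock.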
@@ -1547,7 +1555,7 @@ int sch_start(Scheduler *sch) ret = task_start(&dec->task); if (ret < 0) - return ret; + goto fail; } for (unsigned i = 0; i < sch->nb_demux; i++) { @@ -1558,7 +1566,7 @@ int sch_start(Scheduler *sch) ret = task_start(&d->task); if (ret < 0) - return ret; + goto fail; } pthread_mutex_lock(&sch->schedule_lock); @@ -1566,6 +1574,9 @@ int sch_start(Scheduler *sch) pthread_mutex_unlock(&sch->schedule_lock); return 0; +fail: + sch_stop(sch, NULL); + return ret; } int sch_wait(Scheduler *sch, uint64_t timeout_us, int64_t *transcode_ts) @@ -2414,6 +2425,18 @@ int sch_filter_command(Scheduler *sch, unsigned fg_idx, AVFrame *frame) return send_to_filter(sch, fg, fg->nb_inputs, frame); } +static int task_cleanup(Scheduler *sch, SchedulerNode node) +{ + switch (node.type) { + case SCH_NODE_TYPE_DEMUX: return demux_done (sch, node.idx); + case SCH_NODE_TYPE_MUX: return mux_done (sch, node.idx); + case SCH_NODE_TYPE_DEC: return dec_done (sch, node.idx); + case SCH_NODE_TYPE_ENC: return enc_done (sch, node.idx); + case SCH_NODE_TYPE_FILTER_IN: return filter_done(sch, node.idx); + default: av_assert0(0); + } +} + static void *task_wrapper(void *arg) { SchTask *task = arg; @@ -2426,15 +2449,7 @@ static void *task_wrapper(void *arg) av_log(task->func_arg, AV_LOG_ERROR, "Task finished with error code: %d (%s)\n", ret, av_err2str(ret)); - switch (task->node.type) { - case SCH_NODE_TYPE_DEMUX: err = demux_done (sch, task->node.idx); break; - case SCH_NODE_TYPE_MUX: err = mux_done (sch, task->node.idx); break; - case SCH_NODE_TYPE_DEC: err = dec_done (sch, task->node.idx); break; - case SCH_NODE_TYPE_ENC: err = enc_done (sch, task->node.idx); break; - case SCH_NODE_TYPE_FILTER_IN: err = filter_done(sch, task->node.idx); break; - default: av_assert0(0); - } - + err = task_cleanup(sch, task->node); ret = err_merge(ret, err); // EOF is considered normal termination 
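Review bot: `task_cleanup()` has no `return` after the `switch`; the `default: av_assert0(0);` case only avoids falling off the end of a non-void function through the `abort()` inside the assert, so a warning-free build depends on the compiler treating `av_assert0()` as non-returning. An explicit `return AVERROR_BUG;` after the switch makes the intent obvious and costs nothing. The `fail:` path in `sch_start()` discards the value `sch_stop()` returns in favour of the original `ret`, which looks intentional; a short comment, `/* keep the original error; sch_stop() only tears down what was started */`, would confirm it for the next reader.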
@@ -2450,13 +2465,13 @@ static void *task_wrapper(void *arg) return (void*)(intptr_t)ret; } -static int task_stop(SchTask *task) +static int task_stop(Scheduler *sch, SchTask *task) { int ret; void *thread_ret; if (!task->thread_running) - return 0; + return task_cleanup(sch, task->node); ret = pthread_join(task->thread, &thread_ret); av_assert0(ret == 0); @@ -2470,6 +2485,9 @@ int sch_stop(Scheduler *sch, int64_t *finish_ts) { int ret = 0, err; + if (sch->state != SCH_STATE_STARTED) + return 0; + atomic_store(&sch->terminate, 1); for (unsigned type = 0; type < 2; type++) @@ -2481,40 +2499,42 @@ int sch_stop(Scheduler *sch, int64_t *finish_ts) for (unsigned i = 0; i < sch->nb_demux; i++) { SchDemux *d = &sch->demux[i]; - err = task_stop(&d->task); + err = task_stop(sch, &d->task); ret = err_merge(ret, err); } for (unsigned i = 0; i < sch->nb_dec; i++) { SchDec *dec = &sch->dec[i]; - err = task_stop(&dec->task); + err = task_stop(sch, &dec->task); ret = err_merge(ret, err); } for (unsigned i = 0; i < sch->nb_filters; i++) { SchFilterGraph *fg = &sch->filters[i]; - err = task_stop(&fg->task); + err = task_stop(sch, &fg->task); ret = err_merge(ret, err); } for (unsigned i = 0; i < sch->nb_enc; i++) { SchEnc *enc = &sch->enc[i]; - err = task_stop(&enc->task); + err = task_stop(sch, &enc->task); ret = err_merge(ret, err); } for (unsigned i = 0; i < sch->nb_mux; i++) { SchMux *mux = &sch->mux[i]; - err = task_stop(&mux->task); + err = task_stop(sch, &mux->task); ret = err_merge(ret, err); } if (finish_ts) *finish_ts = trailing_dts(sch, 1); + sch->state = SCH_STATE_STOPPED; + return ret; } From 7fa569e34d448c4a3a19fc0e5c7a74cfc9f6be59 Mon Sep 17 00:00:00 2001 
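Review bot: The new early return `if (sch->state != SCH_STATE_STARTED) return 0;` in `sch_stop()` skips the `*finish_ts = trailing_dts(sch, 1)` assignment at the bottom of the function, so a caller that passes a non-NULL `finish_ts` to a scheduler that never started, or was already stopped, reads whatever was in that variable. The callers are outside this patch, so I cannot tell whether any of them rely on the output; assigning a sentinel on the early path, `if (finish_ts) *finish_ts = AV_NOPTS_VALUE;` before `return 0;`, matches what `trailing_dts()` yields when there is nothing to report and closes the gap either way. `task_stop()` now runs `task_cleanup()` for tasks whose thread never started, while `task_wrapper()` runs it for threads that did, so each node is cleaned exactly once; that is the property the commit relies on and deserves a comment on `task_stop()`, e.g. `/* threads that never started did not run task_wrapper(), so clean up here */`.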
From: Tong Wu Date: Fri, 29 Mar 2024 23:31:20 +0800 Subject: [PATCH 006/562] avcodec/hevc_ps: fix the problem of memcmp losing effectiveness HEVCHdrParams* receives a pointer which points to a dynamically allocated memory block. It causes the memcmp always returning 1. Add a function to do the comparision. A condition is also added to avoid malloc(0). Reviewed-by: James Almer Signed-off-by: Tong Wu Signed-off-by: James Almer (cherry picked from commit 6bf17136a2bc1e6f52ea9cd27a6dcaab648efe5c) --- libavcodec/hevc_ps.c | 19 +++++++++++++++---- libavcodec/hevc_ps.h | 4 +++- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index cbef3ef4cd..6475d86d7d 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -449,6 +449,15 @@ static void uninit_vps(FFRefStructOpaque opaque, void *obj) av_freep(&vps->hdr); } +static int compare_vps(const HEVCVPS *vps1, const HEVCVPS *vps2) +{ + if (!memcmp(vps1, vps2, offsetof(HEVCVPS, hdr))) + return !vps1->vps_num_hrd_parameters || + !memcmp(vps1->hdr, vps2->hdr, vps1->vps_num_hrd_parameters * sizeof(*vps1->hdr)); + + return 0; +} + int ff_hevc_decode_nal_vps(GetBitContext *gb, AVCodecContext *avctx, HEVCParamSets *ps) { @@ -545,9 +554,11 @@ int ff_hevc_decode_nal_vps(GetBitContext *gb, AVCodecContext *avctx, goto err; } - vps->hdr = av_calloc(vps->vps_num_hrd_parameters, sizeof(*vps->hdr)); - if (!vps->hdr) - goto err; + if (vps->vps_num_hrd_parameters) { + vps->hdr = av_calloc(vps->vps_num_hrd_parameters, sizeof(*vps->hdr)); + if (!vps->hdr) + goto err; + } for (i = 0; i < vps->vps_num_hrd_parameters; i++) { int common_inf_present = 1; @@ -569,7 +580,7 @@ int ff_hevc_decode_nal_vps(GetBitContext *gb, AVCodecContext *avctx, } if (ps->vps_list[vps_id] && - !memcmp(ps->vps_list[vps_id], vps, sizeof(*vps))) { + compare_vps(ps->vps_list[vps_id], vps)) { ff_refstruct_unref(&vps); } else { remove_vps(ps, vps_id); 
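Review bot: `compare_vps()` returns non-zero when the two VPS are equal, the inverse of the `memcmp()`/`strcmp()` convention its name suggests, and the only hint is the call site where it replaces `!memcmp(...)`. Either rename it (`vps_equal()`) or document it: `/* Returns 1 if vps1 and vps2 are identical, 0 otherwise. Compares the members up to hdr bytewise and, when present, the vps_num_hrd_parameters HEVCHdrParams they point to. */`. The bytewise comparison also assumes deterministic padding bytes in both structs and fully initialised `hdr` arrays (`av_calloc()` covers the latter); the former was already assumed by the old whole-struct `memcmp()`, so this is a note rather than a regression. Using `vps1->vps_num_hrd_parameters` for both sides is safe only because it lies before `hdr` and was just compared by the first `memcmp()`, which is worth saying in the comment.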
diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index cc75aeb8d3..0d8eaf2b3e 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -153,7 +153,6 @@ typedef struct PTL { typedef struct HEVCVPS { unsigned int vps_id; - HEVCHdrParams *hdr; uint8_t vps_temporal_id_nesting_flag; int vps_max_layers; @@ -175,6 +174,9 @@ typedef struct HEVCVPS { uint8_t data[4096]; int data_size; + /* Put this at the end of the structure to make it easier to calculate the + * size before this pointer, which is used for memcmp */ + HEVCHdrParams *hdr; } HEVCVPS; typedef struct ScalingList { From 515949a15a94b9c8e505d7334faceed435f9e107 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 007/562] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index 553c9bdf18..1741ee7e47 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -664,6 +664,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From 799a7200ee608df7ac415c90900a7e48b845c945 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 28 Mar 2024 13:52:46 -0300 Subject: [PATCH 008/562] avutil/frame: use the same data information as the source entry when cloning side data src->{data,size} does not need to match src->buf->{data,size}. Signed-off-by: James Almer (cherry picked from commit f8fbec8686d49a74aa6e96d55c5c738ae8aa8e49) --- libavutil/frame.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index d7a32cdc92..eb04a65c90 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c 
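Review bot: The comment on the relocated `HEVCHdrParams *hdr;` explains why it is last but not the consequence: any member appended after `hdr` in future is silently excluded from the `offsetof(HEVCVPS, hdr)` comparison in `compare_vps()`, so two differing VPS could be treated as identical and the new one dropped. I would make that explicit, e.g. `/* Must remain the last member: compare_vps() memcmp()s everything before it, so a field added after hdr would be ignored when deciding whether a VPS changed. */`. If the project has a static-assert helper available in this header, tying `offsetof(HEVCVPS, hdr) + sizeof(void *)` to `sizeof(HEVCVPS)` would enforce it at compile time, but I could not see whether one is in scope.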
@@ -711,16 +711,14 @@ AVBufferRef *av_frame_get_plane_buffer(const AVFrame *frame, int plane) return NULL; } -static AVFrameSideData *add_side_data_from_buf(AVFrameSideData ***sd, - int *nb_sd, - enum AVFrameSideDataType type, - AVBufferRef *buf) +static AVFrameSideData *add_side_data_from_buf_ext(AVFrameSideData ***sd, + int *nb_sd, + enum AVFrameSideDataType type, + AVBufferRef *buf, uint8_t *data, + size_t size) { AVFrameSideData *ret, **tmp; - if (!buf) - return NULL; - // *nb_sd + 1 needs to fit into an int and a size_t. if ((unsigned)*nb_sd >= FFMIN(INT_MAX, SIZE_MAX)) return NULL; @@ -735,8 +733,8 @@ static AVFrameSideData *add_side_data_from_buf(AVFrameSideData ***sd, return NULL; ret->buf = buf; - ret->data = ret->buf->data; - ret->size = buf->size; + ret->data = data; + ret->size = size; ret->type = type; (*sd)[(*nb_sd)++] = ret; @@ -744,6 +742,17 @@ static AVFrameSideData *add_side_data_from_buf(AVFrameSideData ***sd, return ret; } +static AVFrameSideData *add_side_data_from_buf(AVFrameSideData ***sd, + int *nb_sd, + enum AVFrameSideDataType type, + AVBufferRef *buf) +{ + if (!buf) + return NULL; + + return add_side_data_from_buf_ext(sd, nb_sd, type, buf, buf->data, buf->size); +} + AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame, enum AVFrameSideDataType type, AVBufferRef *buf) @@ -799,7 +808,8 @@ int av_frame_side_data_clone(AVFrameSideData ***sd, int *nb_sd, if (flags & AV_FRAME_SIDE_DATA_FLAG_UNIQUE) remove_side_data(sd, nb_sd, src->type); - sd_dst = add_side_data_from_buf(sd, nb_sd, src->type, buf); + sd_dst = add_side_data_from_buf_ext(sd, nb_sd, src->type, buf, + src->data, src->size); if (!sd_dst) { av_buffer_unref(&buf); return AVERROR(ENOMEM); From 5a3b625dbc68e16a6a732e97da921a3645314fa9 Mon Sep 17 00:00:00 2001 
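Review bot: `add_side_data_from_buf_ext()` stores the caller-supplied `data`/`size` into the new entry without relating them to `buf`, and the `!buf` guard moved to the thin wrapper, so the contract that `[data, data + size)` lies inside `buf` and that `buf` is non-NULL now rests entirely on the callers. Both hold for the two visible callers, but the function itself should say so: `/* data/size describe the view of buf exported to users; they need not equal buf->data/buf->size (a cloned entry may reference a sub-range), but must lie within buf, and buf must be non-NULL. Takes ownership of buf. */`. That it takes ownership is inferred from the `av_buffer_unref(&buf)` on the failure path in `av_frame_side_data_clone()`, so confirm before adopting that wording.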
From: James Almer Date: Thu, 28 Mar 2024 21:33:25 -0300 Subject: [PATCH 009/562] Revert "avformat/mov: ignore item boxes for animated heif" This reverts commit f6b7b473d456a6aa1c063c4261b17277e2c70ac0. The image in the item boxes and the animation in the trak box are not necessarely the same, so both should be exported. Signed-off-by: James Almer (cherry picked from commit e37b233ee2c0d140e64f0bdbc4765d15bd728290) --- libavformat/mov.c | 44 ++++---------------------------------------- 1 file changed, 4 insertions(+), 40 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5463f36770..c93a09d385 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -83,7 +83,6 @@ typedef struct MOVParseTableEntry { static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom); static int mov_read_mfra(MOVContext *c, AVIOContext *f); -static void mov_free_stream_context(AVFormatContext *s, AVStream *st); static int64_t add_ctts_entry(MOVCtts** ctts_data, unsigned int* ctts_count, unsigned int* allocated_size, int count, int duration); @@ -4860,25 +4859,6 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; int ret; - if (c->found_iinf) { - // * For animated heif, if the iinf box showed up before the moov - // box, we need to clear all the streams read in the former. - for (int i = c->nb_heif_item - 1; i >= 0; i--) { - HEIFItem *item = &c->heif_item[i]; - - av_freep(&item->name); - - if (!item->st) - continue; - - mov_free_stream_context(c->fc, item->st); - ff_remove_stream(c->fc, item->st); - } - av_freep(&c->heif_item); - c->nb_heif_item = 0; - c->found_iinf = c->found_iloc = 0; - } - st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); st->id = -1; 
@@ -8065,9 +8045,8 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t base_offset, extent_offset, extent_length; uint8_t value; - if (c->found_moov) { - // * For animated heif, we don't care about the iloc box as all the - // necessary information can be found in the moov box. + if (c->found_iloc) { + av_log(c->fc, AV_LOG_INFO, "Duplicate iloc box found\n"); return 0; } @@ -8198,11 +8177,6 @@ static int mov_read_iinf(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Duplicate iinf box found\n"); return 0; } - if (c->found_moov) { - // * For animated heif, we don't care about the iinf box as all the - // necessary information can be found in the moov box. - return 0; - } version = avio_r8(pb); avio_rb24(pb); // flags. @@ -8356,12 +8330,6 @@ static int mov_read_ispe(MOVContext *c, AVIOContext *pb, MOVAtom atom) { uint32_t width, height; - if (c->found_moov) { - // * For animated heif, we don't care about the ispe box as all the - // necessary information can be found in the moov box. - return 0; - } - avio_r8(pb); /* version */ avio_rb24(pb); /* flags */ width = avio_rb32(pb); @@ -8396,12 +8364,6 @@ static int mov_read_iprp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int version, flags; int ret; - if (c->found_moov) { - // * For animated heif, we don't care about the iprp box as all the - // necessary information can be found in the moov box. - return 0; - } - a.size = avio_rb32(pb); a.type = avio_rl32(pb); @@ -8485,6 +8447,7 @@ static int mov_read_iprp(MOVContext *c, AVIOContext *pb, MOVAtom atom) ret = 0; fail: + c->cur_item_id = -1; for (int i = 0; i < nb_atoms; i++) av_free(atoms[i].data); av_free(atoms); 
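Review bot: The restored duplicate check in `mov_read_iloc()` logs at `AV_LOG_INFO` while the neighbouring `mov_read_iinf()` logs the same situation at `AV_LOG_WARNING`; a second `iloc` is just as unexpected, so `av_log(c->fc, AV_LOG_WARNING, "Duplicate iloc box found\n");` keeps the two consistent. This check relies on `c->found_iloc` being set later in `mov_read_iloc()`, which is outside the hunk, so please confirm the revert restored that assignment as well. The `c->cur_item_id = -1;` added at the `fail:` label of `mov_read_iprp()` now runs on both the success and error paths, which is presumably the point; a comment such as `/* item properties are bound to cur_item_id only while iprp is being parsed */` would make that explicit.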
@@ -9508,6 +9471,7 @@ static int mov_read_header(AVFormatContext *s)
 mov->trak_index = -1;
 mov->thmb_item_id = -1;
 mov->primary_item_id = -1;
+ mov->cur_item_id = -1;
 /* .mov and .mp4 aren't streamable anyway (only progressive download if moov is before mdat) */
 if (pb->seekable & AVIO_SEEKABLE_NORMAL)
 atom.size = avio_size(pb);
From 7ed9ad3467e104294abd84f4cb57accd9040865c Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 23 Mar 2024 16:10:22 +0100 Subject: [PATCH 010/562] avfilter/buffersrc: fix overriding unknown channel layouts with negotiated one Fixes ffplay playback of unknown layouts, when SDL directly supports the audio format, such as: ffplay -f lavfi anullsrc=cl=2C,aformat=s16 Without the patch, "Channel layout change is not supported" errors are generated because buffersrc (unknown 2 channel) and buffersink (stereo) negotiated a stereo layout, but the stereo layout was never stored in the BufferSourceContext. This fixes a regression of 7251f909721a570726775acf61b2b9c28a950c76, but this is more of a regression of the avfilter channel layout conversion (1f96db959c1235bb7079d354e09914a0a2608f62). Signed-off-by: Marton Balint (cherry picked from commit 2df2b4067ed01b9076a5dda073521551a32336cd)
---
 libavfilter/buffersrc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c
index ddcd403785..fcae4f8e69 100644
--- a/libavfilter/buffersrc.c
+++ b/libavfilter/buffersrc.c
@@ -507,7 +507,7 @@ static int config_props(AVFilterLink *link)
 }
 break;
 case AVMEDIA_TYPE_AUDIO:
- if (!c->ch_layout.nb_channels) {
+ if (!c->ch_layout.nb_channels || c->ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) {
 int ret = av_channel_layout_copy(&c->ch_layout, &link->ch_layout);
 if (ret < 0)
 return ret;
From 5ff5a431c758e8b25e3bee2a0242d9b30422edf1 Mon Sep 17 00:00:00 2001 
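Review bot: The widened condition in `config_props()` now overwrites a user-supplied layout whose `order` is `AV_CHANNEL_ORDER_UNSPEC` with the link's negotiated one, and the reason is only in the commit message. A comment at the `if` would make it self-explanatory: `/* an unknown-order layout (e.g. "2C") may have been negotiated to a native one on the link; adopt it here, otherwise frames pushed later trigger a channel layout change error */`. If `link->ch_layout` can itself still be unspecified after negotiation the copy is a harmless no-op, but I could not verify that from the hunk, and `config_props()` starts outside it.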
From: Timo Rothenpieler Date: Sun, 31 Mar 2024 18:25:15 +0200 Subject: [PATCH 011/562] avcodec/nvenc: stop using long deprecated format specifiers --- libavcodec/nvenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index fd73af2a32..0cb3b87c67 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1689,15 +1689,15 @@ static NV_ENC_BUFFER_FORMAT nvenc_map_buffer_format(enum AVPixelFormat pix_fmt) { switch (pix_fmt) { case AV_PIX_FMT_YUV420P: - return NV_ENC_BUFFER_FORMAT_YV12_PL; + return NV_ENC_BUFFER_FORMAT_YV12; case AV_PIX_FMT_NV12: - return NV_ENC_BUFFER_FORMAT_NV12_PL; + return NV_ENC_BUFFER_FORMAT_NV12; case AV_PIX_FMT_P010: case AV_PIX_FMT_P016: return NV_ENC_BUFFER_FORMAT_YUV420_10BIT; case AV_PIX_FMT_GBRP: case AV_PIX_FMT_YUV444P: - return NV_ENC_BUFFER_FORMAT_YUV444_PL; + return NV_ENC_BUFFER_FORMAT_YUV444; case AV_PIX_FMT_GBRP16: case AV_PIX_FMT_YUV444P16: return NV_ENC_BUFFER_FORMAT_YUV444_10BIT; From 4c5a809388f41ed6d67f6869958be47e3003fec6 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 31 Mar 2024 18:39:49 +0200 Subject: [PATCH 012/562] avcodec/nvenc: support SDK 12.2 bit depth API --- libavcodec/nvenc.c | 15 +++++++++++++++ libavcodec/nvenc.h | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 0cb3b87c67..8327496937 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1255,6 +1255,11 @@ static av_cold int nvenc_setup_h264_config(AVCodecContext *avctx) h264->level = ctx->level; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + h264->inputBitDepth = h264->outputBitDepth = + IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#endif + if (ctx->coder >= 0) h264->entropyCodingMode = ctx->coder; 
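Review bot: The H.264 path sets `h264->inputBitDepth = h264->outputBitDepth` under `NVENC_HAVE_NEW_BIT_DEPTH_API` with no `#else`, unlike the HEVC and AV1 paths later in the patch that keep a `pixelBitDepthMinus8` fallback; presumably the pre-12.2 H.264 config struct simply has no bit-depth field, but the asymmetry will read as an omission. A comment, `/* pre-12.2 SDKs have no H.264 bit depth field; 8-bit is implied */`, would settle it, once confirmed against the SDK header. Whether 10-bit H.264 input is rejected earlier for older SDKs or unsupported hardware is outside this hunk, so I could not check that the new assignment is never reached with a 10-bit format on a build that cannot honour it.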
@@ -1370,7 +1375,12 @@ static av_cold int nvenc_setup_hevc_config(AVCodecContext *avctx) hevc->chromaFormatIDC = IS_YUV444(ctx->data_pix_fmt) ? 3 : 1; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + hevc->inputBitDepth = hevc->outputBitDepth = + IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#else hevc->pixelBitDepthMinus8 = IS_10BIT(ctx->data_pix_fmt) ? 2 : 0; +#endif hevc->level = ctx->level; @@ -1455,8 +1465,13 @@ static av_cold int nvenc_setup_av1_config(AVCodecContext *avctx) av1->chromaFormatIDC = IS_YUV444(ctx->data_pix_fmt) ? 3 : 1; +#ifdef NVENC_HAVE_NEW_BIT_DEPTH_API + av1->inputBitDepth = IS_10BIT(ctx->data_pix_fmt) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; + av1->outputBitDepth = (IS_10BIT(ctx->data_pix_fmt) || ctx->highbitdepth) ? NV_ENC_BIT_DEPTH_10 : NV_ENC_BIT_DEPTH_8; +#else av1->inputPixelBitDepthMinus8 = IS_10BIT(ctx->data_pix_fmt) ? 2 : 0; av1->pixelBitDepthMinus8 = (IS_10BIT(ctx->data_pix_fmt) || ctx->highbitdepth) ? 2 : 0; +#endif if (ctx->b_ref_mode >= 0) av1->useBFramesAsRef = ctx->b_ref_mode; diff --git a/libavcodec/nvenc.h b/libavcodec/nvenc.h index 48cdfc58aa..d99d8a0d76 100644 --- a/libavcodec/nvenc.h +++ b/libavcodec/nvenc.h @@ -83,6 +83,11 @@ typedef void ID3D11Device; #define NVENC_NO_DEPRECATED_RC #endif +// SDK 12.2 compile time feature checks +#if NVENCAPI_CHECK_VERSION(12, 2) +#define NVENC_HAVE_NEW_BIT_DEPTH_API +#endif + typedef struct NvencSurface { NV_ENC_INPUT_PTR input_surface; From 43fd3d5df6a19fc768a33e37855aa7f8c7050cf0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2024 13:55:26 +0100 Subject: [PATCH 013/562] lavf/vf_setpts: unset output framerate This filter produces VFR output in general. Avoids dropping frames in the setpts test. (cherry picked from commit f121d954ac89060cb7b07da230479cffe5bf9e5c) Signed-off-by: Anton Khirnov --- libavfilter/setpts.c | 17 ++++++- tests/ref/fate/filter-setpts | 89 +++++++++++++++++++++--------------- 2 files changed, 67 insertions(+), 39 deletions(-) 
diff --git a/libavfilter/setpts.c b/libavfilter/setpts.c index 88a8d6af86..4f02a9a617 100644 --- a/libavfilter/setpts.c +++ b/libavfilter/setpts.c @@ -150,6 +150,13 @@ static int config_input(AVFilterLink *inlink) return 0; } +static int config_output_video(AVFilterLink *outlink) +{ + outlink->frame_rate = (AVRational){ 1, 0 }; + + return 0; +} + #define BUF_SIZE 64 static inline char *double2int64str(char *buf, double v) @@ -322,6 +329,14 @@ static const AVFilterPad avfilter_vf_setpts_inputs[] = { }, }; +static const AVFilterPad outputs_video[] = { + { + .name = "default", + .type = AVMEDIA_TYPE_VIDEO, + .config_props = config_output_video, + }, +}; + const AVFilter ff_vf_setpts = { .name = "setpts", .description = NULL_IF_CONFIG_SMALL("Set PTS for the output video frame."), @@ -335,7 +350,7 @@ const AVFilter ff_vf_setpts = { .priv_class = &setpts_class, FILTER_INPUTS(avfilter_vf_setpts_inputs), - FILTER_OUTPUTS(ff_video_default_filterpad), + FILTER_OUTPUTS(outputs_video), }; #endif /* CONFIG_SETPTS_FILTER */ diff --git a/tests/ref/fate/filter-setpts b/tests/ref/fate/filter-setpts index efdcf6a16e..8aa7a1e6a0 100644 --- a/tests/ref/fate/filter-setpts +++ b/tests/ref/fate/filter-setpts 
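Review bot: `outlink->frame_rate = (AVRational){ 1, 0 };` in config_output_video relies on the 1/0 convention for an unknown or variable link frame rate without saying so, and the `outputs_video` pad table added further down exists only to install this callback. A comment on the assignment would make the intent self-evident: `/* 1/0 = unknown/variable frame rate: setpts rewrites timestamps freely, so no fixed rate can be promised */`. The ff_vf_setpts definition that switches to `outputs_video` starts outside the hunk.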
@@ -1,42 +1,55 @@ -#tb 0: 1/25 +#tb 0: 1/1000 #media_type 0: video #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 0/1 -0, 0, 0, 1, 152064, 0x05b789ef -0, 1, 1, 1, 152064, 0x4bb46551 -0, 2, 2, 1, 152064, 0x9dddf64a -0, 3, 3, 1, 152064, 0x2a8380b0 -0, 4, 4, 1, 152064, 0x4de3b652 -0, 5, 5, 1, 152064, 0xedb5a8e6 -0, 6, 6, 1, 152064, 0x5ab58bac -0, 7, 7, 1, 152064, 0x1f1b8026 -0, 8, 8, 1, 152064, 0x91373915 -0, 9, 9, 1, 152064, 0x30f5fcd5 -0, 10, 10, 1, 152064, 0xc711ad61 -0, 11, 11, 1, 152064, 0x52a48ddd -0, 12, 12, 1, 152064, 0xa91c0f05 -0, 13, 13, 1, 152064, 0x8e364e18 -0, 14, 14, 1, 152064, 0xf25f6acc -0, 15, 15, 1, 152064, 0xf34ddbff -0, 16, 16, 1, 152064, 0x9dc72412 -0, 17, 17, 1, 152064, 0x445d1d59 -0, 18, 18, 1, 152064, 0x2f2768ef -0, 19, 19, 1, 152064, 0x95579936 -0, 20, 20, 1, 152064, 0x43d796b5 -0, 21, 21, 1, 152064, 0x76d2a455 -0, 22, 22, 1, 152064, 0x6dc3650e -0, 23, 23, 1, 152064, 0x0f9d6aca -0, 24, 24, 1, 152064, 0xd766fc8d -0, 25, 25, 1, 152064, 0xe22f7a30 -0, 26, 26, 1, 152064, 0xfa8d94fb -0, 27, 27, 1, 152064, 0x4c9737ab -0, 28, 28, 1, 152064, 0xa50d01f8 -0, 29, 29, 1, 152064, 0x88734edd -0, 30, 30, 1, 152064, 0xd2735925 -0, 31, 31, 1, 152064, 0x20cebfa9 -0, 32, 32, 1, 152064, 0x575c20ec -0, 33, 33, 1, 152064, 0x61b47e73 -0, 34, 34, 1, 152064, 0x09ef53ff -0, 35, 35, 1, 152064, 0x6e88c5c2 -0, 36, 36, 1, 152064, 0x4bbad8ea +0, 0, 0, 40, 152064, 0x05b789ef +0, 28, 28, 40, 152064, 0x4bb46551 +0, 57, 57, 40, 152064, 0x9dddf64a +0, 86, 86, 40, 152064, 0x2a8380b0 +0, 115, 115, 40, 152064, 0x4de3b652 +0, 144, 144, 40, 152064, 0xedb5a8e6 +0, 172, 172, 40, 152064, 0xe20f7c23 +0, 201, 201, 40, 152064, 0x5ab58bac +0, 229, 229, 40, 152064, 0x1f1b8026 +0, 258, 258, 40, 152064, 0x91373915 +0, 286, 286, 40, 152064, 0x02344760 +0, 314, 314, 40, 152064, 0x30f5fcd5 +0, 343, 343, 40, 152064, 0xc711ad61 +0, 371, 371, 40, 152064, 0x24eca223 +0, 399, 399, 40, 152064, 0x52a48ddd +0, 427, 427, 40, 152064, 0xa91c0f05 +0, 456, 456, 40, 152064, 0x8e364e18 +0, 484, 484, 40, 
152064, 0xb15d38c8 +0, 512, 512, 40, 152064, 0xf25f6acc +0, 541, 541, 40, 152064, 0xf34ddbff +0, 570, 570, 40, 152064, 0xfc7bf570 +0, 598, 598, 40, 152064, 0x9dc72412 +0, 627, 627, 40, 152064, 0x445d1d59 +0, 656, 656, 40, 152064, 0x2f2768ef +0, 685, 685, 40, 152064, 0xce09f9d6 +0, 714, 714, 40, 152064, 0x95579936 +0, 743, 743, 40, 152064, 0x43d796b5 +0, 772, 772, 40, 152064, 0xd780d887 +0, 800, 800, 40, 152064, 0x76d2a455 +0, 829, 829, 40, 152064, 0x6dc3650e +0, 858, 858, 40, 152064, 0x0f9d6aca +0, 887, 887, 40, 152064, 0xe295c51e +0, 915, 915, 40, 152064, 0xd766fc8d +0, 944, 944, 40, 152064, 0xe22f7a30 +0, 972, 972, 40, 152064, 0x7fea4378 +0, 1000, 1000, 40, 152064, 0xfa8d94fb +0, 1029, 1029, 40, 152064, 0x4c9737ab +0, 1057, 1057, 40, 152064, 0xa50d01f8 +0, 1085, 1085, 40, 152064, 0x0b07594c +0, 1113, 1113, 40, 152064, 0x88734edd +0, 1142, 1142, 40, 152064, 0xd2735925 +0, 1170, 1170, 40, 152064, 0xd4e49e08 +0, 1198, 1198, 40, 152064, 0x20cebfa9 +0, 1227, 1227, 40, 152064, 0x575c20ec +0, 1255, 1255, 40, 152064, 0xfd500471 +0, 1284, 1284, 40, 152064, 0x61b47e73 +0, 1313, 1313, 40, 152064, 0x09ef53ff +0, 1341, 1341, 40, 152064, 0x6e88c5c2 +0, 1370, 1370, 40, 152064, 0xbb87b483 +0, 1399, 1399, 40, 152064, 0x4bbad8ea From 8709604ca1f99ab4f37c3f92f2732d08e60be202 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2024 13:57:15 +0100 Subject: [PATCH 014/562] lavfi/setpts: unset frame durations Actual frame durations are, in general, not computable without buffering a frame. FIxes #10886 (cherry picked from commit fa110c32b5168d99098dc0c50c6465054cf9d20b) Signed-off-by: Anton Khirnov --- libavfilter/setpts.c | 1 + tests/ref/fate/filter-setpts | 100 +++++++++++++++++------------------ 2 files changed, 51 insertions(+), 50 deletions(-) diff --git a/libavfilter/setpts.c b/libavfilter/setpts.c index 4f02a9a617..60cf2b642e 100644 --- a/libavfilter/setpts.c +++ b/libavfilter/setpts.c 
@@ -205,6 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
 d = eval_pts(setpts, inlink, frame, frame->pts);
 frame->pts = D2TS(d);
+ frame->duration = 0;
 av_log(inlink->dst, AV_LOG_TRACE, "N:%"PRId64" PTS:%s T:%f",
diff --git a/tests/ref/fate/filter-setpts b/tests/ref/fate/filter-setpts
index 8aa7a1e6a0..08e0203831 100644
--- a/tests/ref/fate/filter-setpts
+++ b/tests/ref/fate/filter-setpts
@@ -3,53 +3,53 @@ #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 0/1 -0, 0, 0, 40, 152064, 0x05b789ef -0, 28, 28, 40, 152064, 0x4bb46551 -0, 57, 57, 40, 152064, 0x9dddf64a -0, 86, 86, 40, 152064, 0x2a8380b0 -0, 115, 115, 40, 152064, 0x4de3b652 -0, 144, 144, 40, 152064, 0xedb5a8e6 -0, 172, 172, 40, 152064, 0xe20f7c23 -0, 201, 201, 40, 152064, 0x5ab58bac -0, 229, 229, 40, 152064, 0x1f1b8026 -0, 258, 258, 40, 152064, 0x91373915 -0, 286, 286, 40, 152064, 0x02344760 -0, 314, 314, 40, 152064, 0x30f5fcd5 -0, 343, 343, 40, 152064, 0xc711ad61 -0, 371, 371, 40, 152064, 0x24eca223 -0, 399, 399, 40, 152064, 0x52a48ddd -0, 427, 427, 40, 152064, 0xa91c0f05 -0, 456, 456, 40, 152064, 0x8e364e18 -0, 484, 484, 40, 152064, 0xb15d38c8 -0, 512, 512, 40, 152064, 0xf25f6acc -0, 541, 541, 40, 152064, 0xf34ddbff -0, 570, 570, 40, 152064, 0xfc7bf570 -0, 598, 598, 40, 152064, 0x9dc72412 -0, 627, 627, 40, 152064, 0x445d1d59 -0, 656, 656, 40, 152064, 0x2f2768ef -0, 685, 685, 40, 152064, 0xce09f9d6 -0, 714, 714, 40, 152064, 0x95579936 -0, 743, 743, 40, 152064, 0x43d796b5 -0, 772, 772, 40, 152064, 0xd780d887 -0, 800, 800, 40, 152064, 0x76d2a455 -0, 829, 829, 40, 152064, 0x6dc3650e -0, 858, 858, 40, 152064, 0x0f9d6aca -0, 887, 887, 40, 152064, 0xe295c51e -0, 915, 915, 40, 152064, 0xd766fc8d -0, 944, 944, 40, 152064, 0xe22f7a30 -0, 972, 972, 40, 152064, 0x7fea4378 -0, 1000, 1000, 40, 152064, 0xfa8d94fb -0, 1029, 1029, 40, 152064, 0x4c9737ab -0, 1057, 1057, 40, 152064, 0xa50d01f8 -0, 1085, 1085, 40, 152064, 0x0b07594c -0, 1113, 1113, 40, 152064, 0x88734edd -0, 1142, 1142, 40, 152064, 0xd2735925 -0, 1170, 1170, 40, 152064, 0xd4e49e08 -0, 1198, 1198, 40, 152064, 0x20cebfa9 -0, 1227, 1227, 40, 152064, 0x575c20ec -0, 1255, 1255, 40, 152064, 0xfd500471 -0, 1284, 1284, 40, 152064, 0x61b47e73 -0, 1313, 1313, 40, 152064, 0x09ef53ff -0, 1341, 1341, 40, 152064, 0x6e88c5c2 -0, 1370, 1370, 40, 152064, 0xbb87b483 -0, 1399, 1399, 40, 152064, 0x4bbad8ea +0, 0, 0, 0, 152064, 0x05b789ef +0, 28, 28, 0, 152064, 
0x4bb46551 +0, 57, 57, 0, 152064, 0x9dddf64a +0, 86, 86, 0, 152064, 0x2a8380b0 +0, 115, 115, 0, 152064, 0x4de3b652 +0, 144, 144, 0, 152064, 0xedb5a8e6 +0, 172, 172, 0, 152064, 0xe20f7c23 +0, 201, 201, 0, 152064, 0x5ab58bac +0, 229, 229, 0, 152064, 0x1f1b8026 +0, 258, 258, 0, 152064, 0x91373915 +0, 286, 286, 0, 152064, 0x02344760 +0, 314, 314, 0, 152064, 0x30f5fcd5 +0, 343, 343, 0, 152064, 0xc711ad61 +0, 371, 371, 0, 152064, 0x24eca223 +0, 399, 399, 0, 152064, 0x52a48ddd +0, 427, 427, 0, 152064, 0xa91c0f05 +0, 456, 456, 0, 152064, 0x8e364e18 +0, 484, 484, 0, 152064, 0xb15d38c8 +0, 512, 512, 0, 152064, 0xf25f6acc +0, 541, 541, 0, 152064, 0xf34ddbff +0, 570, 570, 0, 152064, 0xfc7bf570 +0, 598, 598, 0, 152064, 0x9dc72412 +0, 627, 627, 0, 152064, 0x445d1d59 +0, 656, 656, 0, 152064, 0x2f2768ef +0, 685, 685, 0, 152064, 0xce09f9d6 +0, 714, 714, 0, 152064, 0x95579936 +0, 743, 743, 0, 152064, 0x43d796b5 +0, 772, 772, 0, 152064, 0xd780d887 +0, 800, 800, 0, 152064, 0x76d2a455 +0, 829, 829, 0, 152064, 0x6dc3650e +0, 858, 858, 0, 152064, 0x0f9d6aca +0, 887, 887, 0, 152064, 0xe295c51e +0, 915, 915, 0, 152064, 0xd766fc8d +0, 944, 944, 0, 152064, 0xe22f7a30 +0, 972, 972, 0, 152064, 0x7fea4378 +0, 1000, 1000, 0, 152064, 0xfa8d94fb +0, 1029, 1029, 0, 152064, 0x4c9737ab +0, 1057, 1057, 0, 152064, 0xa50d01f8 +0, 1085, 1085, 0, 152064, 0x0b07594c +0, 1113, 1113, 0, 152064, 0x88734edd +0, 1142, 1142, 0, 152064, 0xd2735925 +0, 1170, 1170, 0, 152064, 0xd4e49e08 +0, 1198, 1198, 0, 152064, 0x20cebfa9 +0, 1227, 1227, 0, 152064, 0x575c20ec +0, 1255, 1255, 0, 152064, 0xfd500471 +0, 1284, 1284, 0, 152064, 0x61b47e73 +0, 1313, 1313, 0, 152064, 0x09ef53ff +0, 1341, 1341, 0, 152064, 0x6e88c5c2 +0, 1370, 1370, 0, 152064, 0xbb87b483 +0, 1399, 1399, 0, 152064, 0x4bbad8ea From 2ecaef745556684ba3d446994a570214e6fac7ce Mon Sep 17 00:00:00 2001 
From: James Almer Date: Mon, 1 Apr 2024 21:13:04 -0300 Subject: [PATCH 015/562] avformat/mov: ensure all items id referenced by a grid are valid Fixes: null pointer dereference Fixes: 67494/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6528714521247744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Tested-by: Michael Niedermayer Signed-off-by: James Almer --- libavformat/mov.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c93a09d385..917a69fa34 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -9396,8 +9396,9 @@ static int mov_parse_tiles(AVFormatContext *s) for (int j = 0; j < grid->nb_tiles; j++) { int tile_id = grid->tile_id_list[j]; + int k; - for (int k = 0; k < mov->nb_heif_item; k++) { + for (k = 0; k < mov->nb_heif_item; k++) { HEIFItem *item = &mov->heif_item[k]; AVStream *st = item->st; @@ -9423,6 +9424,13 @@ static int mov_parse_tiles(AVFormatContext *s) break; } + if (k == grid->nb_tiles) { + av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't " + "exist\n", + tile_id, grid->item->item_id); + ff_remove_stream_group(s, stg); + loop = 0; + } if (!loop) break; } From d0e5f83ffb30b6110b14d35faf2bec060c61a8af Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 016/562] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 917a69fa34..be4291c0da 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
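Review bot: The new not-found check in mov_parse_tiles compares `k` against the wrong bound: the loop it follows runs `for (k = 0; k < mov->nb_heif_item; k++)`, so an exhausted search leaves `k == mov->nb_heif_item`, not `k == grid->nb_tiles`. As written, a missing tile id is only detected when the two counts happen to coincide, and a found item can be reported as missing (removing the stream group) whenever its index equals `grid->nb_tiles`. The line should read `if (k == mov->nb_heif_item) {`. The `break` on the matching path is visible in the context, but the rest of the loop body and mov_parse_tiles itself continue outside the hunk.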
@@ -5037,12 +5037,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From efa0670048ddc8450c8fca380f65d7accd7f26a8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 2 Apr 2024 04:13:44 +0200 Subject: [PATCH 017/562] avformat/mov: Don't add attached pic if one is already present Fixes: memleak Fixes: 67714/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5671570999476224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9d219ff149738a9a6e3ba8f075c032cc1a3554f7) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index be4291c0da..50fbcd1f9b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8820,7 +8820,7 @@ static void mov_read_chapters(AVFormatContext *s) if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { st->disposition |= AV_DISPOSITION_ATTACHED_PIC | AV_DISPOSITION_TIMED_THUMBNAILS; - if (sti->nb_index_entries) { + if (!st->attached_pic.data && sti->nb_index_entries) { // Retrieve the first frame, if possible AVIndexEntry *sample = &sti->index_entries[0]; if (avio_seek(sc->pb, sample->pos, SEEK_SET) != sample->pos) { From dcbc1fdb3b9c55a1b5c4011f51f52baac97986b7 Mon Sep 17 00:00:00 2001 
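Review bot: `atom.size -= key_size;` in mov_read_keys is only exact if `atom.size` already excludes the version/count header read before the loop; that adjustment is outside the hunk, and if it is absent the new bound is loose by those bytes (still strictly tighter than before). A comment would make the accounting explicit: `/* key_size includes its own 8-byte size+type header; atom.size tracks the bytes not yet consumed */`. The remainder of the loop body after `avio_skip` is outside the hunk.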
From: Andreas Rheinhardt Date: Sat, 30 Mar 2024 03:25:24 +0100 Subject: [PATCH 018/562] avcodec/vlc, bitstream: Fix multi VLC with uint8_t syms on BE VLC_MULTI_ELEM contains an uint8_t array that is supposed to be treated as an array of uint16_t when the used symbols have a size of two; otherwise it should be treated as just an array of uint8_t, but it was not always treated that way: vlc_multi_gen() initialized the first entry of the array by writing the symbol via AV_WN16; on big endian systems, the intended value was instead written into the second entry of the array (where it would likely be overwritten lateron during initialization). read_vlc_multi() also treated this case incorrectly: In case the code is so long that it needs a classical multi-stage lookup, the symbol has been written to the destination as if via AV_WN16. On little endian systems, this sets the correct first symbol and clobbers (zeroes) the next one, but the next one will be overwritten lateron anyway, so it won't be recognized. But on big-endian systems, the first symbol will be set to zero and the actually read symbol will be put into the slot for the next one (where it will be overwritten lateron). This commit fixes this; this fixes the magicyuv and utvideo FATE-tests on big endian arches. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4ab82d2fb6361864521b41a5c8168902e534fa1a) --- libavcodec/bitstream_template.h | 8 ++++++-- libavcodec/get_bits.h | 3 ++- libavcodec/magicyuv.c | 2 +- libavcodec/utvideodec.c | 2 +- libavcodec/vlc.c | 5 ++++- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/libavcodec/bitstream_template.h b/libavcodec/bitstream_template.h index 4f3d07275f..c8e4a5131e 100644 --- a/libavcodec/bitstream_template.h +++ b/libavcodec/bitstream_template.h 
@@ -536,7 +536,8 @@ static inline int BS_FUNC(read_vlc)(BSCTX *bc, const VLCElem *table, static inline int BS_FUNC(read_vlc_multi)(BSCTX *bc, uint8_t dst[8], const VLC_MULTI_ELEM *const Jtable, const VLCElem *const table, - const int bits, const int max_depth) + const int bits, const int max_depth, + const int symbols_size) { unsigned idx = BS_FUNC(peek)(bc, bits); int ret, nb_bits, code, n = Jtable[idx].len; @@ -554,7 +555,10 @@ static inline int BS_FUNC(read_vlc_multi)(BSCTX *bc, uint8_t dst[8], code = BS_FUNC(priv_set_idx)(bc, code, &n, &nb_bits, table); } } - AV_WN16(dst, code); + if (symbols_size == 1) + *dst = code; + else + AV_WN16(dst, code); ret = n > 0; } BS_FUNC(priv_skip_remaining)(bc, n); diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index cfcf97c021..fe2f6378b4 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -667,7 +667,8 @@ static av_always_inline int get_vlc2(GetBitContext *s, const VLCElem *table, static inline int get_vlc_multi(GetBitContext *s, uint8_t *dst, const VLC_MULTI_ELEM *const Jtable, const VLCElem *const table, - const int bits, const int max_depth) + const int bits, const int max_depth, + const int symbols_size) { dst[0] = get_vlc2(s, table, bits, max_depth); return 1; diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 3f6348b531..4f30493626 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -124,7 +124,7 @@ static void magicyuv_median_pred16(uint16_t *dst, const uint16_t *src1, x = 0; \ for (; CACHED_BITSTREAM_READER && x < width-c && get_bits_left(&gb) > 0;) {\ ret = get_vlc_multi(&gb, (uint8_t *)dst + x * b, multi, \ - vlc, vlc_bits, 3); \ + vlc, vlc_bits, 3, b); \ if (ret <= 0) \ return AVERROR_INVALIDDATA; \ x += ret; \ diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index ce5d00f7af..0c2e67e282 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c 
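Review bot: In the get_bits.h fallback get_vlc_multi the new `symbols_size` parameter is accepted but unused: `dst[0] = get_vlc2(s, table, bits, max_depth);` always writes one byte, which would truncate a two-byte symbol if this variant were ever reached with `symbols_size == 2`. Both visible callers gate the loop on `CACHED_BITSTREAM_READER`, so the path looks unreachable today; either a comment saying so, `/* non-cached fallback: callers guard on CACHED_BITSTREAM_READER, so only 8-bit symbols reach here */`, or honouring the parameter with an `AV_WN16` branch as bitstream_template.h now does would keep the two readers from diverging silently. The vlc.c hunk further down writes `.val[0]` directly for the 8-bit case, consistent with the template.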
@@ -120,7 +120,7 @@ static int build_huff(UtvideoContext *c, const uint8_t *src, VLC *vlc, i = 0; \ for (; CACHED_BITSTREAM_READER && i < width-end && get_bits_left(&gb) > 0;) {\ ret = get_vlc_multi(&gb, (uint8_t *)buf + i * b, multi.table, \ - vlc.table, VLC_BITS, 3); \ + vlc.table, VLC_BITS, 3, b); \ if (ret > 0) \ i += ret; \ if (ret <= 0) \ diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 78510e30d6..e01cc41689 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c @@ -499,7 +499,10 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, for (int j = 0; j < 1<table[j].len; table[j].num = single->table[j].len > 0 ? 1 : 0; - AV_WN16(table[j].val, single->table[j].sym); + if (is16bit) + AV_WN16(table[j].val, single->table[j].sym); + else + table[j].val[0] = single->table[j].sym; } add_level(table, is16bit, nb_codes, numbits, buf, From 112fdae9f99abce1d95a0c2b1e2f3c76cdee4c3c Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 2 Apr 2024 11:48:32 -0300 Subject: [PATCH 019/562] avcodec/vvc_refs: don't ask for a "Inter layer ref" sample The FATE suite has two already. Signed-off-by: James Almer (cherry picked from commit 45b56455ad03649d66f151b2f14cecdd88fa3a2c) --- libavcodec/vvc/vvc_refs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vvc/vvc_refs.c b/libavcodec/vvc/vvc_refs.c index afcfc09da7..336705c620 100644 --- a/libavcodec/vvc/vvc_refs.c +++ b/libavcodec/vvc/vvc_refs.c @@ -454,7 +454,8 @@ int ff_vvc_slice_rpl(VVCContext *s, VVCFrameContext *fc, SliceContext *sc) if (ret < 0) return ret; } else { - avpriv_request_sample(fc->log_ctx, "Inter layer ref"); + // OPI_B_3.bit and VPS_A_3.bit should cover this + avpriv_report_missing_feature(fc->log_ctx, "Inter layer ref"); ret = AVERROR_PATCHWELCOME; return ret; } From 4bb04c52fbd63a6a24dec69f2a88c3ad8dbdabef Mon Sep 17 00:00:00 2001 
From: James Almer Date: Tue, 2 Apr 2024 11:50:08 -0300 Subject: [PATCH 020/562] fate/vvc: disable vvc-conformance-OPI_B_3 and vvc-conformance-VPS_A_3 Both samples rely on a feature our decoder doesn't currently support. Should fix fate failures on some systems where not even the one single frame could be generated. Signed-off-by: James Almer (cherry picked from commit e9778d20a434c77166b1725a1f6343170ac45d82) --- tests/fate/vvc.mak | 4 ++-- tests/ref/fate/vvc-conformance-OPI_B_3 | 6 ------ tests/ref/fate/vvc-conformance-VPS_A_3 | 6 ------ 3 files changed, 2 insertions(+), 14 deletions(-) delete mode 100644 tests/ref/fate/vvc-conformance-OPI_B_3 delete mode 100644 tests/ref/fate/vvc-conformance-VPS_A_3 diff --git a/tests/fate/vvc.mak b/tests/fate/vvc.mak index f5a45cc4ca..d1bc8ef935 100644 --- a/tests/fate/vvc.mak +++ b/tests/fate/vvc.mak @@ -9,7 +9,6 @@ VVC_SAMPLES_10BIT = \ BUMP_A_2 \ DCI_A_3 \ HRD_A_3 \ - OPI_B_3 \ PHSH_B_1 \ POC_A_1 \ PPS_B_1 \ @@ -21,7 +20,6 @@ VVC_SAMPLES_10BIT = \ STILL_B_1 \ SUBPIC_A_3 \ TILE_A_2 \ - VPS_A_3 \ WP_A_3 \ WPP_A_3 \ WRAP_A_4 \ @@ -31,6 +29,8 @@ VVC_SAMPLES_444_10BIT = \ # not tested: # BOUNDARY_A_3 (too big) +# OPI_B_3 (Inter layer ref support needed) +# VPS_A_3 (Inter layer ref support needed) FATE_VVC_VARS := 8BIT 10BIT 444_10BIT $(foreach VAR,$(FATE_VVC_VARS), $(eval VVC_TESTS_$(VAR) := $(addprefix fate-vvc-conformance-, $(VVC_SAMPLES_$(VAR))))) diff --git a/tests/ref/fate/vvc-conformance-OPI_B_3 b/tests/ref/fate/vvc-conformance-OPI_B_3 deleted file mode 100644 index 6ce3b46a21..0000000000 --- a/tests/ref/fate/vvc-conformance-OPI_B_3 +++ /dev/null @@ -1,6 +0,0 @@ -#tb 0: 1/25 -#media_type 0: video -#codec_id 0: rawvideo -#dimensions 0: 416x240 -#sar 0: 0/1 -0, 0, 0, 1, 299520, 0xdf1640db diff --git a/tests/ref/fate/vvc-conformance-VPS_A_3 b/tests/ref/fate/vvc-conformance-VPS_A_3 deleted file mode 100644 index bf9326b051..0000000000 --- a/tests/ref/fate/vvc-conformance-VPS_A_3 +++ /dev/null 
@@ -1,6 +0,0 @@ -#tb 0: 1/25 -#media_type 0: video -#codec_id 0: rawvideo -#dimensions 0: 208x120 -#sar 0: 0/1 -0, 0, 0, 1, 74880, 0x1b401a6d From 2d18c4906f29520644d27efe6e817e672973c70a Mon Sep 17 00:00:00 2001 From: Fei Wang Date: Thu, 28 Mar 2024 16:10:59 +0800 Subject: [PATCH 021/562] lavc/vaapi_encode: Add VAAPI version check for BLBRC Fix build fail when VAAPI version less than 0.39.2. Signed-off-by: Fei Wang (cherry picked from commit 09377887df4bb74c4be0c44a610a33bc04895274) --- libavcodec/vaapi_encode.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index 940f0678a5..c4b5411e68 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -1805,9 +1805,17 @@ static av_cold int vaapi_encode_init_rate_control(AVCodecContext *avctx) int i, first = 1, res; supported_va_rc_modes = rc_attr.value; - if (ctx->blbrc && !(supported_va_rc_modes & VA_RC_MB)) { + if (ctx->blbrc) { +#if VA_CHECK_VERSION(0, 39, 2) + if (!(supported_va_rc_modes & VA_RC_MB)) { + ctx->blbrc = 0; + av_log(avctx, AV_LOG_WARNING, "Driver does not support BLBRC.\n"); + } +#else ctx->blbrc = 0; - av_log(avctx, AV_LOG_WARNING, "Driver does not support BLBRC.\n"); + av_log(avctx, AV_LOG_WARNING, "Please consider to update to VAAPI 0.39.2 " + "or above, which can support BLBRC.\n"); +#endif } for (i = 0; i < FF_ARRAY_ELEMS(vaapi_encode_rc_modes); i++) { @@ -2032,7 +2040,11 @@ rc_mode_found: ctx->config_attributes[ctx->nb_config_attributes++] = (VAConfigAttrib) { .type = VAConfigAttribRateControl, +#if VA_CHECK_VERSION(0, 39, 2) .value = ctx->blbrc ? ctx->va_rc_mode | VA_RC_MB : ctx->va_rc_mode, +#else + .value = ctx->va_rc_mode, +#endif }; } 
@@ -2061,10 +2073,12 @@ rc_mode_found: #if VA_CHECK_VERSION(1, 1, 0) .ICQ_quality_factor = av_clip(rc_quality, 1, 51), .max_qp = (avctx->qmax > 0 ? avctx->qmax : 0), - .rc_flags.bits.mb_rate_control = ctx->blbrc ? 1 : 2, #endif #if VA_CHECK_VERSION(1, 3, 0) .quality_factor = rc_quality, +#endif +#if VA_CHECK_VERSION(0, 39, 2) + .rc_flags.bits.mb_rate_control = ctx->blbrc ? 1 : 2, #endif }; vaapi_encode_add_global_param(avctx, From 74e4e900bb52c4a0f5f4fe38e2b7a40239d9e845 Mon Sep 17 00:00:00 2001 From: Haihao Xiang Date: Thu, 28 Mar 2024 14:55:57 +0800 Subject: [PATCH 022/562] lavc/vaapi_encode: convert from lambda to qp When AV_CODEC_FLAG_QSCALE is set, the value of avctx->global_quality is lambda. Signed-off-by: Haihao Xiang (cherry picked from commit 1590a96adc28a150ad641080262499f58158ee24) --- libavcodec/vaapi_encode.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index c4b5411e68..4d47444f3f 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -1969,7 +1969,10 @@ rc_mode_found: if (ctx->explicit_qp) { rc_quality = ctx->explicit_qp; } else if (avctx->global_quality > 0) { - rc_quality = avctx->global_quality; + if (avctx->flags & AV_CODEC_FLAG_QSCALE) + rc_quality = avctx->global_quality / FF_QP2LAMBDA; + else + rc_quality = avctx->global_quality; } else { rc_quality = ctx->codec->default_quality; av_log(avctx, AV_LOG_WARNING, "No quality level set; " From 7570390be6343e4186273e59eaa96ef1415d6eeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 023/562] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 758b6e5101..3858fe3070 100644 
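Review bot: `.rc_flags.bits.mb_rate_control = ctx->blbrc ? 1 : 2,` now sits under its own `VA_CHECK_VERSION(0, 39, 2)` block, but the values 1 and 2 remain unexplained at the site; libva defines this field as 0 = driver default, 1 = enable, 2 = disable MB-level rate control, so a trailing comment `/* 1: enable MB-level RC, 2: disable it (0 would leave the driver default) */` would help. Moving the field out of the 1.1.0 block matches the earlier hunks that guard `VA_RC_MB` on the same version. The initializer list this belongs to starts outside the hunk.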
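Review bot: `rc_quality = avctx->global_quality / FF_QP2LAMBDA;` truncates, so any `global_quality` between 1 and FF_QP2LAMBDA - 1 yields 0 even though the branch was entered because the value was positive; the ICQ path clips with `av_clip(rc_quality, 1, 51)` in the neighbouring hunk, but `.quality_factor = rc_quality` is passed through as is. Rounding with a floor of 1, e.g. `rc_quality = FFMAX(1, (avctx->global_quality + FF_QP2LAMBDA / 2) / FF_QP2LAMBDA);`, avoids handing the driver a zero. The enclosing rate-control setup starts and ends outside the hunk.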
--- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -379,6 +379,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = avpriv_fopen_utf8(filename, "w"); if (!f) { int err = AVERROR(EINVAL); From cc9d291fb00369b5692bd9afe94ca19d35643c22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:27:13 +0100 Subject: [PATCH 024/562] avcodec/jpeg2000htdec: Check magp before using it in a shift Fixes: shift exponent -1 is negative Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19ad05e9e0f045b13de8de7300ca3bd34ea8ca53) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1afc6b1e2d..4d28be3656 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1885,7 +1885,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk, } } -static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) +static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) { Jpeg2000T1Context t1; @@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile int nb_precincts, precno; Jpeg2000Band *band = rlevel->band + bandno; int cblkno = 0, bandpos; + /* See Rec. ITU-T T.800, Equation E-2 */ + int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; bandpos = bandno + (reslevelno > 0); 
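Review bot: The new guard `if (!sc->coarseend->last) return AVERROR(EINVAL); // No frames ?` fails silently with the same EINVAL that the `fopen` failure below produces, so a caller cannot tell "nothing to export" from "cannot open file"; an explicit `av_log(ctx, AV_LOG_ERROR, "No frames to export\n");` before the return would help, and the trailing `?` in the comment should become a statement of what the condition means. If `sc->coarseend` itself can be NULL at this point the check still dereferences it — not visible here. xml_export continues outside the hunk.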
@@ -1917,6 +1919,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile band->coord[1][0] == band->coord[1][1]) continue; + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) { + avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31"); + return AVERROR_PATCHWELCOME; + } + nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; /* Loop on precincts */ for (precno = 0; precno < nb_precincts; precno++) { @@ -1927,8 +1934,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) { int x, y, ret; - /* See Rec. ITU-T T.800, Equation E-2 */ - int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; Jpeg2000Cblk *cblk = prec->cblk + cblkno; @@ -1968,6 +1973,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data); } /*end comp */ + return 0; } #define WRITE_FRAME(D, PIXEL) \ @@ -2044,7 +2050,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td, AVFrame *picture = td; Jpeg2000Tile *tile = s->tile + jobnr; - tile_codeblocks(s, tile); + int ret = tile_codeblocks(s, tile); + if (ret < 0) + return ret; /* inverse MCT transformation */ if (tile->codsty[0].mct) From 7e899776ec6dc1bed09e623f405029b65113b4db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 02:51:29 +0100 Subject: [PATCH 025/562] avcodec/jpeg2000htdec: warn about non zero roi shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7eea8e63f761a0d0611d15c24170e40c62402c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000htdec.c | 3 +++ 1 file changed, 3 insertions(+) 
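Review bot: The `magp >= 31` bound in the new HTJ2K check is a magic number: nothing at the site says it exists because the HT decoder presumably derives a shift count from `31 - magp` and a larger `magp` makes that count negative (the "shift exponent -1" in the commit message). A comment tying the constant to that shift, e.g. `/* HT decoding shifts by an amount derived from 31 - magp; anything larger would be a negative shift */`, keeps the value from drifting when either side changes. Hoisting `magp` out of the codeblock loop in the later hunk appears sound since it only reads per-band quantization values. tile_codeblocks starts and ends outside the hunk.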
diff --git a/libavcodec/jpeg2000htdec.c b/libavcodec/jpeg2000htdec.c
index 6b9898d3ff..4f0b10b429 100644
--- a/libavcodec/jpeg2000htdec.c
+++ b/libavcodec/jpeg2000htdec.c
@@ -1198,6 +1198,9 @@ ff_jpeg2000_decode_htj2k(const Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c
 av_assert0(width * height <= 4096);
 av_assert0(width * height > 0);
+ if (roi_shift)
+ avpriv_report_missing_feature(s->avctx, "ROI shift");
+
 memset(t1->data, 0, t1->stride * height * sizeof(*t1->data));
 memset(t1->flags, 0, t1->stride * (height + 2) * sizeof(*t1->flags));
From 1a9da17c5ac3350636749617b6f763ed2c5732fe Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 29 Mar 2024 03:35:18 +0100
Subject: [PATCH 026/562] avformat/mxfdec: Check first case of offset_temp computation for overflow
This is kind of ugly
Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long'
Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8)
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index c9af462855..51a7136555 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1891,9 +1891,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From d4bb784274b32f4a2219204276274e73008391bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:38:27 +0100 Subject: [PATCH 027/562] avformat/iamf_reader: Check len before summing Fixes: integer overflow Fixes: 67275/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5438920751906816 Fixes: 67688/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5970342318243840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f26ee6e0667d050b684668ad0e792e70fcf88b78) Signed-off-by: Michael Niedermayer --- libavformat/iamf_reader.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c index 270cfac389..f3ff4170c6 100644 --- a/libavformat/iamf_reader.c +++ b/libavformat/iamf_reader.c @@ -283,9 +283,9 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c, len = ff_iamf_parse_obu_header(header, size, &obu_size, &start_pos, &type, &skip_samples, &discard_padding); - if (len < 0 || obu_size > max_size) { + if (len < 0 || obu_size > max_size || len > INT_MAX - read) { av_log(s, AV_LOG_ERROR, "Failed to read obu\n"); - return len; + return len < 0 ? len : AVERROR_INVALIDDATA; } avio_seek(pb, -(size - start_pos), SEEK_CUR); From 003e006ccbe3c415f6e4f72d34e34de39ada403c Mon Sep 17 00:00:00 2001 
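Review bot: The new overflow guard in mxf_edit_unit_absolute_offset assumes `index` is non-negative: the enclosing `if` only bounds edit_unit from above, and a negative index passes both comparisons (the quotient test is false and the product is below INT64_MAX - offset_temp), after which offset_temp is decremented instead of rejected. The start of the function, where edit_unit may already be checked against index_start_position, is outside the hunk, so I cannot confirm whether this is reachable; if it is not already guaranteed, `if (index < 0 || index > INT64_MAX / s->edit_unit_byte_count || ...` closes it. At this commit edit_unit_byte_count is still a signed int, so a negative byte count would also make `INT64_MAX / s->edit_unit_byte_count` negative and the guard vacuous; the later patch in this series that makes the field unsigned removes that case.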
From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 028/562] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index b97c479cc4..e40948edb8 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -6195,6 +6195,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT || mov->mode == MODE_AVIF) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 54a7f22ee8ccff2231494d0508ec3cb65907818f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 029/562] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 51a7136555..94806ccb87 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
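Review bot: The rejection is logged at AV_LOG_WARNING but the function returns an error, so the muxer aborts with a line users will read as a warning; it should be AV_LOG_ERROR and name the offending values, e.g. `av_log(s, AV_LOG_ERROR, "pts/dts pair unsupported (pts %"PRId64", dts %"PRId64")\n", pkt->pts, pkt->dts);`. The check also computes `pkt->dts - pkt->pts` without testing dts against AV_NOPTS_VALUE; if dts can still be unset at this point (ff_mov_write_packet starts outside the hunk, so I cannot see an earlier guard), the difference is meaningless and the packet is refused for the wrong reason. A one-line comment that the cts value later written to the ctts atom is 32-bit would explain the `(int32_t)` round-trip test.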
@@ -250,7 +250,7 @@ typedef struct MXFFFV1SubDescriptor { typedef struct MXFIndexTableSegment { MXFMetadataSet meta; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; From 8194f34b5d4fb098ff88b213a0148b748209ad99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Mar 2024 23:07:01 +0100 Subject: [PATCH 030/562] avformat/aiffdec: Check for previously set channels Fixes: out of array access (av_channel_layout_copy()) Fixes: 67087/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4920720268263424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23b29f72eeb2ff6f2176ee74b9abe78aec4cd1f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 9318943f96..fc01ffcbf1 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -106,6 +106,8 @@ static int get_aiff_header(AVFormatContext *s, int64_t size, size++; par->codec_type = AVMEDIA_TYPE_AUDIO; channels = avio_rb16(pb); + if (par->ch_layout.nb_channels && par->ch_layout.nb_channels != channels) + return AVERROR_INVALIDDATA; par->ch_layout.nb_channels = channels; num_frames = avio_rb32(pb); par->bits_per_coded_sample = avio_rb16(pb); From cbbe688434e2aac4685e36036e413c026053ef47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 02:07:28 +0100 Subject: [PATCH 031/562] avformat/mpegts: Reset local nb_prg on add_program() failure add_program() will deallocate the whole array on failure so we must clear nb_prgs Fixes: null pointer dereference Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc Found-by: Catena cyber Signed-off-by: Michael Niedermayer (cherry picked from commit cb9752d897de17212a7a3ce54ad3e16b377b22c0) 
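Review bot: The new mismatch check in get_aiff_header rejects the file without a log line and without saying where the earlier channel count came from, so a maintainer reading the COMM parser cannot tell why a previously set nb_channels is authoritative. I would add a comment such as `/* a channel layout may already have been set from an earlier chunk; the COMM count must agree with it */` (hedged, since the chunk that sets it is outside this hunk) and an `av_log(s, AV_LOG_ERROR, ...)` before the return. get_aiff_header continues outside the hunk.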
Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index de7a3c8b45..320926248b 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2605,7 +2605,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len FFSWAP(struct Program, ts->prg[nb_prg], ts->prg[prg_idx]); if (prg_idx >= nb_prg) nb_prg++; - } + } else + nb_prg = 0; } } ts->nb_prg = nb_prg; From e37d66a72edb6d3efae31f4757c6a08f33e642df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jan 2024 19:58:56 +0100 Subject: [PATCH 032/562] avcodec/vvc/vvcdec: Do not submit frames without VVCFrameThread Such frames will crash when pthread functions are called on the NULL pointer Fixes: member access within null pointer of type 'VVCFrameThread' (aka 'struct VVCFrameThread') Fixes: 65160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-4665241535119360 (partly) Fixes: 65636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5394745824182272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 84ce5ced3163975b5ba9ffbf4c4709114b9e8669) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vvc/vvcdec.c b/libavcodec/vvc/vvcdec.c index d5704aca25..e72bb48a50 100644 --- a/libavcodec/vvc/vvcdec.c +++ b/libavcodec/vvc/vvcdec.c @@ -939,6 +939,9 @@ static int vvc_decode_frame(AVCodecContext *avctx, AVFrame *output, if (ret < 0) return ret; + if (!fc->ft) + return avpkt->size; + ret = submit_frame(s, fc, output, got_output); if (ret < 0) return ret; From 5469ba6d74dfe34a526edda814e6ac5a922e833c Mon Sep 17 00:00:00 2001 
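Review bot: `if (!fc->ft) return avpkt->size;` in vvc_decode_frame silently consumes the packet with no log and no comment explaining when a frame context lacks its thread state, so a reader cannot tell whether this is a benign "nothing to decode" case or a swallowed earlier failure. I would add a comment, hedged because the code that allocates fc->ft is outside this hunk, along the lines of `/* no slice was accepted for this frame, so no VVCFrameThread exists and there is nothing to submit */`, plus an AV_LOG_DEBUG line. Whether *got_output has been cleared before this early return is also not visible here.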
From: Michael Niedermayer Date: Mon, 1 Apr 2024 22:11:54 +0200 Subject: [PATCH 033/562] avcodec/apedec: Use NABS to avoid undefined negation Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 67738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5444313212321792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1887ff250cfd1e69c08bca21cc53e30a39e26818) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0f48bdff77..7d96182d0c 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count) int32_t left = a1 - (unsigned)(a0 / 2); int32_t right = left + (unsigned)a0; - if (FFMAX(FFABS(left), FFABS(right)) > (1<<23)) { + if (FFMIN(FFNABS(left), FFNABS(right)) < -(1<<23)) { ctx->interim_mode = !interim_mode; av_log(ctx->avctx, AV_LOG_VERBOSE, "Interim mode: %d\n", ctx->interim_mode); break; From 8146cab801963ae948af31a682dc9a6562fb31f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 02:15:07 +0200 Subject: [PATCH 034/562] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Fixes: Timeout Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589fa8a027f3b1707d78d7c45335acc498a5e887) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 5711fbbdcd..f4d974d09e 100644 --- a/libavcodec/exr.c 
+++ b/libavcodec/exr.c
@@ -334,7 +334,10 @@ static int huf_unpack_enc_table(GetByteContext *gb,
 return ret;

 for (; im <= iM; im++) {
- uint64_t l = freq[im] = get_bits(&gbit, 6);
+ uint64_t l;
+ if (get_bits_left(&gbit) < 6)
+ return AVERROR_INVALIDDATA;
+ l = freq[im] = get_bits(&gbit, 6);

 if (l == LONG_ZEROCODE_RUN) {
 int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN;
From 87e5bc918a4e25455860a730aa6986d3f18dc5ca Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 1 Apr 2024 02:18:57 +0200
Subject: [PATCH 035/562] avcodec/exr: Dont use 64bits to hold 6bits
Signed-off-by: Michael Niedermayer
(cherry picked from commit e3984de6ffd6068efcfb5c576f1ec788211608fe)
Signed-off-by: Michael Niedermayer
---
 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index f4d974d09e..e680f9b9e0 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -334,7 +334,7 @@ static int huf_unpack_enc_table(GetByteContext *gb,
 return ret;

 for (; im <= iM; im++) {
- uint64_t l;
+ int l;
 if (get_bits_left(&gbit) < 6)
 return AVERROR_INVALIDDATA;
 l = freq[im] = get_bits(&gbit, 6);
From 5cd6683ddc52c8b7f95b295feded4acbd3ba130c Mon Sep 17 00:00:00 2001
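Review bot: The new 6-bit availability check in huf_unpack_enc_table guards only the `freq[im]` read; the `get_bits(&gbit, 8)` for LONG_ZEROCODE_RUN on the hunk's last visible line is still unchecked, and the short-run branch that follows it (outside the hunk) presumably reads more. Whether an over-read past the end returns zeros or walks off the buffer depends on how gbit was initialised above the hunk, which I cannot see; either way, checking the worst case up front, `if (get_bits_left(&gbit) < 6 + 8) return AVERROR_INVALIDDATA;`, or guarding the 8-bit read separately, would make the loop robust without relying on that. The second hunk's narrowing of `l` to int is fine since the value is at most 6 bits here.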
From: Niklas Haas Date: Mon, 25 Mar 2024 16:07:23 +0100 Subject: [PATCH 036/562] avfilter: properly reduce YUV colorspace format lists Doing this with REDUCE_FORMATS() instead of swap_color_*() is not only shorter, but more importantly comes with the benefit of being done inside a loop, allowing us to correctly propagate complex graphs involving multiple conversion filters (e.g. -vf scale,zscale). The latter family of swapping functions is only used to settle the best *remaining* entry if no exact match was found, and as such was never the correct solution to YUV colorspaces, which only care about exact matches. (cherry picked from commit b89ee2653919c14193f646ba03b2bf1d13c9aa2d) --- libavfilter/avfiltergraph.c | 84 ++----------------------------------- 1 file changed, 4 insertions(+), 80 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index bb5399c55e..12ff7d6ffb 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -794,6 +794,10 @@ static int reduce_formats_on_filter(AVFilterContext *filter) nb_formats, ff_add_format); REDUCE_FORMATS(int, AVFilterFormats, samplerates, formats, nb_formats, ff_add_format); + REDUCE_FORMATS(int, AVFilterFormats, color_spaces, formats, + nb_formats, ff_add_format); + REDUCE_FORMATS(int, AVFilterFormats, color_ranges, formats, + nb_formats, ff_add_format); /* reduce channel layouts */ for (i = 0; i < filter->nb_inputs; i++) { 
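Review bot: The two new REDUCE_FORMATS invocations in reduce_formats_on_filter iterate every input link, including audio links, for which color_spaces and color_ranges lists presumably do not exist; the macro's definition is outside this hunk, so I cannot confirm it skips a NULL `link->outcfg.<field>` before reading `nb_formats`. If it does not, a mixed audio/video filter would dereference NULL here. A one-line comment above the additions, e.g. `/* video-only lists; REDUCE_FORMATS tolerates NULL on audio links */`, would record the assumption once verified.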
@@ -906,82 +910,6 @@ static void swap_samplerates(AVFilterGraph *graph) swap_samplerates_on_filter(graph->filters[i]); } -static void swap_color_spaces_on_filter(AVFilterContext *filter) -{ - AVFilterLink *link = NULL; - enum AVColorSpace csp; - int i; - - for (i = 0; i < filter->nb_inputs; i++) { - link = filter->inputs[i]; - if (link->type == AVMEDIA_TYPE_VIDEO && - link->outcfg.color_spaces->nb_formats == 1) - break; - } - if (i == filter->nb_inputs) - return; - - csp = link->outcfg.color_spaces->formats[0]; - - for (i = 0; i < filter->nb_outputs; i++) { - AVFilterLink *outlink = filter->outputs[i]; - if (outlink->type != AVMEDIA_TYPE_VIDEO) - continue; - /* there is no meaningful 'score' between different yuv matrices, - * so just prioritize an exact match if it exists */ - for (int j = 0; j < outlink->incfg.color_spaces->nb_formats; j++) { - if (csp == outlink->incfg.color_spaces->formats[j]) { - FFSWAP(int, outlink->incfg.color_spaces->formats[0], - outlink->incfg.color_spaces->formats[j]); - break; - } - } - } -} - -static void swap_color_spaces(AVFilterGraph *graph) -{ - for (int i = 0; i < graph->nb_filters; i++) - swap_color_spaces_on_filter(graph->filters[i]); -} - -static void swap_color_ranges_on_filter(AVFilterContext *filter) -{ - AVFilterLink *link = NULL; - enum AVColorRange range; - int i; - - for (i = 0; i < filter->nb_inputs; i++) { - link = filter->inputs[i]; - if (link->type == AVMEDIA_TYPE_VIDEO && - link->outcfg.color_ranges->nb_formats == 1) - break; - } - if (i == filter->nb_inputs) - return; - - range = link->outcfg.color_ranges->formats[0]; - - for (i = 0; i < filter->nb_outputs; i++) { - AVFilterLink *outlink = filter->outputs[i]; - if (outlink->type != AVMEDIA_TYPE_VIDEO) - continue; - for (int j = 0; j < outlink->incfg.color_ranges->nb_formats; j++) { - if (range == outlink->incfg.color_ranges->formats[j]) { - FFSWAP(int, outlink->incfg.color_ranges->formats[0], - outlink->incfg.color_ranges->formats[j]); - break; - } - } - } -} - 
-static void swap_color_ranges(AVFilterGraph *graph) -{ - for (int i = 0; i < graph->nb_filters; i++) - swap_color_ranges_on_filter(graph->filters[i]); -} - #define CH_CENTER_PAIR (AV_CH_FRONT_LEFT_OF_CENTER | AV_CH_FRONT_RIGHT_OF_CENTER) #define CH_FRONT_PAIR (AV_CH_FRONT_LEFT | AV_CH_FRONT_RIGHT) #define CH_STEREO_PAIR (AV_CH_STEREO_LEFT | AV_CH_STEREO_RIGHT) @@ -1258,10 +1186,6 @@ static int graph_config_formats(AVFilterGraph *graph, void *log_ctx) if ((ret = reduce_formats(graph)) < 0) return ret; - /* for video filters, ensure that the best colorspace metadata is selected */ - swap_color_spaces(graph); - swap_color_ranges(graph); - /* for audio filters, ensure the best format, sample rate and channel layout * is selected */ swap_sample_fmts(graph); From fd8fb39af984b575efdb6ddf28ec1e3d1f855ad1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 3 Apr 2024 19:59:20 +0200 Subject: [PATCH 037/562] configure: Add missing libdav1d/av1 decoders->dovi_rpu dependency Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 924402f783d7d056eefa5c065504fbae2731235b) --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 2a1d22310b..69db402b9a 100755 --- a/configure +++ b/configure @@ -2894,7 +2894,7 @@ asv1_encoder_select="aandcttables bswapdsp fdctdsp pixblockdsp" asv2_decoder_select="blockdsp bswapdsp idctdsp" asv2_encoder_select="aandcttables bswapdsp fdctdsp pixblockdsp" atrac1_decoder_select="sinewin" -av1_decoder_select="cbs_av1 atsc_a53" +av1_decoder_select="atsc_a53 cbs_av1 dovi_rpu" bink_decoder_select="blockdsp hpeldsp" binkaudio_dct_decoder_select="wma_freqs" binkaudio_rdft_decoder_select="wma_freqs" 
@@ -3483,7 +3483,7 @@ libcelt_decoder_deps="libcelt" libcodec2_decoder_deps="libcodec2" libcodec2_encoder_deps="libcodec2" libdav1d_decoder_deps="libdav1d" -libdav1d_decoder_select="atsc_a53" +libdav1d_decoder_select="atsc_a53 dovi_rpu" libdavs2_decoder_deps="libdavs2" libdavs2_decoder_select="avs2_parser" libfdk_aac_decoder_deps="libfdk_aac" From aeff85620ac618df15e414d3a757ba9ad0076e8d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 3 Apr 2024 21:34:54 +0200 Subject: [PATCH 038/562] configure: Fix iamfdec dependencies Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9c4558b5963bbc47a03bb8f99d0a99d03c5fd734) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 69db402b9a..4f5353f84b 100755 --- a/configure +++ b/configure @@ -2851,6 +2851,7 @@ h264_sei_select="atsc_a53 golomb" hevcparse_select="golomb" hevc_sei_select="atsc_a53 golomb" frame_thread_encoder_deps="encoders threads" +iamfdec_select="iso_media mpeg4audio" inflate_wrapper_deps="zlib" intrax8_select="blockdsp wmv2dsp" iso_media_select="mpeg4audio" From 3b6732bcb30783daaf5998207bf79061f4733ff5 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Kempf Date: Wed, 3 Apr 2024 23:12:54 +0200 Subject: [PATCH 039/562] changelog: update for 7.0 Signed-off-by: James Almer (cherry picked from commit 486a2b964ba4e496ecd821e189d495ad06585abe) --- Changelog | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index e83a00e35c..456af3ff59 100644 --- a/Changelog +++ b/Changelog @@ -17,7 +17,7 @@ version 7.0: - qrencode filter and qrencodesrc source - quirc filter - lavu/eval: introduce randomi() function in expressions -- VVC decoder +- VVC decoder (experimental) - fsync filter - Raw Captions with Time (RCWT) closed caption muxer - ffmpeg CLI -bsf option may now be used for input as well as output 
@@ -38,6 +38,15 @@ version 7.0: - ffplay with hwaccel decoding support (depends on vulkan renderer via libplacebo) - dnn filter libtorch backend - Android content URIs protocol +- AOMedia Film Grain Synthesis 1 (AFGS1) +- RISC-V optimizations for AAC, FLAC, JPEG-2000,LPC, RV4.0, SVQ, VC1, VP8 and more +- Loongarch optimizations for HEVC decoding +- Important AArch64 optimizations for HEVC +- IAMF support inside MP4/ISOBMFF +- Support for HEIF/AVIF still images and tiled still images +- Dolby Vision profile 10 support in AV1 +- Support for Ambient Viewing Environment metadata in MP4/ISOBMFF +- HDR10 metadata passthrough when encoding with libx264, libx265 and libsvtav1 version 6.1: From 4866aaf7c50ae256a0e29312163fd24189a22094 Mon Sep 17 00:00:00 2001 From: Marth64 Date: Thu, 4 Apr 2024 10:08:21 -0500 Subject: [PATCH 040/562] Changelog: fix typos for 7.0 section Signed-off-by: James Almer (cherry picked from commit e3335e9e9ebfff4acea97fd715b2824ec1957b96) --- Changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 456af3ff59..58b5a45b29 100644 --- a/Changelog +++ b/Changelog @@ -39,14 +39,14 @@ version 7.0: - dnn filter libtorch backend - Android content URIs protocol - AOMedia Film Grain Synthesis 1 (AFGS1) -- RISC-V optimizations for AAC, FLAC, JPEG-2000,LPC, RV4.0, SVQ, VC1, VP8 and more +- RISC-V optimizations for AAC, FLAC, JPEG-2000, LPC, RV4.0, SVQ, VC1, VP8, and more - Loongarch optimizations for HEVC decoding - Important AArch64 optimizations for HEVC - IAMF support inside MP4/ISOBMFF - Support for HEIF/AVIF still images and tiled still images - Dolby Vision profile 10 support in AV1 - Support for Ambient Viewing Environment metadata in MP4/ISOBMFF -- HDR10 metadata passthrough when encoding with libx264, libx265 and libsvtav1 +- HDR10 metadata passthrough when encoding with libx264, libx265, and libsvtav1 version 6.1: From d918d9afe0d4bcc3f149166143132f0d582108dd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 1 Apr 2024 22:56:02 +0200 Subject: [PATCH 041/562] avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() Fixes: memleak Fixes: 67442/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5068813261406208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit d157725cf726adc29385d264eaf79ae430b1f3e5) Signed-off-by: Michael Niedermayer --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 9fbccd4437..c5930bd4d8 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -359,6 +359,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext st->codecpar->extradata_size, 1, fc); if (ret < 0) return ret; + av_channel_layout_uninit(&st->codecpar->ch_layout); st->codecpar->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; st->codecpar->ch_layout.nb_channels = cfg.channels; if (cfg.object_type == 29 && cfg.sampling_index < 3) // old mp3on4 From 839e8baa2078552b5369a0e1a2d5468ee2a019df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Apr 2024 02:13:05 +0200 Subject: [PATCH 042/562] doc/developer: (security) researchers should be credited MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5422196d0283918a1aa996a81bd51522f34fda) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index c86bb5820c..63835dfa06 100644 --- a/doc/developer.texi +++ b/doc/developer.texi 
@@ -390,6 +390,10 @@ If you apply a patch, send an answer to ffmpeg-devel (or wherever you got the patch from) saying that you applied the patch. +@subheading Credit any researchers +If a commit/patch fixes an issues found by some researcher, always credit the +researcher in the commit message for finding/reporting the issue. + @subheading Always wait long enough before pushing changes Do NOT commit to code actively maintained by others without permission. Send a patch to ffmpeg-devel. If no one answers within a reasonable From 1ef084f910928aa24adecb9198d9cf3a9c2d7e36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:15:27 +0200 Subject: [PATCH 043/562] avcodec/wavarc: fix signed integer overflow in block type 6/19 Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int' Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c7094b25b689185155a6833caf2747b94774a4) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index aa1af6330b..e121f1bc61 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++) From 97751fda3eb4adef67b93a7033e81299133ddd7b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer
Date: Thu, 4 Apr 2024 00:20:34 +0200
Subject: [PATCH 044/562] avformat/iamf_parse: Check sound_system
Fixes: index 13 out of bounds for type 'const struct IAMFSoundSystemMap [13]'
Fixes: 67796/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4554553191104512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4593cf7ab3f0ff2884880b625f1873f0eaf7a439)
Signed-off-by: Michael Niedermayer
---
 libavformat/iamf_parse.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index cb49cf0a57..210cadd85a 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -933,6 +933,10 @@ static int mix_presentation_obu(void *s, IAMFContext *c, AVIOContext *pb, int le
 if (submix_layout->layout_type == 2) {
 int sound_system;
 sound_system = (byte >> 2) & 0xF;
+ if (sound_system >= FF_ARRAY_ELEMS(ff_iamf_sound_system_map)) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 av_channel_layout_copy(&submix_layout->sound_system,
 &ff_iamf_sound_system_map[sound_system].layout);
 }
From e0dd533ad6efa95cc6f15b04949d6bbba3207b35 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 4 Apr 2024 00:31:40 +0200
Subject: [PATCH 045/562] swscale/utils: Fix xInc overflow
Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int'
Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1)
Signed-off-by: Michael Niedermayer
---
 libswscale/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libswscale/utils.c b/libswscale/utils.c
index ab8a68e241..54bbd519af 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
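Review bot: Directly below the new bounds check in mix_presentation_obu the return value of av_channel_layout_copy() is still discarded, so a failure inside it would leave submix_layout->sound_system partially initialised while the function reports success; the hunk already has `ret` and a `fail` label, so `ret = av_channel_layout_copy(&submix_layout->sound_system, &ff_iamf_sound_system_map[sound_system].layout); if (ret < 0) goto fail;` costs nothing. I hedge on how likely that failure is, since the map entries may be native layouts that never allocate. The signed `sound_system` versus size_t `FF_ARRAY_ELEMS` comparison is safe only because the value is masked to 0..15 two lines above; a comment tying the two together would help. The function begins outside this hunk.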
@@ -564,7 +564,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From 3736130e5b258732cd0dcff685aa11ce19d6f063 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 046/562] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 94806ccb87..4e4beb40b0 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1263,6 +1263,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From abaa747ee5db942b59f7106bb76e4806ae5cae84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:42:20 +0200 Subject: [PATCH 047/562] avformat/pcm: Use 64bit in bitrate computation Fixes: signed integer overflow: 65792 * 65312 cannot be represented in type 'int' Fixes: 67819/clusterfuzz-testcase-minimized-ffmpeg_dem_WADY_fuzzer-5236100912185344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf3b74142e4402912e26b5e58a0b63f87ec3cd21) 
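Review bot: `xDstInSrc += 2LL * xInc;` only removes the overflow if xDstInSrc itself is 64-bit wide; its declaration is above the hunk in initFilter, so if it is an int the product is now computed safely and then truncated on the compound assignment, which merely moves the wraparound. If it is already int64_t, a comment such as `/* xInc can be close to INT_MAX; keep the doubling in 64 bits */` would explain the `2LL`. The mxfdec hunk on this line is fine as far as it goes, though `av_log(NULL, ...)` two lines below the new check predates the patch and loses the context.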
Signed-off-by: Michael Niedermayer --- libavformat/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 051e86dd46..a774dbc372 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c @@ -41,7 +41,7 @@ int ff_pcm_default_packet_size(AVCodecParameters *par) /* Don't trust the codecpar bitrate if we can calculate it ourselves */ if (bits_per_sample > 0 && par->sample_rate > 0 && par->ch_layout.nb_channels > 0) if ((int64_t)par->sample_rate * par->ch_layout.nb_channels < INT64_MAX / bits_per_sample) - bitrate = bits_per_sample * par->sample_rate * par->ch_layout.nb_channels; + bitrate = bits_per_sample * (int64_t)par->sample_rate * par->ch_layout.nb_channels; if (bitrate > 0) { nb_samples = av_clip64(bitrate / 8 / PCM_DEMUX_TARGET_FPS / par->block_align, 1, max_samples); From 9a4c7b937f4b804a023a9949d1250a332b33107c Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Wed, 27 Mar 2024 09:06:19 -0400 Subject: [PATCH 048/562] avcodec, avformat/ffjni: fix duplicate JNI symbols Use SHLIBOBJS and STLIBOBJS in the Makefiles for avcodec and avformat, and add a stub ffjni.c to libavformat, which allows the symbols to be duplicated for shared builds but not static builds. Signed-off-by: Leo Izen Signed-off-by: Matthieu Bouron --- libavcodec/Makefile | 1 + libavformat/Makefile | 1 + libavformat/ffjni.c | 23 +++++++++++++++++++++++ libavformat/file.c | 2 +- 4 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 libavformat/ffjni.c diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 9ce6d445c1..113adb22d5 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile 
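Review bot: The fix in ff_pcm_default_packet_size is complete only if `bitrate` is itself int64_t; its declaration is above the hunk, so I cannot confirm the product is not truncated on assignment. The guard on the line above compares `sample_rate * nb_channels` against `INT64_MAX / bits_per_sample`, which does bound the new expression, but the two lines read as unrelated; a comment such as `/* guarded above: rate * channels < INT64_MAX / bits, so the 64-bit product cannot overflow */` ties them together. The division by `par->block_align` on the following context line is unchecked but predates this patch.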
@@ -1068,6 +1068,7 @@ STLIBOBJS-$(CONFIG_ISO_MEDIA) += mpegaudiotabs.o STLIBOBJS-$(CONFIG_FLV_MUXER) += mpeg4audio_sample_rates.o STLIBOBJS-$(CONFIG_HLS_DEMUXER) += ac3_channel_layout_tab.o STLIBOBJS-$(CONFIG_IMAGE_JPEGXL_PIPE_DEMUXER) += jpegxl_parse.o +STLIBOBJS-$(CONFIG_JNI) += ffjni.o STLIBOBJS-$(CONFIG_JPEGXL_ANIM_DEMUXER) += jpegxl_parse.o STLIBOBJS-$(CONFIG_MATROSKA_DEMUXER) += mpeg4audio_sample_rates.o STLIBOBJS-$(CONFIG_MOV_DEMUXER) += ac3_channel_layout_tab.o diff --git a/libavformat/Makefile b/libavformat/Makefile index 44aa485029..a89df7e9a3 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -728,6 +728,7 @@ SHLIBOBJS-$(CONFIG_ISO_MEDIA) += mpegaudiotabs.o SHLIBOBJS-$(CONFIG_FLV_MUXER) += mpeg4audio_sample_rates.o SHLIBOBJS-$(CONFIG_HLS_DEMUXER) += ac3_channel_layout_tab.o SHLIBOBJS-$(CONFIG_IMAGE_JPEGXL_PIPE_DEMUXER) += jpegxl_parse.o +SHLIBOBJS-$(CONFIG_JNI) += ffjni.o SHLIBOBJS-$(CONFIG_JPEGXL_ANIM_DEMUXER) += jpegxl_parse.o SHLIBOBJS-$(CONFIG_MATROSKA_DEMUXER) += mpeg4audio_sample_rates.o SHLIBOBJS-$(CONFIG_MOV_DEMUXER) += ac3_channel_layout_tab.o diff --git a/libavformat/ffjni.c b/libavformat/ffjni.c new file mode 100644 index 0000000000..2b1483cf42 --- /dev/null +++ b/libavformat/ffjni.c 
@@ -0,0 +1,23 @@ +/* + * JNI utility functions - included stub + * + * Copyright (c) 2024 Leo Izen + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "libavcodec/ffjni.c" diff --git a/libavformat/file.c b/libavformat/file.c index 182995717a..1f853e0e17 100644 --- a/libavformat/file.c +++ b/libavformat/file.c @@ -527,8 +527,8 @@ const URLProtocol ff_fd_protocol = { #if CONFIG_ANDROID_CONTENT_PROTOCOL #include +#include "libavcodec/ffjni.h" #include "libavcodec/jni.h" -#include "libavcodec/ffjni.c" typedef struct JFields { jclass uri_class; From 4f0e9457d66110dc23f51db0124e86c40a585468 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Apr 2024 00:26:26 +0200 Subject: [PATCH 049/562] Update for 7.0 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 238679db50..4fedf1d20e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.git +7.0 diff --git a/doc/Doxyfile b/doc/Doxyfile index 572c532da5..3c40cb8c08 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
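Review bot: `#include "libavcodec/ffjni.c"` compiles a second copy of every file-scope object in ffjni.c into libavformat for shared builds, so any static state there (cached class references, a stored JavaVM pointer, or similar) would exist once per library and never be shared between avcodec and avformat. ffjni.c is not in this patch, so I can only hedge that it holds none; if that is the intent, the stub should say so, e.g. `/* ffjni.c must stay free of file-scope state: shared builds link one copy per library */`. The companion change in file.c that swaps the `.c` include for `ffjni.h` is the right direction for the android_content protocol.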
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 7.0 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 083443d67cb159ce469e5d902346b8d0c2cd1c93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 050/562] RELEASE_NOTES: Based on the version from 5.1 Name suggested by 7 people on ML Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..93bcf7d5bd --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌─────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 7.0 "Dijkstra" │ + └─────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 7.0 "Dijkstra", about 6 + months after the release of FFmpeg 6.1. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask + on the mailing-lists. From 0e3a46720af828726c8565d657b34b094759d444 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 4 Apr 2024 02:28:00 +0200 Subject: [PATCH 051/562] avcodec/ppc/h264dsp: Fix left shifts of negative numbers PPC equivalent of c756b3fca240df75ffa28e75f2eb34834c10294d. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e54696bcaa0819674e2f9bc7c9a4c87383675091) --- libavcodec/ppc/h264dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/ppc/h264dsp.c b/libavcodec/ppc/h264dsp.c
index f50f2553a2..0650768d7b 100644
--- a/libavcodec/ppc/h264dsp.c
+++ b/libavcodec/ppc/h264dsp.c
@@ -663,7 +663,7 @@ void weight_h264_W_altivec(uint8_t *block, int stride, int height,
 DECLARE_ALIGNED(16, int32_t, temp)[4];
 LOAD_ZERO;
- offset <<= log2_denom;
+ offset *= 1 << log2_denom;
 if(log2_denom) offset += 1<<(log2_denom-1);
 temp[0] = log2_denom;
 temp[1] = weight;
@@ -712,7 +712,7 @@ void biweight_h264_W_altivec(uint8_t *dst, uint8_t *src, int stride, int height,
 DECLARE_ALIGNED(16, int32_t, temp)[4];
 LOAD_ZERO;
- offset = ((offset + 1) | 1) << log2_denom;
+ offset = ((offset + 1) | 1) * (1 << log2_denom);
 temp[0] = log2_denom+1;
 temp[1] = weights;
 temp[2] = weightd;
From 82aa18828185d53d46a6bc0fa14af3252cefe5ee Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 4 Apr 2024 03:45:57 +0200 Subject: [PATCH 052/562] avcodec/lossless_videoencdsp: Don't presume alignment in diff_bytes The alignment of all the parameters in diff_bytes can be anything the despite the documentation claiming otherwise. 8ecd38312210d48ec9e50d78fc223d60e71a30ed was based around said documentation and is therefore insufficient to fix e.g. the misaligned loads that happen in the huffyuvbgra and huffyuvbgr24 vsynth FATE-tests. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a4800643bba40cf8461406aa078da93e42e6ea6c) --- libavcodec/lossless_videoencdsp.c | 10 ++++------ libavcodec/lossless_videoencdsp.h | 4 ++-- 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/libavcodec/lossless_videoencdsp.c b/libavcodec/lossless_videoencdsp.c
index 8d03a5b5c6..0a3a4ec509 100644
--- a/libavcodec/lossless_videoencdsp.c
+++ b/libavcodec/lossless_videoencdsp.c
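Review bot: Both replacements, `offset *= 1 << log2_denom;` in weight_h264_W_altivec and `offset = ((offset + 1) | 1) * (1 << log2_denom);` in biweight_h264_W_altivec, would benefit from a one-line why-comment, because a reader sees a multiplication by a power of two and is tempted to turn it back into the shift it replaces; `/* multiply rather than shift: offset can be negative and left-shifting a negative int is undefined */` on each line pins the intent the commit message gives. Whether the product can itself overflow int depends on the ranges of offset and log2_denom, which are established by callers outside these hunks, so that is not checkable here. Both function bodies start and end outside the hunks.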
@@ -25,13 +25,11 @@
 #if HAVE_FAST_64BIT
 typedef uint64_t uint_native;
 #define READ AV_RN64
-#define READA AV_RN64A
-#define WRITEA AV_WN64A
+#define WRITE AV_WN64
 #else
 typedef uint32_t uint_native;
 #define READ AV_RN32
-#define READA AV_RN32A
-#define WRITEA AV_WN32A
+#define WRITE AV_WN32
 #endif
 // 0x7f7f7f7f or 0x7f7f7f7f7f7f7f7f or whatever, depending on the cpu's native arithmetic size
 #define pb_7f (~(uint_native)0 / 255 * 0x7f)
@@ -56,9 +54,9 @@ static void diff_bytes_c(uint8_t *dst, const uint8_t *src1, const uint8_t *src2,
 } else
 #endif
 for (i = 0; i <= w - (int) sizeof(uint_native); i += sizeof(uint_native)) {
- uint_native a = READA(src1 + i);
+ uint_native a = READ(src1 + i);
 uint_native b = READ(src2 + i);
- WRITEA(dst + i, ((a | pb_80) - (b & pb_7f)) ^ ((a ^ b ^ pb_80) & pb_80));
+ WRITE(dst + i, ((a | pb_80) - (b & pb_7f)) ^ ((a ^ b ^ pb_80) & pb_80));
 }
 for (; i < w; i++)
 dst[i + 0] = src1[i + 0] - src2[i + 0];
diff --git a/libavcodec/lossless_videoencdsp.h b/libavcodec/lossless_videoencdsp.h
index 07fff584af..7fd0ad32c7 100644
--- a/libavcodec/lossless_videoencdsp.h
+++ b/libavcodec/lossless_videoencdsp.h
@@ -23,8 +23,8 @@
 #include
 typedef struct LLVidEncDSPContext {
- void (*diff_bytes)(uint8_t *dst /* align 16 */,
- const uint8_t *src1 /* align 16 */,
+ void (*diff_bytes)(uint8_t *dst /* align 1 */,
+ const uint8_t *src1 /* align 1 */,
 const uint8_t *src2 /* align 1 */,
 intptr_t w);
 /**
From 607fca80b7701a74af18e21ae3a95ad5a15259b1 Mon Sep 17 00:00:00 2001
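Review bot: After this change READ/WRITE in the `#if HAVE_FAST_64BIT` block are the only accessors left, but nothing in diff_bytes_c itself records that all three pointers may be misaligned; that contract now lives only in the `/* align 1 */` comments of the header hunk. A one-line comment above `for (i = 0; i <= w - (int) sizeof(uint_native); ...)`, such as `/* unaligned accesses on purpose: dst, src1 and src2 are only guaranteed 1-byte alignment, see LLVidEncDSPContext.diff_bytes */`, would stop the next optimiser from reintroducing the aligned variants. The beginning of diff_bytes_c is outside the hunk, so whether any earlier part of it still assumes alignment cannot be checked here.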
From: Andreas Rheinhardt Date: Sun, 24 Mar 2024 16:10:16 +0100 Subject: [PATCH 053/562] avcodec/wavpack: Fix leak and segfault on reallocation error av_realloc_f() frees the buffer it is given on allocation failure. But in this case, the buffer is an array of ownership pointers, causing leaks on error. Furthermore, the count of pointers is unchanged on error and the codec's close function uses it to free said ownership pointers, causing a NPD. This is a regression since 46412a8935e4632b2460988bfce4152c7dccce22. Fix this by switching to av_realloc_array(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2f59648aed8ba538e2ff3cd7edcb85f4501faa25) --- libavcodec/wavpack.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 09b8731465..a81049b18b 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -973,9 +973,11 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb,
 static av_cold int wv_alloc_frame_context(WavpackContext *c)
 {
- c->fdec = av_realloc_f(c->fdec, c->fdec_num + 1, sizeof(*c->fdec));
- if (!c->fdec)
+ WavpackFrameContext **fdec = av_realloc_array(c->fdec, c->fdec_num + 1, sizeof(*c->fdec));
+
+ if (!fdec)
 return -1;
+ c->fdec = fdec;
 c->fdec[c->fdec_num] = av_mallocz(sizeof(**c->fdec));
 if (!c->fdec[c->fdec_num])
From 265de29acb15f957c629b1176ca4644fbd61b870 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 Mar 2024 16:43:42 +0100 Subject: [PATCH 054/562] avcodec/wavpack: Remove always-false check Signed-off-by: Andreas Rheinhardt (cherry picked from commit d307aca184a15be78236889c226f2699f40a1948) --- libavcodec/wavpack.c | 5 ----- 1 file changed, 5 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index a81049b18b..505bd3c96a 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
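Review bot: The new failure path after `if (!fdec)` keeps the bare `return -1;` of the code it replaces; since this is the allocation path being reworked, `return AVERROR(ENOMEM);` would report the actual cause, provided the callers (outside this hunk) only test for a negative result. The ordering of the new code is right for the bug the commit describes: the av_realloc_array() result is stored into `c->fdec` only after the NULL check, so on failure the old array and, as far as the visible lines show, `c->fdec_num` are left intact for the close path. A short comment such as `/* keep c->fdec/c->fdec_num valid on failure: the close function frees the existing contexts through them */` would record why the temporary is used. The end of wv_alloc_frame_context is outside the hunk.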
@@ -1097,11 +1097,6 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
 }
 s = wc->fdec[block_no];
- if (!s) {
- av_log(avctx, AV_LOG_ERROR, "Context for block %d is not present\n",
- block_no);
- return AVERROR_INVALIDDATA;
- }
 memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr));
 memset(s->ch, 0, sizeof(s->ch));
From e2a1a4f581af83e800507c6470b6e8cbf2bab32d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 5 Apr 2024 17:15:15 +0200 Subject: [PATCH 055/562] fate/ffmpeg: Avoid dependency on samples Creating vsynth_lena.yuv needs the FATE suite, yet several tests in ffmpeg.mak without a dependency on samples used it as input file. Fix this by using vsynth1.yuv (which does not have such a dependency) instead. Also use vsynth1.yuv in fate-shortest to avoid the samples dependency in this test, too. Fixes ticket #10947. Reviewed-by: Anton Khirnov Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7b7b7819bd21cc92ac07f6696b0e7f26fa8f9834) --- tests/fate/ffmpeg.mak | 30 +++---- tests/ref/fate/ffmpeg-filter-in-eof | 100 +++++++++++------------ tests/ref/fate/ffmpeg-loopback-decoding | 104 ++++++++++++------------ tests/ref/fate/force_key_frames | 8 +- tests/ref/fate/shortest | 100 +++++++++++------------ 5 files changed, 171 insertions(+), 171 deletions(-)
diff --git a/tests/fate/ffmpeg.mak b/tests/fate/ffmpeg.mak
index 3c549b265e..077104c713 100644
--- a/tests/fate/ffmpeg.mak
+++ b/tests/fate/ffmpeg.mak
@@ -16,10 +16,10 @@ fate-ffmpeg-filter_colorkey: CMD = framecrc -auto_conversion_filters -idct simpl FATE_FFMPEG-$(call FILTERFRAMECRC, COLOR) += fate-ffmpeg-lavfi fate-ffmpeg-lavfi: CMD = framecrc -lavfi color=d=1:r=5 -fflags +bitexact -FATE_SAMPLES_FFMPEG-$(call ENCDEC2, MPEG4, RAWVIDEO, AVI, RAWVIDEO_DEMUXER FRAMECRC_MUXER) += fate-force_key_frames -fate-force_key_frames: tests/data/vsynth_lena.yuv +FATE_FFMPEG-$(call ENCDEC2, MPEG4, RAWVIDEO, AVI, RAWVIDEO_DEMUXER FRAMECRC_MUXER) += fate-force_key_frames +fate-force_key_frames: tests/data/vsynth1.yuv fate-force_key_frames: CMD = enc_dec \ - "rawvideo -s 352x288 -pix_fmt yuv420p" tests/data/vsynth_lena.yuv \ + "rawvideo -s 352x288 -pix_fmt yuv420p" tests/data/vsynth1.yuv \ avi "-c mpeg4 -g 240 -qscale 10 -force_key_frames 0.5,0:00:01.5" \ framecrc "" "-skip_frame nokey" 
@@ -87,12 +87,12 @@ fate-unknown_layout-ac3: CMD = md5 -auto_conversion_filters \ -guess_layout_max 0 -f s32le -ac 1 -ar 44100 -i $(TARGET_PATH)/$(AREF) \ -f ac3 -flags +bitexact -c ac3_fixed -FATE_SAMPLES_FFMPEG-$(call FILTERDEMDEC, AMIX ARESAMPLE SINE, RAWVIDEO, \ +FATE_FFMPEG-$(call FILTERDEMDEC, AMIX ARESAMPLE SINE, RAWVIDEO, \ PCM_S16LE RAWVIDEO, LAVFI_INDEV \ MPEG4_ENCODER AC3_FIXED_ENCODER) \ += fate-shortest -fate-shortest: tests/data/vsynth_lena.yuv -fate-shortest: CMD = framecrc -auto_conversion_filters -f lavfi -i "sine=3000:d=10" -f lavfi -i "sine=1000:d=1" -sws_flags +accurate_rnd+bitexact -fflags +bitexact -flags +bitexact -idct simple -f rawvideo -s 352x288 -pix_fmt yuv420p -i $(TARGET_PATH)/tests/data/vsynth_lena.yuv -filter_complex "[0:a:0][1:a:0]amix=inputs=2[audio]" -map 2:v:0 -map "[audio]" -sws_flags +accurate_rnd+bitexact -fflags +bitexact -flags +bitexact -idct simple -dct fastint -qscale 10 -threads 1 -c:v mpeg4 -c:a ac3_fixed -shortest +fate-shortest: tests/data/vsynth1.yuv +fate-shortest: CMD = framecrc -auto_conversion_filters -f lavfi -i "sine=3000:d=10" -f lavfi -i "sine=1000:d=1" -sws_flags +accurate_rnd+bitexact -fflags +bitexact -flags +bitexact -idct simple -f rawvideo -s 352x288 -pix_fmt yuv420p -i $(TARGET_PATH)/tests/data/vsynth1.yuv -filter_complex "[0:a:0][1:a:0]amix=inputs=2[audio]" -map 2:v:0 -map "[audio]" -sws_flags +accurate_rnd+bitexact -fflags +bitexact -flags +bitexact -idct simple -dct fastint -qscale 10 -threads 1 -c:v mpeg4 -c:a ac3_fixed -shortest # test interleaving video with a sparse subtitle stream FATE_SAMPLES_FFMPEG-$(call ALLYES, COLOR_FILTER, VOBSUB_DEMUXER, MATROSKA_DEMUXER,, \ 
@@ -240,24 +240,24 @@ FATE_SAMPLES_FFMPEG-$(call FRAMECRC, MOV, , SETTS_BSF) += fate-ffmpeg-bsf-input # Test behaviour when a complex filtergraph returns EOF on one of its inputs, # but other inputs are still active. # cf. #10803 -fate-ffmpeg-filter-in-eof: tests/data/vsynth_lena.yuv -fate-ffmpeg-filter-in-eof: CMD = framecrc \ - -f rawvideo -s 352x288 -pix_fmt yuv420p -t 1 -i $(TARGET_PATH)/tests/data/vsynth_lena.yuv \ - -f rawvideo -s 352x288 -pix_fmt yuv420p -t 1 -i $(TARGET_PATH)/tests/data/vsynth_lena.yuv \ +fate-ffmpeg-filter-in-eof: tests/data/vsynth1.yuv +fate-ffmpeg-filter-in-eof: CMD = framecrc \ + -f rawvideo -s 352x288 -pix_fmt yuv420p -t 1 -i $(TARGET_PATH)/tests/data/vsynth1.yuv \ + -f rawvideo -s 352x288 -pix_fmt yuv420p -t 1 -i $(TARGET_PATH)/tests/data/vsynth1.yuv \ -filter_complex "[0][1]concat" -c:v rawvideo FATE_FFMPEG-$(call FRAMECRC, RAWVIDEO, RAWVIDEO, CONCAT_FILTER) += fate-ffmpeg-filter-in-eof # Test termination on streamcopy with -t as an output option. -fate-ffmpeg-streamcopy-t: tests/data/vsynth_lena.yuv +fate-ffmpeg-streamcopy-t: tests/data/vsynth1.yuv fate-ffmpeg-streamcopy-t: CMP = null -fate-ffmpeg-streamcopy-t: CMD = ffmpeg \ - -stream_loop -1 -f rawvideo -s 352x288 -pix_fmt yuv420p -i $(TARGET_PATH)/tests/data/vsynth_lena.yuv \ +fate-ffmpeg-streamcopy-t: CMD = ffmpeg \ + -stream_loop -1 -f rawvideo -s 352x288 -pix_fmt yuv420p -i $(TARGET_PATH)/tests/data/vsynth1.yuv \ -c copy -f null -t 1 - FATE_FFMPEG-$(call REMUX, RAWVIDEO) += fate-ffmpeg-streamcopy-t # Test loopback decoding and passing the output to a complex graph. 
-fate-ffmpeg-loopback-decoding: tests/data/vsynth_lena.yuv +fate-ffmpeg-loopback-decoding: tests/data/vsynth1.yuv fate-ffmpeg-loopback-decoding: CMD = transcode \ - "rawvideo -s 352x288 -pix_fmt yuv420p" $(TARGET_PATH)/tests/data/vsynth_lena.yuv nut \ + "rawvideo -s 352x288 -pix_fmt yuv420p" $(TARGET_PATH)/tests/data/vsynth1.yuv nut \ "-map 0:v:0 -c:v mpeg2video -f null - -flags +bitexact -idct simple -threads $$threads -dec 0:0 -filter_complex '[0:v][dec:0]hstack[stack]' -map '[stack]' -c:v ffv1" "" FATE_FFMPEG-$(call ENCDEC2, MPEG2VIDEO, FFV1, NUT, HSTACK_FILTER PIPE_PROTOCOL FRAMECRC_MUXER) += fate-ffmpeg-loopback-decoding diff --git a/tests/ref/fate/ffmpeg-filter-in-eof b/tests/ref/fate/ffmpeg-filter-in-eof index 77be842408..5b376bd8c3 100644 --- a/tests/ref/fate/ffmpeg-filter-in-eof +++ b/tests/ref/fate/ffmpeg-filter-in-eof 
@@ -3,53 +3,53 @@ #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 0/1 -0, 0, 0, 1, 152064, 0x07945924 -0, 1, 1, 1, 152064, 0x08472470 -0, 2, 2, 1, 152064, 0x63fde13b -0, 3, 3, 1, 152064, 0x67ba9c55 -0, 4, 4, 1, 152064, 0x8aa34b24 -0, 5, 5, 1, 152064, 0x9fba089e -0, 6, 6, 1, 152064, 0xb040d8e3 -0, 7, 7, 1, 152064, 0x3061ae08 -0, 8, 8, 1, 152064, 0xf5907946 -0, 9, 9, 1, 152064, 0x0ea24935 -0, 10, 10, 1, 152064, 0x7d87276b -0, 11, 11, 1, 152064, 0x122c252b -0, 12, 12, 1, 152064, 0xdb0f3889 -0, 13, 13, 1, 152064, 0x88466739 -0, 14, 14, 1, 152064, 0xca87a583 -0, 15, 15, 1, 152064, 0x34f9da44 -0, 16, 16, 1, 152064, 0x1d4e1646 -0, 17, 17, 1, 152064, 0x29975c2b -0, 18, 18, 1, 152064, 0xbf82aae9 -0, 19, 19, 1, 152064, 0x33c2fd7c -0, 20, 20, 1, 152064, 0xa3c95f44 -0, 21, 21, 1, 152064, 0x5f93bc9d -0, 22, 22, 1, 152064, 0xa6f11b51 -0, 23, 23, 1, 152064, 0x39bc6b45 -0, 24, 24, 1, 152064, 0xfd509e1d -0, 25, 25, 1, 152064, 0x07945924 -0, 26, 26, 1, 152064, 0x08472470 -0, 27, 27, 1, 152064, 0x63fde13b -0, 28, 28, 1, 152064, 0x67ba9c55 -0, 29, 29, 1, 152064, 0x8aa34b24 -0, 30, 30, 1, 152064, 0x9fba089e -0, 31, 31, 1, 152064, 0xb040d8e3 -0, 32, 32, 1, 152064, 0x3061ae08 -0, 33, 33, 1, 152064, 0xf5907946 -0, 34, 34, 1, 152064, 0x0ea24935 -0, 35, 35, 1, 152064, 0x7d87276b -0, 36, 36, 1, 152064, 0x122c252b -0, 37, 37, 1, 152064, 0xdb0f3889 -0, 38, 38, 1, 152064, 0x88466739 -0, 39, 39, 1, 152064, 0xca87a583 -0, 40, 40, 1, 152064, 0x34f9da44 -0, 41, 41, 1, 152064, 0x1d4e1646 -0, 42, 42, 1, 152064, 0x29975c2b -0, 43, 43, 1, 152064, 0xbf82aae9 -0, 44, 44, 1, 152064, 0x33c2fd7c -0, 45, 45, 1, 152064, 0xa3c95f44 -0, 46, 46, 1, 152064, 0x5f93bc9d -0, 47, 47, 1, 152064, 0xa6f11b51 -0, 48, 48, 1, 152064, 0x39bc6b45 -0, 49, 49, 1, 152064, 0xfd509e1d +0, 0, 0, 1, 152064, 0x05b789ef +0, 1, 1, 1, 152064, 0x4bb46551 +0, 2, 2, 1, 152064, 0x9dddf64a +0, 3, 3, 1, 152064, 0x2a8380b0 +0, 4, 4, 1, 152064, 0x4de3b652 +0, 5, 5, 1, 152064, 0xedb5a8e6 +0, 6, 6, 1, 152064, 0xe20f7c23 +0, 7, 7, 1, 152064, 
0x5ab58bac +0, 8, 8, 1, 152064, 0x1f1b8026 +0, 9, 9, 1, 152064, 0x91373915 +0, 10, 10, 1, 152064, 0x02344760 +0, 11, 11, 1, 152064, 0x30f5fcd5 +0, 12, 12, 1, 152064, 0xc711ad61 +0, 13, 13, 1, 152064, 0x24eca223 +0, 14, 14, 1, 152064, 0x52a48ddd +0, 15, 15, 1, 152064, 0xa91c0f05 +0, 16, 16, 1, 152064, 0x8e364e18 +0, 17, 17, 1, 152064, 0xb15d38c8 +0, 18, 18, 1, 152064, 0xf25f6acc +0, 19, 19, 1, 152064, 0xf34ddbff +0, 20, 20, 1, 152064, 0xfc7bf570 +0, 21, 21, 1, 152064, 0x9dc72412 +0, 22, 22, 1, 152064, 0x445d1d59 +0, 23, 23, 1, 152064, 0x2f2768ef +0, 24, 24, 1, 152064, 0xce09f9d6 +0, 25, 25, 1, 152064, 0x05b789ef +0, 26, 26, 1, 152064, 0x4bb46551 +0, 27, 27, 1, 152064, 0x9dddf64a +0, 28, 28, 1, 152064, 0x2a8380b0 +0, 29, 29, 1, 152064, 0x4de3b652 +0, 30, 30, 1, 152064, 0xedb5a8e6 +0, 31, 31, 1, 152064, 0xe20f7c23 +0, 32, 32, 1, 152064, 0x5ab58bac +0, 33, 33, 1, 152064, 0x1f1b8026 +0, 34, 34, 1, 152064, 0x91373915 +0, 35, 35, 1, 152064, 0x02344760 +0, 36, 36, 1, 152064, 0x30f5fcd5 +0, 37, 37, 1, 152064, 0xc711ad61 +0, 38, 38, 1, 152064, 0x24eca223 +0, 39, 39, 1, 152064, 0x52a48ddd +0, 40, 40, 1, 152064, 0xa91c0f05 +0, 41, 41, 1, 152064, 0x8e364e18 +0, 42, 42, 1, 152064, 0xb15d38c8 +0, 43, 43, 1, 152064, 0xf25f6acc +0, 44, 44, 1, 152064, 0xf34ddbff +0, 45, 45, 1, 152064, 0xfc7bf570 +0, 46, 46, 1, 152064, 0x9dc72412 +0, 47, 47, 1, 152064, 0x445d1d59 +0, 48, 48, 1, 152064, 0x2f2768ef +0, 49, 49, 1, 152064, 0xce09f9d6 diff --git a/tests/ref/fate/ffmpeg-loopback-decoding b/tests/ref/fate/ffmpeg-loopback-decoding index e535b9060f..ae92f32a37 100644 --- a/tests/ref/fate/ffmpeg-loopback-decoding +++ b/tests/ref/fate/ffmpeg-loopback-decoding 
@@ -1,57 +1,57 @@ -faefe475118cacc36dff3cab59baa6cf *tests/data/fate/ffmpeg-loopback-decoding.nut -6478832 tests/data/fate/ffmpeg-loopback-decoding.nut +e4e0e27eb8ed99eedc2458d92401c5e4 *tests/data/fate/ffmpeg-loopback-decoding.nut +7435259 tests/data/fate/ffmpeg-loopback-decoding.nut #tb 0: 1/25 #media_type 0: video #codec_id 0: rawvideo #dimensions 0: 704x288 #sar 0: 0/1 -0, 0, 0, 1, 304128, 0xe07dafdd -0, 1, 1, 1, 304128, 0xc5734e5d -0, 2, 2, 1, 304128, 0x855acdcc -0, 3, 3, 1, 304128, 0x4ad94309 -0, 4, 4, 1, 304128, 0x174ebea3 -0, 5, 5, 1, 304128, 0xdb416da6 -0, 6, 6, 1, 304128, 0x72442b79 -0, 7, 7, 1, 304128, 0x00ddf9ed -0, 8, 8, 1, 304128, 0xe7e7a773 -0, 9, 9, 1, 304128, 0x7df26501 -0, 10, 10, 1, 304128, 0x4f5a3eb3 -0, 11, 11, 1, 304128, 0x1ad35b6c -0, 12, 12, 1, 304128, 0xec8e6f56 -0, 13, 13, 1, 304128, 0xb237e0ef -0, 14, 14, 1, 304128, 0x55b26ce2 -0, 15, 15, 1, 304128, 0x22920436 -0, 16, 16, 1, 304128, 0x54eea0c0 -0, 17, 17, 1, 304128, 0x17113686 -0, 18, 18, 1, 304128, 0xeb9ae1af -0, 19, 19, 1, 304128, 0x1ba09d4c -0, 20, 20, 1, 304128, 0x0100748f -0, 21, 21, 1, 304128, 0xcc914570 -0, 22, 22, 1, 304128, 0x9bc21952 -0, 23, 23, 1, 304128, 0xc118d0af -0, 24, 24, 1, 304128, 0x7e4b2df0 -0, 25, 25, 1, 304128, 0x1078bff2 -0, 26, 26, 1, 304128, 0xeedbeda1 -0, 27, 27, 1, 304128, 0x35ac0a1b -0, 28, 28, 1, 304128, 0x3644fb76 -0, 29, 29, 1, 304128, 0x5efa175c -0, 30, 30, 1, 304128, 0x72c14f39 -0, 31, 31, 1, 304128, 0xd7c46bb0 -0, 32, 32, 1, 304128, 0x20f368ab -0, 33, 33, 1, 304128, 0x9bea7ced -0, 34, 34, 1, 304128, 0xf1b66b94 -0, 35, 35, 1, 304128, 0x3e5e6815 -0, 36, 36, 1, 304128, 0x6c2d5e3a -0, 37, 37, 1, 304128, 0x763046b0 -0, 38, 38, 1, 304128, 0x05f71f4c -0, 39, 39, 1, 304128, 0x3db72dff -0, 40, 40, 1, 304128, 0x86e34c11 -0, 41, 41, 1, 304128, 0x09334889 -0, 42, 42, 1, 304128, 0xc8566851 -0, 43, 43, 1, 304128, 0x4a7ec9da -0, 44, 44, 1, 304128, 0x609a176b -0, 45, 45, 1, 304128, 0x98deede0 -0, 46, 46, 1, 304128, 0x59ee66a3 -0, 47, 47, 1, 304128, 0x0fc5c8c2 -0, 48, 48, 
1, 304128, 0x0371d7b0 -0, 49, 49, 1, 304128, 0xd81c18cf +0, 0, 0, 1, 304128, 0xf6aa0942 +0, 1, 1, 1, 304128, 0x5752d4ab +0, 2, 2, 1, 304128, 0x3052ede5 +0, 3, 3, 1, 304128, 0xdaf807b7 +0, 4, 4, 1, 304128, 0x8f5c9990 +0, 5, 5, 1, 304128, 0x75b58b80 +0, 6, 6, 1, 304128, 0x5b9c7b06 +0, 7, 7, 1, 304128, 0xee9c177a +0, 8, 8, 1, 304128, 0x4fefb449 +0, 9, 9, 1, 304128, 0x0a6d565d +0, 10, 10, 1, 304128, 0x25fe7635 +0, 11, 11, 1, 304128, 0x1d36be60 +0, 12, 12, 1, 304128, 0xa63f571a +0, 13, 13, 1, 304128, 0x7ec1f6b5 +0, 14, 14, 1, 304128, 0x8c240ccf +0, 15, 15, 1, 304128, 0x41bbbc2a +0, 16, 16, 1, 304128, 0x611319e8 +0, 17, 17, 1, 304128, 0x929d83ad +0, 18, 18, 1, 304128, 0x45ae42a0 +0, 19, 19, 1, 304128, 0x9dd20a04 +0, 20, 20, 1, 304128, 0x61230985 +0, 21, 21, 1, 304128, 0x643a6d0f +0, 22, 22, 1, 304128, 0x5dd530dd +0, 23, 23, 1, 304128, 0x92c56539 +0, 24, 24, 1, 304128, 0xc364f034 +0, 25, 25, 1, 304128, 0x7a476be9 +0, 26, 26, 1, 304128, 0xee4ac625 +0, 27, 27, 1, 304128, 0x9e9c13c4 +0, 28, 28, 1, 304128, 0x6097cda9 +0, 29, 29, 1, 304128, 0x3a6c370c +0, 30, 30, 1, 304128, 0xfa740b74 +0, 31, 31, 1, 304128, 0x9d13798e +0, 32, 32, 1, 304128, 0x61b5ffc1 +0, 33, 33, 1, 304128, 0x34b30667 +0, 34, 34, 1, 304128, 0x303681b4 +0, 35, 35, 1, 304128, 0xe63508fc +0, 36, 36, 1, 304128, 0x10ef6b65 +0, 37, 37, 1, 304128, 0x17c8d2b5 +0, 38, 38, 1, 304128, 0x053d9db5 +0, 39, 39, 1, 304128, 0x43dd5c5b +0, 40, 40, 1, 304128, 0xba4b65f2 +0, 41, 41, 1, 304128, 0x4dc70aa2 +0, 42, 42, 1, 304128, 0x9e2a528f +0, 43, 43, 1, 304128, 0x53df2931 +0, 44, 44, 1, 304128, 0xe1d12fbd +0, 45, 45, 1, 304128, 0xcb863c4c +0, 46, 46, 1, 304128, 0x528e2e81 +0, 47, 47, 1, 304128, 0x880c0b66 +0, 48, 48, 1, 304128, 0x83ec648a +0, 49, 49, 1, 304128, 0xa5d2555d diff --git a/tests/ref/fate/force_key_frames b/tests/ref/fate/force_key_frames index 26de0905e8..ef8ca5af32 100644 --- a/tests/ref/fate/force_key_frames +++ b/tests/ref/fate/force_key_frames 
@@ -1,4 +1,4 @@ -07567b9528b8de523faaf49e4e1e0fc6 *tests/data/fate/force_key_frames.avi -113312 tests/data/fate/force_key_frames.avi -b2e92b97bac0243242281d71108ffdbd *tests/data/fate/force_key_frames.out.framecrc -stddev:34612.83 PSNR: 5.54 MAXDIFF:61408 bytes: 7603200/ 264 +1cd5f12691d602ef806606b0dc22fddc *tests/data/fate/force_key_frames.avi +574816 tests/data/fate/force_key_frames.avi +7c41fec64a8d44148f4fb81d31c5027c *tests/data/fate/force_key_frames.out.framecrc +stddev:29597.16 PSNR: 6.90 MAXDIFF:60652 bytes: 7603200/ 264 diff --git a/tests/ref/fate/shortest b/tests/ref/fate/shortest index b5845508cf..0690799d8d 100644 --- a/tests/ref/fate/shortest +++ b/tests/ref/fate/shortest 
@@ -9,109 +9,109 @@ #sample_rate 1: 44100 #channel_layout_name 1: mono 1, -256, -256, 1536, 416, 0x69efcbcc -0, 0, 0, 1, 8749, 0x57039d10, S=1, 8 +0, 0, 0, 1, 27867, 0x1426a0d6, S=1, 8 1, 1280, 1280, 1536, 418, 0xa0ccc09d -0, 1, 1, 1, 975, 0x2fcf0617, F=0x0, S=1, 8 +0, 1, 1, 1, 9806, 0xbebc2826, F=0x0, S=1, 8 1, 2816, 2816, 1536, 418, 0xb873cb60 -0, 2, 2, 1, 1167, 0x6d32482b, F=0x0, S=1, 8 +0, 2, 2, 1, 10453, 0x4a188450, F=0x0, S=1, 8 1, 4352, 4352, 1536, 418, 0x1366c008 -0, 3, 3, 1, 1274, 0xab1d80c9, F=0x0, S=1, 8 +0, 3, 3, 1, 10248, 0x4c831c08, F=0x0, S=1, 8 1, 5888, 5888, 1536, 418, 0xeb24c8da -0, 4, 4, 1, 1361, 0x9dc28a69, F=0x0, S=1, 8 +0, 4, 4, 1, 11680, 0x5508c44d, F=0x0, S=1, 8 1, 7424, 7424, 1536, 418, 0xc75ac55e -0, 5, 5, 1, 1415, 0x41d8ba3e, F=0x0, S=1, 8 +0, 5, 5, 1, 11046, 0x096ca433, F=0x0, S=1, 8 1, 8960, 8960, 1536, 418, 0xe336d28d 1, 10496, 10496, 1536, 418, 0xd0acc452 -0, 6, 6, 1, 1421, 0x8c83ad35, F=0x0, S=1, 8 +0, 6, 6, 1, 9888, 0x440a5b45, F=0x0, S=1, 8 1, 12032, 12032, 1536, 418, 0xae88c75f -0, 7, 7, 1, 1474, 0x1025b9b0, F=0x0, S=1, 8 +0, 7, 7, 1, 10165, 0x116d4909, F=0x0, S=1, 8 1, 13568, 13568, 1536, 418, 0xa200b8f0 -0, 8, 8, 1, 1467, 0xf3c0c714, F=0x0, S=1, 8 +0, 8, 8, 1, 11704, 0xb334a24c, F=0x0, S=1, 8 1, 15104, 15104, 1536, 418, 0x009dccf6 -0, 9, 9, 1, 1469, 0x1b9faf72, F=0x0, S=1, 8 +0, 9, 9, 1, 11059, 0x49aa6515, F=0x0, S=1, 8 1, 16640, 16640, 1536, 418, 0x585ec129 -0, 10, 10, 1, 1506, 0x18a9c359, F=0x0, S=1, 8 +0, 10, 10, 1, 8764, 0x8214fab0, F=0x0, S=1, 8 1, 18176, 18176, 1536, 418, 0xda1acf75 -0, 11, 11, 1, 1520, 0x0ec1d39a, F=0x0, S=1, 8 +0, 11, 11, 1, 9328, 0x92987740, F=0x0, S=1, 8 1, 19712, 19712, 1536, 418, 0xd326d279 -0, 12, 12, 1, 8554, 0xfab776e0, S=1, 8 +0, 12, 12, 1, 27955, 0xe25edb6c, S=1, 8 1, 21248, 21248, 1536, 418, 0x1b54bf76 1, 22784, 22784, 1536, 418, 0xdb39cbd1 -0, 13, 13, 1, 1079, 0x13e40cb3, F=0x0, S=1, 8 +0, 13, 13, 1, 11181, 0x3cf56687, F=0x0, S=1, 8 1, 24320, 24320, 1536, 418, 0x6813cefa -0, 14, 14, 1, 1343, 
0xf0058d2e, F=0x0, S=1, 8 +0, 14, 14, 1, 12002, 0x87942530, F=0x0, S=1, 8 1, 25856, 25856, 1536, 418, 0xb402d2ec -0, 15, 15, 1, 1486, 0x1da1c64e, F=0x0, S=1, 8 +0, 15, 15, 1, 10122, 0xbb10e8d9, F=0x0, S=1, 8 1, 27392, 27392, 1536, 418, 0x80c4c8d2 -0, 16, 16, 1, 1491, 0x872dd43d, F=0x0, S=1, 8 +0, 16, 16, 1, 9715, 0xa4a1325c, F=0x0, S=1, 8 1, 28928, 28928, 1536, 418, 0xaeaac123 -0, 17, 17, 1, 1504, 0x5907c6ca, F=0x0, S=1, 8 +0, 17, 17, 1, 11222, 0x15118a48, F=0x0, S=1, 8 1, 30464, 30464, 1536, 418, 0xe2c9c038 -0, 18, 18, 1, 1481, 0xde66ba0a, F=0x0, S=1, 8 +0, 18, 18, 1, 11384, 0xd4304391, F=0x0, S=1, 8 1, 32000, 32000, 1536, 418, 0x3f37c65b -0, 19, 19, 1, 1521, 0xf46dcef9, F=0x0, S=1, 8 +0, 19, 19, 1, 9141, 0xabd1eb90, F=0x0, S=1, 8 1, 33536, 33536, 1536, 418, 0xf9a2cf98 1, 35072, 35072, 1536, 418, 0xc951cbb5 -0, 20, 20, 1, 1514, 0x001ed7b1, F=0x0, S=1, 8 +0, 20, 20, 1, 10049, 0x5b388bc2, F=0x0, S=1, 8 1, 36608, 36608, 1536, 418, 0x4e92be94 -0, 21, 21, 1, 1562, 0x3974e095, F=0x0, S=1, 8 +0, 21, 21, 1, 9049, 0x214505c3, F=0x0, S=1, 8 1, 38144, 38144, 1536, 418, 0xa9d8c8d0 -0, 22, 22, 1, 1562, 0xa94bf1fc, F=0x0, S=1, 8 +0, 22, 22, 1, 9101, 0xdba6e5ba, F=0x0, S=1, 8 1, 39680, 39680, 1536, 418, 0xe4c8bc20 -0, 23, 23, 1, 1629, 0xdfcc0234, F=0x0, S=1, 8 +0, 23, 23, 1, 10351, 0x0aea5644, F=0x0, S=1, 8 1, 41216, 41216, 1536, 418, 0x2ccac571 -0, 24, 24, 1, 9664, 0xbf319bb0, S=1, 8 +0, 24, 24, 1, 27864, 0xd0287877, S=1, 8 1, 42752, 42752, 1536, 418, 0xd2a0cbff -0, 25, 25, 1, 1239, 0x1f9662f7, F=0x0, S=1, 8 +0, 25, 25, 1, 9026, 0x01ec7d47, F=0x0, S=1, 8 1, 44288, 44288, 1536, 418, 0xffadb489 1, 45824, 45824, 1536, 418, 0x1246cae7 -0, 26, 26, 1, 1568, 0xfbf8ed9d, F=0x0, S=1, 8 +0, 26, 26, 1, 8894, 0x5917d83b, F=0x0, S=1, 8 1, 47360, 47360, 1536, 418, 0xa74eb1f7 -0, 27, 27, 1, 1641, 0x46aafde5, F=0x0, S=1, 8 +0, 27, 27, 1, 10119, 0x3a2ede3a, F=0x0, S=1, 8 1, 48896, 48896, 1536, 418, 0x98cfc032 -0, 28, 28, 1, 1735, 0xa9363e9b, F=0x0, S=1, 8 +0, 28, 28, 1, 10290, 0xea641449, 
F=0x0, S=1, 8 1, 50432, 50432, 1536, 418, 0x8045c0a7 -0, 29, 29, 1, 1760, 0x99b82cbc, F=0x0, S=1, 8 +0, 29, 29, 1, 10922, 0xeb7e9700, F=0x0, S=1, 8 1, 51968, 51968, 1536, 418, 0x2180c196 -0, 30, 30, 1, 1798, 0xc0ba5286, F=0x0, S=1, 8 +0, 30, 30, 1, 9680, 0x929d1f59, F=0x0, S=1, 8 1, 53504, 53504, 1536, 418, 0x35f2b4d1 -0, 31, 31, 1, 1830, 0x4e8b4b80, F=0x0, S=1, 8 +0, 31, 31, 1, 8733, 0x8fa8fc4e, F=0x0, S=1, 8 1, 55040, 55040, 1536, 418, 0x876ec74d -0, 32, 32, 1, 1835, 0x218a69cb, F=0x0, S=1, 8 +0, 32, 32, 1, 9878, 0xe3f555e9, F=0x0, S=1, 8 1, 56576, 56576, 1536, 418, 0xbccebddd 1, 58112, 58112, 1536, 418, 0x40a1bcc7 -0, 33, 33, 1, 1902, 0x8f2b67d2, F=0x0, S=1, 8 +0, 33, 33, 1, 10926, 0x2a2bed74, F=0x0, S=1, 8 1, 59648, 59648, 1536, 418, 0xbd10bf09 -0, 34, 34, 1, 1886, 0xf4087481, F=0x0, S=1, 8 +0, 34, 34, 1, 12170, 0x70c8ab23, F=0x0, S=1, 8 1, 61184, 61184, 1536, 418, 0xb8e4b630 -0, 35, 35, 1, 1949, 0x142c8ac1, F=0x0, S=1, 8 +0, 35, 35, 1, 11631, 0x7d5e8297, F=0x0, S=1, 8 1, 62720, 62720, 1536, 418, 0xc667bd39 -0, 36, 36, 1, 10806, 0x603680c3, S=1, 8 +0, 36, 36, 1, 28056, 0x10bef294, S=1, 8 1, 64256, 64256, 1536, 418, 0x2985c4ac -0, 37, 37, 1, 1413, 0xc52395a2, F=0x0, S=1, 8 +0, 37, 37, 1, 11067, 0x490af43b, F=0x0, S=1, 8 1, 65792, 65792, 1536, 418, 0xb229b697 -0, 38, 38, 1, 1731, 0xa26a2fb2, F=0x0, S=1, 8 +0, 38, 38, 1, 11046, 0x6dba2441, F=0x0, S=1, 8 1, 67328, 67328, 1536, 418, 0xd2eec6d8 -0, 39, 39, 1, 1888, 0xa2995d2a, F=0x0, S=1, 8 +0, 39, 39, 1, 10922, 0x069cfa74, F=0x0, S=1, 8 1, 68864, 68864, 1536, 418, 0x74a9c1a9 1, 70400, 70400, 1536, 418, 0x2d1cc383 -0, 40, 40, 1, 1989, 0x0274904a, F=0x0, S=1, 8 +0, 40, 40, 1, 11477, 0x18baebc1, F=0x0, S=1, 8 1, 71936, 71936, 1536, 418, 0x0ad9c88a -0, 41, 41, 1, 1949, 0x66fa8de9, F=0x0, S=1, 8 +0, 41, 41, 1, 10285, 0x792623a6, F=0x0, S=1, 8 1, 73472, 73472, 1536, 418, 0x9aa3d0a7 -0, 42, 42, 1, 1956, 0x4e2e831d, F=0x0, S=1, 8 +0, 42, 42, 1, 9961, 0x69d8a3b1, F=0x0, S=1, 8 1, 75008, 75008, 1536, 416, 0x99f5b2b6 -0, 43, 
43, 1, 2012, 0x1d75ac7a, F=0x0, S=1, 8 +0, 43, 43, 1, 11162, 0x6f3788c6, F=0x0, S=1, 8 1, 76544, 76544, 1536, 418, 0xfb7dc20d -0, 44, 44, 1, 1995, 0xdc478fec, F=0x0, S=1, 8 +0, 44, 44, 1, 10696, 0x524ad4f8, F=0x0, S=1, 8 1, 78080, 78080, 1536, 418, 0xebc8c568 -0, 45, 45, 1, 2078, 0x416aaf11, F=0x0, S=1, 8 +0, 45, 45, 1, 10319, 0x9d6ff8f7, F=0x0, S=1, 8 1, 79616, 79616, 1536, 418, 0x7361c949 -0, 46, 46, 1, 2116, 0x1416cc81, F=0x0, S=1, 8 +0, 46, 46, 1, 8796, 0xb0cc869e, F=0x0, S=1, 8 1, 81152, 81152, 1536, 418, 0x85d8bbd0 1, 82688, 82688, 1536, 418, 0x72e8bad1 -0, 47, 47, 1, 2024, 0xf1c1ad7d, F=0x0, S=1, 8 +0, 47, 47, 1, 8779, 0x2027399c, F=0x0, S=1, 8 1, 84224, 84224, 1536, 418, 0x4febb56f -0, 48, 48, 1, 11212, 0xc61a3f0a, S=1, 8 +0, 48, 48, 1, 28143, 0x1df268c5, S=1, 8 1, 85760, 85760, 1536, 418, 0xae06ca91 -0, 49, 49, 1, 1423, 0x45fba9e4, F=0x0, S=1, 8 +0, 49, 49, 1, 10073, 0xedb9f031, F=0x0, S=1, 8 From 6c701b5f6cda5f315f6385a3e0ded6a70942d17b Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 5 Apr 2024 17:13:15 -0300 Subject: [PATCH 056/562] doc/encoders: remove non-existent flag Signed-off-by: James Almer (cherry picked from commit 16ba7bdd764fc562a3fcdf86f65d8467537d9278) --- doc/encoders.texi | 3 --- 1 file changed, 3 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 7c223ed74c..3a34222bd6 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -3045,9 +3045,6 @@ Enable high quality AC prediction. @item gray Only encode grayscale. -@item gmc -Enable the use of global motion compensation (GMC). - @item qpel Enable quarter-pixel motion compensation. From d38bf5e08e768722096723b5c8781cd2eb18d070 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 5 Apr 2024 17:18:35 -0300 Subject: [PATCH 057/562] doc/encoders: add missing libxvid option Signed-off-by: James Almer (cherry picked from commit 6f13f5dd59675d76844fc798d90028ab442c2521) --- doc/encoders.texi | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/doc/encoders.texi b/doc/encoders.texi index 3a34222bd6..840382a25a 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -3056,7 +3056,9 @@ Place global headers in extradata instead of every keyframe. @end table -@item trellis +@item gmc +Enable the use of global motion compensation (GMC). Default is 0 +(disabled). @item me_quality Set motion estimation quality level. Possible values in decreasing order of @@ -3111,6 +3113,9 @@ be better than any of the two specified individually. In other words, the resulting quality will be the worse one of the two effects. +@item trellis +Set rate-distortion optimal quantization. + @item ssim Set structural similarity (SSIM) displaying method. Possible values: From 0d851a82dd974dcafe2f4f67ea0d72fb2e63c6bb Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sat, 13 Apr 2024 20:05:23 +0100 Subject: [PATCH 058/562] lavc/av1: Record reference ordering information for each frame This is needed by Vulkan. Constructing this can't be delegated to CBS because packets might contain multiple frames (when non-shown frames are present) but we need separate snapshots immediately before each frame for the decoder. (cherry picked from commit 22ced1edc6fc4100072e122d549fe379aff76954) --- libavcodec/av1dec.c | 26 ++++++++++++++++++++++++++ libavcodec/av1dec.h | 8 ++++++++ 2 files changed, 34 insertions(+) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 32a795e758..2850dc96ff 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c 
@@ -358,6 +358,25 @@ static void coded_lossless_param(AV1DecContext *s) } } +static void order_hint_info(AV1DecContext *s) +{ + const AV1RawFrameHeader *header = s->raw_frame_header; + const AV1RawSequenceHeader *seq = s->raw_seq; + AV1Frame *frame = &s->cur_frame; + + frame->order_hint = header->order_hint; + + for (int i = 0; i < AV1_REFS_PER_FRAME; i++) { + int ref_name = i + AV1_REF_FRAME_LAST; + int ref_slot = header->ref_frame_idx[i]; + int ref_order_hint = s->ref[ref_slot].order_hint; + + frame->order_hints[ref_name] = ref_order_hint; + frame->ref_frame_sign_bias[ref_name] = + get_relative_dist(seq, ref_order_hint, frame->order_hint); + } +} + static void load_grain_params(AV1DecContext *s) { const AV1RawFrameHeader *header = s->raw_frame_header; @@ -700,6 +719,12 @@ static int av1_frame_ref(AVCodecContext *avctx, AV1Frame *dst, const AV1Frame *s sizeof(dst->film_grain)); dst->coded_lossless = src->coded_lossless; + dst->order_hint = src->order_hint; + memcpy(dst->ref_frame_sign_bias, src->ref_frame_sign_bias, + sizeof(dst->ref_frame_sign_bias)); + memcpy(dst->order_hints, src->order_hints, + sizeof(dst->order_hints)); + return 0; fail: @@ -1255,6 +1280,7 @@ static int get_current_frame(AVCodecContext *avctx) global_motion_params(s); skip_mode_params(s); coded_lossless_param(s); + order_hint_info(s); load_grain_params(s); return ret; diff --git a/libavcodec/av1dec.h b/libavcodec/av1dec.h index 336eb61359..79a0be510b 100644 --- a/libavcodec/av1dec.h +++ b/libavcodec/av1dec.h @@ -53,6 +53,14 @@ typedef struct AV1Frame { AV1RawFilmGrainParams film_grain; uint8_t coded_lossless; + + // OrderHint for this frame. + uint8_t order_hint; + // RefFrameSignBias[] used when decoding this frame. + uint8_t ref_frame_sign_bias[AV1_TOTAL_REFS_PER_FRAME]; + // OrderHints[] when this is the current frame, otherwise + // SavedOrderHints[s][] when is the reference frame in slot s. + uint8_t order_hints[AV1_TOTAL_REFS_PER_FRAME]; } AV1Frame; typedef struct TileGroupInfo { 
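Review bot: In the new order_hint_info(), `frame->ref_frame_sign_bias[ref_name]` receives the raw return of get_relative_dist(), a signed distance, in a uint8_t field that the av1dec.h hunk documents as RefFrameSignBias[]; the specified value is a 0/1 flag (distance > 0) and is 0 whenever `enable_order_hint` is unset. A negative distance wraps to a large byte here, and patch 059 further down this page ORs `pic->ref_frame_sign_bias[i] << i` into a bitmask, where any value other than 0 or 1 corrupts the neighbouring bits. The one-line fix is `frame->ref_frame_sign_bias[ref_name] = seq->enable_order_hint && get_relative_dist(seq, ref_order_hint, frame->order_hint) > 0;`, which is what patch 067 later in this series applies. The comment in the av1dec.h hunk, `SavedOrderHints[s][] when is the reference frame in slot s`, is missing the word `this`.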
From 48721a415a057adde61b586f2eb9815a625abbf7 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sat, 13 Apr 2024 20:06:56 +0100 Subject: [PATCH 059/562] lavc/vulkan_av1: Use av1dec reference order hint information (cherry picked from commit 3cca8dfbd88dfbf9c20f2e8c8da47881b4596567) --- libavcodec/vulkan_av1.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/libavcodec/vulkan_av1.c b/libavcodec/vulkan_av1.c index c9e398eaec..fcc9a4f03b 100644 --- a/libavcodec/vulkan_av1.c +++ b/libavcodec/vulkan_av1.c @@ -76,7 +76,7 @@ static int vk_av1_fill_pict(AVCodecContext *avctx, const AV1Frame **ref_src, StdVideoDecodeAV1ReferenceInfo *vkav1_std_ref, VkVideoDecodeAV1DpbSlotInfoKHR *vkav1_ref, /* Goes in ^ */ const AV1Frame *pic, int is_current, int has_grain, - int *saved_order_hints) + const uint8_t *saved_order_hints) { FFVulkanDecodeContext *dec = avctx->internal->hwaccel_priv_data; AV1VulkanDecodePicture *hp = pic->hwaccel_picture_private; @@ -242,7 +242,6 @@ static int vk_av1_start_frame(AVCodecContext *avctx, const AV1RawFrameHeader *frame_header = s->raw_frame_header; const AV1RawFilmGrainParams *film_grain = &s->cur_frame.film_grain; - CodedBitstreamAV1Context *cbs_ctx = (CodedBitstreamAV1Context *)(s->cbc->priv_data); const int apply_grain = !(avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && film_grain->apply_grain; @@ -272,7 +271,7 @@ static int vk_av1_start_frame(AVCodecContext *avctx, ap->ref_frame_sign_bias_mask = 0x0; for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) - ap->ref_frame_sign_bias_mask |= cbs_ctx->ref_frame_sign_bias[i] << i; + ap->ref_frame_sign_bias_mask |= pic->ref_frame_sign_bias[i] << i; for (int i = 0; i < STD_VIDEO_AV1_REFS_PER_FRAME; i++) { const int idx = pic->raw_frame_header->ref_frame_idx[i]; 
@@ -294,7 +293,7 @@ static int vk_av1_start_frame(AVCodecContext *avctx, err = vk_av1_fill_pict(avctx, &ap->ref_src[ref_count], &vp->ref_slots[ref_count], &vp->refs[ref_count], &ap->std_refs[ref_count], &ap->vkav1_refs[ref_count], - ref_frame, 0, 0, cbs_ctx->ref[idx].saved_order_hints); + ref_frame, 0, 0, ref_frame->order_hints); if (err < 0) return err; @@ -491,8 +490,14 @@ static int vk_av1_start_frame(AVCodecContext *avctx, } } - for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) + for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) { + ap->std_pic_info.OrderHints[i] = pic->order_hints[i]; ap->loop_filter.loop_filter_ref_deltas[i] = frame_header->loop_filter_ref_deltas[i]; + ap->global_motion.GmType[i] = s->cur_frame.gm_type[i]; + for (int j = 0; j < STD_VIDEO_AV1_GLOBAL_MOTION_PARAMS; j++) { + ap->global_motion.gm_params[i][j] = s->cur_frame.gm_params[i][j]; + } + } for (int i = 0; i < STD_VIDEO_AV1_MAX_CDEF_FILTER_STRENGTHS; i++) { ap->cdef.cdef_y_pri_strength[i] = frame_header->cdef_y_pri_strength[i]; @@ -501,14 +506,6 @@ static int vk_av1_start_frame(AVCodecContext *avctx, ap->cdef.cdef_uv_sec_strength[i] = frame_header->cdef_uv_sec_strength[i]; } - for (int i = 0; i < STD_VIDEO_AV1_NUM_REF_FRAMES; i++) { - ap->std_pic_info.OrderHints[i] = frame_header->ref_order_hint[i]; - ap->global_motion.GmType[i] = s->cur_frame.gm_type[i]; - for (int j = 0; j < STD_VIDEO_AV1_GLOBAL_MOTION_PARAMS; j++) { - ap->global_motion.gm_params[i][j] = s->cur_frame.gm_params[i][j]; - } - } - if (apply_grain) { for (int i = 0; i < STD_VIDEO_AV1_MAX_NUM_Y_POINTS; i++) { ap->film_grain.point_y_value[i] = film_grain->point_y_value[i]; From 8dfafe536657e5c5437cf24f7cb058ef7a9f1875 Mon Sep 17 00:00:00 2001 
From: Lynne Date: Sun, 14 Apr 2024 14:11:44 +0200 Subject: [PATCH 060/562] vulkan_av1: add workaround for NVIDIA drivers tested on broken CTS The first release of the CTS for AV1 decoding had incorrect offsets for the OrderHints values. The CTS will be fixed, and eventually, the drivers will be updated to the proper spec-conforming behaviour, but we still need to add a workaround as this will take months. Only NVIDIA use these values at all, so limit the workaround to only NVIDIA. Also, other vendors don't tend to provide accurate CTS information. (cherry picked from commit db09f1a5d811a3ca8adc89c58e29932efd0c255e) --- libavcodec/vulkan_av1.c | 19 +++++++++++++++---- libavcodec/vulkan_decode.c | 9 +++++++++ libavcodec/vulkan_decode.h | 4 ++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/libavcodec/vulkan_av1.c b/libavcodec/vulkan_av1.c index fcc9a4f03b..49cd69d051 100644 --- a/libavcodec/vulkan_av1.c +++ b/libavcodec/vulkan_av1.c @@ -97,9 +97,14 @@ static int vk_av1_fill_pict(AVCodecContext *avctx, const AV1Frame **ref_src, .RefFrameSignBias = hp->ref_frame_sign_bias_mask, }; - if (saved_order_hints) - for (int i = 0; i < AV1_TOTAL_REFS_PER_FRAME; i++) - vkav1_std_ref->SavedOrderHints[i] = saved_order_hints[i]; + if (saved_order_hints) { + if (dec->quirk_av1_offset) + for (int i = 1; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) + vkav1_std_ref->SavedOrderHints[i - 1] = saved_order_hints[i]; + else + for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) + vkav1_std_ref->SavedOrderHints[i] = saved_order_hints[i]; + } *vkav1_ref = (VkVideoDecodeAV1DpbSlotInfoKHR) { .sType = VK_STRUCTURE_TYPE_VIDEO_DECODE_AV1_DPB_SLOT_INFO_KHR, 
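Review bot: The quirk handling in vk_av1_fill_pict() is an `if`/`else` whose branches are unbraced `for` loops, and the same two-loop shape is repeated in the vk_av1_start_frame() hunk that follows (`@@ -490,8 +495,14`); two copies of an off-by-one workaround are easy to let drift when the driver check is later relaxed or removed. A small static helper taking destination, source and the quirk flag keeps the two sites identical and gives the workaround one place to be documented. With the quirk active, the last destination element is never written and stays at the zero from the enclosing designated initializer, which is presumably intended but deserves a comment. The destination arrays are assumed to be uint8_t as in the Vulkan video headers — confirm before adopting the signature.
```c
/* Copy OrderHints into a Vulkan array. With quirk_av1_offset set the values
 * are shifted down by one to match drivers validated against the CTS 1.3.8
 * release; the last entry is left untouched (zero from the initializer). */
static void vk_av1_copy_order_hints(uint8_t *dst, const uint8_t *src,
                                    int quirk_av1_offset)
{
    if (quirk_av1_offset) {
        for (int i = 1; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++)
            dst[i - 1] = src[i];
    } else {
        for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++)
            dst[i] = src[i];
    }
}

    /* … unchanged: vkav1_std_ref initialization … */
    if (saved_order_hints)
        vk_av1_copy_order_hints(vkav1_std_ref->SavedOrderHints,
                                saved_order_hints, dec->quirk_av1_offset);
```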
@@ -490,8 +495,14 @@ static int vk_av1_start_frame(AVCodecContext *avctx, } } + if (dec->quirk_av1_offset) + for (int i = 1; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) + ap->std_pic_info.OrderHints[i - 1] = pic->order_hints[i]; + else + for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) + ap->std_pic_info.OrderHints[i] = pic->order_hints[i]; + for (int i = 0; i < STD_VIDEO_AV1_TOTAL_REFS_PER_FRAME; i++) { - ap->std_pic_info.OrderHints[i] = pic->order_hints[i]; ap->loop_filter.loop_filter_ref_deltas[i] = frame_header->loop_filter_ref_deltas[i]; ap->global_motion.GmType[i] = s->cur_frame.gm_type[i]; for (int j = 0; j < STD_VIDEO_AV1_GLOBAL_MOTION_PARAMS; j++) { diff --git a/libavcodec/vulkan_decode.c b/libavcodec/vulkan_decode.c index 4561f26b62..5f6523920d 100644 --- a/libavcodec/vulkan_decode.c +++ b/libavcodec/vulkan_decode.c @@ -1114,6 +1114,7 @@ int ff_vk_decode_init(AVCodecContext *avctx) FFVulkanFunctions *vk; const VkVideoProfileInfoKHR *profile; const FFVulkanDecodeDescriptor *vk_desc; + const VkPhysicalDeviceDriverProperties *driver_props; VkVideoDecodeH264SessionParametersCreateInfoKHR h264_params = { .sType = VK_STRUCTURE_TYPE_VIDEO_DECODE_H264_SESSION_PARAMETERS_CREATE_INFO_KHR, @@ -1275,6 +1276,14 @@ int ff_vk_decode_init(AVCodecContext *avctx) return AVERROR_EXTERNAL; } + driver_props = &dec->shared_ctx->s.driver_props; + if (driver_props->driverID == VK_DRIVER_ID_NVIDIA_PROPRIETARY && + driver_props->conformanceVersion.major == 1 && + driver_props->conformanceVersion.minor == 3 && + driver_props->conformanceVersion.subminor == 8 && + driver_props->conformanceVersion.patch < 3) + dec->quirk_av1_offset = 1; + ff_vk_decode_flush(avctx); av_log(avctx, AV_LOG_VERBOSE, "Vulkan decoder initialization sucessful\n"); diff --git a/libavcodec/vulkan_decode.h b/libavcodec/vulkan_decode.h index 7ba8b239cb..076af93499 100644 --- a/libavcodec/vulkan_decode.h +++ b/libavcodec/vulkan_decode.h 
@@ -72,6 +72,10 @@ typedef struct FFVulkanDecodeContext { int external_fg; /* Oddity #2 - hardware can't apply film grain */ uint32_t frame_id_alloc_mask; /* For AV1 only */ + /* Workaround for NVIDIA drivers tested with CTS version 1.3.8 for AV1. + * The tests were incorrect as the OrderHints were offset by 1. */ + int quirk_av1_offset; + /* Thread-local state below */ struct HEVCHeaderSet *hevc_headers; size_t hevc_headers_size; From ed55219eddc96f6c41f88069d7e492976002f528 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 13 Apr 2024 10:11:03 -0300 Subject: [PATCH 061/562] avformat/mov: ignore old infe box versions Some files with no image items have them, and were working prior to the recent HEIF parsing overhaul. Ignore such boxes instead, to recover the old behavior. Fixes a regression since d9fed9df2a9e70c9375d3b2591db35c09303d369. Tested-by: Wu Jianhua Signed-off-by: James Almer (cherry picked from commit 5b9db32ccc9426dc2aa37f21eee4c9efd1baf75b) --- libavformat/mov.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 50fbcd1f9b..d9009f2eab 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8128,8 +8128,8 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx) size -= 4; if (version < 2) { - av_log(c->fc, AV_LOG_ERROR, "infe: version < 2 not supported\n"); - return AVERROR_PATCHWELCOME; + avpriv_report_missing_feature(c->fc, "infe version < 2"); + return 1; } item_id = version > 2 ? avio_rb32(pb) : avio_rb16(pb); @@ -8200,6 +8200,8 @@ static int mov_read_iinf(MOVContext *c, AVIOContext *pb, MOVAtom atom) ret = mov_read_infe(c, pb, infe, i); if (ret < 0) return ret; + if (ret) + return 0; } c->found_iinf = 1; 
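Review bot: The `version < 2` branch in mov_read_infe() now returns 1 without consuming the `size` bytes of the infe payload, so the read position is left inside the box, and mov_read_iinf()'s new `if (ret) return 0;` then abandons the remaining entries, including any version >= 2 ones that follow. Whether the caller reseeks to the end of the iinf box afterwards is not visible in these hunks. Adding `avio_skip(pb, size);` before `return 1;` and continuing the loop instead of returning turns the old-version case into a per-item skip rather than a per-box bail-out; patch 073 further down this page does both, which suggests the gap was real.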
@@ -9495,14 +9497,15 @@ static int mov_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "error reading header\n"); return err; } - } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->found_iloc && !mov->moov_retry++); - if (!mov->found_moov && !mov->found_iloc) { + } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && + !mov->found_moov && (!mov->found_iloc || !mov->found_iinf) && !mov->moov_retry++); + if (!mov->found_moov && !mov->found_iloc && !mov->found_iinf) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); return AVERROR_INVALIDDATA; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); - if (mov->found_iloc) { + if (mov->found_iloc && mov->found_iinf) { for (i = 0; i < mov->nb_heif_item; i++) { HEIFItem *item = &mov->heif_item[i]; MOVStreamContext *sc; From cbd98447bcfd83bff98c18e144f50a603bebaf90 Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Thu, 18 Apr 2024 21:26:20 +0100 Subject: [PATCH 062/562] lavc/vvc: Skip enhancement layer NAL units The native VVC decoder does not yet support quality/spatial/multiview scalability. Bitstreams requiring this feature could cause crashes. Patch fixes this by skipping NAL units which are not in the base layer, warning the user while doing so. Signed-off-by: Frank Plowman Signed-off-by: James Almer (cherry picked from commit bb9e4ff355684b0325d1632b89baab96cc24dc51) --- libavcodec/vvc/vvcdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vvc/vvcdec.c b/libavcodec/vvc/vvcdec.c index e72bb48a50..2f8b84f63b 100644 --- a/libavcodec/vvc/vvcdec.c +++ b/libavcodec/vvc/vvcdec.c @@ -782,6 +782,12 @@ static int decode_nal_unit(VVCContext *s, VVCFrameContext *fc, const H2645NAL *n s->temporal_id = nal->temporal_id; + if (nal->nuh_layer_id > 0) { + avpriv_report_missing_feature(fc->log_ctx, + "Decoding of multilayer bitstreams"); + return AVERROR_PATCHWELCOME; + } + switch (unit->type) { case VVC_VPS_NUT: case VVC_SPS_NUT: 
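Review bot: The new `nuh_layer_id > 0` check in decode_nal_unit() returns AVERROR_PATCHWELCOME, while the commit message describes skipping the NAL unit with a warning; if the caller (outside this hunk) treats any negative return as a decode error, enhancement-layer bitstreams fail outright instead of decoding their base layer. avpriv_report_missing_feature() also logs on every call, so such a stream produces one warning per enhancement-layer NAL unit. If skipping is the intent, log once (for example with av_log_once() and a flag on the context) and `return 0;` so the base layer keeps decoding; if failing is the intent, the commit message should say so. decode_nal_unit() starts before this hunk.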
From 30002d58fa4115fad26bc1fa302dfca5de10e853 Mon Sep 17 00:00:00 2001 From: Niklas Haas Date: Sat, 6 Apr 2024 13:11:09 +0200 Subject: [PATCH 063/562] avcodec/hevcdec: fix segfault on invalid film grain metadata Invalid input files may contain film grain metadata which survives ff_h274_film_grain_params_supported() but does not pass av_film_grain_params_select(), leading to a SIGSEGV on hevc_frame_end(). Fix this by duplicating the av_film_grain_params_select() check at frame init time. An alternative solution here would be to defer the incompatibility check to hevc_frame_end(), but this has the downside of allocating a film grain buffer even when we already know we can't apply film grain. Fixes: https://trac.ffmpeg.org/ticket/10951 (cherry picked from commit 459648761f5412acdc3317d5bac982ceaa257584) --- libavcodec/hevcdec.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 575836e340..5a3d6fc4f1 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2892,10 +2892,15 @@ static int hevc_frame_start(HEVCContext *s) !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && !s->avctx->hwaccel; + ret = set_side_data(s); + if (ret < 0) + goto fail; + if (s->ref->needs_fg && - s->sei.common.film_grain_characteristics.present && - !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, - s->ref->frame->format)) { + ( s->sei.common.film_grain_characteristics.present && + !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, + s->ref->frame->format)) + || !av_film_grain_params_select(s->ref->frame)) { av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown, "Unsupported film grain parameters. Ignoring film grain.\n"); s->ref->needs_fg = 0; 
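Review bot: The widened condition in hevc_frame_start() has a precedence defect: `a && (b && !c) || !d` parses as `(a && b && !c) || !d`, so `!av_film_grain_params_select(s->ref->frame)` triggers the "Unsupported film grain parameters" warning and clears `needs_fg` even when `s->ref->needs_fg` is already zero — presumably for every frame that carries no film grain side data. The `||` term has to sit inside the parenthesised group: `if (s->ref->needs_fg && (s->sei.common.film_grain_characteristics.present && !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, s->ref->frame->format) || !av_film_grain_params_select(s->ref->frame)))`. Patch 064 immediately below applies this correction.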
@@ -2909,10 +2914,6 @@ static int hevc_frame_start(HEVCContext *s) goto fail; } - ret = set_side_data(s); - if (ret < 0) - goto fail; - s->frame->pict_type = 3 - s->sh.slice_type; if (!IS_IRAP(s)) From 2d3ee7c069d631e8a32b647cb765028ea76b3a2e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 19 Apr 2024 13:59:40 +0200 Subject: [PATCH 064/562] avcodec/hevcdec: Fix precedence, bogus film grain warning Reviewed-by: Niklas Haas Signed-off-by: Andreas Rheinhardt (cherry picked from commit bba996d6cdac15367f265e245987477d0f7b1899) --- libavcodec/hevcdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 5a3d6fc4f1..08fd3be43c 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2897,10 +2897,10 @@ static int hevc_frame_start(HEVCContext *s) goto fail; if (s->ref->needs_fg && - ( s->sei.common.film_grain_characteristics.present && - !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, - s->ref->frame->format)) - || !av_film_grain_params_select(s->ref->frame)) { + (s->sei.common.film_grain_characteristics.present && + !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, + s->ref->frame->format) + || !av_film_grain_params_select(s->ref->frame))) { av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown, "Unsupported film grain parameters. Ignoring film grain.\n"); s->ref->needs_fg = 0; From 13e93ffbfd08598b8952aa7ce42ec4abe6d5ebfd Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Wed, 17 Apr 2024 12:37:38 +0800 Subject: [PATCH 065/562] avcodec/mediacodecenc: Fix return empty packet when bsf is used Signed-off-by: Zhao Zhili (cherry picked from commit a5a3788f562066a830a925d71cdbe8650e457e3b) --- libavcodec/mediacodecenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mediacodecenc.c b/libavcodec/mediacodecenc.c index 984014f1b1..fcb84ef0ac 100644 
--- a/libavcodec/mediacodecenc.c +++ b/libavcodec/mediacodecenc.c @@ -533,7 +533,7 @@ static int mediacodec_encode(AVCodecContext *avctx, AVPacket *pkt) return 0; } - if (ret != AVERROR(EAGAIN)) + if (ret < 0 && ret != AVERROR(EAGAIN)) return ret; if (!s->frame->buf[0]) { From 506fbe681c178560cb4ca65b8645b81a143b7d61 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Apr 2024 20:26:24 -0300 Subject: [PATCH 066/562] avcodec/codec_par: always clear extradata_size in avcodec_parameters_to_context() Missed in d383ae43c266b160348db04f2fd17ccf30286784. Signed-off-by: James Almer (cherry picked from commit c4e3d6cdb066425a5f5a2e05def9470a47a6082c) --- libavcodec/codec_par.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/codec_par.c b/libavcodec/codec_par.c index 212cb97d77..790ea01d10 100644 --- a/libavcodec/codec_par.c +++ b/libavcodec/codec_par.c @@ -250,6 +250,7 @@ int avcodec_parameters_to_context(AVCodecContext *codec, } av_freep(&codec->extradata); + codec->extradata_size = 0; if (par->extradata) { codec->extradata = av_mallocz(par->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec->extradata) From 9963b9e3c9e51ae6fb5ff4df5a26a459922dc51c Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Mon, 22 Apr 2024 21:24:20 +0100 Subject: [PATCH 067/562] av1dec: Fix RefFrameSignBias calculation (cherry picked from commit ba6b08c75b6e8394c5c53bde22623a393a2d1c47) --- libavcodec/av1dec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 2850dc96ff..1d3c5dfc9d 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c 
@@ -372,8 +372,13 @@ static void order_hint_info(AV1DecContext *s) int ref_order_hint = s->ref[ref_slot].order_hint; frame->order_hints[ref_name] = ref_order_hint; - frame->ref_frame_sign_bias[ref_name] = - get_relative_dist(seq, ref_order_hint, frame->order_hint); + if (!seq->enable_order_hint) { + frame->ref_frame_sign_bias[ref_name] = 0; + } else { + frame->ref_frame_sign_bias[ref_name] = + get_relative_dist(seq, ref_order_hint, + frame->order_hint) > 0; + } } } From 96d941b30ea1d7195ee13dbab192984efb5572b7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 24 Apr 2024 17:35:36 -0300 Subject: [PATCH 068/562] avutil/iamf: fix mix_gain_class name Signed-off-by: James Almer (cherry picked from commit b9af58184fd3bf6438924ce7e827ed198e517f7f) --- libavutil/iamf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/iamf.c b/libavutil/iamf.c index 84bed5a45e..c96100e7a0 100644 --- a/libavutil/iamf.c +++ b/libavutil/iamf.c @@ -74,7 +74,7 @@ static const AVOption mix_gain_options[] = { }; static const AVClass mix_gain_class = { - .class_name = "AVIAMFSubmixElement", + .class_name = "AVIAMFMixGain", .item_name = av_default_item_name, .version = LIBAVUTIL_VERSION_INT, .option = mix_gain_options, From 64a048d4cc0a2806c29348012165dea0c6a08613 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 27 Apr 2024 19:38:13 -0300 Subject: [PATCH 069/562] avformat/mov: fix the check for the heif item parsing loop Fixes: Null pointer dereference Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer (cherry picked from commit 31327c2d075a413749c1461c06382993b9bba90e) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d9009f2eab..9291195a8f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -9427,7 +9427,8 @@ static int mov_parse_tiles(AVFormatContext *s) break; } - if (k == grid->nb_tiles) { + if (k == mov->nb_heif_item) { + av_assert0(loop); av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't " "exist\n", tile_id, grid->item->item_id); From 0085da21b4ca67d9c1d4423d081f7139ba666dea Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 1 Apr 2024 23:52:53 -0300 Subject: [PATCH 070/562] avformat/mov: take into account the first eight bytes in the keys atom Signed-off-by: James Almer (cherry picked from commit 3d12ba77d9a4660b2e71889d1c2f99e8f3ade98b) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9291195a8f..d551a0f8e0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5023,6 +5023,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); + atom.size -= 8; if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %"PRIu32"\n", count); From fb8f0ea7b31d78e8a14d79549a76fd71de390907 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 1 Apr 2024 23:54:53 -0300 Subject: [PATCH 071/562] avformat/mov: don't read key_size bytes twice in the keys atom We only support mdta as type, yet we were not skipping other types, but rather reading key_size worth of bytes twice per entry. Signed-off-by: James Almer (cherry picked from commit 5a06d3810e41134ee9c2941cc0b371da62b539db) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index d551a0f8e0..056890c85b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5048,6 +5048,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); + continue; } c->meta_keys[i] = av_mallocz(key_size + 1); if (!c->meta_keys[i]) 
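Review bot: `av_assert0(loop)` is added on a path reached while parsing HEIF item references from the input file; av_assert0 aborts the process, so if `loop` (declared outside this hunk) can be zero here for a crafted file, a malformed grid becomes a crash instead of the warning the following av_log() intends. If `loop` is an invariant of the enclosing search loop that no input can violate, a comment saying why is warranted; if it is input-dependent, `return AVERROR_INVALIDDATA;` or the warning alone is the appropriate reaction. The enclosing loop of mov_parse_tiles() starts before this hunk.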
From 5683aa6318d9e26f0d94002eaf2be71b79afe96c Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 15 Apr 2024 18:06:01 -0300 Subject: [PATCH 072/562] avformat/iamf_writer: reject duplicated stream ids in a stream group Signed-off-by: James Almer (cherry picked from commit 6b6a0fc53df592183c69e518967841272ab4e862) --- libavformat/iamf_writer.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index 37ec8e732a..6d4e4082eb 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c @@ -275,6 +275,17 @@ int ff_iamf_add_audio_element(IAMFContext *iamf, const AVStreamGroup *stg, void } } + for (int i = 0; i < audio_element->nb_substreams; i++) { + for (int j = i + 1; j < audio_element->nb_substreams; j++) + if (audio_element->substreams[i].audio_substream_id == + audio_element->substreams[j].audio_substream_id) { + av_log(log_ctx, AV_LOG_ERROR, "Duplicate id %u in streams %u and %u from stream group %u\n", + audio_element->substreams[i].audio_substream_id, i, j, stg->index); + ret = AVERROR(EINVAL); + goto fail; + } + } + if (iamf_audio_element->demixing_info) { AVIAMFParamDefinition *param = iamf_audio_element->demixing_info; const IAMFParamDefinition *param_definition = ff_iamf_get_param_definition(iamf, param->parameter_id); From 1e6382a6b78883e4e7597dadb20f066870b21845 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 26 Apr 2024 21:26:01 -0300 Subject: [PATCH 073/562] avformat/mov: free the infe allocated item data on failure Fixes: memleak Fixes: 68212/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4963488540721152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e09164940e4ff0b0ee9228f9d27385211160c6da) --- libavformat/mov.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) 
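Review bot: In the new duplicate-id check in ff_iamf_add_audio_element(), `i` and `j` are `int` loop counters but are printed with `%u`; the conversion specifier has to match the argument type, so either use `%d` for the two indices or declare the counters `unsigned`. The inner `for` body is an unbraced multi-line `if` next to a braced outer loop, which reads ambiguously; bracing it costs two lines.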
diff --git a/libavformat/mov.c b/libavformat/mov.c index 056890c85b..6e3178f7c8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -83,6 +83,7 @@ typedef struct MOVParseTableEntry { static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom); static int mov_read_mfra(MOVContext *c, AVIOContext *f); +static void mov_free_stream_context(AVFormatContext *s, AVStream *st); static int64_t add_ctts_entry(MOVCtts** ctts_data, unsigned int* ctts_count, unsigned int* allocated_size, int count, int duration); @@ -8131,6 +8132,7 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx) if (version < 2) { avpriv_report_missing_feature(c->fc, "infe version < 2"); + avio_skip(pb, size); return 1; } @@ -8174,7 +8176,7 @@ static int mov_read_iinf(MOVContext *c, AVIOContext *pb, MOVAtom atom) { HEIFItem *heif_item; int entry_count; - int version, ret; + int version, got_stream = 0, ret, i; if (c->found_iinf) { av_log(c->fc, AV_LOG_WARNING, "Duplicate iinf box found\n"); @@ -8194,20 +8196,33 @@ static int mov_read_iinf(MOVContext *c, AVIOContext *pb, MOVAtom atom) sizeof(*c->heif_item) * (entry_count - c->nb_heif_item)); c->nb_heif_item = FFMAX(c->nb_heif_item, entry_count); - for (int i = 0; i < entry_count; i++) { + for (i = 0; i < entry_count; i++) { MOVAtom infe; infe.size = avio_rb32(pb) - 8; infe.type = avio_rl32(pb); ret = mov_read_infe(c, pb, infe, i); if (ret < 0) - return ret; - if (ret) - return 0; + goto fail; + if (!ret) + got_stream = 1; } - c->found_iinf = 1; + c->found_iinf = got_stream; return 0; +fail: + for (; i >= 0; i--) { + HEIFItem *item = &c->heif_item[i]; + + av_freep(&item->name); + if (!item->st) + continue; + + mov_free_stream_context(c->fc, item->st); + ff_remove_stream(c->fc, item->st); + item->st = NULL; + } + return ret; } static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version) 
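Review bot: The new `fail:` path in mov_read_iinf() walks items `i` down to 0 and calls `ff_remove_stream(c->fc, item->st)` for each; that helper is presumably only able to drop the most recently added stream, so the teardown is correct only if every infe created at most one stream and nothing else added a stream in between — worth a comment stating that assumption, e.g. `/* streams were added in item order, so remove them last-to-first */`. `c->nb_heif_item` is left unchanged after the teardown, so code that later iterates up to it sees items whose `name` and `st` are cleared; confirm those consumers tolerate that, or reset the count as well.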
@@ -9550,6 +9565,10 @@ static int mov_read_header(AVFormatContext *s) return err; } } + // prevent iloc and iinf boxes from being parsed while reading packets. + // this is needed because an iinf box may have been parsed but ignored + // for having old infe boxes which create no streams. + mov->found_iloc = mov->found_iinf = 1; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { if (mov->nb_chapter_tracks > 0 && !mov->ignore_chapters) From da8b2f9704438b80404a97e45015a3881452d6f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 20:51:45 +0200 Subject: [PATCH 074/562] avformat/iamfdec: check nb_streams in header read Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572 Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 9f54c13bc4650c59fe2ffb04f5b85145f196fbb7) --- libavformat/iamfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c index e34d13e74c..ce6d4aa064 100644 --- a/libavformat/iamfdec.c +++ b/libavformat/iamfdec.c @@ -154,6 +154,9 @@ static int iamf_read_header(AVFormatContext *s) } } + if (!s->nb_streams) + return AVERROR_INVALIDDATA; + return 0; } From a51c06b42c7b3f609b774983ee686ebe94186343 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 4 May 2024 21:20:35 -0300 Subject: [PATCH 075/562] avutil/iamf: fix offsets for mix_gain options Signed-off-by: James Almer (cherry picked from commit d6e877bbcde2a0d1422d7b5c7339bb03891d19fc) --- libavutil/iamf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavutil/iamf.c b/libavutil/iamf.c index c96100e7a0..14f49cba93 100644 --- a/libavutil/iamf.c +++ b/libavutil/iamf.c 
@@ -66,10 +66,10 @@ child_type *av_iamf_ ## parent_name ## _add_ ## child_name(parent_type *parent_n static const AVOption mix_gain_options[] = { { "subblock_duration", "set subblock_duration", OFFSET(subblock_duration), AV_OPT_TYPE_INT, {.i64 = 1 }, 1, UINT_MAX, FLAGS }, { "animation_type", "set animation_type", OFFSET(animation_type), AV_OPT_TYPE_INT, {.i64 = 0 }, 0, 2, FLAGS }, - { "start_point_value", "set start_point_value", OFFSET(animation_type), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, - { "end_point_value", "set end_point_value", OFFSET(animation_type), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, - { "control_point_value", "set control_point_value", OFFSET(animation_type), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, - { "control_point_relative_time", "set control_point_relative_time", OFFSET(animation_type), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, 0.0, 1.0, FLAGS }, + { "start_point_value", "set start_point_value", OFFSET(start_point_value), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, + { "end_point_value", "set end_point_value", OFFSET(end_point_value), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, + { "control_point_value", "set control_point_value", OFFSET(control_point_value), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, -128.0, 128.0, FLAGS }, + { "control_point_relative_time", "set control_point_relative_time", OFFSET(control_point_relative_time), AV_OPT_TYPE_RATIONAL, {.dbl = 0 }, 0.0, 1.0, FLAGS }, { NULL }, }; From c3665ee60f442069ba0322f53d947a1bf0be4007 Mon Sep 17 00:00:00 2001 
From: Mark Thompson Date: Sat, 27 Apr 2024 16:22:05 +0100 Subject: [PATCH 076/562] av1dec: Add force_integer_mv derived field for decoder use This is not the same as the syntax element value in the frame header because the specification parsing tables override the value on intra frames. (cherry picked from commit 6f56e0e7e516fef419c6b4361612c8a9bc178a2b) --- libavcodec/av1dec.c | 7 +++++++ libavcodec/av1dec.h | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 1d3c5dfc9d..11c852786f 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -730,6 +730,8 @@ static int av1_frame_ref(AVCodecContext *avctx, AV1Frame *dst, const AV1Frame *s memcpy(dst->order_hints, src->order_hints, sizeof(dst->order_hints)); + dst->force_integer_mv = src->force_integer_mv; + return 0; fail: @@ -1288,6 +1290,11 @@ static int get_current_frame(AVCodecContext *avctx) order_hint_info(s); load_grain_params(s); + s->cur_frame.force_integer_mv = + s->raw_frame_header->force_integer_mv || + s->raw_frame_header->frame_type == AV1_FRAME_KEY || + s->raw_frame_header->frame_type == AV1_FRAME_INTRA_ONLY; + return ret; } diff --git a/libavcodec/av1dec.h b/libavcodec/av1dec.h index 79a0be510b..b903b359c5 100644 --- a/libavcodec/av1dec.h +++ b/libavcodec/av1dec.h @@ -61,6 +61,12 @@ typedef struct AV1Frame { // OrderHints[] when this is the current frame, otherwise // SavedOrderHints[s][] when is the reference frame in slot s. uint8_t order_hints[AV1_TOTAL_REFS_PER_FRAME]; + + // force_integer_mv value at the end of the frame header parsing. + // This is not the same as the syntax element value in + // raw_frame_header because the specification parsing tables + // override the value on intra frames. + uint8_t force_integer_mv; } AV1Frame; typedef struct TileGroupInfo { From a4bc1dd92851fc1bed32e5898526ac71aa788a73 Mon Sep 17 00:00:00 2001 
From: Mark Thompson Date: Sat, 27 Apr 2024 16:23:58 +0100 Subject: [PATCH 077/562] vaapi_av1: Fix force_integer_mv value (cherry picked from commit b73e6af3370f082d9385f418a03ed7baf69ada60) --- libavcodec/vaapi_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vaapi_av1.c b/libavcodec/vaapi_av1.c index 1f9a6071ba..5bf81fc97f 100644 --- a/libavcodec/vaapi_av1.c +++ b/libavcodec/vaapi_av1.c @@ -220,7 +220,7 @@ static int vaapi_av1_start_frame(AVCodecContext *avctx, .error_resilient_mode = frame_header->error_resilient_mode, .disable_cdf_update = frame_header->disable_cdf_update, .allow_screen_content_tools = frame_header->allow_screen_content_tools, - .force_integer_mv = frame_header->force_integer_mv, + .force_integer_mv = s->cur_frame.force_integer_mv, .allow_intrabc = frame_header->allow_intrabc, .use_superres = frame_header->use_superres, .allow_high_precision_mv = frame_header->allow_high_precision_mv, From e7d2238ad751e4ce4ebc5118af750fd5cc0c5055 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sat, 27 Apr 2024 16:24:21 +0100 Subject: [PATCH 078/562] vulkan_av1: Fix force_integer_mv value (cherry picked from commit 7b482815a07bce0d5428ec282f5fca6337163691) --- libavcodec/vulkan_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vulkan_av1.c b/libavcodec/vulkan_av1.c index 49cd69d051..e607c1fc5f 100644 --- a/libavcodec/vulkan_av1.c +++ b/libavcodec/vulkan_av1.c 
@@ -435,7 +435,7 @@ static int vk_av1_start_frame(AVCodecContext *avctx, .render_and_frame_size_different = frame_header->render_and_frame_size_different, .allow_screen_content_tools = frame_header->allow_screen_content_tools, .is_filter_switchable = frame_header->is_filter_switchable, - .force_integer_mv = frame_header->force_integer_mv, + .force_integer_mv = pic->force_integer_mv, .frame_size_override_flag = frame_header->frame_size_override_flag, .buffer_removal_time_present_flag = frame_header->buffer_removal_time_present_flag, .allow_intrabc = frame_header->allow_intrabc, From 6ab65792ab8e522f5a8a9f432ca11900f35a9d94 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 5 May 2024 23:59:47 -0400 Subject: [PATCH 079/562] lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's The proper type was used until 73251678c83cbe24d08264da693411b166239bc7. This covers all of the OS's that currently have V4L2 support, permutations of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris. Copied from FreeBSD ports patch. Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238) Signed-off-by: Brad Smith --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 51291246b3..50ac47ec5a 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -107,10 +107,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); 
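Review bot: `defined(__musl__)` in the new condition never matches, since musl intentionally defines no identifying macro, so musl builds land in the `unsigned long int request` branch even though the commit message lists musl as covered. Because ioctl_f is presumably assigned the libc's ioctl() and invoked through this pointer type, a prototype that disagrees with the libc's real signature is a call through a mismatched function type (undefined behaviour, and a hard failure under CFI-style checking) rather than a cosmetic warning. A configure-time probe of ioctl()'s second-parameter type would be more robust than enumerating libcs here; at minimum the `/* POSIX-like */` comment should say that musl is not actually detected by this test. struct video_data continues outside the hunk.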
From 8b0fe91754f5250742c438f1fb574c62494d2229 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 07:38:40 -0400 Subject: [PATCH 080/562] avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD Use the machdep.altivec sysctl on NetBSD for AltiVec detection as is done with OpenBSD. (cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index bc8bb5f47c..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,7 +27,7 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) +#elif defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; From 5f23eecfba603402e3e3f7f31b1d284df9d4e962 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 16 May 2024 11:55:00 -0300 Subject: [PATCH 081/562] avformat/vvc: fix writing general_constraint_info bytes The existing implementation was completely broken. Signed-off-by: James Almer (cherry picked from commit 415dfa89e29686786085c207fdebcf2c97883a33) --- libavformat/Makefile | 2 +- libavformat/bitstream.c | 1 + libavformat/vvc.c | 35 +++++++++++++++++++---------------- tests/ref/fate/source | 1 + 4 files changed, 22 insertions(+), 17 deletions(-) create mode 100644 libavformat/bitstream.c diff --git a/libavformat/Makefile b/libavformat/Makefile index a89df7e9a3..ae86954e7c 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile 
@@ -723,7 +723,7 @@ OBJS-$(CONFIG_LIBSSH_PROTOCOL) += libssh.o OBJS-$(CONFIG_LIBZMQ_PROTOCOL) += libzmq.o # Objects duplicated from other libraries for shared builds -SHLIBOBJS += log2_tab.o to_upper4.o +SHLIBOBJS += log2_tab.o to_upper4.o bitstream.o SHLIBOBJS-$(CONFIG_ISO_MEDIA) += mpegaudiotabs.o SHLIBOBJS-$(CONFIG_FLV_MUXER) += mpeg4audio_sample_rates.o SHLIBOBJS-$(CONFIG_HLS_DEMUXER) += ac3_channel_layout_tab.o diff --git a/libavformat/bitstream.c b/libavformat/bitstream.c new file mode 100644 index 0000000000..2afda37c30 --- /dev/null +++ b/libavformat/bitstream.c @@ -0,0 +1 @@ +#include "libavcodec/bitstream.c" diff --git a/libavformat/vvc.c b/libavformat/vvc.c index 14a4c0a2f3..12a8ef6b0e 100644 --- a/libavformat/vvc.c +++ b/libavformat/vvc.c @@ -21,8 +21,10 @@ */ #include "libavcodec/get_bits.h" +#include "libavcodec/put_bits.h" #include "libavcodec/golomb.h" #include "libavcodec/vvc.h" +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avc.h" #include "avio.h" @@ -184,7 +186,7 @@ static void vvcc_parse_ptl(GetBitContext *gb, unsigned int profileTierPresentFlag, unsigned int max_sub_layers_minus1) { - VVCCProfileTierLevel general_ptl; + VVCCProfileTierLevel general_ptl = { 0 }; int j; if (profileTierPresentFlag) { @@ -325,6 +327,7 @@ static int vvcc_parse_vps(GetBitContext *gb, for (int i = 0; i <= vps_num_ptls_minus1; i++) vvcc_parse_ptl(gb, vvcc, vps_pt_present_flag[i], vps_ptl_max_tid[i]); + vvcc->ptl_present_flag = 1; /* nothing useful for vvcc past this point */ return 0; 
@@ -355,8 +358,10 @@ static int vvcc_parse_sps(GetBitContext *gb, vvcc->chroma_format_idc = get_bits(gb, 2); sps_log2_ctu_size_minus5 = get_bits(gb, 2); - if (get_bits1(gb)) // sps_ptl_dpb_hrd_params_present_flag + if (get_bits1(gb)) { // sps_ptl_dpb_hrd_params_present_flag + vvcc->ptl_present_flag = 1; vvcc_parse_ptl(gb, vvcc, 1, sps_max_sublayers_minus1); + } skip_bits1(gb); // sps_gdr_enabled_flag if (get_bits(gb, 1)) // sps_ref_pic_resampling_enabled_flag @@ -578,10 +583,6 @@ static void vvcc_init(VVCDecoderConfigurationRecord *vvcc) { memset(vvcc, 0, sizeof(VVCDecoderConfigurationRecord)); vvcc->lengthSizeMinusOne = 3; // 4 bytes - - vvcc->ptl.num_bytes_constraint_info = 1; - - vvcc->ptl_present_flag = 1; } static void vvcc_close(VVCDecoderConfigurationRecord *vvcc) @@ -602,7 +603,6 @@ static int vvcc_write(AVIOContext *pb, VVCDecoderConfigurationRecord *vvcc) { uint8_t i; uint16_t j, vps_count = 0, sps_count = 0, pps_count = 0; - unsigned char *buf = NULL; /* * It's unclear how to properly compute these fields, so * let's always set them to values meaning 'unspecified'. @@ -734,6 +734,10 @@ static int vvcc_write(AVIOContext *pb, VVCDecoderConfigurationRecord *vvcc) avio_w8(pb, vvcc->lengthSizeMinusOne << 1 | vvcc->ptl_present_flag | 0xf8); if (vvcc->ptl_present_flag) { + uint8_t buf[64]; + PutBitContext pbc; + + init_put_bits(&pbc, buf, sizeof(buf)); /* * unsigned int(9) ols_idx; * unsigned int(3) num_sublayers; 
@@ -765,15 +769,14 @@ static int vvcc_write(AVIOContext *pb, VVCDecoderConfigurationRecord *vvcc) * unsigned int (1) ptl_frame_only_constraint_flag * unsigned int (1) ptl_multilayer_enabled_flag * unsigned int (8*num_bytes_constraint_info -2) general_constraint_info */ - buf = - (unsigned char *) malloc(sizeof(unsigned char) * - vvcc->ptl.num_bytes_constraint_info); - *buf = vvcc->ptl.ptl_frame_only_constraint_flag << vvcc->ptl. - num_bytes_constraint_info * 8 - 1 | vvcc->ptl. - ptl_multilayer_enabled_flag << vvcc->ptl.num_bytes_constraint_info * - 8 - 2 | *vvcc->ptl.general_constraint_info >> 2; - avio_write(pb, buf, vvcc->ptl.num_bytes_constraint_info); - free(buf); + put_bits(&pbc, 1, vvcc->ptl.ptl_frame_only_constraint_flag); + put_bits(&pbc, 1, vvcc->ptl.ptl_multilayer_enabled_flag); + av_assert0(vvcc->ptl.num_bytes_constraint_info); + if (vvcc->ptl.num_bytes_constraint_info > 1) + ff_copy_bits(&pbc, vvcc->ptl.general_constraint_info, (vvcc->ptl.num_bytes_constraint_info - 1) * 8); + put_bits(&pbc, 6, vvcc->ptl.general_constraint_info[vvcc->ptl.num_bytes_constraint_info - 1] & 0x3f); + flush_put_bits(&pbc); + avio_write(pb, buf, put_bytes_count(&pbc, 1)); if (vvcc->num_sublayers > 1) { uint8_t ptl_sublayer_level_present_flags = 0; diff --git a/tests/ref/fate/source b/tests/ref/fate/source index 7b5f14b4f0..d8d4224145 100644 --- a/tests/ref/fate/source +++ b/tests/ref/fate/source @@ -10,6 +10,7 @@ libavdevice/reverse.c libavfilter/af_arnndn.c libavfilter/file_open.c libavfilter/log2_tab.c +libavformat/bitstream.c libavformat/file_open.c libavformat/golomb_tab.c libavformat/log2_tab.c From a8b8b1042f9959416c8b08d3099a8e9bb6407deb Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 17 May 2024 16:23:41 -0300 Subject: [PATCH 082/562] avformat/vvc: fix parsing some early VPS bitstream values vps_default_ptl_dpb_hrd_max_tid_flag needs to always be set, and vps_direct_ref_layer_flag needs to be read even when vps_max_tid_ref_present_flag is false. 
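Review bot: The only guard on the new bit-writer path is `av_assert0(vvcc->ptl.num_bytes_constraint_info)`; nothing visible bounds that count against the 64-byte stack `buf` that the earlier `@@ -734` hunk of this function hands to init_put_bits, yet `num_bytes_constraint_info * 8` bits are written into it here. put_bits does not report overflow as an error (it logs an internal error and asserts only at av_assert2 level), so an oversized count would produce a truncated vvcC rather than a failure, and if the count is taken from the parsed bitstream rather than computed, aborting on it via av_assert0 is a crash on bad input where this file otherwise returns AVERROR_INVALIDDATA. Unless the parser already caps it (the size of the general_constraint_info array would do that), replace the assert with `if (!vvcc->ptl.num_bytes_constraint_info || vvcc->ptl.num_bytes_constraint_info > sizeof(buf)) return AVERROR_INVALIDDATA;`. vvcc_write starts and ends outside this hunk.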
Signed-off-by: James Almer (cherry picked from commit a48203d51aa4836150f9379448f6b2a1d5ca9d36) --- libavformat/vvc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vvc.c b/libavformat/vvc.c index 12a8ef6b0e..b1b519c92c 100644 --- a/libavformat/vvc.c +++ b/libavformat/vvc.c @@ -268,6 +268,8 @@ static int vvcc_parse_vps(GetBitContext *gb, if (vps_max_layers_minus1 > 0 && vps_max_sublayers_minus1 > 0) vps_default_ptl_dpb_hrd_max_tid_flag = get_bits1(gb); + else + vps_default_ptl_dpb_hrd_max_tid_flag = 0; if (vps_max_layers_minus1 > 0) vps_all_independent_layers_flag = get_bits1(gb); else @@ -276,10 +278,11 @@ static int vvcc_parse_vps(GetBitContext *gb, for (int i = 0; i <= vps_max_layers_minus1; i++) { skip_bits(gb, 6); //vps_layer_id[i] if (i > 0 && !vps_all_independent_layers_flag) { - if (get_bits1(gb)) { // vps_independent_layer_flag[i] + if (!get_bits1(gb)) { // vps_independent_layer_flag[i] unsigned int vps_max_tid_ref_present_flag = get_bits1(gb); for (int j = 0; j < i; j++) { - if (vps_max_tid_ref_present_flag && get_bits1(gb)) // vps_direct_ref_layer_flag[i][j] + unsigned int vps_direct_ref_layer_flag = get_bits1(gb); + if (vps_max_tid_ref_present_flag && vps_direct_ref_layer_flag) skip_bits(gb, 3); // vps_max_tid_il_ref_pics_plus1 } } From 00ccb7be2948929daa63978b6890e252b9161ba7 Mon Sep 17 00:00:00 2001 From: Nuo Mi Date: Wed, 27 Mar 2024 21:00:58 +0800 Subject: [PATCH 083/562] avcodec/cbs_h266: fix sh_collocated_from_l0_flag and sh_collocated_ref_idx infer we have to infer sh_collocated_from_l0_flag and sh_collocated_ref_idx from picture head if pps_rpl_info_in_ph_flag is true (cherry picked from commit 191fbd7ddc1a66fb48b6d4b4f2afd698245ab6ed) --- libavcodec/cbs_h266_syntax_template.c | 32 +++++++++++++++++---------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 0aae9fdfd5..f56066d470 100644 
--- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -3221,19 +3221,27 @@ static int FUNC(slice_header) (CodedBitstreamContext *ctx, RWContext *rw, flag(sh_cabac_init_flag); else infer(sh_cabac_init_flag, 0); - if (ph->ph_temporal_mvp_enabled_flag && !pps->pps_rpl_info_in_ph_flag) { - if (current->sh_slice_type == VVC_SLICE_TYPE_B) - flag(sh_collocated_from_l0_flag); - else - infer(sh_collocated_from_l0_flag, 1); - if ((current->sh_collocated_from_l0_flag && - current->num_ref_idx_active[0] > 1) || - (!current->sh_collocated_from_l0_flag && - current->num_ref_idx_active[1] > 1)) { - unsigned int idx = current->sh_collocated_from_l0_flag ? 0 : 1; - ue(sh_collocated_ref_idx, 0, current->num_ref_idx_active[idx] - 1); + if (ph->ph_temporal_mvp_enabled_flag) { + if (!pps->pps_rpl_info_in_ph_flag) { + if (current->sh_slice_type == VVC_SLICE_TYPE_B) + flag(sh_collocated_from_l0_flag); + else + infer(sh_collocated_from_l0_flag, 1); + if ((current->sh_collocated_from_l0_flag && + current->num_ref_idx_active[0] > 1) || + (!current->sh_collocated_from_l0_flag && + current->num_ref_idx_active[1] > 1)) { + unsigned int idx = current->sh_collocated_from_l0_flag ? 0 : 1; + ue(sh_collocated_ref_idx, 0, current->num_ref_idx_active[idx] - 1); + } else { + infer(sh_collocated_ref_idx, 0); + } } else { - infer(sh_collocated_ref_idx, 0); + if (current->sh_slice_type == VVC_SLICE_TYPE_B) + infer(sh_collocated_from_l0_flag, ph->ph_collocated_from_l0_flag); + else + infer(sh_collocated_from_l0_flag, 1); + infer(sh_collocated_ref_idx, ph->ph_collocated_ref_idx); } } if (!pps->pps_wp_info_in_ph_flag && From 060d2ce8aed1a0ad37264c90bfce6738dc49511d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 19 May 2024 10:26:38 -0300 Subject: [PATCH 084/562] avcodec/cbs_h266: read vps_ptl_max_tid before using it Reviewed-by: Nuo Mi 
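Review bot: In the new `else` branch (pps_rpl_info_in_ph_flag set) a P slice still infers sh_collocated_from_l0_flag as 1 while only a B slice takes ph_collocated_from_l0_flag; as far as I recall the VVC inference rule for this flag inherits ph_collocated_from_l0_flag whenever pps_rpl_info_in_ph_flag is 1, irrespective of slice type, with the default of 1 applying only when the RPL info is carried in the slice header. Worth confirming against the slice header semantics before merging; if it holds, the branch collapses to `infer(sh_collocated_from_l0_flag, ph->ph_collocated_from_l0_flag);` for both slice types. Either way a short comment on the `else` citing the inference clause would help the next reader. slice_header starts and ends outside the hunk.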
Signed-off-by: James Almer (cherry picked from commit b113050d96d9d36ac2e7f10b3af8b9c61684c33f) --- libavcodec/cbs_h266_syntax_template.c | 28 ++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index f56066d470..281069f06e 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -790,6 +790,21 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw, infer(vps_each_layer_is_an_ols_flag, 1); infer(vps_num_ptls_minus1, 0); } + + for (i = 0; i <= current->vps_num_ptls_minus1; i++) { + if (i > 0) + flags(vps_pt_present_flag[i], 1, i); + else + infer(vps_pt_present_flag[i], 1); + + if (!current->vps_default_ptl_dpb_hrd_max_tid_flag) + us(3, vps_ptl_max_tid[i], 0, current->vps_max_sublayers_minus1, 1, i); + else + infer(vps_ptl_max_tid[i], current->vps_max_sublayers_minus1); + } + while (byte_alignment(rw) != 0) + fixed(1, vps_ptl_alignment_zero_bit, 0); + { //calc NumMultiLayerOlss int m; @@ -915,19 +930,6 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw, return AVERROR_INVALIDDATA; } - for (i = 0; i <= current->vps_num_ptls_minus1; i++) { - if (i > 0) - flags(vps_pt_present_flag[i], 1, i); - else - infer(vps_pt_present_flag[i], 1); - - if (!current->vps_default_ptl_dpb_hrd_max_tid_flag) - us(3, vps_ptl_max_tid[i], 0, current->vps_max_sublayers_minus1, 1, i); - else - infer(vps_ptl_max_tid[i], current->vps_max_sublayers_minus1); - } - while (byte_alignment(rw) != 0) - fixed(1, vps_ptl_alignment_zero_bit, 0); for (i = 0; i <= current->vps_num_ptls_minus1; i++) { CHECK(FUNC(profile_tier_level) (ctx, rw, current->vps_profile_tier_level + i, From 07ee3648b76ec0cbc5b333fc70ea825c169b598b Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Sat, 11 May 2024 22:54:24 +0200 Subject: [PATCH 085/562] avformat/mp3dec: only call ffio_ensure_seekback once Otherwise the subsequent ffio_ensure_seekback calls destroy the buffer of the earlier. The worst case ~66kB seekback is so small it is easier to request it entirely. Fixes ticket #10837, a regression since 0d17f5228f4d3854066ec1001f69c7d1714b0df9. Signed-off-by: Marton Balint (cherry picked from commit b0053172199b54a806a4147cda8567a2f1823bc0) --- libavformat/mp3dec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index ec6cf567bc..78d6c8c71c 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -32,6 +32,7 @@ #include "replaygain.h" #include "libavcodec/codec_id.h" +#include "libavcodec/mpegaudio.h" #include "libavcodec/mpegaudiodecheader.h" #define XING_FLAG_FRAMES 0x01 @@ -400,15 +401,16 @@ static int mp3_read_header(AVFormatContext *s) if (ret < 0) return ret; + ret = ffio_ensure_seekback(s->pb, 64 * 1024 + MPA_MAX_CODED_FRAME_SIZE + 4); + if (ret < 0) + return ret; + off = avio_tell(s->pb); for (i = 0; i < 64 * 1024; i++) { uint32_t header, header2; int frame_size; - if (!(i&1023)) - ffio_ensure_seekback(s->pb, i + 1024 + 4); frame_size = check(s->pb, off + i, &header); if (frame_size > 0) { - ffio_ensure_seekback(s->pb, i + 1024 + frame_size + 4); ret = check(s->pb, off + i + frame_size, &header2); if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) From 89ea8af0b3ef27b11c889410e1718ebc43d2d7d9 Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Sun, 12 May 2024 19:10:18 +0200 Subject: [PATCH 086/562] avformat/mp3dec: simplify inner frame size check in mp3_read_header We are protecting the checked buffer with ffio_ensure_seekback(), so if the inner check fails with a seek error, that likely means the end of file was reached when checking for the next frame. This could also be the result of a wrongly guessed (larger than normal) frame size, so let's continue the loop instead of breaking out early. It will end sooner or later anyway. Signed-off-by: Marton Balint (cherry picked from commit b75e604fe5cd7da9ca713f20d1ade18d50319aff) --- libavformat/mp3dec.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 78d6c8c71c..4abc73966f 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -412,14 +412,8 @@ static int mp3_read_header(AVFormatContext *s) frame_size = check(s->pb, off + i, &header); if (frame_size > 0) { ret = check(s->pb, off + i + frame_size, &header2); - if (ret >= 0 && - (header & MP3_MASK) == (header2 & MP3_MASK)) - { + if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) break; - } else if (ret == CHECK_SEEK_FAILED) { - av_log(s, AV_LOG_ERROR, "Invalid frame size (%d): Could not seek to %"PRId64".\n", frame_size, off + i + frame_size); - return AVERROR(EINVAL); - } } else if (frame_size == CHECK_SEEK_FAILED) { av_log(s, AV_LOG_ERROR, "Failed to read frame size: Could not seek to %"PRId64".\n", (int64_t) (i + 1024 + frame_size + 4)); return AVERROR(EINVAL); From 52132f4d6eab03a5fa34bab0c41a35b9a7a10b7b Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 12 May 2024 19:26:24 +0200 Subject: [PATCH 087/562] avformat/mp3dec: change bogus error message if read_header encounters EOF Because of ffio_ensure_seekback() a seek error normally should only happen if the end of file is reached during checking for the junk run-in. Also use proper error code. 
Signed-off-by: Marton Balint (cherry picked from commit 49e018d6fee689af6b30b773d83f545d74b8d9aa) --- libavformat/mp3dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 4abc73966f..f421e03926 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -415,8 +415,8 @@ static int mp3_read_header(AVFormatContext *s) if (ret >= 0 && (header & MP3_MASK) == (header2 & MP3_MASK)) break; } else if (frame_size == CHECK_SEEK_FAILED) { - av_log(s, AV_LOG_ERROR, "Failed to read frame size: Could not seek to %"PRId64".\n", (int64_t) (i + 1024 + frame_size + 4)); - return AVERROR(EINVAL); + av_log(s, AV_LOG_ERROR, "Failed to find two consecutive MPEG audio frames.\n"); + return AVERROR_INVALIDDATA; } } if (i == 64 * 1024) { From 935279b85572cdd317d7d5c932f85dde3b90bb5a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 30 Apr 2024 19:16:49 +0200 Subject: [PATCH 088/562] avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash Regression since fd172185580c1ccdcfb90bbfdb59fa806fad3117; triggered by vp4/KTkvw8dg1J8.avi in the FATE suite, but not when running fate as this code is not used when the bitexact flag is set. Bisecting done by ami_stuff, patch from user Mika Fischer in ticket #10027 (which this commit fixes). Signed-off-by: Andreas Rheinhardt (cherry picked from commit c3ca90a92e7211aef8ad1d044518a34f6ba137d7) --- libavcodec/x86/vp3dsp_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/vp3dsp_init.c b/libavcodec/x86/vp3dsp_init.c index f54fa57b3e..edac1764cb 100644 --- a/libavcodec/x86/vp3dsp_init.c +++ b/libavcodec/x86/vp3dsp_init.c 
@@ -53,7 +53,7 @@ av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags) if (!(flags & AV_CODEC_FLAG_BITEXACT)) { c->v_loop_filter = c->v_loop_filter_unaligned = ff_vp3_v_loop_filter_mmxext; - c->h_loop_filter = c->v_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; + c->h_loop_filter = c->h_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; } } From ba031f8771d2c88a85b0607da2fd1442c8fe368f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 089/562] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 9c69c02fbf..625d38bd13 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -495,10 +495,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == (STATUS_END_REACHED | STATUS_BEGIN_REACHED) || From 4197c3203b63f8d90c264eff9ca783c4f8beaafd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 090/562] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund 
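Review bot: The reason the comparison in evaluate_parameters became `<=` is not recorded anywhere in the hunk, yet it is what makes the corrected `distsum / goodfcount` division safe: with goodfcount == 0 the test reads `0 <= FFMAX(gooda, goodb)`, which is true whenever those are non-negative counts (inferred from their names), so the loop takes the `continue` before dividing. A comment on the changed line such as `/* <= also rejects goodfcount == 0, so the division below cannot be by zero */` would stop a future tidy-up from restoring `<` and reintroducing the Coverity finding. The hunk shows only part of evaluate_parameters.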
Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 625d38bd13..ad59106cf0 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -447,14 +447,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From 1dbfdd2d306d29b9eadcc817896dd0dac9c9dcae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:09:54 +0200 Subject: [PATCH 091/562] avfilter/vf_thumbnail_cuda: Set ret before checking it Fixes: CID1418336 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Timo Rothenpieler Signed-off-by: Michael Niedermayer (cherry picked from commit 02301017d28422e4d0a4badb16f2226e70ec534a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_thumbnail_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index c8dd905123..40a3b75dd0 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -290,7 +290,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; From ad26b2d05a4cfc583dc502cc6c7bc41bb45c4d69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:23:10 +0200 Subject: [PATCH 092/562] avcodec/cbs_h2645: Check NAL space Found-by-reviewing: CID1419833 Untrusted loop bound Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit b91e3c4c908228901b1ec120d59ddf5a86c3b3b8) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 8e4af7b2cc..db803ea351 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -708,7 +708,11 @@ static int cbs_h2645_split_fragment(CodedBitstreamContext *ctx, start = bytestream2_tell(&gbc); for(i = 0; i < num_nalus; i++) { + if (bytestream2_get_bytes_left(&gbc) < 2) + return AVERROR_INVALIDDATA; size = bytestream2_get_be16(&gbc); + if (bytestream2_get_bytes_left(&gbc) < size) + return AVERROR_INVALIDDATA; bytestream2_skip(&gbc, size); } end = bytestream2_tell(&gbc); From 53868f5193d63e499c0e36aeef9376b40ecbd189 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 093/562] doc/examples/qsv_transcode: Simplify loop Fixes: CID1428858(2/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 82cce209349d2a7c893a4f9691ec8698704b0486) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 972126800b..3d98729474 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -334,10 +334,8 @@ static int dec_enc(AVPacket *pkt, const AVCodec *enc_codec, char *optstr) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From 6b42ba2094e6ba56cfd66a746cb01e00c7a0d421 Mon Sep 17 00:00:00 2001 
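Review bot: The two new guards in cbs_h2645_split_fragment would benefit from a comment, because bytestream2 accessors are already bounds-checked (a read past the end yields 0 and skip clamps), so a reader may wonder what the checks add: they turn a NAL-unit table that claims more bytes than remain from a silently shortened `end` into an explicit AVERROR_INVALIDDATA, instead of letting the count loop run on clamped reads. Suggested above the first check: `// bytestream2 clamps silently; reject a NAL table that claims more bytes than remain`. The enclosing function starts and ends outside the hunk.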
From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 094/562] doc/examples/vaapi_transcode: Simplify loop Fixes: CID1428858(1/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit c9c11a0866d45827201b034349bceb2dc58a3499) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index 8367cb3040..e1b7a43883 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c @@ -215,10 +215,8 @@ static int dec_enc(AVPacket *pkt, const AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From 70191fc0a6bdc09b61ae53d3b93092596c4dd5a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:28:00 +0200 Subject: [PATCH 095/562] doc/examples/qsv_transcode: Simplify str_to_dict() loop Fixes: CID1517022 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 191950d1bfc3924d1b54f236b2c35149ba4487a1) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 3d98729474..486910f09a 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -75,8 +75,7 @@ static int str_to_dict(char* optstr, AVDictionary **opt) if (value == NULL) return AVERROR(EINVAL); av_dict_set(opt, key, value, 0); - } while(key != NULL); - return 0; + } while(1); } static int dynamic_set_parameter(AVCodecContext *avctx) From 7fa0143d7e02c5cd575d14750198ae4dd2ef4166 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:30:20 +0200 Subject: [PATCH 096/562] doc/examples/qsv_transcode: Initialize pointer before free Fixees: CID1517023 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit cae0f2bc550312c99655057f8ffab5b59556ceeb) Signed-off-by: Michael Niedermayer --- doc/examples/qsv_transcode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/examples/qsv_transcode.c b/doc/examples/qsv_transcode.c index 486910f09a..ff115f3669 100644 --- a/doc/examples/qsv_transcode.c +++ b/doc/examples/qsv_transcode.c @@ -341,7 +341,7 @@ int main(int argc, char **argv) { const AVCodec *enc_codec; int ret = 0; - AVPacket *dec_pkt; + AVPacket *dec_pkt = NULL; if (argc < 5 || (argc - 5) % 2) { av_log(NULL, AV_LOG_ERROR, "Usage: %s " From 62d3e4fd298105026f47c4591db178600104862d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 097/562] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 08fd3be43c..a130eb1d74 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -1968,13 +1968,13 @@ static void hls_prediction_unit(HEVCLocalContext *lc, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From a0577e9877ef83c703a003fe76c82aeea761c2d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 23:22:53 +0200 Subject: [PATCH 098/562] avcodec/pngdec: Check last AVFrame before deref Fixes: NULL pointer dereference Fixes: 68184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4926478069334016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 091fdce87e88c8622d8af89ffa6cbb0dc20c3816) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index de50e6a5b6..90c286eb83 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1216,7 +1216,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - if ((sequence_number == 0 || !s->last_picture.f->data[0]) && + if ((sequence_number == 0 || !s->last_picture.f) && dispose_op == APNG_DISPOSE_OP_PREVIOUS) { // No previous frame to revert to for the first frame // Spec says to just treat it as a APNG_DISPOSE_OP_BACKGROUND From c42248f4664840a14378eb4c4da9ea186ab92514 Mon Sep 17 00:00:00 2001 
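Review bot: Both replaced guards in hls_prediction_unit drop the `->frame->data[0]` test entirely rather than adding the NULL check in front of it, so a reference whose AVFrame object exists but carries no buffer would now reach hevc_await_progress; the pngdec hunk in the next patch makes the same substitution for `s->last_picture.f`. If the frame-management design in this branch guarantees that a non-NULL frame pointer always has a buffer attached, this is fine, but that guarantee is not visible here. Otherwise keep both conditions: `if (!ref0 || !ref0->frame || !ref0->frame->data[0]) return;` and the mirror for ref1. hls_prediction_unit starts and ends outside the hunk.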
From: Michael Niedermayer Date: Sun, 28 Apr 2024 21:09:45 +0200 Subject: [PATCH 099/562] avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: CID1420393 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 63415168dbd96475372e37ae0fd47bafe151e2f0) Signed-off-by: Michael Niedermayer --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 13b8d3b7d8..283139288c 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -204,7 +204,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size, AC3HeaderInfo hdr; int err; - init_get_bits8(&gb, buf, size); + err = init_get_bits8(&gb, buf, size); + if (err < 0) + return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, &hdr); if (err < 0) return AVERROR_INVALIDDATA; From e806d36b38603c016f1e39c6c72b31b86253aa2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 22:57:53 +0200 Subject: [PATCH 100/562] avcodec/atrac9dec: Check init_get_bits8() for failure Fixes: CID1439569 Unchecked return value Fixes: CID1439578 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 615c994739cacbeb0a2f48f8271d911fcd0b4303) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 5b84f0c6d6..91f2e50b05 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -801,7 +801,9 @@ static int atrac9_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (ret < 0) return ret; - init_get_bits8(&gb, avpkt->data, avpkt->size); + ret = init_get_bits8(&gb, avpkt->data, avpkt->size); + if (ret < 0) + return ret; for (int i = 0; i < frames; i++) { for (int j = 0; j < s->block_config->count; j++) { 
@@ -921,7 +923,9 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size); + err = init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size); + if (err < 0) + return err; if (get_bits(&gb, 8) != 0xFE) { av_log(avctx, AV_LOG_ERROR, "Incorrect magic byte!\n"); From dba4b859d86b54fbf4201ca5c86a45d5b0764842 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Apr 2024 23:44:25 +0200 Subject: [PATCH 101/562] avformat/kvag: Check sample_rate Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8) Signed-off-by: Michael Niedermayer --- libavformat/kvag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/kvag.c b/libavformat/kvag.c index 1d0aee0994..b55aa893ec 100644 --- a/libavformat/kvag.c +++ b/libavformat/kvag.c @@ -38,7 +38,7 @@ typedef struct KVAGHeader { uint32_t magic; uint32_t data_size; - uint32_t sample_rate; + int sample_rate; uint16_t stereo; } KVAGHeader; @@ -70,6 +70,9 @@ static int kvag_read_header(AVFormatContext *s) hdr.sample_rate = AV_RL32(buf + 8); hdr.stereo = AV_RL16(buf + 12); + if (hdr.sample_rate <= 0) + return AVERROR_INVALIDDATA; + par = st->codecpar; par->codec_type = AVMEDIA_TYPE_AUDIO; par->codec_id = AV_CODEC_ID_ADPCM_IMA_SSI; From 0e44de3b9b5c7dc99b47c30d24932d9856d3b646 Mon Sep 17 00:00:00 2001 
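Review bot: The bit reader is initialized from `avctx->extradata + 4` but sized with the full `avctx->extradata_size`, so the new error check only rejects a negative or oversized count while the reader is still told it has four more bytes than actually follow the offset. Bounding it with `err = init_get_bits8(&gb, avctx->extradata + 4, avctx->extradata_size - 4);` keeps reads inside the extradata proper rather than its padding; the size validation that precedes this hunk is not visible, so whether a minimum size already guarantees the subtraction stays non-negative needs confirming. atrac9_decode_init continues outside the hunk.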
From: Michael Niedermayer Date: Fri, 26 Apr 2024 03:46:33 +0200 Subject: [PATCH 102/562] avformat/mxfdec: Check body_offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4e4beb40b0..518a507539 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -790,6 +790,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; From 9a4199c71b6905aaad5d5b8980e692be6f08e411 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 02:53:51 +0200 Subject: [PATCH 103/562] avfilter/avfiltergraph: return value of ff_request_frame() is unused Fixes: CID1397741 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e757726e89ff636e0dc6743f635888639a196e36) Signed-off-by: Michael Niedermayer --- libavfilter/avfiltergraph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 12ff7d6ffb..8e091d95e0 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c 
@@ -1410,7 +1410,7 @@ int avfilter_graph_request_oldest(AVFilterGraph *graph) if (r == AVERROR(EAGAIN) && !oldest->frame_wanted_out && !oldesti->frame_blocked_in && !oldesti->status_in) - ff_request_frame(oldest); + (void)ff_request_frame(oldest); else if (r < 0) return r; } From ec35ed8bb2d1044dbe7640deef3a8d16f07f046e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 15:50:56 +0200 Subject: [PATCH 104/562] avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 Fixes: CID1506708 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a7c4f119c91bcb3791a3c242ee61a5c60379db4f) Signed-off-by: Michael Niedermayer --- libavcodec/avs2_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/avs2_parser.c b/libavcodec/avs2_parser.c index 200134f91d..0d68ab1d00 100644 --- a/libavcodec/avs2_parser.c +++ b/libavcodec/avs2_parser.c @@ -72,13 +72,15 @@ static void parse_avs2_seq_header(AVCodecParserContext *s, const uint8_t *buf, unsigned aspect_ratio; unsigned frame_rate_code; int low_delay; + av_unused int ret; // update buf_size_min if parse more deeper const int buf_size_min = 15; if (buf_size < buf_size_min) return; - init_get_bits8(&gb, buf, buf_size_min); + ret = init_get_bits8(&gb, buf, buf_size_min); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From 13ef4f209f64cc73f6a6c4b668560d3797164dd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:17:25 +0200 Subject: [PATCH 105/562] avcodec/avs3_parser: assert the return value of init_get_bits() Fixes: CID1492867 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f9218e4d52e16494ed816651a110dfe0ad22638c) Signed-off-by: Michael Niedermayer --- libavcodec/avs3_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/avs3_parser.c b/libavcodec/avs3_parser.c index a819b5783d..ea495b1c7c 100644 --- a/libavcodec/avs3_parser.c +++ b/libavcodec/avs3_parser.c @@ -73,7 +73,8 @@ static void parse_avs3_nal_units(AVCodecParserContext *s, const uint8_t *buf, GetBitContext gb; int profile, ratecode, low_delay; - init_get_bits8(&gb, buf + 4, buf_size - 4); + av_unused int ret = init_get_bits(&gb, buf + 4, 100); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From c5671e9de91cb51e4a8d730d030fc3d7aaab1ad0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 13:10:57 +0200 Subject: [PATCH 106/562] avcodec/av1dec: bit_depth cannot be another values than 8,10,12 Fixes: CID1544265 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit fd7d24fa3f39fc1013fb0d06b42c98b8ff1f8942) Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 11c852786f..d13c2c4a6b 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -492,7 +492,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV444P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } else if (seq->color_config.subsampling_x == 1 && seq->color_config.subsampling_y == 0) { if (bit_depth == 8) @@ -502,7 +502,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV422P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } else if (seq->color_config.subsampling_x == 1 && seq->color_config.subsampling_y == 1) { if (bit_depth == 8) 
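Review bot: The rewritten call `init_get_bits(&gb, buf + 4, 100)` tells the reader it has 100 bits (13 bytes) regardless of `buf_size`, where the removed line bounded it by `buf_size - 4`; unless the guard before this hunk already requires at least 17 bytes, the following get_bits calls can read past the valid input into whatever padding follows it. The assert then only proves the constant is well-formed, not that the buffer is. Keeping the data-derived bound, `av_unused int ret = init_get_bits8(&gb, buf + 4, buf_size - 4);`, preserves both the check and the bound, with the assert justified by the caller's minimum size instead of a literal. parse_avs3_nal_units and its size guard are outside the hunk.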
@@ -512,7 +512,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_YUV420P12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } } else { if (bit_depth == 8) @@ -522,7 +522,7 @@ static enum AVPixelFormat get_sw_pixel_format(void *logctx, else if (bit_depth == 12) pix_fmt = AV_PIX_FMT_GRAY12; else - av_log(logctx, AV_LOG_WARNING, "Unknown AV1 pixel format.\n"); + av_assert0(0); } return pix_fmt; From 8170914a34b6b29e3745a346e5ea46a1436c5310 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 00:10:01 +0200 Subject: [PATCH 107/562] avcodec/av1dec: Change bit_depth to int Suggested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 69b4d9736b0d0ad01c41fcae2d66eaa534b76969) Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index d13c2c4a6b..32c2379a45 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -468,7 +468,7 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro static enum AVPixelFormat get_sw_pixel_format(void *logctx, const AV1RawSequenceHeader *seq) { - uint8_t bit_depth; + int bit_depth; enum AVPixelFormat pix_fmt = AV_PIX_FMT_NONE; if (seq->seq_profile == 2 && seq->color_config.high_bitdepth) From ccd7fe3c6727705d00f483d6338048267081a720 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 108/562] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 8849a3201a..0b6c77e167 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
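Review bot: The fix relies on two properties worth stating next to the first `SUINT Y1`: unsigned arithmetic wraps instead of overflowing, and the `(int)` cast back converts a value above INT_MAX by implementation-defined (two's-complement) conversion rather than undefined behaviour, after which `>> 14` is a signed shift. A comment such as `// SUINT: wrap instead of overflow on out-of-range input; (int) cast is implementation-defined, not UB` at the declaration would save the next reader from re-deriving why `int` was not simply widened. The same pattern recurs in the -1232, -1253 and -1278 hunks of this commit and in the yuv2rgba64_full_1_c_template hunks of the following one. yuv2rgba64_1_c_template starts and ends outside the hunk.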
@@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
@@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
 const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1];
 int A1 = 0xffff<<14, A2 = 0xffff<<14;
 for (i = 0; i < ((dstW + 1) >> 1); i++) {
- int Y1 = (buf0[i * 2] ) >> 2;
- int Y2 = (buf0[i * 2 + 1]) >> 2;
+ SUINT Y1 = (buf0[i * 2] ) >> 2;
+ SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
 int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3;
 int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3;
 int R, G, B;
@@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From ef9d59defb10f36862e6041eb5f6dbaa5e48f5bb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 109/562] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0b6c77e167..b234f9c6b9 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1429,7 +1429,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; 
@@ -1462,7 +1462,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 0047b51b8dc10e0ea14eaaf767a566e38a56ba99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:38 +0200 Subject: [PATCH 110/562] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Fixes: signed integer overflow: 2097152000 + 107142979 cannot be represented in type 'int' Fixes: 67919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5955101769400320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a2ec2bd49317ab16a3c30c0824efc580ea9a8aef) Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index e121f1bc61..536c74e478 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c 
@@ -690,7 +690,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++) From c8ffda5684d1c85f7cf86fbedfd4e8ba69a77231 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 23:30:51 +0200 Subject: [PATCH 111/562] avcodec/amrwbdec: assert mode to be valid in decode_fixed_vector() Inspired-by: CID1473499 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a3bb269db92601e2dc0e99352468d02f7b26c7c2) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 9d75b972fa..21a730b835 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -26,6 +26,7 @@ #include "config.h" +#include "libavutil/avassert.h" #include "libavutil/channel_layout.h" #include "libavutil/common.h" #include "libavutil/lfg.h" @@ -554,6 +555,8 @@ static void decode_fixed_vector(float *fixed_vector, const uint16_t *pulse_hi, decode_6p_track(sig_pos[i], (int) pulse_lo[i] + ((int) pulse_hi[i] << 11), 4, 1); break; + default: + av_assert2(0); } memset(fixed_vector, 0, sizeof(float) * AMRWB_SFR_SIZE); From 67ca3a5ee7d4ddb55fbe93de9cf7898eb09b7887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 112/562] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c20e364cac..9d048e3dec 100644 
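Review bot: `av_assert2(0)` in the new `default:` branch compiles to nothing at the default assert level, so in a release build an out-of-range `mode` still leaves `sig_pos` unwritten before the code that follows the `memset`, which is the uninitialized read the CID reported. If every caller validates `mode` beforehand (decode_fixed_vector starts outside the hunk, so that is not visible here), a comment stating the invariant, `/* mode is validated by the caller; unreachable */`, makes the choice of av_assert2 over an error path deliberate rather than an oversight. Otherwise returning after the `memset` in that branch would leave the release-build behaviour defined.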
--- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1198,8 +1198,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? s->chroma_x_shift : 0; int v_shift = i ? s->chroma_y_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); const uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; From 4eccabcc262ab282bd16984518a49b409a32921d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Apr 2024 00:47:31 +0200 Subject: [PATCH 113/562] avformat/concatdec: Check file Fixes: null pointer dereference Fixes: -stream_loop 1 -ss 00:00:05 -i zgclab/ffmpeg_crash/poc2 -codec:v copy -codec:a aac -y output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit a5d1497f33afa17b6a3578b66638e69bf8a558de) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b1d0de18f1..93cab01ce0 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -638,6 +638,11 @@ static int concat_parse_script(AVFormatContext *avf) } } + if (!file) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { if (file->inpoint > file->outpoint || file->outpoint - (uint64_t)file->inpoint > INT64_MAX) From c8a9e355146e8258a368be05f89ac8061c45be60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:08:14 +0200 Subject: [PATCH 114/562] doc/examples/demux_decode: Simplify loop Fixes: CID1463550 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 91d27f7e02e5bec4b6e53cc7a7f15df8be017bb3) 
Signed-off-by: Michael Niedermayer --- doc/examples/demux_decode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/demux_decode.c b/doc/examples/demux_decode.c index f26611d8f4..64f5547bc4 100644 --- a/doc/examples/demux_decode.c +++ b/doc/examples/demux_decode.c @@ -138,11 +138,9 @@ static int decode_packet(AVCodecContext *dec, const AVPacket *pkt) ret = output_audio_frame(frame); av_frame_unref(frame); - if (ret < 0) - return ret; } - return 0; + return ret; } static int open_codec_context(int *stream_idx, From 4d920afb825856a83f140ccc6b8f4bdb050e4cb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 18:33:24 +0200 Subject: [PATCH 115/562] tools/opt_common: Check for malloc failure Fixes: CID1539100 Negative loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ba7038043a46420bc86b060dbb13b956ea50ac03) Signed-off-by: Michael Niedermayer --- fftools/opt_common.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fftools/opt_common.c b/fftools/opt_common.c index 947a226d8d..9d2d5184a0 100644 --- a/fftools/opt_common.c +++ b/fftools/opt_common.c @@ -724,10 +724,13 @@ int show_codecs(void *optctx, const char *opt, const char *arg) return 0; } -static void print_codecs(int encoder) +static int print_codecs(int encoder) { const AVCodecDescriptor **codecs; - unsigned i, nb_codecs = get_codecs_sorted(&codecs); + int i, nb_codecs = get_codecs_sorted(&codecs); + + if (nb_codecs < 0) + return nb_codecs; printf("%s:\n" " V..... = Video\n" 
@@ -762,18 +765,17 @@ static void print_codecs(int encoder) } } av_free(codecs); + return 0; } int show_decoders(void *optctx, const char *opt, const char *arg) { - print_codecs(0); - return 0; + return print_codecs(0); } int show_encoders(void *optctx, const char *opt, const char *arg) { - print_codecs(1); - return 0; + return print_codecs(1); } int show_bsfs(void *optctx, const char *opt, const char *arg) From 44b0e6a99f1d3adba1c9d3a799ecd90fbff47076 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 01:10:50 +0200 Subject: [PATCH 116/562] fftools/ffplay: Check return of swr_alloc_set_opts2() This probably makes no difference but its more correct Fixes: CID1503080 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f44f44155533822922f6d2f24e5c53c14e432612) Signed-off-by: Michael Niedermayer --- fftools/ffplay.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index fcd1319ce7..69d0b09a6a 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2394,12 +2394,13 @@ static int audio_decode_frame(VideoState *is) av_channel_layout_compare(&af->frame->ch_layout, &is->audio_src.ch_layout) || af->frame->sample_rate != is->audio_src.freq || (wanted_nb_samples != af->frame->nb_samples && !is->swr_ctx)) { + int ret; swr_free(&is->swr_ctx); - swr_alloc_set_opts2(&is->swr_ctx, + ret = swr_alloc_set_opts2(&is->swr_ctx, &is->audio_tgt.ch_layout, is->audio_tgt.fmt, is->audio_tgt.freq, &af->frame->ch_layout, af->frame->format, af->frame->sample_rate, 0, NULL); - if (!is->swr_ctx || swr_init(is->swr_ctx) < 0) { + if (ret < 0 || swr_init(is->swr_ctx) < 0) { av_log(NULL, AV_LOG_ERROR, "Cannot create sample rate converter for conversion of %d Hz %s %d channels to %d Hz %s %d channels!\n", af->frame->sample_rate, av_get_sample_fmt_name(af->frame->format), af->frame->ch_layout.nb_channels, 
From 559dd6f68af7041268a4ac4bda4cbfc935f1740d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:44:33 +0200 Subject: [PATCH 117/562] avcodec/cbs_av1: Avoid shift overflow Fixes: CID1465488 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d7924a4f60f2088de1e6790345caba929eb97030) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 1d9ac5ab44..fb82996022 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -301,7 +301,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb return AVERROR(ENOSPC); if (len > 0) - put_bits(pbc, len, (1 << len) - 1 - (value != range_max)); + put_bits(pbc, len, (1U << len) - 1 - (value != range_max)); CBS_TRACE_WRITE_END_NO_SUBSCRIPTS(); From b9985f105ed5ca9dd049cff7ea9a31bdd2f8ccf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 118/562] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer --- libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/base64.c b/libavutil/base64.c index 3e66f4fcbe..69e11e6f5e 100644 --- a/libavutil/base64.c +++ b/libavutil/base64.c @@ -127,10 +127,12 @@ validity_check: } out3: - *dst++ = v >> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : out ? dst - out : 0; From 9eb6558fa91e2f3584769551dc396e189564f56d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 119/562] avutil/tests/base64: Check with too short output array 
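Review bot: `if (end - dst)` tests a pointer difference for non-zero, which reads as "dst != end" and would also pass if dst ever ran past end; `if (dst < end)` states the intended bound directly and matches what the commit title describes. With the guard in place a too-small output buffer now yields a silently shortened result, and the return expression `dst - out` reports that shortened length without an error, so the av_base64_decode documentation should say the caller must compare the return value against the expected size (or use the NULL-output sizing mode exercised in the test file) to detect truncation. av_base64_decode and the definition of `end` are outside the hunk.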
Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer --- libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From e94527f38fdb90f347b0206d2ccd94cfd5925b99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 120/562] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index 53f5c3d379..88ab37e761 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -281,8 +281,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Mon, 6 May 2024 03:17:26 +0200 Subject: [PATCH 121/562] avcodec/h264_slice: Remove dead sps check Fixes: CID1439574 Dereference after null check Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit a68aa951b21b8b7db0a5200bcfebc0a077a5f094) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index e9a404e41b..752735cc54 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1396,7 +1396,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } From 15de2a9b969086cec71cea96ae8ab3961d1c03d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 May 2024 01:00:17 +0200 Subject: [PATCH 122/562] avcodec/h2645_sei: Remove dead checks Fixes: CID1596534 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit fdaa6ae2b62de51ac0584b51feec7b2369799549) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_sei.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/h2645_sei.c b/libavcodec/h2645_sei.c index afc103b69c..3b58d22d6f 100644 --- a/libavcodec/h2645_sei.c +++ b/libavcodec/h2645_sei.c @@ -621,8 +621,7 @@ int ff_h2645_sei_to_frame(AVFrame *frame, H2645SEI *sei, if (!sd) av_buffer_unref(&a53->buf_ref); a53->buf_ref = NULL; - if (avctx) - avctx->properties |= FF_CODEC_PROPERTY_CLOSED_CAPTIONS; + avctx->properties |= FF_CODEC_PROPERTY_CLOSED_CAPTIONS; } for (unsigned i = 0; i < sei->unregistered.nb_buf_ref; i++) { @@ -718,8 +717,7 @@ FF_ENABLE_DEPRECATION_WARNINGS else fgc->present = fgc->persistence_flag; - if (avctx) - avctx->properties |= FF_CODEC_PROPERTY_FILM_GRAIN; + avctx->properties |= FF_CODEC_PROPERTY_FILM_GRAIN; } #if CONFIG_HEVC_SEI From 271c364eb59c867284b113a8226e3520047b8293 Mon Sep 17 00:00:00 2001 
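Review bot: Removing the `if (avctx)` guards turns a NULL `avctx` from a tolerated input into an immediate dereference at `avctx->properties |= ...` in both hunks; the rationale (the pointer is presumably dereferenced unconditionally earlier in the function) is not visible in the hunks themselves, so the contract should be made explicit where callers see it. A line in the ff_h2645_sei_to_frame declaration comment, `avctx must not be NULL`, documents the precondition the removed checks used to hint at. ff_h2645_sei_to_frame's body extends beyond both hunks.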
From: Michael Niedermayer Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 123/562] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5e26a541ca..a9e5afd17b 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From b01e6a7e0b961d44138bf683713563ac0fedac32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 21:51:42 +0200 Subject: [PATCH 124/562] avcodec/decode: decode_simple_internal() only implements audio and video Fixes: CID1538861 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e9bb586543d83fe0ed901834b853b6d64e327529) Signed-off-by: Michael Niedermayer --- libavcodec/decode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 34bcb7cc64..ac18544b2e 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -428,7 +428,8 @@ FF_ENABLE_DEPRECATION_WARNINGS } else if (avctx->codec->type == AVMEDIA_TYPE_AUDIO) { ret = !got_frame ? AVERROR(EAGAIN) : discard_samples(avctx, frame, discarded_samples); - } + } else + av_assert0(0); if (ret == AVERROR(EAGAIN)) av_frame_unref(frame); From 14bd2b4b87cef5016ded50be8cf059c5d7d22edd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 23:25:10 +0200 Subject: [PATCH 125/562] avcodec/exr: Fix preview overflow Fixes: CID1515456 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 36126e4c142e43cc703f4b8c535d388ac5e403a4) 
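Review bot: The new `} else av_assert0(0);` leaves the else branch unbraced while the preceding `else if` branch is braced, a mixed form that reads awkwardly in a multi-branch chain; writing it as `} else {` / `    av_assert0(0);` / `}` keeps the chain uniform. An av_assert0 aborts in every build, which is only acceptable if no other codec type can reach this path, so a short comment such as `/* decode_simple_internal() only handles audio and video */` records that assumption next to the abort. decode_simple_internal starts outside the hunk.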
Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e680f9b9e0..cf62953436 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1942,7 +1942,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - uint64_t psize = pw * ph; + uint64_t psize = pw * (uint64_t)ph; if (psize > INT64_MAX / 4) { ret = AVERROR_INVALIDDATA; goto fail; From 1e67935ab196aa0072cfd84e1e2d3c99be71940d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 02:05:56 +0200 Subject: [PATCH 126/562] avcodec/qsvdec: Check av_image_get_buffer_size() for failure Fixes: CID1477406 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 8789c550faf4587527faf0bd4f6c6c5c64a04ae2) Signed-off-by: Michael Niedermayer --- libavcodec/qsvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/qsvdec.c b/libavcodec/qsvdec.c index fd9267c6f4..bacb21afdf 100644 --- a/libavcodec/qsvdec.c +++ b/libavcodec/qsvdec.c @@ -378,9 +378,12 @@ static int qsv_decode_init_context(AVCodecContext *avctx, QSVContext *q, mfxVide q->frame_info = param->mfx.FrameInfo; - if (!avctx->hw_frames_ctx) - q->pool = av_buffer_pool_init(av_image_get_buffer_size(avctx->pix_fmt, - FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1), av_buffer_allocz); + if (!avctx->hw_frames_ctx) { + ret = av_image_get_buffer_size(avctx->pix_fmt, FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1); + if (ret < 0) + return ret; + q->pool = av_buffer_pool_init(ret, av_buffer_allocz); + } return 0; } From 8c5358c617efeb8ba303bfa9580bd70bbeff6307 Mon Sep 17 00:00:00 2001 
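Review bot: `av_buffer_pool_init()` returns NULL on allocation failure and the new block stores its result in `q->pool` without checking it, so the first use of the pool would dereference NULL; add `if (!q->pool) return AVERROR(ENOMEM);` after the assignment. The hunk also reuses `ret` to carry the buffer size, which is fine provided `ret` is declared as `int` earlier in qsv_decode_init_context (its declaration is outside the hunk).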
From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 127/562] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4d28be3656..72aaefbdb3 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -834,9 +834,6 @@ static int get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 7f05002e05e8c2809455f6e36557f9498c015e8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 03:06:46 +0200 Subject: [PATCH 128/562] avcodec/vp8: Forward return of ff_vpx_init_range_decoder() Fixes: CID1507483 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 63feed1519c5e38d6ce146f265c48592236e3abc) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index dd6c1b361b..3ebf1c2df9 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -354,9 +354,8 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) } s->coeff_partition_size[i] = buf_size; - ff_vpx_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - return 0; + return ff_vpx_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) From 3a0320e95a76e7ba6fe48a7e656b3b1d49cce1e9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 18 May 2024 03:16:08 +0200 Subject: [PATCH 129/562] avcodec/vp3: Replace check by assert Fixes: CID1452425 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1b991e77b9b19392214f6a788541bea5662de337) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 89946135dc..96b0b66005 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2007,8 +2007,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, From 68763d6a6ffc7bc561513469f43afb51047a4b09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 130/562] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index 7711bf1bb1..d27ab658dd 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -191,6 +191,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From b27c156c155887c2a0db6180162513d3a627e929 Mon Sep 17 00:00:00 2001 
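Review bot: Replacing the early return with `av_assert1()` relies on the condition being unreachable, but the hunk alone does not establish that: `x_offset` and `y_offset` are `(-(v + 2) & 7) + 2`, i.e. in the range 2..9, so `x_offset > 8 + x_subpel` is satisfiable whenever `x_subpel` is 0, and likewise for y. Whether both can hold at once depends on how `x_subpel`/`y_subpel` relate to `x` and `y` above the hunk; since `av_assert1` compiles to nothing at the default assert level and the old defensive return is gone, the reason should sit next to the assert, e.g. `/* both offsets cannot exceed 8 + subpel at once: see derivation of x_subpel/y_subpel above */`. vp4_mc_loop_filter starts before the hunk.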
From: Michael Niedermayer Date: Sun, 19 May 2024 01:21:37 +0200 Subject: [PATCH 131/562] avcodec/vvc/dec: Check init_get_bits8() for failure Fixes: CID1560042 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Nuo Mi Signed-off-by: Michael Niedermayer (cherry picked from commit 4a8506c794d92744514aac26ac9a1b898a7401ab) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvcdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vvc/vvcdec.c b/libavcodec/vvc/vvcdec.c index 2f8b84f63b..c29d59a330 100644 --- a/libavcodec/vvc/vvcdec.c +++ b/libavcodec/vvc/vvcdec.c @@ -511,6 +511,7 @@ static int slice_init_entry_points(SliceContext *sc, int nb_eps = sh->r->num_entry_points + 1; int ctu_addr = 0; GetBitContext gb; + int ret; if (sc->nb_eps != nb_eps) { eps_free(sc); @@ -520,7 +521,9 @@ static int slice_init_entry_points(SliceContext *sc, sc->nb_eps = nb_eps; } - init_get_bits8(&gb, slice->data, slice->data_size); + ret = init_get_bits8(&gb, slice->data, slice->data_size); + if (ret < 0) + return ret; for (int i = 0; i < sc->nb_eps; i++) { EntryPoint *ep = sc->eps + i; From c250e3b101d91e86681796941ef0eb2ad75148f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 00:47:11 +0200 Subject: [PATCH 132/562] avcodec/vqcdec: Check init_get_bits8() for failure Fixes: CID1516090 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 6a9302739f5b20791eac7f40d9d999f822227fd1) Signed-off-by: Michael Niedermayer --- libavcodec/vqcdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vqcdec.c b/libavcodec/vqcdec.c index dc9248d99f..dbcaba7b23 100644 --- a/libavcodec/vqcdec.c +++ b/libavcodec/vqcdec.c 
@@ -146,10 +146,13 @@ static int decode_vectors(VqcContext * s, const uint8_t * buf, int size, int wid GetBitContext gb; uint8_t * vectors = s->vectors; uint8_t * vectors_end = s->vectors + (width * height * 3) / 2; + int ret; memset(vectors, 0, 3 * width * height / 2); - init_get_bits8(&gb, buf, size); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; for (int i = 0; i < 3 * width * height / 2 / 32; i++) { uint8_t * dst = vectors; From 39da4ac79b3446d4ce0878b9eee5416b90655fcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 21:04:00 +0200 Subject: [PATCH 133/562] avcodec/mpeg12dec: Use 64bit in bit computation I dont think this can actually overflow but 64bit seems reasonable to use Fixes: CID1521983 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c725df059dd9a5f2071e204924105b3ceb74cbc) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 4ad1eb6572..d05d6355e0 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2733,7 +2733,7 @@ static int ipu_decode_frame(AVCodecContext *avctx, AVFrame *frame, int ret; // Check for minimal intra MB size (considering mb header, luma & chroma dc VLC, ac EOB VLC) - if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6)) + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2LL + 3*4 + 2*2 + 2*6)) return AVERROR_INVALIDDATA; ret = ff_get_buffer(avctx, frame, 0); From b4fdbbe6aa805d867258e5fadc1b8682b0a65d4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 134/562] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 07de5d6d91..04a9ae504e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -597,6 +597,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From 435b74c6a5d4e457d9526aa21e7a6e68926bf52c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 135/562] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9d048e3dec..c4c174a02e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1433,7 +1433,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1442,7 +1442,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From a49a8dc0d69b916b856f57e9fb48aef1b4243751 Mon Sep 17 00:00:00 2001 
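Review bot: The added `default: av_assert0(0);` turns an unexpected switch value into a process abort, and the hunk does not show which value is switched on or where it is range-checked; if it is the bitstream-derived sprite warping point count, the assert is only safe because of a check elsewhere in mpeg4_decode_sprite_trajectory or the VOL header parser (both outside the hunk). A one-line comment pointing at that check, e.g. `default: av_assert0(0); /* count is range-checked when the VOL header is parsed */`, would make the reliance explicit; if no such check exists, `return AVERROR_INVALIDDATA;` is the right shape for decoder input rather than an abort.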
From: Michael Niedermayer Date: Sun, 12 May 2024 00:43:48 +0200 Subject: [PATCH 136/562] avcodec/mscc & mwsc: Check loop counts before use This could cause timeouts Fixes: CID1439568 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e35fe3d8b9e345527a05b1ae958ac851fe09f1ed) Signed-off-by: Michael Niedermayer --- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index d1d23e6751..e467b48baf 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -53,6 +53,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); @@ -101,6 +104,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index f8c53c33ff..a7e8702580 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; 
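Review bot: The new guard in mwsc.c compares `run` against `bytestream2_tell_p(pb) + width - w`, i.e. the current output position plus the remainder of the row, which is not obviously the space left in the output; `bytestream2_get_bytes_left_p(pb)` is the direct bound if the intent is to refuse a run that cannot fit. If the intent is only to cap the loop count (the commit describes a timeout), a comment saying so would help, and since `run` comes from `bytestream2_get_le32()` while the left-hand side is int arithmetic, an explicit cast would make the signed/unsigned comparison deliberate. rle_uncompress starts before the hunk and continues after it.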
@@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; From 1a6995c6d687666eefbedaaf040eeec5c754664f Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 18 May 2024 16:50:55 -0300 Subject: [PATCH 137/562] avformat/vvc: initialize some ptl flags Signed-off-by: James Almer (cherry picked from commit 3bd7e3a336822c75865930f7fafb36d1a1c4c3c3) --- libavformat/vvc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vvc.c b/libavformat/vvc.c index b1b519c92c..20be4bd8b8 100644 --- a/libavformat/vvc.c +++ b/libavformat/vvc.c @@ -586,6 +586,8 @@ static void vvcc_init(VVCDecoderConfigurationRecord *vvcc) { memset(vvcc, 0, sizeof(VVCDecoderConfigurationRecord)); vvcc->lengthSizeMinusOne = 3; // 4 bytes + vvcc->ptl.ptl_frame_only_constraint_flag = + vvcc->ptl.ptl_multilayer_enabled_flag = 1; } static void vvcc_close(VVCDecoderConfigurationRecord *vvcc) From 85d4df387347d63aee95e14a60cd9efa14e3c9d5 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 19 May 2024 10:21:14 -0300 Subject: [PATCH 138/562] avformat/vvc: fix parsing sps_subpic_id The length of the sps_subpic_id[i] syntax element is sps_subpic_id_len_minus1 + 1 bits. Signed-off-by: James Almer (cherry picked from commit 2d84ee374528a8a8eed345a8147e146a0112e43a) --- libavformat/vvc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/vvc.c b/libavformat/vvc.c index 20be4bd8b8..d5b3237aeb 100644 --- a/libavformat/vvc.c +++ b/libavformat/vvc.c 
@@ -392,6 +392,7 @@ static int vvcc_parse_sps(GetBitContext *gb, const int tmp_height_val = AV_CEIL_RSHIFT(sps_pic_height_max_in_luma_samples, ctb_log2_size_y); const int wlen = av_ceil_log2(tmp_width_val); const int hlen = av_ceil_log2(tmp_height_val); + unsigned int sps_subpic_id_len; if (sps_num_subpics_minus1 > 0) { // sps_num_subpics_minus1 sps_independent_subpics_flag = get_bits1(gb); sps_subpic_same_size_flag = get_bits1(gb); @@ -411,11 +412,11 @@ static int vvcc_parse_sps(GetBitContext *gb, skip_bits(gb, 2); // sps_subpic_treated_as_pic_flag && sps_loop_filter_across_subpic_enabled_flag } } - get_ue_golomb_long(gb); // sps_subpic_id_len_minus1 + sps_subpic_id_len = get_ue_golomb_long(gb) + 1; if (get_bits1(gb)) { // sps_subpic_id_mapping_explicitly_signalled_flag if (get_bits1(gb)) // sps_subpic_id_mapping_present_flag for (int i = 0; i <= sps_num_subpics_minus1; i++) { - skip_bits1(gb); // sps_subpic_id[i] + skip_bits_long(gb, sps_subpic_id_len); // sps_subpic_id[i] } } } From 17674b150f69e87c15796e014feba069290abf39 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 19 May 2024 22:38:21 -0300 Subject: [PATCH 139/562] avformat/mov: store sample_sizes as unsigned ints As defined in Section 8.7.3.2.1 of ISO 14496-12. Any unsupported value will be rejected in mov_build_index() without outright aborting demuxing. Fixes ticket #11005. Signed-off-by: James Almer (cherry picked from commit 3146b77a7d314f55b8ec5d8ce6fda2c5db049a27) --- libavformat/isom.h | 2 +- libavformat/mov.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 07f09d6eff..c0a5788e08 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h 
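Review bot: `sps_subpic_id_len` is taken straight from `get_ue_golomb_long()` with no range check, but the VVC spec constrains sps_subpic_id_len_minus1 to 0..15, so a malformed SPS can now pass an arbitrary bit count to `skip_bits_long()` once per subpicture. Rejecting it keeps the parser from walking off the end of the bit reader on corrupt input: `if (sps_subpic_id_len > 16) return AVERROR_INVALIDDATA;` immediately after the assignment. vvcc_parse_sps continues past the hunk.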
@@ -193,7 +193,7 @@ typedef struct MOVStreamContext { unsigned int sample_size; ///< may contain value calculated from stsd or value from stsz atom unsigned int stsz_sample_size; ///< always contains sample size from stsz atom unsigned int sample_count; - int *sample_sizes; + unsigned int *sample_sizes; int keyframe_absent; unsigned int keyframe_count; int *keyframes; diff --git a/libavformat/mov.c b/libavformat/mov.c index 6e3178f7c8..c2538a9681 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3305,9 +3305,9 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); - if (sc->sample_sizes[i] < 0) { + if (sc->sample_sizes[i] > INT64_MAX - sc->data_size) { av_free(buf); - av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + av_log(c->fc, AV_LOG_ERROR, "Sample size overflow in STSZ\n"); return AVERROR_INVALIDDATA; } sc->data_size += sc->sample_sizes[i]; From 7050b247b28a117c099da3198a5d5dd64b4a23a4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 27 Apr 2024 12:24:05 +0200 Subject: [PATCH 140/562] avcodec/vp8: Return error on error Regression since e1ba00ac8f755f37ebc8448d3dbea906d7b79da2. Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67c7c44c7956c4ecde0d36652f3d34bca13bffdb) --- libavcodec/vp8.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3ebf1c2df9..a9f519d7b8 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
@@ -106,8 +106,11 @@ static int vp8_alloc_frame(VP8Context *s, VP8Frame *f, int ref) if ((ret = ff_thread_get_ext_buffer(s->avctx, &f->tf, ref ? AV_GET_BUFFER_FLAG_REF : 0)) < 0) return ret; - if (!(f->seg_map = ff_refstruct_allocz(s->mb_width * s->mb_height))) + f->seg_map = ff_refstruct_allocz(s->mb_width * s->mb_height); + if (!f->seg_map) { + ret = AVERROR(ENOMEM); goto fail; + } ret = ff_hwaccel_frame_priv_alloc(s->avctx, &f->hwaccel_picture_private); if (ret < 0) goto fail; From a08da68e0a38a2eefb0b858227573aeceb756631 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 2 May 2024 23:23:17 +0200 Subject: [PATCH 141/562] avformat/movenc: Check av_malloc() Fixes Coverity issue #1596735. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 601873263e618e2dc2b615ae95e605575171ee30) --- libavformat/movenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index e40948edb8..e6a815107b 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1222,6 +1222,8 @@ static int mov_write_chnl_tag(AVFormatContext *s, AVIOContext *pb, MOVTrack *tra if (ret || !config) { config = 0; speaker_pos = av_malloc(layout->nb_channels); + if (!speaker_pos) + return AVERROR(ENOMEM); ret = ff_mov_get_channel_positions_from_layout(layout, speaker_pos, layout->nb_channels); if (ret) { From 2bfcc11f51455a64c2248c01a5374c64606351ab Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 9 May 2024 15:09:41 +0200 Subject: [PATCH 142/562] avcodec/adts_parser: Don't presume buffer to be padded The documentation of av_adts_header_parse() does not require the buffer to be padded at all. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6c812a80ddfadb3e69018971a2e92ace5326db36) --- libavcodec/adts_parser.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/adts_parser.c b/libavcodec/adts_parser.c index f2e155fc99..28ad5ef5eb 100644 
--- a/libavcodec/adts_parser.c +++ b/libavcodec/adts_parser.c @@ -27,9 +27,14 @@ int av_adts_header_parse(const uint8_t *buf, uint32_t *samples, uint8_t *frames) { #if CONFIG_ADTS_HEADER + uint8_t tmpbuf[AV_AAC_ADTS_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; GetBitContext gb; AACADTSHeaderInfo hdr; - int err = init_get_bits8(&gb, buf, AV_AAC_ADTS_HEADER_SIZE); + int err; + if (!buf) + return AVERROR(EINVAL); + memcpy(tmpbuf, buf, AV_AAC_ADTS_HEADER_SIZE); + err = init_get_bits8(&gb, tmpbuf, AV_AAC_ADTS_HEADER_SIZE); if (err < 0) return err; err = ff_adts_header_parse(&gb, &hdr); From 45765b7c2efa9f0dce5dced4ac8ce5a6ec981751 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 17 May 2024 20:12:18 +0200 Subject: [PATCH 143/562] avformat/flacdec: Reorder allocations to avoid leak on error Fixes Coverity issue #1591795. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b50c5d02900363c17560cf79e2af0ca3073ee81a) --- libavformat/flacdec.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 4ce6251137..5fe835cd05 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -282,12 +282,6 @@ static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_inde if (avio_seek(s->pb, *ppos, SEEK_SET) < 0) return AV_NOPTS_VALUE; - parser = av_parser_init(st->codecpar->codec_id); - if (!parser){ - return AV_NOPTS_VALUE; - } - parser->flags |= PARSER_FLAG_USE_CODEC_TS; - if (!flac->parser_dec) { flac->parser_dec = avcodec_alloc_context3(NULL); if (!flac->parser_dec) @@ -298,6 +292,11 @@ static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_inde return ret; } + parser = av_parser_init(st->codecpar->codec_id); + if (!parser) + return AV_NOPTS_VALUE; + parser->flags |= PARSER_FLAG_USE_CODEC_TS; + for (;;){ uint8_t *data; int size; From 2d514f5d481af7822bac58464d832eca73e9c4d3 Mon Sep 17 00:00:00 2001 
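Review bot: The `AV_INPUT_BUFFER_PADDING_SIZE` tail of `tmpbuf` is left uninitialized: the memcpy fills only the first `AV_AAC_ADTS_HEADER_SIZE` bytes, and the padding exists precisely because the bit reader may read past the header, so those reads now see stack garbage (MSan/Valgrind will report it, and the input-buffer padding convention is zeroed bytes). Add `memset(tmpbuf + AV_AAC_ADTS_HEADER_SIZE, 0, AV_INPUT_BUFFER_PADDING_SIZE);` after the memcpy, or declare `tmpbuf` with `= { 0 }`. The new NULL check on `buf` is public-API behaviour and deserves a line in the av_adts_header_parse() doc comment.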
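Review bot: The `return ret;` kept as context just above the moved `av_parser_init()` returns an AVERROR code from flac_read_timestamp(), whose other failure paths in the hunk return `AV_NOPTS_VALUE`; a caller testing for `AV_NOPTS_VALUE` would take that negative error code for a timestamp. This is pre-existing rather than introduced here, but since the commit already reshuffles this error path, `return AV_NOPTS_VALUE;` there would make the function consistent. The function starts before the hunk and its `for (;;)` loop runs past it.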
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Fri, 24 May 2024 20:17:10 +0300 Subject: [PATCH 144/562] lavc/flacdsp: do not assume maximum R-V VL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This loop correctly assumes that VLMAX=16 (4x128-bit vectors with 32-bit elements) and 32 >= pred_order > 16. We need to alternate between VL=16 and VL=t2=pred_order-16 elements to add up to pred_order. The current code requests AVL=a2=pred_order elements. In QEMU and on thte K230 hardware, this sets VL=16 as we need. But the specification merely guarantees that we get: ceil(AVL / 2) <= VL <= VLMAX. For instance, if pred_order equals 27, we could end up with VL=14 or VL=15 instead of VL=16. So instead, request literally VLMAX=16. (cherry picked from commit f8837465875205207bd281ecad9e4b9a12638c7e) Signed-off-by: Rémi Denis-Courmont --- libavcodec/riscv/flacdsp_rvv.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/riscv/flacdsp_rvv.S b/libavcodec/riscv/flacdsp_rvv.S index 2a0b50f7a9..5eb3c5bd55 100644 --- a/libavcodec/riscv/flacdsp_rvv.S +++ b/libavcodec/riscv/flacdsp_rvv.S @@ -55,11 +55,11 @@ func ff_flac_lpc32_rvv, zve32x vle32.v v16, (a0) sh2add a0, a2, a0 1: - vsetvli zero, a2, e32, m4, ta, ma + vsetvli t1, zero, e32, m4, ta, ma vwmul.vv v24, v8, v16 vsetvli zero, t2, e32, m4, tu, ma vwmacc.vv v24, v12, v20 - vsetvli zero, a2, e64, m8, ta, ma + vsetvli t1, zero, e64, m8, ta, ma vredsum.vs v24, v24, v0 lw t0, (a0) addi a4, a4, -1 From af25a4bfd2503caf3ee485b27b99b620302f5718 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 May 2024 22:02:18 +0200 Subject: [PATCH 145/562] Update for FFmpeg 7.0.1 release Signed-off-by: Michael Niedermayer --- Changelog | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 98 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 58b5a45b29..16320d2fe5 100644 --- a/Changelog 
+++ b/Changelog 
@@ -1,6 +1,102 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 7.0.1: + lavc/flacdsp: do not assume maximum R-V VL + avformat/flacdec: Reorder allocations to avoid leak on error + avcodec/adts_parser: Don't presume buffer to be padded + avformat/movenc: Check av_malloc() + avcodec/vp8: Return error on error + avformat/mov: store sample_sizes as unsigned ints + avformat/vvc: fix parsing sps_subpic_id + avformat/vvc: initialize some ptl flags + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/mpeg12dec: Use 64bit in bit computation + avcodec/vqcdec: Check init_get_bits8() for failure + avcodec/vvc/dec: Check init_get_bits8() for failure + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/vp8: Forward return of ff_vpx_init_range_decoder() + avcodec/jpeg2000dec: remove ST=3 case + avcodec/qsvdec: Check av_image_get_buffer_size() for failure + avcodec/exr: Fix preview overflow + avcodec/decode: decode_simple_internal() only implements audio and video + avcodec/fmvc: remove dead assignment + avcodec/h2645_sei: Remove dead checks + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift overflow + fftools/ffplay: Check return of swr_alloc_set_opts2() + tools/opt_common: Check for malloc failure + doc/examples/demux_decode: Simplify loop + avformat/concatdec: Check file + avcodec/mpegvideo_enc: Fix 1 line and one column images + avcodec/amrwbdec: assert mode to be valid in decode_fixed_vector() + avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 + swscale/output: Fix integer overflow in 
yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avcodec/av1dec: Change bit_depth to int + avcodec/av1dec: bit_depth cannot be another values than 8,10,12 + avcodec/avs3_parser: assert the return value of init_get_bits() + avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 + avfilter/avfiltergraph: return value of ff_request_frame() is unused + avformat/mxfdec: Check body_offset + avformat/kvag: Check sample_rate + avcodec/atrac9dec: Check init_get_bits8() for failure + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/pngdec: Check last AVFrame before deref + avcodec/hevcdec: Check ref frame + doc/examples/qsv_transcode: Initialize pointer before free + doc/examples/qsv_transcode: Simplify str_to_dict() loop + doc/examples/vaapi_transcode: Simplify loop + doc/examples/qsv_transcode: Simplify loop + avcodec/cbs_h2645: Check NAL space + avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash + avformat/mp3dec: change bogus error message if read_header encounters EOF + avformat/mp3dec: simplify inner frame size check in mp3_read_header + avformat/mp3dec: only call ffio_ensure_seekback once + avcodec/cbs_h266: read vps_ptl_max_tid before using it + avcodec/cbs_h266: fix sh_collocated_from_l0_flag and sh_collocated_ref_idx infer + avformat/vvc: fix parsing some early VPS bitstream values + avformat/vvc: fix writing general_constraint_info bytes + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + vulkan_av1: Fix force_integer_mv value + vaapi_av1: Fix force_integer_mv value + av1dec: Add force_integer_mv derived field for decoder use + avutil/iamf: fix offsets for mix_gain options + avformat/iamfdec: 
check nb_streams in header read + avformat/mov: free the infe allocated item data on failure + avformat/iamf_writer: reject duplicated stream ids in a stream group + avformat/mov: don't read key_size bytes twice in the keys atom + avformat/mov: take into account the first eight bytes in the keys atom + avformat/mov: fix the check for the heif item parsing loop + avutil/iamf: fix mix_gain_class name + av1dec: Fix RefFrameSignBias calculation + avcodec/codec_par: always clear extradata_size in avcodec_parameters_to_context() + avcodec/mediacodecenc: Fix return empty packet when bsf is used + avcodec/hevcdec: Fix precedence, bogus film grain warning + avcodec/hevcdec: fix segfault on invalid film grain metadata + lavc/vvc: Skip enhancement layer NAL units + avformat/mov: ignore old infe box versions + vulkan_av1: add workaround for NVIDIA drivers tested on broken CTS + lavc/vulkan_av1: Use av1dec reference order hint information + lavc/av1: Record reference ordering information for each frame + doc/encoders: add missing libxvid option + doc/encoders: remove non-existent flag + fate/ffmpeg: Avoid dependency on samples + avcodec/wavpack: Remove always-false check + avcodec/wavpack: Fix leak and segfault on reallocation error + avcodec/lossless_videoencdsp: Don't presume alignment in diff_bytes + avcodec/ppc/h264dsp: Fix left shifts of negative numbers + version 7.0: - DXV DXT1 encoder - LEAD MCMP decoder diff --git a/RELEASE b/RELEASE index 4fedf1d20e..9fe9ff9d99 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -7.0 +7.0.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3c40cb8c08..509241be17 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 7.0 +PROJECT_NUMBER = 7.0.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 58ac1f9ea800699fb4ee3aafbd52208103fc405b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sat, 25 May 2024 21:09:26 +0300 Subject: [PATCH 146/562] lavc/sbrdsp: fix potential overflow in noise table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the SBR noise application optimisations are currently restricted to hardware with 128-bit vectors, and use a quadruple multiplier, they can load up to 16 32-bit elements. But the "loads" are of 2 segments, or 16 pairs of single precision float. Thus we need to expand the duplicated section of the noise table from 2x8 to 2x16 to avoid overflows. (cherry picked from commit e6b38c944f0ed1f28f78fcf0055708c7d208db07) Signed-off-by: Rémi Denis-Courmont --- libavcodec/sbrdsp_template.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index c1e583ea56..75cf3dbdfc 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c 
@@ -373,4 +373,10 @@ const attribute_visibility_hidden DECLARE_ALIGNED(16, INTFLOAT, AAC_RENAME(ff_sb {Q31( 0.14130051758487f), Q31(-0.95090983575689f)}, {Q31(-0.47005496701697f), Q31(-0.37340549728647f)}, {Q31( 0.80705063769351f), Q31( 0.29653668284408f)}, {Q31(-0.38981478896926f), Q31( 0.89572605717087f)}, {Q31(-0.01053049862020f), Q31(-0.66959058036166f)}, {Q31(-0.91266367957293f), Q31(-0.11522938140034f)}, +#if ARCH_RISCV +{Q31( 0.54840422910309f), Q31( 0.75221367176302f)}, {Q31( 0.40009252867955f), Q31(-0.98929400334421f)}, +{Q31(-0.99867974711855f), Q31(-0.88147068645358f)}, {Q31(-0.95531076805040f), Q31( 0.90908757154593f)}, +{Q31(-0.45725933317144f), Q31(-0.56716323646760f)}, {Q31(-0.72929675029275f), Q31(-0.98008272727324f)}, +{Q31( 0.75622801399036f), Q31( 0.20950329995549f)}, {Q31( 0.07069442601050f), Q31(-0.78247898470706f)}, +#endif }; From f42c35b7c9c9a90cf0695343fc6c394a660ca19c Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 19:55:30 -0400 Subject: [PATCH 147/562] configure: enable ffnvcodec, nvenc, nvdec for FreeBSD Signed-off-by: Brad Smith (cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 4f5353f84b..86425130bd 100755 --- a/configure +++ b/configure @@ -7311,7 +7311,7 @@ fi if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc From 180021357559bedbe5e4ab4bace5a130d0e0a852 Mon Sep 17 00:00:00 2001 
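Review bot: The eight rows added under `#if ARCH_RISCV` carry no comment stating the invariant they protect, so anyone trimming the table or porting the noise kernels to another vector ISA cannot see from the code that the RISC-V loads may read up to 16 pairs beyond the nominal end of the table; that reasoning lives only in the commit message. A comment at the guard such as `/* RISC-V SBR noise kernels load up to 16 pairs per iteration and may run past the table end: keep this duplicated tail at least 16 pairs long */` would keep the constraint next to the data it constrains. Tying the extra rows to `ARCH_RISCV` also gives the table two different lengths depending on the build; if the declaration in the header spells out a row count, it should be confirmed to agree with both, which I cannot see from this hunk. The start of the table is outside the hunk.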
From: llyyr Date: Thu, 23 May 2024 14:07:51 +0530 Subject: [PATCH 148/562] lavc/vp9: reset segmentation fields when segmentation isn't enabled Fields under the segmentation switch are never reset on a new frame, and retain the value from the previous frame. This bugs out a bunch of hwaccel drivers when segmentation is disabled but update_map isn't reset because they don't ignore values behind switches. This commit also resets the temporal field, though it may not be required. We also do this for vp8 [1] so this commit is just mirroring the vp8 logic. This fixes an issue with certain samples [2] that causes blocky artifacts with vaapi, d3d11va and cuda (and possibly others). Mesa worked around [3] this by ignoring these fields if segmentation.enabled is 0, but d3d11va still displays blocky artifacts. [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/2e877090f958131accb8c7e5ac10e5b9865d1735:/libavcodec/vp8.c#l797 [2] https://github.com/mpv-player/mpv/issues/13533 [3] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27816 Signed-off-by: llyyr --- libavcodec/vp9.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 855936cdc1..4cc5281303 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -717,6 +717,12 @@ static int decode_frame_header(AVCodecContext *avctx, s->s.h.segmentation.feat[i].skip_enabled = get_bits1(&s->gb); } } + } else { + // Reset fields under segmentation switch if segmentation is disabled. + // This is necessary because some hwaccels don't ignore these fields + // if segmentation is disabled. + s->s.h.segmentation.temporal = 0; + s->s.h.segmentation.update_map = 0; } // set qmul[] based on Y/UV, AC/DC and segmentation Q idx deltas From 449cab7b16381ed80240297d92221d4add423c3f Mon Sep 17 00:00:00 2001 
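Review bot: The new `else` branch clears only `temporal` and `update_map`, while the other fields written inside the enabled branch (`update_data`, `absolute_vals` and the per-segment `feat[]` entries) keep whatever the previous frame set, so a hwaccel that reads any of those without first checking `enabled` would still see stale values. If, as the commit message suggests, mirroring vp8 is the intent and only these two fields are consumed by the affected drivers, the comment should say so explicitly, e.g. append `// Other segmentation fields are left as-is; hwaccels consume only these two when disabled.` so the partial reset does not look accidental. decode_frame_header starts before and ends after this hunk.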
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Mon, 27 May 2024 18:43:36 +0300 Subject: [PATCH 149/562] lavc/lpc: fix off-by-one in R-V V compute_autocorr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (cherry picked from commit af20fb9c4eb81383d4ef558d20af317e93b5acc8) Signed-off-by: Rémi Denis-Courmont --- libavcodec/riscv/lpc_init.c | 2 +- libavcodec/riscv/lpc_rvv.S | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/riscv/lpc_init.c b/libavcodec/riscv/lpc_init.c index ab91956f2d..08efae4da7 100644 --- a/libavcodec/riscv/lpc_init.c +++ b/libavcodec/riscv/lpc_init.c @@ -36,7 +36,7 @@ av_cold void ff_lpc_init_riscv(LPCContext *c) if ((flags & AV_CPU_FLAG_RVV_F64) && (flags & AV_CPU_FLAG_RVB_ADDR)) { c->lpc_apply_welch_window = ff_lpc_apply_welch_window_rvv; - if (ff_get_rv_vlenb() >= c->max_order) + if (ff_get_rv_vlenb() > c->max_order) c->lpc_compute_autocorr = ff_lpc_compute_autocorr_rvv; } #endif diff --git a/libavcodec/riscv/lpc_rvv.S b/libavcodec/riscv/lpc_rvv.S index d4ea515fee..3fdf80ebed 100644 --- a/libavcodec/riscv/lpc_rvv.S +++ b/libavcodec/riscv/lpc_rvv.S @@ -87,6 +87,7 @@ func ff_lpc_apply_welch_window_rvv, zve64d endfunc func ff_lpc_compute_autocorr_rvv, zve64d + addi a2, a2, 1 li t0, 1 vsetvli zero, a2, e64, m8, ta, ma fcvt.d.l ft0, t0 From edc7b57e26372e7bc3f6c2f03408b6e4f94a9ddc Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Thu, 23 May 2024 23:13:38 +0800 Subject: [PATCH 150/562] avcodec/mediacodecenc: workaround the alignment requirement only for H.264 There is no bsf for other codecs to modify crop info except H.265. For H.265, the assumption that FFALIGN(width, 16)xFFALIGN(height, 16) is the video resolution can be wrong, since the encoder can use CTU larger than 16x16. In that case, use FFALIGN(width, 16) - width as crop_right is incorrect. So disable the workaround for H.265 now. 
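Review bot: The change from `>=` to `>` in `if (ff_get_rv_vlenb() > c->max_order)` fixes the off-by-one but leaves the requirement undocumented, and it is only understandable together with the `addi a2, a2, 1` added to ff_lpc_compute_autocorr_rvv in lpc_rvv.S: the kernel appears to set vl to max_order + 1 elements of 64 bits under `m8`, a group that holds exactly VLENB doubles, so VLENB must be at least max_order + 1. A comment at the condition, `/* the RVV autocorr kernel processes max_order + 1 lags in one e64/m8 group, which holds VLENB elements */`, would spare the next reader the cross-file derivation. ff_lpc_init_riscv begins before the hunk.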
Signed-off-by: Zhao Zhili --- libavcodec/mediacodecenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mediacodecenc.c b/libavcodec/mediacodecenc.c index fcb84ef0ac..a898e335b5 100644 --- a/libavcodec/mediacodecenc.c +++ b/libavcodec/mediacodecenc.c @@ -200,7 +200,8 @@ static av_cold int mediacodec_init(AVCodecContext *avctx) ff_AMediaFormat_setString(format, "mime", codec_mime); // Workaround the alignment requirement of mediacodec. We can't do it // silently for AV_PIX_FMT_MEDIACODEC. - if (avctx->pix_fmt != AV_PIX_FMT_MEDIACODEC) { + if (avctx->pix_fmt != AV_PIX_FMT_MEDIACODEC && + avctx->codec_id == AV_CODEC_ID_H264) { s->width = FFALIGN(avctx->width, 16); s->height = FFALIGN(avctx->height, 16); } else { From f0b747ef1a9b9bfd0942a6d459f642b4b993b378 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Thu, 23 May 2024 23:13:39 +0800 Subject: [PATCH 151/562] avcodec/mediacodecenc: workaround the alignment requirement for H.265 Signed-off-by: Zhao Zhili --- libavcodec/mediacodecenc.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/mediacodecenc.c b/libavcodec/mediacodecenc.c index a898e335b5..d3bf27cb7f 100644 --- a/libavcodec/mediacodecenc.c +++ b/libavcodec/mediacodecenc.c 
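Review bot: The comment above the condition still reads only "Workaround the alignment requirement of mediacodec", but the added `avctx->codec_id == AV_CODEC_ID_H264` test now silently skips the workaround for every other codec, and the reason (only H.264 has a bsf that rewrites the crop information, and for HEVC the 16-pixel assumption can be wrong because the encoder may use a larger CTU) is stated only in the commit message. Suggest extending the comment with `// Only H.264 has a bsf that fixes up the crop info; other codecs keep the original size.` so the other codecs are not re-added by accident later. mediacodec_init continues outside the hunk.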
@@ -201,9 +201,18 @@ static av_cold int mediacodec_init(AVCodecContext *avctx) // Workaround the alignment requirement of mediacodec. We can't do it // silently for AV_PIX_FMT_MEDIACODEC. if (avctx->pix_fmt != AV_PIX_FMT_MEDIACODEC && - avctx->codec_id == AV_CODEC_ID_H264) { + (avctx->codec_id == AV_CODEC_ID_H264 || + avctx->codec_id == AV_CODEC_ID_HEVC)) { s->width = FFALIGN(avctx->width, 16); s->height = FFALIGN(avctx->height, 16); + // If avctx video size is aligned to 16 already, we don't need to do + // anything. If align is needed for HEVC, we should use the maximum CTU + // size. + if (avctx->codec_id == AV_CODEC_ID_HEVC && + (s->width != avctx->width || s->height != avctx->height)) { + s->width = FFALIGN(avctx->width, 64); + s->height = FFALIGN(avctx->height, 64); + } } else { s->width = avctx->width; s->height = avctx->height; From 647e9834506dd77bda069b82200e7392cb7fec3f Mon Sep 17 00:00:00 2001 From: oltolm Date: Fri, 17 May 2024 21:10:49 +0200 Subject: [PATCH 152/562] avutil/hwcontext_qsv: fix GCC 14.1 warnings Tested-by: Tong Wu Signed-off-by: oltolm (cherry picked from commit 45d31614bcc54c5ccbaabf07e7336ac477e2b424) --- libavutil/hwcontext_qsv.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c index c7c7878644..50cf69327d 100644 --- a/libavutil/hwcontext_qsv.c +++ b/libavutil/hwcontext_qsv.c @@ -36,6 +36,7 @@ #include "hwcontext_d3d11va.h" #endif #if CONFIG_DXVA2 +#include #include "hwcontext_dxva2.h" #endif @@ -753,9 +754,11 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) #if CONFIG_DXVA2 mfxStatus sts; IDirect3DDeviceManager9* devmgr = handle; - IDirect3DDevice9Ex *device = NULL; + IDirect3DDevice9 *device = NULL; + IDirect3DDevice9Ex *device_ex = NULL; HANDLE device_handle = 0; IDirect3D9Ex *d3d9ex = NULL; + IDirect3D9 *d3d9 = NULL; LUID luid; D3DDEVICE_CREATION_PARAMETERS params; HRESULT hr; 
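Review bot: The HEVC fallback aligns both `s->width` and `s->height` to 64 as soon as either dimension is not 16-aligned, so a dimension that already was 16-aligned gets padded further than necessary (a 16-aligned height is still pushed to the next multiple of 64 when only the width needed padding). If the HEVC bsf can handle each crop edge independently, aligning per dimension keeps the padding minimal: `if (avctx->codec_id == AV_CODEC_ID_HEVC && s->width != avctx->width) s->width = FFALIGN(avctx->width, 64);` and the same for the height. The literals 16 and 64 are now load-bearing in several places and would read better as named constants (e.g. a `HEVC_MAX_CTU_SIZE` define; name constructed here). mediacodec_init continues outside the hunk.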
@@ -773,18 +776,31 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) IDirect3DDeviceManager9_CloseDeviceHandle(devmgr, device_handle); goto fail; } - - hr = IDirect3DDevice9Ex_GetCreationParameters(device, ¶ms); + hr = IDirect3DDevice9_QueryInterface(device, &IID_IDirect3DDevice9Ex, (void **)&device_ex); + IDirect3DDevice9_Release(device); if (FAILED(hr)) { - av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_GetCreationParameters %d\n", hr); - IDirect3DDevice9Ex_Release(device); + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_QueryInterface %d\n", hr); goto unlock; } - hr = IDirect3DDevice9Ex_GetDirect3D(device, &d3d9ex); + hr = IDirect3DDevice9Ex_GetCreationParameters(device_ex, ¶ms); if (FAILED(hr)) { - av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9Ex_GetAdapterLUID %d\n", hr); - IDirect3DDevice9Ex_Release(device); + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9_GetCreationParameters %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); + goto unlock; + } + + hr = IDirect3DDevice9Ex_GetDirect3D(device_ex, &d3d9); + if (FAILED(hr)) { + av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9Ex_GetDirect3D %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); + goto unlock; + } + hr = IDirect3D9_QueryInterface(d3d9, &IID_IDirect3D9Ex, (void **)&d3d9ex); + IDirect3D9_Release(d3d9); + if (FAILED(hr)) { + av_log(ctx, AV_LOG_ERROR, "Error IDirect3D9_QueryInterface3D %d\n", hr); + IDirect3DDevice9Ex_Release(device_ex); goto unlock; } @@ -808,7 +824,7 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) release: IDirect3D9Ex_Release(d3d9ex); - IDirect3DDevice9Ex_Release(device); + IDirect3DDevice9Ex_Release(device_ex); unlock: IDirect3DDeviceManager9_UnlockDevice(devmgr, device_handle, FALSE); 
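Review bot: Two of the rewritten log messages do not name the call that failed: the message after `IDirect3DDevice9Ex_GetCreationParameters(device_ex, ...)` still says `IDirect3DDevice9_GetCreationParameters`, and the one after `IDirect3D9_QueryInterface` reads `Error IDirect3D9_QueryInterface3D`, which looks like a typo. Suggest `av_log(ctx, AV_LOG_ERROR, "Error IDirect3DDevice9Ex_GetCreationParameters %d\n", hr);` and `av_log(ctx, AV_LOG_ERROR, "Error IDirect3D9_QueryInterface %d\n", hr);`. Since these lines are being rewritten anyway, printing the HRESULT as `0x%lx` with a cast to unsigned long would make the codes recognisable against the usual references; `%d` for a `long`-typed HRESULT is inherited from the old code and only works because `long` is 32 bits on Windows. qsv_d3d9_update_config starts and ends outside the hunk.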
@@ -1368,8 +1384,9 @@ static int qsv_frames_derive_from(AVHWFramesContext *dst_ctx, case AV_HWDEVICE_TYPE_D3D11VA: { D3D11_TEXTURE2D_DESC texDesc; + AVD3D11VAFramesContext *dst_hwctx; dst_ctx->initial_pool_size = src_ctx->initial_pool_size; - AVD3D11VAFramesContext *dst_hwctx = dst_ctx->hwctx; + dst_hwctx = dst_ctx->hwctx; dst_hwctx->texture_infos = av_calloc(src_hwctx->nb_surfaces, sizeof(*dst_hwctx->texture_infos)); if (!dst_hwctx->texture_infos) From 0013970c6887abdbcb37a13f1589685264183bd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:34:05 +0200 Subject: [PATCH 153/562] qsv: Initialize impl_value Fixes: The warnings from CID1598553 Uninitialized scalar variable Passing partly initialized structs is ugly and asking for hard to rieproduce bugs, The uninitialized fields where not used Reviewed-by: "Xiang, Haihao" Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c841cb45e81ebece26768c820c459b085668a37a) --- libavcodec/qsv.c | 2 +- libavutil/hwcontext_qsv.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/qsv.c b/libavcodec/qsv.c index 7563625627..452c0c6856 100644 --- a/libavcodec/qsv.c +++ b/libavcodec/qsv.c @@ -496,7 +496,7 @@ static int qsv_new_mfx_loader(AVCodecContext *avctx, mfxStatus sts; mfxLoader loader = NULL; mfxConfig cfg; - mfxVariant impl_value; + mfxVariant impl_value = {0}; loader = MFXLoad(); if (!loader) { diff --git a/libavutil/hwcontext_qsv.c b/libavutil/hwcontext_qsv.c index 50cf69327d..ce71d0ff2d 100644 --- a/libavutil/hwcontext_qsv.c +++ b/libavutil/hwcontext_qsv.c @@ -688,7 +688,7 @@ static int qsv_d3d11_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) IDXGIDevice *pDXGIDevice = NULL; HRESULT hr; ID3D11Device *device = handle; - mfxVariant impl_value; + mfxVariant impl_value = {0}; hr = ID3D11Device_QueryInterface(device, &IID_IDXGIDevice, (void**)&pDXGIDevice); if (SUCCEEDED(hr)) { 
@@ -762,7 +762,7 @@ static int qsv_d3d9_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) LUID luid; D3DDEVICE_CREATION_PARAMETERS params; HRESULT hr; - mfxVariant impl_value; + mfxVariant impl_value = {0}; hr = IDirect3DDeviceManager9_OpenDeviceHandle(devmgr, &device_handle); if (FAILED(hr)) { @@ -844,7 +844,7 @@ static int qsv_va_update_config(void *ctx, mfxHDL handle, mfxConfig cfg) VADisplayAttribute attr = { .type = VADisplayPCIID, }; - mfxVariant impl_value; + mfxVariant impl_value = {0}; vas = vaGetDisplayAttributes(dpy, &attr, 1); if (vas == VA_STATUS_SUCCESS && attr.flags != VA_DISPLAY_ATTRIB_NOT_SUPPORTED) { @@ -885,7 +885,7 @@ static int qsv_new_mfx_loader(void *ctx, mfxStatus sts; mfxLoader loader = NULL; mfxConfig cfg; - mfxVariant impl_value; + mfxVariant impl_value = {0}; *ploader = NULL; loader = MFXLoad(); From 173673f3592f1f8bce3c9221007084ccdbcacd6e Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Mon, 24 Jun 2024 20:48:34 +0200 Subject: [PATCH 154/562] fftools/ffplay_renderer: use correct NULL value for Vulkan type (cherry picked from commit 6d4eba51f29b1755537afe31d992f5559a0b05b9) --- fftools/ffplay_renderer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffplay_renderer.c b/fftools/ffplay_renderer.c index 73072a2851..fbb68b2376 100644 --- a/fftools/ffplay_renderer.c +++ b/fftools/ffplay_renderer.c @@ -765,7 +765,7 @@ static void destroy(VkRenderer *renderer) vkDestroySurfaceKHR = (PFN_vkDestroySurfaceKHR) ctx->get_proc_addr(ctx->inst, "vkDestroySurfaceKHR"); vkDestroySurfaceKHR(ctx->inst, ctx->vk_surface, NULL); - ctx->vk_surface = NULL; + ctx->vk_surface = VK_NULL_HANDLE; } av_buffer_unref(&ctx->hw_device_ref); From 887e6f404da5f2b0270212164b03a85e223d0f44 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 22 Jun 2024 22:49:14 -0400 Subject: [PATCH 155/562] aarch64: Add OpenBSD runtime detection of dotprod and i8mm using sysctl 
Signed-off-by: Brad Smith (cherry picked from commit 41190da9e11f536cb590df45ce9839974e5e6777) Signed-off-by: Brad Smith --- libavutil/aarch64/cpu.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavutil/aarch64/cpu.c b/libavutil/aarch64/cpu.c index 7a05391343..5ddc7ca888 100644 --- a/libavutil/aarch64/cpu.c +++ b/libavutil/aarch64/cpu.c @@ -64,6 +64,44 @@ static int detect_flags(void) return flags; } +#elif defined(__OpenBSD__) +#include +#include +#include +#include + +static int detect_flags(void) +{ + int flags = 0; + +#ifdef CPU_ID_AA64ISAR0 + int mib[2]; + uint64_t isar0; + uint64_t isar1; + size_t len; + + mib[0] = CTL_MACHDEP; + mib[1] = CPU_ID_AA64ISAR0; + len = sizeof(isar0); + if (sysctl(mib, 2, &isar0, &len, NULL, 0) != -1) { + if (ID_AA64ISAR0_DP(isar0) >= ID_AA64ISAR0_DP_IMPL) + flags |= AV_CPU_FLAG_DOTPROD; + } + + mib[0] = CTL_MACHDEP; + mib[1] = CPU_ID_AA64ISAR1; + len = sizeof(isar1); + if (sysctl(mib, 2, &isar1, &len, NULL, 0) != -1) { +#ifdef ID_AA64ISAR1_I8MM_IMPL + if (ID_AA64ISAR1_I8MM(isar1) >= ID_AA64ISAR1_I8MM_IMPL) + flags |= AV_CPU_FLAG_I8MM; +#endif + } +#endif + + return flags; +} + #elif defined(_WIN32) #include From 40ddddca45c326cb474b3b2cd29f1474369af2ce Mon Sep 17 00:00:00 2001 From: Theo Fabi Date: Sun, 9 Jun 2024 15:51:08 -0400 Subject: [PATCH 156/562] avdevice/avfoundation: add external video devices Video devices categorized by AVFoundation as 'AVCaptureDeviceTypeExternal(Unknown)' (like USB video streams) were not recognized by libavdevice. Signed-off-by: Theo Fabi --- libavdevice/avfoundation.m | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavdevice/avfoundation.m b/libavdevice/avfoundation.m index d9b17ccdae..3fe3df2cb7 100644 --- a/libavdevice/avfoundation.m +++ b/libavdevice/avfoundation.m 
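Review bot: Both `sysctl` calls only test for `-1` and never verify that the kernel filled the whole 64-bit object: `len` is an in/out parameter, and if it came back smaller than `sizeof(isar0)` the upper bytes of `isar0`/`isar1` would be uninitialized when `ID_AA64ISAR0_DP` and `ID_AA64ISAR1_I8MM` extract their fields. Whether OpenBSD can return success with a short length for these MIBs I cannot tell from the hunk, so a cheap check documents the expectation: `if (sysctl(mib, 2, &isar0, &len, NULL, 0) != -1 && len == sizeof(isar0))`, and likewise for `isar1`. The second `mib[0] = CTL_MACHDEP;` is redundant, since `mib[0]` is not modified in between. This detect_flags variant is complete within the hunk.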
@@ -787,6 +787,9 @@ static NSArray* getDevicesWithMediaType(AVMediaType mediaType) { #endif #if (TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 170000 || (TARGET_OS_OSX && __MAC_OS_X_VERSION_MIN_REQUIRED >= 140000)) [deviceTypes addObject: AVCaptureDeviceTypeContinuityCamera]; + [deviceTypes addObject: AVCaptureDeviceTypeExternal]; + #elif (TARGET_OS_OSX && __MAC_OS_X_VERSION_MIN_REQUIRED < 140000) + [deviceTypes addObject: AVCaptureDeviceTypeExternalUnknown]; #endif } else if (mediaType == AVMediaTypeAudio) { #if (TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 170000 || (TARGET_OS_OSX && __MAC_OS_X_VERSION_MIN_REQUIRED >= 140000)) From a7fa1049d7d7f8c77cce29b3853f5bafa24092a0 Mon Sep 17 00:00:00 2001 From: Josh Allmann Date: Thu, 20 Jun 2024 17:33:55 -0700 Subject: [PATCH 157/562] avcodec/nvenc: fix segfault in intra-only mode In intra-only mode, frameIntervalP is 0, which means the frame data array is smaller than the number of surfaces. Together with using the wrong size on deallocation of the frame_data_array, this lead to a crash. Signed-off-by: Timo Rothenpieler (cherry picked from commit c9151ea50715c4ce47ad1c8df519781565db01f6) --- libavcodec/nvenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 8327496937..a44beb349f 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -982,7 +982,7 @@ static av_cold int nvenc_recalc_surfaces(AVCodecContext *avctx) // Output in the worst case will only start when the surface buffer is completely full. // Hence we need to keep at least the max amount of surfaces plus the max reorder delay around. - ctx->frame_data_array_nb = ctx->nb_surfaces + ctx->encode_config.frameIntervalP - 1; + ctx->frame_data_array_nb = FFMAX(ctx->nb_surfaces, ctx->nb_surfaces + ctx->encode_config.frameIntervalP - 1); return 0; } 
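Review bot: The new `#elif` branch selects `AVCaptureDeviceTypeExternalUnknown` on the deployment target (`__MAC_OS_X_VERSION_MIN_REQUIRED < 140000`) rather than on the SDK or the running system, so a build with a macOS 13 deployment target against a macOS 14 SDK compiles a constant that, to my knowledge, is marked deprecated in that SDK and will produce a deprecation warning; if so, wrapping the line in `#pragma clang diagnostic push` / `ignored "-Wdeprecated-declarations"` / `pop`, or using an `@available` check, would keep the build warning-clean. A one-line comment that iOS below 17 intentionally gets no external-device entry would also help, since the `#elif` silently excludes it. getDevicesWithMediaType continues outside the hunk.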
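Review bot: `FFMAX(ctx->nb_surfaces, ctx->nb_surfaces + ctx->encode_config.frameIntervalP - 1)` fixes the intra-only case but hides why the clamp exists; the comment above still speaks only about the reorder delay. Suggest `// frameIntervalP is 0 in intra-only mode; never size the array below nb_surfaces` next to it, and the equivalent `ctx->nb_surfaces + FFMAX(ctx->encode_config.frameIntervalP - 1, 0)` reads more directly as "surfaces plus reorder delay". The deallocation loop in ff_nvenc_encode_close (next hunk) now frees `frame_data_array_nb` entries, so the two must stay in sync; a comment there pointing at this computation would make that coupling visible. nvenc_recalc_surfaces begins before the hunk.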
@@ -1891,7 +1891,7 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) av_fifo_freep2(&ctx->unused_surface_queue); if (ctx->frame_data_array) { - for (i = 0; i < ctx->nb_surfaces; i++) + for (i = 0; i < ctx->frame_data_array_nb; i++) av_buffer_unref(&ctx->frame_data_array[i].frame_opaque_ref); av_freep(&ctx->frame_data_array); } From 5ce0c378966f6bc328f643549cad288ab1d3a163 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Tue, 2 Jul 2024 09:24:18 -0400 Subject: [PATCH 158/562] avcodec/pngdec: fix mDCv typo When mDCv support was added, there was a typo in both variable names and also the MKTAG itself, incorrectly listing it as mDVc. The tag name stands for Mastering Display Color Volume so mDCv is correct. See other files such as av1dec.c which uses mdcv. Typo originally introduced in c7a57b0f70f8d1574aa0f0dbe98db85d8ac91c76. Signed-off-by: Leo Izen Reported-by: Ramiro Polla --- libavcodec/pngdec.c | 53 +++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 90c286eb83..6444425102 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -85,11 +85,12 @@ typedef struct PNGDecContext { int have_clli; uint32_t clli_max; uint32_t clli_avg; - int have_mdvc; - uint16_t mdvc_primaries[3][2]; - uint16_t mdvc_white_point[2]; - uint32_t mdvc_max_lum; - uint32_t mdvc_min_lum; + /* Mastering Display Color Volume */ + int have_mdcv; + uint16_t mdcv_primaries[3][2]; + uint16_t mdcv_white_point[2]; + uint32_t mdcv_max_lum; + uint32_t mdcv_min_lum; enum PNGHeaderState hdr_state; enum PNGImageState pic_state; 
@@ -762,24 +763,24 @@ static int populate_avctx_color_fields(AVCodecContext *avctx, AVFrame *frame) } } - if (s->have_mdvc) { - AVMasteringDisplayMetadata *mdvc; + if (s->have_mdcv) { + AVMasteringDisplayMetadata *mdcv; - ret = ff_decode_mastering_display_new(avctx, frame, &mdvc); + ret = ff_decode_mastering_display_new(avctx, frame, &mdcv); if (ret < 0) return ret; - if (mdvc) { - mdvc->has_primaries = 1; + if (mdcv) { + mdcv->has_primaries = 1; for (int i = 0; i < 3; i++) { - mdvc->display_primaries[i][0] = av_make_q(s->mdvc_primaries[i][0], 50000); - mdvc->display_primaries[i][1] = av_make_q(s->mdvc_primaries[i][1], 50000); + mdcv->display_primaries[i][0] = av_make_q(s->mdcv_primaries[i][0], 50000); + mdcv->display_primaries[i][1] = av_make_q(s->mdcv_primaries[i][1], 50000); } - mdvc->white_point[0] = av_make_q(s->mdvc_white_point[0], 50000); - mdvc->white_point[1] = av_make_q(s->mdvc_white_point[1], 50000); - mdvc->has_luminance = 1; - mdvc->max_luminance = av_make_q(s->mdvc_max_lum, 10000); - mdvc->min_luminance = av_make_q(s->mdvc_min_lum, 10000); + mdcv->white_point[0] = av_make_q(s->mdcv_white_point[0], 50000); + mdcv->white_point[1] = av_make_q(s->mdcv_white_point[1], 50000); + mdcv->has_luminance = 1; + mdcv->max_luminance = av_make_q(s->mdcv_max_lum, 10000); + mdcv->min_luminance = av_make_q(s->mdcv_min_lum, 10000); } } 
@@ -1569,20 +1570,20 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, s->clli_max = bytestream2_get_be32u(&gb_chunk); s->clli_avg = bytestream2_get_be32u(&gb_chunk); break; - case MKTAG('m', 'D', 'V', 'c'): + case MKTAG('m', 'D', 'C', 'v'): if (bytestream2_get_bytes_left(&gb_chunk) != 24) { - av_log(avctx, AV_LOG_WARNING, "Invalid mDVc chunk size: %d\n", bytestream2_get_bytes_left(&gb_chunk)); + av_log(avctx, AV_LOG_WARNING, "Invalid mDCv chunk size: %d\n", bytestream2_get_bytes_left(&gb_chunk)); break; } - s->have_mdvc = 1; + s->have_mdcv = 1; for (int i = 0; i < 3; i++) { - s->mdvc_primaries[i][0] = bytestream2_get_be16u(&gb_chunk); - s->mdvc_primaries[i][1] = bytestream2_get_be16u(&gb_chunk); + s->mdcv_primaries[i][0] = bytestream2_get_be16u(&gb_chunk); + s->mdcv_primaries[i][1] = bytestream2_get_be16u(&gb_chunk); } - s->mdvc_white_point[0] = bytestream2_get_be16u(&gb_chunk); - s->mdvc_white_point[1] = bytestream2_get_be16u(&gb_chunk); - s->mdvc_max_lum = bytestream2_get_be32u(&gb_chunk); - s->mdvc_min_lum = bytestream2_get_be32u(&gb_chunk); + s->mdcv_white_point[0] = bytestream2_get_be16u(&gb_chunk); + s->mdcv_white_point[1] = bytestream2_get_be16u(&gb_chunk); + s->mdcv_max_lum = bytestream2_get_be32u(&gb_chunk); + s->mdcv_min_lum = bytestream2_get_be32u(&gb_chunk); break; case MKTAG('I', 'E', 'N', 'D'): if (!(s->pic_state & PNG_ALLIMAGE)) From 89a85efbf1f708e8eb9170d89ec49c065a066cee Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Tue, 2 Jul 2024 09:39:01 -0400 Subject: [PATCH 159/562] avcodec/pngenc: fix mDCv typo When mDCv support was added, there was a typo in both variable names and also the MKTAG itself, incorrectly listing it as mDVc. The tag name stands for Mastering Display Color Volume so mDCv is correct. Typo originally introduced in 78949041417caaef0c82b2b23d7defdd88aa2378. Signed-off-by: Leo Izen Reported-by: Ramiro Polla --- libavcodec/pngenc.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
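Review bot: Changing the `case` to `MKTAG('m', 'D', 'C', 'v')` means PNGs written by the previous pngenc, which emitted the misspelled `mDVc` tag, are no longer recognised and their mastering-display metadata is silently dropped. If compatibility with those files is wanted, the old tag can be accepted as a second label on the same body, `case MKTAG('m', 'D', 'V', 'c'): /* misspelled tag written by older pngenc */`, at the cost of keeping a non-standard chunk name alive; if not, a comment saying the old tag is intentionally dropped would head off a future regression report. decode_frame_common starts and ends outside the hunk.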
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index 28d645ea48..e4c6bdc563 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -449,17 +449,17 @@ static int encode_headers(AVCodecContext *avctx, const AVFrame *pict) side_data = av_frame_get_side_data(pict, AV_FRAME_DATA_MASTERING_DISPLAY_METADATA); if (side_data) { - AVMasteringDisplayMetadata *mdvc = (AVMasteringDisplayMetadata *) side_data->data; - if (mdvc->has_luminance && mdvc->has_primaries) { + AVMasteringDisplayMetadata *mdcv = (AVMasteringDisplayMetadata *) side_data->data; + if (mdcv->has_luminance && mdcv->has_primaries) { for (int i = 0; i < 3; i++) { - AV_WB16(s->buf + 2*i, PNG_Q2D(mdvc->display_primaries[i][0], 50000)); - AV_WB16(s->buf + 2*i + 2, PNG_Q2D(mdvc->display_primaries[i][1], 50000)); + AV_WB16(s->buf + 2*i, PNG_Q2D(mdcv->display_primaries[i][0], 50000)); + AV_WB16(s->buf + 2*i + 2, PNG_Q2D(mdcv->display_primaries[i][1], 50000)); } - AV_WB16(s->buf + 12, PNG_Q2D(mdvc->white_point[0], 50000)); - AV_WB16(s->buf + 14, PNG_Q2D(mdvc->white_point[1], 50000)); - AV_WB32(s->buf + 16, PNG_Q2D(mdvc->max_luminance, 10000)); - AV_WB32(s->buf + 20, PNG_Q2D(mdvc->min_luminance, 10000)); - png_write_chunk(&s->bytestream, MKTAG('m', 'D', 'V', 'c'), s->buf, 24); + AV_WB16(s->buf + 12, PNG_Q2D(mdcv->white_point[0], 50000)); + AV_WB16(s->buf + 14, PNG_Q2D(mdcv->white_point[1], 50000)); + AV_WB32(s->buf + 16, PNG_Q2D(mdcv->max_luminance, 10000)); + AV_WB32(s->buf + 20, PNG_Q2D(mdcv->min_luminance, 10000)); + png_write_chunk(&s->bytestream, MKTAG('m', 'D', 'C', 'v'), s->buf, 24); } } From b44758d8e43595b7505034ed347f7448f53547c6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 30 Jun 2024 23:40:19 -0300 Subject: [PATCH 160/562] avformat/mov: check that iloc offset values fit on an int64_t Signed-off-by: James Almer --- libavformat/mov.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c2538a9681..a64b89b821 100644 
--- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8010,7 +8010,7 @@ static int mov_read_SAND(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } -static int rb_size(AVIOContext *pb, uint64_t* value, int size) +static int rb_size(AVIOContext *pb, int64_t *value, int size) { if (size == 0) *value = 0; @@ -8020,9 +8020,11 @@ static int rb_size(AVIOContext *pb, uint64_t* value, int size) *value = avio_rb16(pb); else if (size == 4) *value = avio_rb32(pb); - else if (size == 8) + else if (size == 8) { *value = avio_rb64(pb); - else + if (*value < 0) + return -1; + } else return -1; return size; } From fbe52bd65c3484806cf5ad56a5fb7a7bd55fc7db Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 30 Jun 2024 23:40:20 -0300 Subject: [PATCH 161/562] avformat/mov: check extent_offset calculation for overflow Signed-off-by: James Almer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a64b89b821..e7673d9469 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8104,7 +8104,8 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } for (int j = 0; j < extent_count; j++) { if (rb_size(pb, &extent_offset, offset_size) < 0 || - rb_size(pb, &extent_length, length_size) < 0) + rb_size(pb, &extent_length, length_size) < 0 || + base_offset > INT64_MAX - extent_offset) return AVERROR_INVALIDDATA; if (offset_type == 1) c->heif_item[i].is_idat_relative = 1; From dc51d491cfb97bd27fe82960c9dffe5026777c72 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 30 Jun 2024 23:40:21 -0300 Subject: [PATCH 162/562] avformat/mov: check for EOF inside the infe list parsing loop Signed-off-by: James Almer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e7673d9469..2c47610d0e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
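Review bot: In the new `rb_size` the `size == 8` arm is the only braced one in the if/else chain, so the trailing `} else return -1;` is easy to misread; bracing every arm once one of them needs braces would make the rejection paths stand out. The added `if (*value < 0) return -1;` also deserves a why-comment, since the signedness change of `value` is the whole point of the commit: `/* sizes and offsets are later used as int64_t file positions; reject 64-bit values that would be negative */`. The 4-byte arm needs no such check because `avio_rb32` yields an unsigned 32-bit value that always fits. The chain begins in the first hunk and the function spans both hunks.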
@@ -8202,6 +8202,8 @@ static int mov_read_iinf(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entry_count; i++) { MOVAtom infe; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; infe.size = avio_rb32(pb) - 8; infe.type = avio_rl32(pb); ret = mov_read_infe(c, pb, infe, i); From 28b1dbb4ee23e471bb1f8e6e6e6a46ce59a2dcce Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 30 Jun 2024 23:40:22 -0300 Subject: [PATCH 163/562] avformat/mov: add more checks for infe atom size Signed-off-by: James Almer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2c47610d0e..be8add7603 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8132,6 +8132,8 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx) version = avio_r8(pb); avio_rb24(pb); // flags. size -= 4; + if (size < 0) + return AVERROR_INVALIDDATA; if (version < 2) { avpriv_report_missing_feature(c->fc, "infe version < 2"); @@ -8143,6 +8145,8 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx) avio_rb16(pb); // item_protection_index item_type = avio_rl32(pb); size -= 8; + if (size < 1) + return AVERROR_INVALIDDATA; av_bprint_init(&item_name, 0, AV_BPRINT_SIZE_UNLIMITED); ret = ff_read_string_to_bprint_overwrite(pb, &item_name, size); From c75cabef94e0985d1aa3f8d5ea9f4f7b8795d5ab Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 17 Jun 2024 22:30:26 +0200 Subject: [PATCH 164/562] avutil/timestamp: avoid possible FPE when 0 is passed to av_ts_make_time_string2() Signed-off-by: Marton Balint (cherry picked from commit 0d5e3f5a4034b6c9312b7c621e25aa4303a00b6f) --- libavutil/timestamp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timestamp.c b/libavutil/timestamp.c index 2a3e3012a4..6c231a517d 100644 --- a/libavutil/timestamp.c +++ b/libavutil/timestamp.c 
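Review bot: The added `avio_feof` check guards against a truncated list, but `infe.size = avio_rb32(pb) - 8;` on the next line still performs the subtraction in unsigned 32-bit arithmetic, so a box size below 8 wraps to a value close to 4 GiB before it is widened into `infe.size`, and the EOF check does nothing about that. Reading the size into a signed local and rejecting too-small boxes first, `int64_t box_size = avio_rb32(pb); if (box_size < 8) return AVERROR_INVALIDDATA;` followed by `infe.size = box_size - 8;`, closes that off; whether the `size` checks added to mov_read_infe in the following commit already absorb a wrapped value I cannot tell from here, because the type of that `size` is not visible. mov_read_iinf continues outside the hunk.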
@@ -24,7 +24,7 @@ char *av_ts_make_time_string2(char *buf, int64_t ts, AVRational tb) snprintf(buf, AV_TS_MAX_STRING_SIZE, "NOPTS"); } else { double val = av_q2d(tb) * ts; - double log = floor(log10(fabs(val))); + double log = (fpclassify(val) == FP_ZERO ? -INFINITY : floor(log10(fabs(val)))); int precision = (isfinite(log) && log < 0) ? -log + 5 : 6; int last = snprintf(buf, AV_TS_MAX_STRING_SIZE, "%.*f", precision, val); last = FFMIN(last, AV_TS_MAX_STRING_SIZE - 1) - 1; From 2df8aaa8c58d9372bd0e1472ea387c2be86d3e21 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 4 Jul 2024 14:55:23 -0300 Subject: [PATCH 165/562] avfilter/vf_tiltandshift: fix buffer offset for yuv422p input Fixes ticket #10950. Signed-off-by: James Almer --- libavfilter/vf_tiltandshift.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_tiltandshift.c b/libavfilter/vf_tiltandshift.c index dc30f4ff1b..b31d088d11 100644 --- a/libavfilter/vf_tiltandshift.c +++ b/libavfilter/vf_tiltandshift.c @@ -177,14 +177,14 @@ static void copy_column(AVFilterLink *outlink, const uint8_t *src[4]; dst[0] = dst_data[0] + ncol; - dst[1] = dst_data[1] + (ncol >> s->desc->log2_chroma_h); - dst[2] = dst_data[2] + (ncol >> s->desc->log2_chroma_h); + dst[1] = dst_data[1] + (ncol >> s->desc->log2_chroma_w); + dst[2] = dst_data[2] + (ncol >> s->desc->log2_chroma_w); if (!tilt) ncol = 0; src[0] = src_data[0] + ncol; - src[1] = src_data[1] + (ncol >> s->desc->log2_chroma_h); - src[2] = src_data[2] + (ncol >> s->desc->log2_chroma_h); + src[1] = src_data[1] + (ncol >> s->desc->log2_chroma_w); + src[2] = src_data[2] + (ncol >> s->desc->log2_chroma_w); av_image_copy(dst, dst_linesizes, src, src_linesizes, outlink->format, 1, outlink->h); } From b5d42852d05509d8970452fdd573e0bf9ad3cb4a Mon Sep 17 00:00:00 2001 
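Review bot: `fpclassify(val) == FP_ZERO ? -INFINITY : floor(log10(fabs(val)))` reads as if `log10(0)` returned something other than -inf, which it does not; the actual reason is that `log10(0.0)` is a pole error and raises FE_DIVBYZERO, which traps when floating-point exceptions are enabled, as the commit title hints. A comment on the line, `/* log10(0) raises FE_DIVBYZERO; -INFINITY is what the isfinite() test below expects for 0 */`, would make the intent explicit. The local `log` also shadows the <math.h> function of the same name, which predates the commit but is a -Wshadow finding worth fixing while the line is being touched. av_ts_make_time_string2 starts before and ends after the hunk.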
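Review bot: `dst[]` and `src[]` are 4-element plane arrays but only planes 0–2 are assigned before `av_image_copy`, and `src` is declared uninitialized as `const uint8_t *src[4];` in the hunk, so `src[3]` would be read for any format with a fourth plane; since the fix rewrites exactly these lines, it is the moment to either initialize the arrays (`const uint8_t *src[4] = { NULL };`) or add a comment that the filter's format list only admits 3-plane formats, if that is the case — query_formats is not visible from here. The switch from `log2_chroma_h` to `log2_chroma_w` itself is the right shift for a horizontal column offset. copy_column begins before the hunk.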
From: Leo Izen Date: Fri, 12 Jul 2024 15:03:16 -0400 Subject: [PATCH 166/562] avcodec/pngdec: avoid erroring with sBIT on indexed-color images Indexed color images use three colors for sBIT, but the function ff_png_get_nb_channels returns 1 in this case. We should avoid erroring out on valid files in this scenario. Regression since 84b454935fae2633a8a5dd075e22393f3e8f932f. Signed-off-by: Leo Izen Reported-by: Ramiro Polla Reviewed-by: Marton Balint --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 6444425102..8a881963b5 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1082,7 +1082,7 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - channels = ff_png_get_nb_channels(s->color_type); + channels = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type); if (bytestream2_get_bytes_left(gb) != channels) return AVERROR_INVALIDDATA; From daffde0544aa7db7964d7a9dc8e36cee831709f7 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 12 Jul 2024 15:03:17 -0400 Subject: [PATCH 167/562] avcodec/png: more informative error message for invalid sBIT size If the sBIT chunk size is invalid, we should print a more informative error message rather than return an error and print nothing. Signed-off-by: Leo Izen --- libavcodec/pngdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8a881963b5..ac39b3277b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
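Review bot: The new expression `s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type)` is correct (`&` binds tighter than `?:`) but leans on operator precedence and gives no hint why palette images are special. Suggest parenthesizing the test and adding a comment, e.g. `/* for indexed-color images sBIT carries the R, G and B palette depths, not one entry per channel */` above `channels = (s->color_type & PNG_COLOR_MASK_PALETTE) ? 3 : ff_png_get_nb_channels(s->color_type);`. decode_sbit_chunk starts and ends outside the hunk.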
@@ -1084,8 +1084,11 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s,
 channels = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type);
- if (bytestream2_get_bytes_left(gb) != channels)
+ if (bytestream2_get_bytes_left(gb) != channels) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid sBIT size: %d, expected: %d\n",
+ bytestream2_get_bytes_left(gb), channels);
 return AVERROR_INVALIDDATA;
+ }
 for (int i = 0; i < channels; i++) {
 int b = bytestream2_get_byteu(gb);
From fd789a087eed3c980074816a23ec096d83388297 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:12:54 +0200 Subject: [PATCH 168/562] avformat/iamf_parse: Remove dead case Fixes: CID1559546 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c21fb3624bb7e10f9ee5a182bf9cfbf64990c78e)
---
 libavformat/iamf_parse.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 210cadd85a..013bf5bba4 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -1077,8 +1077,6 @@ int ff_iamfdec_read_descriptors(IAMFContext *c, AVIOContext *pb,
 case IAMF_OBU_IA_MIX_PRESENTATION:
 ret = mix_presentation_obu(log_ctx, c, pb, obu_size);
 break;
- case IAMF_OBU_IA_TEMPORAL_DELIMITER:
- break;
 default: {
 int64_t offset = avio_skip(pb, obu_size);
 if (offset < 0)
From ce939aa59aee1867277bd7f38ad35485386a8506 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Mon, 17 Jun 2024 01:08:25 +0200 Subject: [PATCH 169/562] avformat/iamf_parse: consider nb_substreams when accessing substreams array Fixes: out of array access Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer
Signed-off-by: Michael Niedermayer (cherry picked from commit c69e6cccd7e14fc6ee9df179f19e9de2cecba3d8)
---
 libavformat/iamf_parse.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 013bf5bba4..98854e564e 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -355,6 +355,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
 substream_count = avio_r8(pb);
 coupled_substream_count = avio_r8(pb);
+ if (substream_count + k > audio_element->nb_substreams)
+ return AVERROR_INVALIDDATA;
+
 audio_element->layers[i].substream_count = substream_count;
 audio_element->layers[i].coupled_substream_count = coupled_substream_count;
 if (output_gain_is_present_flag) {
From 3d4d2897e63057291668ac65107d3ed2df6134c7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Mon, 17 Jun 2024 01:08:26 +0200 Subject: [PATCH 170/562] avformat/iamf_parse: 0 layers are not allowed Fixes: out of array access Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 7fab9b97613e5ec6954fb8118f9ca43f04847cfe)
---
 libavformat/iamf_parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 98854e564e..fc7b0c5362 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -330,7 +330,7 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
 nb_layers = avio_r8(pb) >> 5; // get_bits(&gb, 3); // skip_bits(&gb, 5); //reserved
- if (nb_layers > 6)
+ if (nb_layers > 6 || nb_layers == 0)
 return AVERROR_INVALIDDATA;
 audio_element->layers = av_calloc(nb_layers, sizeof(*audio_element->layers));
From 29d626ea854c90c692e73b9e0fd88c0eaa9c7aaa Mon Sep 17 00:00:00 2001
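Review bot: The new bound in scalable_channel_layout_config guards `substream_count + k` against `nb_substreams`, but `coupled_substream_count`, read on the line just above it, is stored into the layer without any relation to `substream_count` being checked; if no later line of the function (it starts and ends outside this hunk) enforces `coupled_substream_count <= substream_count`, a layer advertising more coupled than total substreams passes this check, and widening it to `if (substream_count + k > audio_element->nb_substreams || coupled_substream_count > substream_count)` would close that. A comment on the check such as `/* k = substreams already claimed by the preceding layers */` would document what `k` accumulates — that is my reading of the expression, so adjust it to what `k` actually tracks in the lines above.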
From: James Almer Date: Mon, 17 Jun 2024 21:47:50 -0300 Subject: [PATCH 171/562] avformat/iamf_parse: add missing padding to AAC extradata Fixes: out of array access Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer (cherry picked from commit 0ae157b3603f27d8057febd8f2680ac1030722ee)
---
 libavformat/iamf_parse.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index fc7b0c5362..d52dec792b 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -92,13 +92,16 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config,
 if (left <= 0)
 return AVERROR_INVALIDDATA;
- codec_config->extradata = av_malloc(left);
+ // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it.
+ codec_config->extradata = av_malloc((size_t)left + AV_INPUT_BUFFER_PADDING_SIZE);
 if (!codec_config->extradata)
 return AVERROR(ENOMEM);
 codec_config->extradata_size = avio_read(pb, codec_config->extradata, left);
 if (codec_config->extradata_size < left)
 return AVERROR_INVALIDDATA;
+ memset(codec_config->extradata + codec_config->extradata_size, 0,
+ AV_INPUT_BUFFER_PADDING_SIZE);
 ret = avpriv_mpeg4audio_get_config2(&cfg, codec_config->extradata,
 codec_config->extradata_size, 1, logctx);
From 507348799c9cc78fec4d67e0f6f935f2e5e760a1 Mon Sep 17 00:00:00 2001
From: James Almer Date: Sun, 23 Jun 2024 23:27:29 +0200 Subject: [PATCH 172/562] avformat/iamf_parse: keep substream count consistent Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream') Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer (cherry picked from commit b248dace929e97b10de17663caab32fbb1c42f0f)
---
 libavformat/iamf_parse.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index d52dec792b..2d48d4c177 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -594,7 +594,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 FFIOContext b;
 AVIOContext *pbc;
 uint8_t *buf;
- unsigned audio_element_id, codec_config_id, num_parameters;
+ unsigned audio_element_id, nb_substreams, codec_config_id, num_parameters;
 int audio_element_type, ret;
 buf = av_malloc(len);
@@ -649,14 +649,15 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 goto fail;
 }
- audio_element->nb_substreams = ffio_read_leb(pbc);
+ nb_substreams = ffio_read_leb(pbc);
 audio_element->codec_config_id = codec_config_id;
 audio_element->audio_element_id = audio_element_id;
- audio_element->substreams = av_calloc(audio_element->nb_substreams, sizeof(*audio_element->substreams));
+ audio_element->substreams = av_calloc(nb_substreams, sizeof(*audio_element->substreams));
 if (!audio_element->substreams) {
 ret = AVERROR(ENOMEM);
 goto fail;
 }
+ audio_element->nb_substreams = nb_substreams;
 element = audio_element->element = av_iamf_audio_element_alloc();
 if (!element) {
From a3bc5cd841f62eed95295da8d4609fe38d561b55 Mon Sep 17 00:00:00 2001
From: Felicia Lim Date: Tue, 9 Jul 2024 15:23:43 -0700 Subject: [PATCH 173/562] avformat/movenc: fix channel count and samplerate fields for IAMF tracks Clause 6.2.3 of IAMF[1] states both of these shall be set to 0. [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#iasampleentry-section
Signed-off-by: James Almer (cherry picked from commit 180c869faf96dbf1396fa3aba43b7488f9a7090b) --- libavformat/movenc.c | 10 +++++++--- tests/ref/fate/mov-mp4-iamf-5_1_4 | 2 +- tests/ref/fate/mov-mp4-iamf-7_1_4 | 2 +- tests/ref/fate/mov-mp4-iamf-ambisonic_1 | 2 +- tests/ref/fate/mov-mp4-iamf-stereo | 2 +- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index e6a815107b..2d3a4db1d2 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1341,7 +1341,8 @@ static int mov_write_audio_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex avio_wb16(pb, 16); avio_wb16(pb, track->audio_vbr ? -2 : 0); /* compression ID */ } else { /* reserved for mp4/3gp */ - avio_wb16(pb, track->par->ch_layout.nb_channels); + avio_wb16(pb, track->tag == MKTAG('i', 'a', 'm', 'f') ? + 0 : track->par->ch_layout.nb_channels); if (track->par->codec_id == AV_CODEC_ID_FLAC || track->par->codec_id == AV_CODEC_ID_ALAC) { avio_wb16(pb, track->par->bits_per_raw_sample); @@ -1352,7 +1353,9 @@ static int mov_write_audio_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex } avio_wb16(pb, 0); /* packet size (= 0) */ - if (track->par->codec_id == AV_CODEC_ID_OPUS) + if (track->tag == MKTAG('i','a','m','f')) + avio_wb16(pb, 0); /* samplerate must be 0 for IAMF */ + else if (track->par->codec_id == AV_CODEC_ID_OPUS) avio_wb16(pb, 48000); else if (track->par->codec_id == AV_CODEC_ID_TRUEHD) avio_wb32(pb, track->par->sample_rate); 
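Review bot: The IAMF test `track->tag == MKTAG('i','a','m','f')` is now written out three times in movenc — twice in this mov_write_audio_tag hunk and once more in the mov_write_isml_manifest hunk that follows — in two different spellings (`'i', 'a', 'm', 'f'` and `'i','a','m','f'`), which is the kind of duplication that drifts the next time a field has to be special-cased. One local near the top of each function, `const int is_iamf = track->tag == MKTAG('i','a','m','f');`, or a file-level `static int is_iamf_track(const MOVTrack *track)`, would let all three sites read `is_iamf ? 0 : ...`. The channel-count branch would also benefit from the comment the samplerate line already carries, e.g. `/* channelcount must be 0 for IAMF (IAMF 6.2.3) */`. mov_write_audio_tag starts and ends outside the hunk.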
@@ -4873,7 +4876,8 @@ static int mov_write_isml_manifest(AVIOContext *pb, MOVMuxContext *mov, AVFormat param_write_int(pb, "AudioTag", ff_codec_get_tag(ff_codec_wav_tags, track->par->codec_id)); param_write_int(pb, "Channels", track->par->ch_layout.nb_channels); - param_write_int(pb, "SamplingRate", track->par->sample_rate); + param_write_int(pb, "SamplingRate", track->tag == MKTAG('i','a','m','f') ? + 0 : track->par->sample_rate); param_write_int(pb, "BitsPerSample", 16); param_write_int(pb, "PacketSize", track->par->block_align ? track->par->block_align : 4); diff --git a/tests/ref/fate/mov-mp4-iamf-5_1_4 b/tests/ref/fate/mov-mp4-iamf-5_1_4 index 36a94143b5..a6d5a76b0d 100644 --- a/tests/ref/fate/mov-mp4-iamf-5_1_4 +++ b/tests/ref/fate/mov-mp4-iamf-5_1_4 @@ -1,4 +1,4 @@ -5585ed23481b6f28437b3707a1ed632d *tests/data/fate/mov-mp4-iamf-5_1_4.mp4 +0316d0a483480ccd582fd20f06c77420 *tests/data/fate/mov-mp4-iamf-5_1_4.mp4 86340 tests/data/fate/mov-mp4-iamf-5_1_4.mp4 #extradata 0: 34, 0xafa70d5e #extradata 1: 34, 0xafa70d5e diff --git a/tests/ref/fate/mov-mp4-iamf-7_1_4 b/tests/ref/fate/mov-mp4-iamf-7_1_4 index d5014387b6..0641cb0c3c 100644 --- a/tests/ref/fate/mov-mp4-iamf-7_1_4 +++ b/tests/ref/fate/mov-mp4-iamf-7_1_4 @@ -1,4 +1,4 @@ -690d2b7a15b5489c59a9148fcd7975be *tests/data/fate/mov-mp4-iamf-7_1_4.mp4 +d9ef5d14bbd37c5a06c1494cacdb8f29 *tests/data/fate/mov-mp4-iamf-7_1_4.mp4 100588 tests/data/fate/mov-mp4-iamf-7_1_4.mp4 #extradata 0: 34, 0xafa70d5e #extradata 1: 34, 0xafa70d5e diff --git a/tests/ref/fate/mov-mp4-iamf-ambisonic_1 b/tests/ref/fate/mov-mp4-iamf-ambisonic_1 index 088fc9a028..a5b3581124 100644 --- a/tests/ref/fate/mov-mp4-iamf-ambisonic_1 +++ b/tests/ref/fate/mov-mp4-iamf-ambisonic_1 
@@ -1,4 +1,4 @@ -2b3517591f7bf20e0f74f3ec1381af1e *tests/data/fate/mov-mp4-iamf-ambisonic_1.mp4 +b0f4accdb8f1f3dfe594a6cbd6c00603 *tests/data/fate/mov-mp4-iamf-ambisonic_1.mp4 57743 tests/data/fate/mov-mp4-iamf-ambisonic_1.mp4 #extradata 0: 34, 0xad120cfe #extradata 1: 34, 0xad120cfe diff --git a/tests/ref/fate/mov-mp4-iamf-stereo b/tests/ref/fate/mov-mp4-iamf-stereo index bf141c6755..6526a7bcf4 100644 --- a/tests/ref/fate/mov-mp4-iamf-stereo +++ b/tests/ref/fate/mov-mp4-iamf-stereo @@ -1,4 +1,4 @@ -88c2b547f069f2d4a11d24f7f922251a *tests/data/fate/mov-mp4-iamf-stereo.mp4 +87c17d1a9fd07e16c369d386d39c3249 *tests/data/fate/mov-mp4-iamf-stereo.mp4 15163 tests/data/fate/mov-mp4-iamf-stereo.mp4 #extradata 0: 34, 0xafa70d5e #tb 0: 1/44100 From df2d21a47b91aa95a228ab01b31cd10798a6c6bf Mon Sep 17 00:00:00 2001 From: Felicia Lim Date: Tue, 9 Jul 2024 15:26:29 -0700 Subject: [PATCH 174/562] avformat/iamf_writer: fix PCM endian-ness flag The value was swapped from what's defined in clause 3.11.4 of IAMF[1] [1]https://aomediacodec.github.io/iamf/#lpcm-specific Signed-off-by: James Almer (cherry picked from commit 709a5687ed13a153b7ccbe096c1fa8783733f1d9) --- libavformat/iamf_writer.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index 6d4e4082eb..35db078147 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c 
@@ -441,32 +441,32 @@ static int iamf_write_codec_config(const IAMFContext *iamf, avio_write(dyn_bc, codec_config->extradata, codec_config->extradata_size); break; case AV_CODEC_ID_PCM_S16LE: - avio_w8(dyn_bc, 0); + avio_w8(dyn_bc, 1); avio_w8(dyn_bc, 16); avio_wb32(dyn_bc, codec_config->sample_rate); break; case AV_CODEC_ID_PCM_S24LE: - avio_w8(dyn_bc, 0); + avio_w8(dyn_bc, 1); avio_w8(dyn_bc, 24); avio_wb32(dyn_bc, codec_config->sample_rate); break; case AV_CODEC_ID_PCM_S32LE: - avio_w8(dyn_bc, 0); + avio_w8(dyn_bc, 1); avio_w8(dyn_bc, 32); avio_wb32(dyn_bc, codec_config->sample_rate); break; case AV_CODEC_ID_PCM_S16BE: - avio_w8(dyn_bc, 1); + avio_w8(dyn_bc, 0); avio_w8(dyn_bc, 16); avio_wb32(dyn_bc, codec_config->sample_rate); break; case AV_CODEC_ID_PCM_S24BE: - avio_w8(dyn_bc, 1); + avio_w8(dyn_bc, 0); avio_w8(dyn_bc, 24); avio_wb32(dyn_bc, codec_config->sample_rate); break; case AV_CODEC_ID_PCM_S32BE: - avio_w8(dyn_bc, 1); + avio_w8(dyn_bc, 0); avio_w8(dyn_bc, 32); avio_wb32(dyn_bc, codec_config->sample_rate); break; From 5e43483206736e83caaa20676d6055dbcb678a0f Mon Sep 17 00:00:00 2001 From: Felicia Lim Date: Tue, 9 Jul 2024 15:27:16 -0700 Subject: [PATCH 175/562] avformat/iamf_writer: fix coded audio_roll_distance values 'seek_preroll' corresponds to 'audio_roll_distance' in IAMF[1] [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#audio_roll_distance Signed-off-by: James Almer (cherry picked from commit 2094f4029563d8fe5e62663bc04fc1f109448182) --- libavformat/iamf_parse.c | 2 +- libavformat/iamf_writer.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 2d48d4c177..d1511c3470 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c 
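Review bot: The six PCM cases in iamf_write_codec_config now differ only in the endianness byte and the sample width, yet the meaning of that first byte is stated nowhere in the writer — only the parser carries `// 0 = BE, 1 = LE`; a comment above `case AV_CODEC_ID_PCM_S16LE:` such as `/* sample_format_flags: 0 = big endian, 1 = little endian (IAMF 3.11.4) */` would have made the original inversion visible at review time. The cases could also collapse into one block that writes the flag from a single `is_le` derived from the codec id and the width from `av_get_bits_per_sample(codec_config->codec_id)`, so the flag cannot be mistyped per case; that is a style choice for a follow-up, not something this fix needs. iamf_write_codec_config starts and ends outside the hunk.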
@@ -683,7 +683,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 substream->codecpar->codec_id = codec_config->codec_id;
 substream->codecpar->frame_size = codec_config->nb_samples;
 substream->codecpar->sample_rate = codec_config->sample_rate;
- substream->codecpar->seek_preroll = codec_config->seek_preroll;
+ substream->codecpar->seek_preroll = -codec_config->seek_preroll * codec_config->nb_samples;
 switch(substream->codecpar->codec_id) {
 case AV_CODEC_ID_AAC:
diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c
index 35db078147..94bfffa95b 100644
--- a/libavformat/iamf_writer.c
+++ b/libavformat/iamf_writer.c
@@ -72,6 +72,34 @@ static int update_extradata(IAMFCodecConfig *codec_config)
 return 0;
 }
+static int populate_audio_roll_distance(IAMFCodecConfig *codec_config)
+{
+ switch (codec_config->codec_id) {
+ case AV_CODEC_ID_OPUS:
+ if (!codec_config->nb_samples)
+ return AVERROR(EINVAL);
+ // ceil(3840 / nb_samples)
+ codec_config->seek_preroll = -(1 + ((3840 - 1) / codec_config->nb_samples));
+ break;
+ case AV_CODEC_ID_AAC:
+ codec_config->seek_preroll = -1;
+ break;
+ case AV_CODEC_ID_FLAC:
+ case AV_CODEC_ID_PCM_S16BE:
+ case AV_CODEC_ID_PCM_S24BE:
+ case AV_CODEC_ID_PCM_S32BE:
+ case AV_CODEC_ID_PCM_S16LE:
+ case AV_CODEC_ID_PCM_S24LE:
+ case AV_CODEC_ID_PCM_S32LE:
+ codec_config->seek_preroll = 0;
+ break;
+ default:
+ return AVERROR(EINVAL);
+ }
+
+ return 0;
+}
+
 static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg,
 IAMFCodecConfig *codec_config)
 {
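Review bot: The constant 3840 in the new populate_audio_roll_distance() is explained only by `// ceil(3840 / nb_samples)`, which restates the arithmetic rather than where the number comes from; a comment such as `// Opus pre-roll is 80 ms = 3840 samples at the 48 kHz Opus clock (RFC 7845), expressed in frames` ties it to the spec and makes the preceding `nb_samples` guard self-evident. The FLAC/PCM group could likewise carry `// no pre-roll needed for FLAC and LPCM` so the 0 reads as deliberate rather than as a default. Because the `default:` arm returns `AVERROR(EINVAL)`, a one-line header comment stating that callers must check the return value would help — the fill_codec_config hunk in the next section currently does not.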
@@ -83,7 +111,7 @@ static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg, codec_config->sample_rate = st->codecpar->sample_rate; codec_config->codec_tag = st->codecpar->codec_tag; codec_config->nb_samples = st->codecpar->frame_size; - codec_config->seek_preroll = st->codecpar->seek_preroll; + populate_audio_roll_distance(codec_config); if (st->codecpar->extradata_size) { codec_config->extradata = av_memdup(st->codecpar->extradata, st->codecpar->extradata_size); if (!codec_config->extradata) From 5fc5b33319902ca151246d40a9853d238cb230ef Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 18 Jul 2024 18:56:54 -0300 Subject: [PATCH 176/562] avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance The semantics for the field are different than the one in AVCodecParameters, so use the name defined in the IAMF spec to prevent confusion. Signed-off-by: James Almer (cherry picked from commit 54b8d5e201c97464625cfb6cfd851ed80976aa44) --- libavformat/iamf.h | 2 +- libavformat/iamf_parse.c | 8 ++++---- libavformat/iamf_writer.c | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/iamf.h b/libavformat/iamf.h index 68f05c635b..fd8b57a096 100644 --- a/libavformat/iamf.h +++ b/libavformat/iamf.h @@ -68,7 +68,7 @@ typedef struct IAMFCodecConfig { enum AVCodecID codec_id; uint32_t codec_tag; unsigned nb_samples; - int seek_preroll; + int audio_roll_distance; int sample_rate; int extradata_size; uint8_t *extradata; diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index d1511c3470..ce463f00e6 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -166,7 +166,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) uint8_t *buf; enum AVCodecID avcodec_id; unsigned codec_config_id, nb_samples, codec_id; - int16_t seek_preroll; + int16_t audio_roll_distance; int ret; buf = av_malloc(len); 
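Review bot: `populate_audio_roll_distance()` can fail — it returns `AVERROR(EINVAL)` for a zero `nb_samples` on Opus and for any codec outside its switch, per the definition added in the same patch — but the changed line in fill_codec_config discards the result, leaving `codec_config->seek_preroll` at whatever value it held before. Assuming fill_codec_config returns AVERROR codes like the functions around it (its head is outside the hunk), `int ret = populate_audio_roll_distance(codec_config); if (ret < 0) return ret;` would propagate the error instead of muxing a silently wrong roll distance; reuse the function's existing `ret` if it has one. fill_codec_config starts and ends outside the hunk.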
@@ -186,7 +186,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) codec_config_id = ffio_read_leb(pbc); codec_id = avio_rb32(pbc); nb_samples = ffio_read_leb(pbc); - seek_preroll = avio_rb16(pbc); + audio_roll_distance = avio_rb16(pbc); switch(codec_id) { case MKBETAG('O','p','u','s'): @@ -225,7 +225,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) codec_config->codec_config_id = codec_config_id; codec_config->codec_id = avcodec_id; codec_config->nb_samples = nb_samples; - codec_config->seek_preroll = seek_preroll; + codec_config->audio_roll_distance = audio_roll_distance; switch(codec_id) { case MKBETAG('O','p','u','s'): @@ -683,7 +683,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) substream->codecpar->codec_id = codec_config->codec_id; substream->codecpar->frame_size = codec_config->nb_samples; substream->codecpar->sample_rate = codec_config->sample_rate; - substream->codecpar->seek_preroll = -codec_config->seek_preroll * codec_config->nb_samples; + substream->codecpar->seek_preroll = -codec_config->audio_roll_distance * codec_config->nb_samples; switch(substream->codecpar->codec_id) { case AV_CODEC_ID_AAC: diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index 94bfffa95b..c955e1ecaf 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c @@ -79,10 +79,10 @@ static int populate_audio_roll_distance(IAMFCodecConfig *codec_config) if (!codec_config->nb_samples) return AVERROR(EINVAL); // ceil(3840 / nb_samples) - codec_config->seek_preroll = -(1 + ((3840 - 1) / codec_config->nb_samples)); + codec_config->audio_roll_distance = -(1 + ((3840 - 1) / codec_config->nb_samples)); break; case AV_CODEC_ID_AAC: - codec_config->seek_preroll = -1; + codec_config->audio_roll_distance = -1; break; case AV_CODEC_ID_FLAC: case AV_CODEC_ID_PCM_S16BE: 
@@ -91,7 +91,7 @@ static int populate_audio_roll_distance(IAMFCodecConfig *codec_config) case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S24LE: case AV_CODEC_ID_PCM_S32LE: - codec_config->seek_preroll = 0; + codec_config->audio_roll_distance = 0; break; default: return AVERROR(EINVAL); @@ -455,7 +455,7 @@ static int iamf_write_codec_config(const IAMFContext *iamf, avio_wl32(dyn_bc, codec_config->codec_tag); ffio_write_leb(dyn_bc, codec_config->nb_samples); - avio_wb16(dyn_bc, codec_config->seek_preroll); + avio_wb16(dyn_bc, codec_config->audio_roll_distance); switch(codec_config->codec_id) { case AV_CODEC_ID_OPUS: From db90c46fff420dbcbe62ef6e4603e15ef246c25f Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 16 Jul 2024 20:32:40 -0300 Subject: [PATCH 177/562] avformat/iamf: byteswap values in OpusHeader Clause 3.11.1 of IAMF[1] states the values are stored in big endian, in contrast to the Ogg Encapsulation for Opus[2] where they are in little endian. [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#opus-specific [2]https://datatracker.ietf.org/doc/html/rfc7845#section-5.1 Signed-off-by: James Almer (cherry picked from commit 7dabad079b783e921747de96597ea47cab244a11) --- libavformat/iamf_parse.c | 3 +++ libavformat/iamf_writer.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index ce463f00e6..4ac3454f41 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c 
@@ -272,6 +272,9 @@ static int update_extradata(AVCodecParameters *codecpar) switch(codecpar->codec_id) { case AV_CODEC_ID_OPUS: AV_WB8(codecpar->extradata + 9, codecpar->ch_layout.nb_channels); + AV_WL16(codecpar->extradata + 10, AV_RB16(codecpar->extradata + 10)); // Byte swap pre-skip + AV_WL32(codecpar->extradata + 12, AV_RB32(codecpar->extradata + 12)); // Byte swap sample rate + AV_WL16(codecpar->extradata + 16, AV_RB16(codecpar->extradata + 16)); // Byte swap Output Gain break; case AV_CODEC_ID_AAC: { uint8_t buf[5]; diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index c955e1ecaf..afe7a149cb 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c @@ -42,8 +42,12 @@ static int update_extradata(IAMFCodecConfig *codec_config) if (codec_config->extradata_size < 19) return AVERROR_INVALIDDATA; codec_config->extradata_size -= 8; - memmove(codec_config->extradata, codec_config->extradata + 8, codec_config->extradata_size); - AV_WB8(codec_config->extradata + 1, 2); // set channels to stereo + AV_WB8(codec_config->extradata + 0, AV_RL8(codec_config->extradata + 8)); // version + AV_WB8(codec_config->extradata + 1, 2); // set channels to stereo + AV_WB16(codec_config->extradata + 2, AV_RL16(codec_config->extradata + 10)); // Byte swap pre-skip + AV_WB32(codec_config->extradata + 4, AV_RL32(codec_config->extradata + 12)); // Byte swap sample rate + AV_WB16(codec_config->extradata + 8, 0); // set Output Gain to 0 + AV_WB8(codec_config->extradata + 10, AV_RL8(codec_config->extradata + 18)); // Mapping family break; case AV_CODEC_ID_FLAC: { uint8_t buf[13]; From fdd3e3504eba150c3e47aee42743cb0f3226ca6a Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 19 Jul 2024 00:00:43 -0300 Subject: [PATCH 178/562] avformat/iamf_parse: sanitize audio_roll_distance values Ensure the values are spec complaint and that no integer overflow can happen. 
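Review bot: The Opus branch of the writer's update_extradata now repacks the 19-byte OpusHead in place, and the sequence is correct only because every store to offsets 0–10 is ordered after all reads from the same bytes in the old layout at offsets 8–18 (the output-gain store at +8 comes after the reads at +10 and +12, and the mapping-family read at +18 precedes the store at +10); that invariant is invisible to anyone who later reorders a line or inserts a field. A comment above the first `AV_WB8`, `// In-place repack of the 19-byte OpusHead with the 8-byte magic dropped: each line reads the old layout at +8..+18 before a later line overwrites it, so keep this order`, makes it explicit. The parser hunk above swaps at the same offset (`AV_WL16(codecpar->extradata + 10, AV_RB16(codecpar->extradata + 10))` and friends), and a one-line `// IAMF stores these fields big-endian; libavcodec's Opus decoder expects the RFC 7845 little-endian header` would state the direction of that conversion rather than just "Byte swap". Both update_extradata functions start and end outside their hunks.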
Signed-off-by: James Almer (cherry picked from commit 9ce065c90decf1a07a810ccb699a491d41a720d2)
---
 libavformat/iamf_parse.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 4ac3454f41..0d80e6e725 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -38,7 +38,7 @@ static int opus_decoder_config(IAMFCodecConfig *codec_config,
 {
 int left = len - avio_tell(pb);
- if (left < 11)
+ if (left < 11 || codec_config->audio_roll_distance >= 0)
 return AVERROR_INVALIDDATA;
 codec_config->extradata = av_malloc(left + 8);
@@ -64,6 +64,9 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config,
 int object_type_id, codec_id, stream_type;
 int ret, tag, left;
+ if (codec_config->audio_roll_distance >= 0)
+ return AVERROR_INVALIDDATA;
+
 tag = avio_r8(pb);
 if (tag != MP4DecConfigDescrTag)
 return AVERROR_INVALIDDATA;
@@ -118,6 +121,9 @@ static int flac_decoder_config(IAMFCodecConfig *codec_config,
 {
 int left;
+ if (codec_config->audio_roll_distance)
+ return AVERROR_INVALIDDATA;
+
 avio_skip(pb, 4); // METADATA_BLOCK_HEADER
 left = len - avio_tell(pb);
@@ -146,7 +152,7 @@ static int ipcm_decoder_config(IAMFCodecConfig *codec_config,
 };
 int sample_format = avio_r8(pb); // 0 = BE, 1 = LE
 int sample_size = (avio_r8(pb) / 8 - 2); // 16, 24, 32
- if (sample_format > 1 || sample_size > 2)
+ if (sample_format > 1 || sample_size > 2 || codec_config->audio_roll_distance)
 return AVERROR_INVALIDDATA;
 codec_config->codec_id = sample_fmt[sample_format][sample_size];
@@ -246,6 +252,12 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 if (ret < 0)
 goto fail;
+ if ((codec_config->nb_samples > INT_MAX) ||
+ (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
 c->codec_configs[c->nb_codec_configs++] = codec_config;
 len -= avio_tell(pbc);
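Review bot: `INT_MAX / codec_config->nb_samples` in the new guard in codec_config_obu (the last hunk here) divides by a value read straight from the OBU — `nb_samples = ffio_read_leb(pbc)` in an earlier patch of this series — and neither this hunk nor the per-codec config functions patched above reject `nb_samples == 0`, so a zero frame size would trap on the division instead of being refused; unless it is validated on a line outside the hunk, the condition should be `if (codec_config->nb_samples > INT_MAX || codec_config->nb_samples == 0 || (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {`. Rejecting zero here is consistent with the writer, whose Opus branch of populate_audio_roll_distance already treats a zero nb_samples as invalid. codec_config_obu starts and ends outside the hunk.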
From 1ef18d022373b3cd478ad50e7017591667f0d15c Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 19 Jul 2024 20:50:52 -0300 Subject: [PATCH 179/562] avformat/iamf_writer: disallow Opus extradata with mapping family other than 0 Clause 3.11.1 of IAMF[1] states the Opus ID Header should conform to ChannelMappingFamily == 0. [1]https://aomediacodec.github.io/iamf/#opus-specific Signed-off-by: James Almer (cherry picked from commit 2aab4e4cc0b4a666c7e5a752b25a337710b20bdb) --- libavformat/iamf_writer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index afe7a149cb..5e8d8f768b 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c @@ -39,7 +39,7 @@ static int update_extradata(IAMFCodecConfig *codec_config) switch(codec_config->codec_id) { case AV_CODEC_ID_OPUS: - if (codec_config->extradata_size < 19) + if (codec_config->extradata_size != 19) return AVERROR_INVALIDDATA; codec_config->extradata_size -= 8; AV_WB8(codec_config->extradata + 0, AV_RL8(codec_config->extradata + 8)); // version From 87f805613cf6876c3cc07d0e92f5863b30982101 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 02:51:08 +0200 Subject: [PATCH 180/562] tools/enc_recon_frame_test: Assert that av_image_get_linesize() succeeds Helps: CID1524598 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6fa2ed77e57e82f3155b83ca4f4b3be8da5ff5c) Signed-off-by: Michael Niedermayer --- tools/enc_recon_frame_test.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/enc_recon_frame_test.c b/tools/enc_recon_frame_test.c index a8e152bf44..798fb772e8 100644 --- a/tools/enc_recon_frame_test.c +++ b/tools/enc_recon_frame_test.c @@ -28,6 +28,7 @@ #include "decode_simple.h" #include "libavutil/adler32.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/error.h" #include "libavutil/frame.h" 
@@ -88,6 +89,8 @@ static int frame_hash(FrameChecksum **pc, size_t *nb_c, int64_t ts, int linesize = av_image_get_linesize(frame->format, frame->width, p); uint32_t checksum = 0; + av_assert0(linesize >= 0); + for (int j = 0; j < frame->height >> shift_v[p]; j++) { checksum = av_adler32_update(checksum, data, linesize); data += frame->linesize[p]; From d17dcd63b12356dd90e1228ef9db79ca67a696da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:37:04 +0200 Subject: [PATCH 181/562] avcodec/tests/bitstream_template: Assert bits_init8() return Helps: CID1518967 Unchecked return value Helps: CID1518968 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7775973f037724f26676015a364134fd728babf) Signed-off-by: Michael Niedermayer --- libavcodec/tests/bitstream_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/tests/bitstream_template.c b/libavcodec/tests/bitstream_template.c index ef59845154..b4c8821a90 100644 --- a/libavcodec/tests/bitstream_template.c +++ b/libavcodec/tests/bitstream_template.c @@ -61,6 +61,7 @@ int main(int argc, char **argv) uint64_t val, val1; int32_t sval, sval1; unsigned count; + int ret; /* generate random input, using a given or random seed */ if (argc > 1) @@ -74,7 +75,8 @@ int main(int argc, char **argv) for (unsigned i = 0; i < SIZE; i++) buf[i] = av_lfg_get(&lfg); - bits_init8 (&bc, buf, SIZE); + ret = bits_init8 (&bc, buf, SIZE); + av_assert0(ret >= 0); init_put_bits(&pb, dst, SIZE); /* use a random sequence of bitreading operations to transfer data From 4b11e29881bd3fcf26b62c47edb5c3ecdc851549 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 23:25:42 +0200 Subject: [PATCH 182/562] avformat/demux: resurrect dead stores Fixes: CID1473512 Unused value Fixes: CID1529228 Unused value Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 33da5f4e2717cc947cf44ad9a52668694ea4ee82) Signed-off-by: Michael Niedermayer
---
 libavformat/demux.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavformat/demux.c b/libavformat/demux.c
index 147f3b93ac..5027b84206 100644
--- a/libavformat/demux.c
+++ b/libavformat/demux.c
@@ -2499,7 +2499,7 @@ static int extract_extradata(FFFormatContext *si, AVStream *st, const AVPacket *
 int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
 {
 FFFormatContext *const si = ffformatcontext(ic);
- int count = 0, ret = 0;
+ int count = 0, ret = 0, err;
 int64_t read_size;
 AVPacket *pkt1 = si->pkt;
 int64_t old_offset = avio_tell(ic->pb);
@@ -3010,9 +3010,11 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
 }
 }
- ret = compute_chapters_end(ic);
- if (ret < 0)
+ err = compute_chapters_end(ic);
+ if (err < 0) {
+ ret = err;
 goto find_stream_info_err;
+ }
 /* update the stream parameters from the internal codec contexts */
 for (unsigned i = 0; i < ic->nb_streams; i++) {
From 447e9fea755eb2588da17047010b6aa2becb2a42 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 183/562] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer
---
 libavdevice/dshow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c
index 0330d1d0b6..eb98c57b09 100644
--- a/libavdevice/dshow.c
+++ b/libavdevice/dshow.c
@@ -1370,7 +1370,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From 57a22f0994ac0903e8e95a258066ecd746c45e91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 184/562] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index bececefb31..d60081889f 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -148,12 +148,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From 31afbc0e4cc004e9b1c2587ec7353dbbe404d06c Mon Sep 17 00:00:00 2001 
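Review bot: The three new `return 1` exits in libavutil/tests/dict.c leave `dict` allocated, although the comment two lines above marks this as the valgrind-sensitive test, so a failure here would now show up as a leak on top of the non-zero exit. Freeing before leaving keeps the report clean, e.g. `if (av_dict_set(&dict, "key", "old", 0) < 0) { av_dict_free(&dict); return 1; }` for each of the three checks, or one `fail:` label at the end of main that does the free and returns. The start and end of main are outside the hunk.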
From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 185/562] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index ccf3a54f96..281ad0dc35 100644 --- a/libavutil/tests/opt.c +++ b/libavutil/tests/opt.c @@ -264,6 +264,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -274,8 +275,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); From 98a1c887c327f47bb6694e758d6258b3a8ecf878 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:30:13 +0200 Subject: [PATCH 186/562] swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE related: CID1497114 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3f9daf1c18c2f0fb9e6d0b94af8e92cafc0cf010) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index ff16398988..fff8bb4396 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c 
@@ -649,7 +649,7 @@ switch(c->dstBpc){ \ } -#define INPUT_PLANER_RGB_A_FUNC_CASE(fmt, name, opt) \ +#define INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(fmt, name, opt) \ case fmt: \ c->readAlpPlanar = ff_planar_##name##_to_a_##opt; @@ -672,15 +672,15 @@ switch(c->dstBpc){ \ break; #define INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_UVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_YUV_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ @@ -696,7 +696,7 @@ switch(c->dstBpc){ \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGB_YUVA_ALL_CASES(opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, opt) \ INPUT_PLANER_RGBXX_YUV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, opt) \ INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, opt) \ 
@@ -708,7 +708,7 @@ switch(c->dstBpc){ \ if (EXTERNAL_SSE2(cpu_flags)) { switch (c->srcFormat) { - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, sse2); + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, sse2); INPUT_PLANER_RGB_UV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, sse2); INPUT_PLANER_RGBXX_UV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, sse2); INPUT_PLANER_RGBAXX_UVA_FUNC_CASE( AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, sse2); From eb1e40909bad10c4aabcb451a6e59404ee5b993f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 187/562] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 0a84b662f9..d57a87ce07 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -831,7 +831,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From 1e23d86cd589417135962f7328f8300fa8433747 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 02:24:17 +0200 Subject: [PATCH 188/562] tools/decode_simple: Check avcodec_send_packet() for errors on flushing This will not error but the API allows errors so we should check it Fixes: CID1489999 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6df8bd64ffa5ea3864a433c5e78b8d8f642c1305) 
Signed-off-by: Michael Niedermayer --- tools/decode_simple.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/decode_simple.c b/tools/decode_simple.c index 6532e368d4..e8c1d6a407 100644 --- a/tools/decode_simple.c +++ b/tools/decode_simple.c @@ -94,8 +94,9 @@ int ds_run(DecodeContext *dc) goto finish; } - avcodec_send_packet(dc->decoder, NULL); - ret = decode_read(dc, 1); + ret = avcodec_send_packet(dc->decoder, NULL); + if (ret >= 0) + ret = decode_read(dc, 1); if (ret < 0) { fprintf(stderr, "Error flushing: %d\n", ret); return ret; From 24658e9ee2a3787f6ce48ef90b9f28fc5c12f0fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:53:28 +0200 Subject: [PATCH 189/562] avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() Helps: CID1441167 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8814cedb079d5827e07a92e9424c2314bd0a6047) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7ce1ab32f6..9bf69afa4d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -421,7 +421,8 @@ static void av_always_inline horizontal_fill(TiffContext *s, uint8_t shift = is_dng ? 0 : 16 - bpp; GetBitContext gb; - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst16[i] = get_bits(&gb, bpp) << shift; } From 4bc1462acff477e9eea2465ba498142317cacfee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:58:30 +0200 Subject: [PATCH 190/562] avcodec/tiff: Assert init_get_bits8() success in unpack_gray() Helps: CID1441939 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a287f17db22c0c85f0445a1d31139cc70e73205e) 
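Review bot: `av_assert1()` expands to nothing at FFmpeg's default assert level, so in an ordinary build the value stored in `ret` in horizontal_fill is never examined and `ret` becomes an unused variable (the unpack_gray hunk of the next patch, libavcodec/tiff.c @@ -456, has the same shape). If the intent is that init_get_bits8() cannot fail here because `width` was already validated by the caller, a short comment would make that contract explicit, e.g. `/* width is bounded by the caller; init_get_bits8() cannot fail here */`; otherwise `av_assert0` would keep the check alive in release builds. horizontal_fill is `static void`, so propagating the error would be a larger interface change; its body continues outside the hunk.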
Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 9bf69afa4d..ee3aba3e86 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -456,7 +456,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); From 23e3356b86d32c94d0c31ee72c211177d5685a5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 02:45:39 +0200 Subject: [PATCH 191/562] avcodec/vlc: Cleanup on multi table alloc failure in ff_vlc_init_multi_from_lengths() Fixes: CID1544630 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 62d7106c36037d1bedd5a2e216540740f8f735eb) Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index e01cc41689..7d940915df 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c @@ -529,7 +529,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int multi->table = av_malloc(sizeof(*multi->table) << nb_bits); if (!multi->table) - return AVERROR(ENOMEM); + goto fail; j = code = 0; for (int i = 0; i < nb_codes; i++, lens += lens_wrap) { From 4175b435330656e8d0d66bbf9d872eeb12c20858 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:25:50 +0200 Subject: [PATCH 192/562] avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow Fixes: CID1503075 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f52b64bcc345842a88a40ddf3873559f1160e34) 
Signed-off-by: Michael Niedermayer --- libavdevice/pulse_audio_enc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/pulse_audio_enc.c b/libavdevice/pulse_audio_enc.c index 3e2cc91f69..80136d1e20 100644 --- a/libavdevice/pulse_audio_enc.c +++ b/libavdevice/pulse_audio_enc.c @@ -471,10 +471,11 @@ static av_cold int pulse_write_header(AVFormatContext *h) s->nonblocking = (h->flags & AVFMT_FLAG_NONBLOCK); if (s->buffer_duration) { - int64_t bytes = s->buffer_duration; - bytes *= st->codecpar->ch_layout.nb_channels * st->codecpar->sample_rate * - av_get_bytes_per_sample(st->codecpar->format); - bytes /= 1000; + int64_t bytes = av_rescale(s->buffer_duration, + st->codecpar->ch_layout.nb_channels * + (int64_t)st->codecpar->sample_rate * + av_get_bytes_per_sample(st->codecpar->format), + 1000); buffer_attributes.tlength = FFMAX(s->buffer_size, av_clip64(bytes, 0, UINT32_MAX - 1)); av_log(s, AV_LOG_DEBUG, "Buffer duration: %ums recalculated into %"PRId64" bytes buffer.\n", From 78ad74a20a3c2d9dcfa0edcea668ea7d3768309d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:43:42 +0200 Subject: [PATCH 193/562] avformat/ac4dec: Check remaining space in ac4_probe() Fixes: CID1538298 Untrusted loop bound Fixes: undefined behavior Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2f04cb673cb394b6e1cda160af8faa733b62bae2) Signed-off-by: Michael Niedermayer --- libavformat/ac4dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ac4dec.c b/libavformat/ac4dec.c index f647f557cc..dc6638de3a 100644 --- a/libavformat/ac4dec.c +++ b/libavformat/ac4dec.c @@ -43,6 +43,8 @@ static int ac4_probe(const AVProbeData *p) size += 4; if (buf[1] == 0x41) size += 2; + if (left < size) + break; max_frames++; left -= size; buf += size; From bf5aba6b88e9aee008ab5a0b1003ae155d3f2ffb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 194/562] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index 231064be61..c664cd60fe 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -291,7 +291,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From c684c13ee4dd821ea89331ad2b3d7d4116085f67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:12:09 +0200 Subject: [PATCH 195/562] avformat/argo_asf: Use 64bit in offset intermediate Fixes: CID1467435 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9d1f65308d40502015272a3d1cc9f805c77e075) Signed-off-by: Michael Niedermayer --- libavformat/argo_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c index 61bfc6de1f..e08f029f80 100644 --- a/libavformat/argo_asf.c +++ b/libavformat/argo_asf.c @@ -259,7 +259,7 @@ static int argo_asf_seek(AVFormatContext *s, int stream_index, return -1; offset = asf->fhdr.chunk_offset + ASF_CHUNK_HEADER_SIZE + - (block * st->codecpar->block_align); + block * (int64_t)st->codecpar->block_align; if ((offset = avio_seek(s->pb, offset, SEEK_SET)) < 0) return offset; From 376e36d25382d380eb4f6dcfcbef99c1fb1b101c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 23 May 2024 02:27:28 +0200 Subject: [PATCH 196/562] avformat/asfdec_f: Use 64bit for preroll computation Fixes: CID1500342 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 70b499476213a198ac0f39450cddaea4b34662f5) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 9713c02b0a..8daae216a6 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -674,7 +674,7 @@ static int asf_read_marker(AVFormatContext *s) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000LL); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From 0eda3eaac40fc148c90944eb7e9652dfe41ec057 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:33:37 +0200 Subject: [PATCH 197/562] avcodec/sga: Make it clear that the return is intentionally not checked Related: CID1473496 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 00d029d5c0b7029720265d579389a348220decfb) Signed-off-by: Michael Niedermayer --- libavcodec/sga.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sga.c b/libavcodec/sga.c index 4ced6e9890..f474ffba9a 100644 --- a/libavcodec/sga.c +++ b/libavcodec/sga.c @@ -72,7 +72,7 @@ static int decode_palette(GetByteContext *gb, uint32_t *pal) return AVERROR_INVALIDDATA; memset(pal, 0, 16 * sizeof(*pal)); - init_get_bits8(&gbit, gb->buffer, 18); + (void)init_get_bits8(&gbit, gb->buffer, 18); for (int RGBIndex = 0; RGBIndex < 3; RGBIndex++) { for (int index = 0; index < 16; index++) { 
From e292a764c03cc16472600c4a1c74eba6a93b37a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 May 2024 13:18:13 +0200 Subject: [PATCH 198/562] avformat/fwse: Remove always false expression Fixes: CID1460758 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348c3a7ffe0c3aecf35f1a26a9f321a4e608dab7) Signed-off-by: Michael Niedermayer --- libavformat/fwse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fwse.c b/libavformat/fwse.c index 6c1103da14..dc4750d946 100644 --- a/libavformat/fwse.c +++ b/libavformat/fwse.c @@ -67,7 +67,7 @@ static int fwse_read_header(AVFormatContext *s) av_channel_layout_default(&par->ch_layout, channels); st->duration = avio_rl32(pb); par->sample_rate = avio_rl32(pb); - if (par->sample_rate <= 0 || par->sample_rate > INT_MAX) + if (par->sample_rate <= 0) return AVERROR_INVALIDDATA; par->block_align = 1; From 0fc0a84c039069cff3f13ea5f685311a8d3d0d15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 199/562] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 0e5a6ed947..6148f0dacf 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c 
@@ -57,7 +57,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From 4d6197911edcda8b5e8176c3d70db454e6853349 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 200/562] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 6148f0dacf..520ecc05a3 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From 0e746e97a329b9100cc2bb2ca8328e5e62185716 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 01:32:57 +0200 Subject: [PATCH 201/562] avcodec/vvc/mvs: Initialize mvf This might not be needed for correctness but it could help general reproducability of issues Related to: CID1560037 Uninitialized scalar variable Related to: CID1560044 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2e5433dc1209cf95a6a76dab2ddf21df4dfd630e) 
Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvc_mvs.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/vvc/vvc_mvs.c b/libavcodec/vvc/vvc_mvs.c index 6398fd3571..51d5e3b6b0 100644 --- a/libavcodec/vvc/vvc_mvs.c +++ b/libavcodec/vvc/vvc_mvs.c @@ -407,12 +407,11 @@ void ff_vvc_store_sb_mvs(const VVCLocalContext *lc, PredictionUnit *pu) const int sbw = cu->cb_width / mi->num_sb_x; const int sbh = cu->cb_height / mi->num_sb_y; SubblockParams params[2]; - MvField mvf; + MvField mvf = {0}; mvf.pred_flag = mi->pred_flag; mvf.bcw_idx = mi->bcw_idx; mvf.hpel_if_idx = mi->hpel_if_idx; - mvf.ciip_flag = 0; for (int i = 0; i < 2; i++) { const PredFlag mask = i + 1; if (mi->pred_flag & mask) { @@ -500,12 +499,11 @@ void ff_vvc_store_mvf(const VVCLocalContext *lc, const MvField *mvf) void ff_vvc_store_mv(const VVCLocalContext *lc, const MotionInfo *mi) { const CodingUnit *cu = lc->cu; - MvField mvf; + MvField mvf = {0}; mvf.hpel_if_idx = mi->hpel_if_idx; mvf.bcw_idx = mi->bcw_idx; mvf.pred_flag = mi->pred_flag; - mvf.ciip_flag = 0; for (int i = 0; i < 2; i++) { const PredFlag mask = i + 1; From 7a73598b3f082fede2530d6bfa2fc68922df2326 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 202/562] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 33a5dfcc89..923eae55fc 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c 
@@ -1978,7 +1978,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2007,7 +2007,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From 956f4cc431ec55859c481f2bc17a3c9e43babd6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 04:13:14 +0200 Subject: [PATCH 203/562] avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() Helps: CID1548380 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5098589b0ca74b3f52e09bae277306a1fc0cd43) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 914bde4a2a..ed630cd597 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -97,6 +97,8 @@ static av_cold void rv34_gen_vlc_ext(const uint8_t *bits, int size, VLC *vlc, uint16_t cw[MAX_VLC_SIZE]; int maxbits; + av_assert1(size > 0); + for (int i = 0; i < size; i++) counts[bits[i]]++; From 5dc306967340f59c7856bf540ce72f2cecc0fe75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 21:16:00 +0200 Subject: [PATCH 204/562] avcodec/scpr3: Check add_dec() for failure Fixes: CID1441459 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d741638042d827aed994b819857d6587121627ab) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 5271717ac7..e91c198308 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c 
@@ -465,6 +465,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); @@ -868,11 +870,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) ret = update_model6_to_7(m); - if (ret < 0) - return AVERROR_INVALIDDATA; - } + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; From 8689e9d178e919225358efb6617b7667b40f6bc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 205/562] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index 010d0c1ac3..17a0814459 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -226,8 +226,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From 23e085b743437e3ccf0be675a673780c6ddcd70c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 00:45:29 +0200 Subject: [PATCH 206/562] avcodec/notchlc: Check init_get_bits8() for failure Fixes: CID1500300 Unchecked return value Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 19db9636c52c040d364fe9af94ddeeb1ecfd2c2a) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 0feb0918f0..6351a313f8 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c @@ -242,7 +242,9 @@ static int decode_blocks(AVCodecContext *avctx, AVFrame *p, bytestream2_seek(&dgb, s->y_data_offset + row_offset, SEEK_SET); - init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + ret = init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + if (ret < 0) + return ret; for (int x = 0; x < avctx->width; x += 4) { unsigned item = bytestream2_get_le32(gb); unsigned y_min = item & 4095; From d2295ca9453048981555901dfb247cd160bd690c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 01:14:21 +0200 Subject: [PATCH 207/562] avcodec/pcm-dvdenc: 64bit pkt-size It seems nothing prevents such overflow even though odd Fixes: CID1441934 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 160b81ce2a87b0835125da7c72ab7ed8c0918c45) Signed-off-by: Michael Niedermayer --- libavcodec/pcm-dvdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm-dvdenc.c b/libavcodec/pcm-dvdenc.c index 1e7ee644f6..71e9b6915a 100644 --- a/libavcodec/pcm-dvdenc.c +++ b/libavcodec/pcm-dvdenc.c @@ -116,7 +116,7 @@ static int pcm_dvd_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { PCMDVDContext *s = avctx->priv_data; int samples = frame->nb_samples * avctx->ch_layout.nb_channels; - int64_t pkt_size = (frame->nb_samples / s->samples_per_block) * s->block_size + 3; + int64_t pkt_size = (int64_t)(frame->nb_samples / s->samples_per_block) * s->block_size + 3; int blocks = (pkt_size - 3) / s->block_size; const int16_t *src16; const int32_t *src32; 
From 063c906f1f0550aeff9e39a135b5bdb5dcbd0d42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 01:22:18 +0200 Subject: [PATCH 208/562] avcodec/proresenc_anatoliy: Assert that AV_PROFILE_UNKNOWN is replaced If its not replaced we would have a negative index used in an array potentially Helps: CID1440385 Negative array index read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6106177ad66ab28f44520534f386239d2405eeab) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_anatoliy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 02ab07d28e..b1a173e953 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -856,7 +856,8 @@ static av_cold int prores_encode_init(AVCodecContext *avctx) avctx->profile = AV_PROFILE_PRORES_4444; av_log(avctx, AV_LOG_INFO, "encoding with ProRes 4444+ (ap4h) profile\n"); - } + } else + av_assert0(0); } else if (avctx->profile < AV_PROFILE_PRORES_PROXY || avctx->profile > AV_PROFILE_PRORES_XQ) { av_log( From 02cb95ba0c2395af3b4012b3372745d85601fae0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 209/562] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a9f519d7b8..b8dfe298ed 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
@@ -263,7 +263,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From 58dc78387d6ddbeb4fa4f692424b363e444d80f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 210/562] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index b8dfe298ed..faca7ecc1b 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -268,7 +268,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From caed56c6c55b81d4358409e6b47f581456eea67b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 May 2024 23:30:49 +0200 Subject: [PATCH 211/562] avcodec/ilbcdec: Remove dead code Yes the same dead code is in "iLBC Speech Coder ANSI-C Source Code" Fixes: CID1509370 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8a64a003b5d567354e82af679e056615c8464a6f) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 4ecdff4183..ba1da168bc 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c 
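Review bot: On the new failure path `free_buffers(s)` is called while `thread_data[i].lock`, `thread_data[i].cond` and every entry after i have not been initialised; if free_buffers tears down the locks and conds of all entries, as its name suggests, it hands never-initialised objects to pthread_mutex_destroy()/pthread_cond_destroy(), which POSIX leaves undefined even though zero-filled storage usually passes on glibc. The cond hunk of the following patch (@@ -268) has the same shape, leaving entry i with an initialised lock but no cond. The pre-existing ENOMEM return just above appears to have the same property, so this is not introduced here, but either destroying only the first i entries before freeing, or a comment recording the reliance on zeroed storage, would make the path safe to read. free_buffers and the enclosing loop are outside the hunk.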
@@ -1095,12 +1095,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: From ca087aac86564b0b31af9d203db40003645db51a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 May 2024 03:48:10 +0200 Subject: [PATCH 212/562] avcodec/libx264: Check init_get_bits8() return code Fixes: CID1594529 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit dce69ba89e37a956236b30663be893b7dae1567b) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index eadb20d2b3..813ccbbdb3 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -929,7 +929,9 @@ static int set_avcc_extradata(AVCodecContext *avctx, x264_nal_t *nal, int nnal) * * +4 to skip until sps id. */ - init_get_bits8(&gbc, sps + 4, sps_nal->i_payload - 4 - 4); + ret = init_get_bits8(&gbc, sps + 4, sps_nal->i_payload - 4 - 4); + if (ret < 0) + return ret; // Skip sps id get_ue_golomb_31(&gbc); chroma_format_idc = get_ue_golomb_31(&gbc); From b09cadf2efcf928b79b61df3654773cda3364eed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 213/562] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) 
Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 6888936290..69e285afe6 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -202,6 +202,8 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -212,6 +214,7 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); From 45eabb1ef6a56c3c93bde188a5127950c13aaac5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 214/562] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index f3c258bb99..309ec4d32f 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -581,7 +581,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 1973b87dda5084d6fad37fbacc54bf43ab9213fa Mon Sep 17 00:00:00 2001 
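Review bot: The new `goto fail_in_loop` on the comma path jumps into the body of the base64-error `if` after its `av_log`, so an overflowing pset list is rejected silently while the neighbouring failure is logged. Jumping into the middle of an `if` block is legal C but easy to misread; a label placed after that block, or an explicit `av_log(s, AV_LOG_ERROR, "pset buffer full\n");` before the goto, would keep the two error paths symmetric. When `p - psets == MAX_PSET_SIZE - 1` the check passes, the comma is written to the last byte and `p++` leaves zero bytes for `av_base64_encode`, so correctness then rests on that function rejecting a zero-size output buffer, which deserves a comment. extradata2psets continues outside both hunks.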
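Review bot: `FLAGS` still expands to an expression that silently depends on locals named `o` and `arg` in whichever function uses it (presumably opt_default, which follows it), a hidden coupling the added outer parentheses do not address. A one-line comment above the macro, `/* expands to an expression over the caller's locals o and arg */`, or a `static inline` helper taking `o` and `arg` as parameters, would make that dependency explicit. The macro definition is complete within the hunk.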
From: Michael Niedermayer Date: Sun, 2 Jun 2024 23:32:43 +0200 Subject: [PATCH 215/562] avdevice/xcbgrab: Check sscanf() return Alot more input checking can be performed, this is only checking the obvious missing case Fixes: CID1598562 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d13babc62fa14727ee590e5a9661f23a0d9f) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index b2ff1f9828..329e79bf3f 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -827,7 +827,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); From 54f57cb532e15b531d268905d38a746de14abdc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:16:18 +0200 Subject: [PATCH 216/562] avformat/imfdec: Simplify get_next_track_with_minimum_timestamp() This also makes the code more robust Fixes: CID1512414 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Reviewed-by: Pierre-Anthony Lemieux Signed-off-by: Michael Niedermayer (cherry picked from commit f10493f6fc2a79f706138d90420a4369b9655a47) Signed-off-by: Michael Niedermayer --- libavformat/imfdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavformat/imfdec.c b/libavformat/imfdec.c index 4625d720ac..bf56c78266 100644 --- a/libavformat/imfdec.c +++ b/libavformat/imfdec.c 
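Review bot: When the second `sscanf` matches only one field (return value 1), `c->x` has already been overwritten from the URL while `c->y` keeps its previous value, and the code continues with only a warning, so a half-parsed offset is used silently; treating anything other than 2 as an error (`return AVERROR(EINVAL);`) or resetting both fields before the warning would avoid that. The guard `if (*s->url)` suggests an empty URL was expected to reach this branch, but an empty string makes the outer `sscanf` return EOF (-1), which `!sscanf(...)` treats as success, so that case skips the branch entirely and, unless `display_name` is initialised earlier in the function, passes an unset buffer to `xcb_connect`. The message string also misspells "Ambiguous" as `Ambigous`, and `if(` lacks the space the surrounding code uses. xcbgrab_read_header continues outside the hunk.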
@@ -695,12 +695,9 @@ static int imf_read_header(AVFormatContext *s) static IMFVirtualTrackPlaybackCtx *get_next_track_with_minimum_timestamp(AVFormatContext *s) { IMFContext *c = s->priv_data; - IMFVirtualTrackPlaybackCtx *track; + IMFVirtualTrackPlaybackCtx *track = NULL; AVRational minimum_timestamp = av_make_q(INT32_MAX, 1); - if (!c->track_count) - return NULL; - for (uint32_t i = c->track_count; i > 0; i--) { av_log(s, AV_LOG_TRACE, "Compare track %d timestamp " AVRATIONAL_FORMAT " to minimum " AVRATIONAL_FORMAT From 2ea4dfd68467d0b9678bf347c8715fe9e2dcc0c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 217/562] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ff0065aff7..dc1af1fbe3 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -794,7 +794,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; @@ -815,6 +814,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From b8ee22e1dd014d643022722a94a53325ee88d591 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:56:31 +0200 Subject: [PATCH 218/562] avformat/img2dec: Little JFIF / Exif cleanup This changes the behavior and makes it behave how it probably was intended. Either way this is unlikely to result in any user visible change Fixes: CID1494637 Missing break in switch Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 5712f36dd0ee0144b92edd2147e24b3724d7ec89) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index dc1af1fbe3..cd2ed30117 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -795,11 +795,13 @@ static int jpeg_probe(const AVProbeData *p) state = EOI; break; case APP0: - if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) + if (c == APP0 && AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; + /* fallthrough */ case APP1: - if (AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) + if (c == APP1 && AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) got_header = 1; + /* fallthrough */ case APP2: case APP3: case APP4: From 871c89e0bab9c1f9db5a570f61a8fabbf9975c5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:19:36 +0200 Subject: [PATCH 219/562] avformat/libzmq: Check av_strstart() Fixes: CID1453457 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0263b6a48caaff839e4c28df15b299b89c7da92d) Signed-off-by: Michael Niedermayer --- libavformat/libzmq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 04c72ac601..f4bb849e46 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,10 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - av_strstart(uri, "zmq:", &uri); + if (av_strstart(uri, "zmq:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } /*publish during write*/ if (h->flags & AVIO_FLAG_WRITE) { From 9e6950dcb49227875c2d909a81d3abea92b35f89 Mon Sep 17 00:00:00 2001 
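Review bot: The re-test of `c` inside its own case label (`c == APP0 &&` under `case APP0:`, `c == APP1 &&` under `case APP1:`) is always true on direct entry and only matters because APP0 now falls through into APP1's body, which reads like a mistake without an explanation. A comment on the first one, `/* APP0 falls through; re-check c so the Exif test below never runs on an APP0 segment */`, would preserve the reasoning. Both `AV_RL32(&b[i + 4])` reads assume at least eight bytes remain at `i`; whether the loop bounds guarantee that is outside the hunk. jpeg_probe continues outside the hunk.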
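Review bot: The new check is inverted: `av_strstart()` returns non-zero when `uri` does begin with the prefix, so `if (av_strstart(uri, "zmq:", &uri))` rejects every well-formed `zmq:` URL and accepts exactly the malformed ones the commit meant to catch. The line should read `if (!av_strstart(uri, "zmq:", &uri)) {`. With the corrected sense `uri` is left unchanged in the error branch, so the log message prints the full unparsed URL as intended. zmq_proto_open continues outside the hunk.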
From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:25:59 +0200 Subject: [PATCH 220/562] avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e37fcfa018..ae3565b0c3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4207,7 +4207,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); From 488aa523712c6a1ae6f88b014e01a235dfed2b3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:17:27 +0200 Subject: [PATCH 221/562] avformat/mov: Use 64bit in intermediate for current_dts Fixes: CID1500304 Unintentional integer overflow Fixes: CID1500318 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0c977d37aad609f6ed7d148c012da8bc83df8f0b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index be8add7603..06998d588c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
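Review bot: `av_assert0(matroska->num_levels <= 2U)` relies on the usual arithmetic conversions turning a negative `num_levels` into a large unsigned value so the assertion also fires for negative counts, but a reader will likely take the `U` suffix for a stray typo and "fix" it. A comment on that line, `/* unsigned compare so a negative num_levels also trips the assert */`, or an explicit `matroska->num_levels >= 0 &&` term, would state the intent; this assumes `num_levels` is a signed type, which the hunk does not show. matroska_parse_cluster continues outside the hunk.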
@@ -3386,12 +3386,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) corrected_dts += sample_duration * sample_count; } - current_dts += sc->stts_data[i].duration * sample_count; + current_dts += sc->stts_data[i].duration * (int64_t)sample_count; if (current_dts > corrected_dts) { int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1); uint32_t correction = (sc->stts_data[i].duration > drift) ? drift : sc->stts_data[i].duration - 1; - current_dts -= correction * sample_count; + current_dts -= correction * (uint64_t)sample_count; sc->stts_data[i].duration -= correction; } From d44a75849c2ec11ea190e6f89c4744a16939cd2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:20:41 +0200 Subject: [PATCH 222/562] avformat/mov: Use int64_t in intermediate for corrected_dts Fixes: CID1500312 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 034054b3706bea8524cf8846813e17636ca5ab33) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 06998d588c..c3f3fec550 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3383,7 +3383,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stts_data[i].duration = 1; corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; } else { - corrected_dts += sample_duration * sample_count; + corrected_dts += sample_duration * (int64_t)sample_count; } current_dts += sc->stts_data[i].duration * (int64_t)sample_count; From c818250194c6f8d7773f668398786c4d731f2af6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 223/562] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond 
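Review bot: The two widened products use different casts, `duration * (int64_t)sample_count` for the addition and `correction * (uint64_t)sample_count` for the subtraction, so `current_dts -= ...` is evaluated in unsigned arithmetic and converted back to the (presumably `int64_t`) `current_dts`, which is implementation-defined rather than the plain signed arithmetic the first line uses. Using `(int64_t)` in both places keeps the pair consistent; the following hunk (patch 222, `corrected_dts += sample_duration * (int64_t)sample_count`) already uses the signed form. Whether `correction` (a `uint32_t`) times `sample_count` can exceed INT64_MAX depends on the range of `sample_count`, which is not visible here. mov_read_stts continues outside the hunk.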
Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 3adde22c09..3e65f26552 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -288,7 +288,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init2(&rot->draw, inlink->format, inlink->colorspace, inlink->color_range, 0); + ret = ff_draw_init2(&rot->draw, inlink->format, inlink->colorspace, inlink->color_range, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 9d7811aa65fcbc5b50db4e04188f798a62e3681f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jun 2024 19:37:15 +0200 Subject: [PATCH 224/562] doc/developer: Provide information about git send-email and gmail The 2 links are the clearest i found. Signed-off-by: Michael Niedermayer (cherry picked from commit 959cb2e2e36cad50b88d45c1201c2c3d64d4e48c) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 63835dfa06..ed998adecb 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -638,6 +638,11 @@ patch is inline or attached per mail. You can check @url{https://patchwork.ffmpeg.org}, if your patch does not show up, its mime type likely was wrong. +@subheading How to setup git send-email? + +Please see @url{https://git-send-email.io/}. +For gmail additionally see @url{https://shallowsky.com/blog/tech/email/gmail-app-passwds.html}. + @subheading Sending patches from email clients Using @code{git send-email} might not be desirable for everyone. The following trick allows to send patches via email clients in a safe 
From 8abfa9e42fc903b32409d6559f604886cd4242f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 225/562] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index dd633f37e8..32581643e6 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -535,10 +535,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 13067aa562e38be1b0406c0021200ecdea569a19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 01:08:28 +0200 Subject: [PATCH 226/562] avcodec/libvpxenc: Cleanup on error This or fifo needs to be freed on errors explicitly Fixes: memleak Fixes: 68937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-4830831016214528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Zern Signed-off-by: Michael Niedermayer (cherry picked from commit 2b2ced61eba03a1afc83e37614c6635ee9f2b551) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 4b89e47e83..b1aa1c85ad 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c 
@@ -2040,6 +2040,7 @@ const FFCodec ff_libvpx_vp8_encoder = { FF_CODEC_ENCODE_CB(vpx_encode), .close = vpx_free, .caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE | + FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_AUTO_THREADS, .p.pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_NONE }, .p.priv_class = &class_vp8, @@ -2116,6 +2117,7 @@ FFCodec ff_libvpx_vp9_encoder = { FF_CODEC_ENCODE_CB(vpx_encode), .close = vpx_free, .caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE | + FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_AUTO_THREADS, .defaults = defaults, .init_static_data = vp9_init_static, From 40cca1cf87a20cbeae7f5d8f6f62264907a14cc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 02:32:13 +0200 Subject: [PATCH 227/562] avformat/mxfdec: Check container_ul->desc before use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 518a507539..a04c521994 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3030,6 +3030,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; From 7180b3f213ba510ae6b418757786091aeebd9fcd Mon Sep 17 00:00:00 2001 
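Review bot: Setting `FF_CODEC_CAP_INIT_CLEANUP` means `vpx_free` is now invoked after a failed init, so it must tolerate every partially constructed state of the context, including a NULL fifo and an encoder handle on which the libvpx initialisation never ran; the hunks change only the capability flag, so that property of vpx_free has to be verified separately. A comment next to the flag in both encoder definitions, `/* INIT_CLEANUP: vpx_free must cope with a partially initialised context */`, would record the obligation. Both FFCodec definitions extend outside their hunks.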
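Review bot: The added `container_ul->desc &&` repeats the NULL test performed two lines earlier in `if (container_ul->desc) av_dict_set(...)`; nesting the eia608 check inside that existing `if` would express the dependency once instead of guarding the same pointer twice. As written the code is correct, so this is only a readability point. mxf_parse_structural_metadata continues outside the hunk.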
From: Michael Niedermayer Date: Sun, 23 Jul 2023 01:19:48 +0200 Subject: [PATCH 228/562] tools/target_dec_fuzzer: Adjust threshold for jpeg2000 Fixes: Timeout Fixes: 57385/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5394334324490240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 749994194cc222f6ee01762b16c0574a947e0e9f) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 8d19988999..99532b4bbf 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -248,7 +248,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_IFF_ILBM: maxpixels /= 4096; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break; - case AV_CODEC_ID_JPEG2000: maxpixels /= 4096; break; + case AV_CODEC_ID_JPEG2000: maxpixels /= 16384; break; case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break; case AV_CODEC_ID_LOCO: maxpixels /= 1024; break; case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break; From ee71ffc8f0dc692cb144a82aada755220cedc30e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Dec 2023 23:07:16 +0100 Subject: [PATCH 229/562] tools/target_dec_fuzzer: Adjust threshold for MV30 Fixes: 60867/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-6381933108527104 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f81602fb3ac5b5ff68a3d5425117c1562371242f) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 99532b4bbf..8adbc0809e 100644 
--- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -261,6 +261,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSS2: maxpixels /= 16384; break; case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; + case AV_CODEC_ID_MV30: maxpixels /= 128; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; From 4e40e893cc1aad403ee03cecd8c4081c95fcef36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 230/562] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index d81ff6f2aa..70a2de1671 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -411,6 +411,7 @@ static int encode_q_branch(SnowEncContext *enc, int level, int x, int y) int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ 
@@ -452,6 +453,11 @@ static int encode_q_branch(SnowEncContext *enc, int level, int x, int y) c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 231/562] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index ca17300c32..aa2680132e 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* 
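Review bot: After the four clamps `c->xmin` can exceed `c->xmax` (and likewise for y) whenever the original window lies entirely outside ±`range`, for example a large `x` that already made `c->xmax` more negative than `-range`; the hunk does not show whether the motion search tolerates an empty window, so either a normalisation such as `if (c->xmin > c->xmax) c->xmin = c->xmax;` (same for y) or a comment stating that the search handles it is needed. The rest of this hunk is garbled in this rendering (the `<<` operators of the P_LEFT comparisons were stripped), so those lines could not be reviewed. `range` itself comes from the previous hunk as `MAX_MV >> (1 + qpel)`; encode_q_branch continues outside both hunks.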
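Review bot: `DESCALE` now converts its operand with `(int)(x)` before adding the rounding constant, and the `MULTIPLY` hunk that follows does the same with `(int)((var) * (unsigned)(const))`; converting an out-of-range unsigned value to `int` is implementation-defined in C11, not undefined, so the fix rests on the two's-complement wrap that GCC and Clang guarantee rather than on the standard. The signed addition `(int)(x) + (1 << ((n) - 1))` can also still overflow if the wrapped value is near INT_MAX, which the `unsigned z1..z5` change in the third hunk does not prevent. A comment on the macro, `/* intermediates wrap as unsigned; the (int) conversion relies on two's-complement targets */`, would document the assumption. All three hunks are macro or declaration changes, so no enclosing function is cut.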
@@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From 806be9f6b6877f53711355a3b83b7ee68a9aa73a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 232/562] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index 91e3452874..ec1ebc8d60 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -35,7 +35,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From d478214f7224a5cb1ca84ce880673767ab2229f7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 233/562] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index d9c500b97d..8f496c62bd 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -89,10 +90,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45)) < 0) + if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45 + maxpal)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -125,6 +127,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From b3e53af1e5df881ab25bf72f19e39599962f869f Mon Sep 17 00:00:00 2001 
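Review bot: The new `av_assert0(32 * pal_bpp <= maxpal)` sits after the palette loop and `out += 32 * pal_bpp`, so it validates the bound only once the bytes have already been written; placing it before the loop that writes the palette would make it a guard rather than a post-mortem. `maxpal` is also a plain `int` local holding the magic `32*32`, which reads better as a named constant, e.g. `#define MAX_PAL_SIZE (32 * 32)` used in both the allocation and the assert, with a comment explaining the two factors. targa_encode_frame continues outside both hunks.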
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 234/562] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index b234f9c6b9..f9ce43dde8 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1221,8 +1221,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1267,8 +1267,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1439,7 +1439,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1472,7 +1472,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From 345ff46a692289c93b74076d545d7c6d2628905b Mon Sep 17 00:00:00 2001 
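Review bot: `abuf0[i] * (1 << 11)` removes the left-shift-of-negative UB but replaces it with ordinary signed multiplication, which is itself undefined once |abuf0[i]| reaches 2^20, so the fix is sound only under an input-range assumption the code does not state; the same holds for the other three hunks of this commit (the second `yuv2rgba64_1_c_template` site and both `yuv2rgba64_full_1_c_template` sites). Either a comment at the first site, `/* assumes |abuf0[i]| < 2^20 after scaling so the multiply cannot overflow int — verify */`, or an unsigned multiply `abuf0[i] * (1U << 11)` in the style of the yuv2rgb_write_full change, would close that gap. Each enclosing function begins outside its hunk.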
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 235/562] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f9ce43dde8..0e6181b3e0 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1925,9 +1925,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From 01af7b97e61184a57b4f55f8b4d93730034fbaa9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 18:38:28 +0200 Subject: [PATCH 236/562] MAINTAINERS: Add Timo Rothenpieler to server admins Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff242d897c4bb0dbff49cb9d7a758ffc5f2a5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 32581643e6..a1599c7b0c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
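Review bot: The `(unsigned)` casts make the R/G/B sums wrap instead of overflowing, and correctness then depends on the `(R | G | B) & 0xC0000000` test two lines below, which only catches wrapped results whose bit 30 or 31 is still set; a true result beyond 2^32 that wraps back below 2^30 would pass unnoticed, so the casts are safe only if the coefficients and inputs are bounded accordingly, which the hunk does not show. A comment on the first cast line, `/* unsigned math: out-of-range sums wrap and are caught by the 0xC0000000 test below (assumes |V*coeff| < 2^31) */`, would explain why the casts are there and why that test must stay directly after them. yuv2rgb_write_full continues outside the hunk.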
@@ -34,8 +34,8 @@ Miscellaneous Areas =================== documentation Stefano Sabatini, Mike Melanson, Timothy Gu, Gyan Doshi -project server day to day operations Árpád Gereöffy, Michael Niedermayer, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov -project server emergencies Árpád Gereöffy, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov +project server day to day operations Árpád Gereöffy, Michael Niedermayer, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov, Timo Rothenpieler +project server emergencies Árpád Gereöffy, Reimar Doeffinger, Alexander Strasser, Nikolay Aleksandrov, Timo Rothenpieler presets Robert Swain metadata subsystem Aurelien Jacobs release management Michael Niedermayer From 2d8a4ca3b19f5734923b31d5a9ff0b7f5b7b63c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 19:35:01 +0200 Subject: [PATCH 237/562] avcodec/vvc/dec: Check ff_init_cabac_decoder() for failure Fixes: signed integer overflow: 1107820800 + 1107820800 cannot be represented in type 'int' Fixes: left shift of 1091059712 by 6 places cannot be represented in type 'int' Fixes: 69910/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5162839971528704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nuo Mi Signed-off-by: Michael Niedermayer (cherry picked from commit 6398242bb2b9bfdef9d7fd4614a3518ffb1fefec) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvcdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/vvc/vvcdec.c b/libavcodec/vvc/vvcdec.c index c29d59a330..46e938bc30 100644 --- a/libavcodec/vvc/vvcdec.c +++ b/libavcodec/vvc/vvcdec.c 
@@ -476,13 +476,14 @@ static int slices_realloc(VVCFrameContext *fc) return 0; } -static void ep_init_cabac_decoder(SliceContext *sc, const int index, +static int ep_init_cabac_decoder(SliceContext *sc, const int index, const H2645NAL *nal, GetBitContext *gb, const CodedBitstreamUnit *unit) { const H266RawSlice *slice = unit->content_ref; const H266RawSliceHeader *rsh = sc->sh.r; EntryPoint *ep = sc->eps + index; int size; + int ret; if (index < rsh->num_entry_points) { int skipped = 0; @@ -499,8 +500,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index, } else { size = get_bits_left(gb) / 8; } - ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size); + ret = ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size); + if (ret < 0) + return ret; skip_bits(gb, size * 8); + return 0; } static int slice_init_entry_points(SliceContext *sc, @@ -536,7 +540,9 @@ static int slice_init_entry_points(SliceContext *sc, fc->tab.slice_idx[rs] = sc->slice_idx; } - ep_init_cabac_decoder(sc, i, nal, &gb, unit); + ret = ep_init_cabac_decoder(sc, i, nal, &gb, unit); + if (ret < 0) + return ret; if (i + 1 < sc->nb_eps) ctu_addr = sh->entry_point_start_ctu[i]; From 2191f4f5d6cc7bfc74f1b94e70b57a4a2e60008b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 238/562] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index d4e5f978f1..4a0c7d5c4d 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c 
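Review bot: ep_init_cabac_decoder now has a return contract that nothing documents: a reader of the signature cannot tell that on failure gb is left unadvanced, which is what the early `return ret` placed before `skip_bits(gb, size * 8)` implies. Add above the signature: `/* Returns 0 on success, or the negative error from ff_init_cabac_decoder(); on failure gb is not advanced. */`. In slice_init_entry_points the new `return ret` leaves whatever the loop set up earlier (e.g. `fc->tab.slice_idx[rs]`) in place; whether the caller cleans that up is not visible here and is worth confirming. slice_init_entry_points starts outside the hunk.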
@@ -306,8 +306,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From 8941956c32fd125e00fb36e7a2b8641fc7d4bf6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 239/562] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c3f3fec550..a4b842ebd6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3683,6 +3683,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From 43dfbdcae5fbd1dd4f7c7146cff7d94385561f42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 22:20:25 +0200 Subject: [PATCH 240/562] fftools/ffmpeg_enc: simplify opaque_ref check Found-while-revieweing: CID1520670 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 97b2ab15de964d9455aa902ab616881f76d2cb67) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffmpeg_enc.c b/fftools/ffmpeg_enc.c index 5f7fcf8a5f..f408a78752 100644 --- a/fftools/ffmpeg_enc.c +++ b/fftools/ffmpeg_enc.c 
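Review bot: On a short or failed read() the new code returns 0, which is indistinguishable from a NUL byte actually typed on stdin and differs from the `return -1` this same function uses for "no key available" in the else branch. A failed or interrupted read (EINTR, EAGAIN, or EOF reported as 0) is closer to "no key", so `return -1;` keeps one convention for callers that test against -1. read_key starts outside the hunk.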
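Review bot: The new overflow guard converts `*edit_list_media_time` to uint64_t, so a negative media time (if -1 is used here for empty edits, as the MOV format allows) becomes a huge unsigned value and the sum only stays below INT64_MAX by wrapping around; the check passes, but by accident, and it has no defined meaning for a negative duration either. Making the sign handling explicit is clearer: `if (*edit_list_media_time >= 0 && *edit_list_duration > INT64_MAX - *edit_list_media_time)`. Whether either value can be negative at this point is not visible; get_edit_list_entry starts outside the hunk.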
@@ -506,7 +506,7 @@ void enc_stats_write(OutputStream *ost, EncStats *es, const FrameData *fd; - if ((frame && frame->opaque_ref) || (pkt && pkt->opaque_ref)) { + if (frame ? frame->opaque_ref : pkt->opaque_ref) { fd = (const FrameData*)(frame ? frame->opaque_ref->data : pkt->opaque_ref->data); tbi = fd->dec.tb; ptsi = fd->dec.pts; From 031c758482d8de979a7905b3c86732af29c0a32d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 22:25:41 +0200 Subject: [PATCH 241/562] fftools/ffmpeg_enc: Initialize fd Fixes: CID1520677 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 462bd44b032c660abb8d450d342adea3aba89e06) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffmpeg_enc.c b/fftools/ffmpeg_enc.c index f408a78752..d80ce7b0c2 100644 --- a/fftools/ffmpeg_enc.c +++ b/fftools/ffmpeg_enc.c @@ -504,7 +504,7 @@ void enc_stats_write(OutputStream *ost, EncStats *es, AVRational tbi = (AVRational){ 0, 1}; int64_t ptsi = INT64_MAX; - const FrameData *fd; + const FrameData *fd = NULL; if (frame ? frame->opaque_ref : pkt->opaque_ref) { fd = (const FrameData*)(frame ? frame->opaque_ref->data : pkt->opaque_ref->data); From 4042d0166075d9883be6301216cb8d93dff69d27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 23:42:33 +0200 Subject: [PATCH 242/562] fftools/ffmpeg_enc: Initialize Decoder Fixes: CID1591439 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 935d9a57120b5b322555af611d3871ce3084bbf1) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffmpeg_enc.c b/fftools/ffmpeg_enc.c index d80ce7b0c2..447f133137 100644 --- a/fftools/ffmpeg_enc.c +++ b/fftools/ffmpeg_enc.c 
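Review bot: The rewritten condition dereferences pkt whenever frame is NULL, so it now relies on the precondition that at least one of frame and pkt is non-NULL, whereas the old form tolerated both being NULL by skipping the block. The line below already made the same assumption, so behaviour is consistent, but the precondition has become invisible; state it with `av_assert0(frame || pkt);` before the check, or a one-line comment. enc_stats_write starts outside the hunk.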
@@ -171,7 +171,7 @@ int enc_open(void *opaque, const AVFrame *frame) InputStream *ist = ost->ist; Encoder *e = ost->enc; AVCodecContext *enc_ctx = ost->enc_ctx; - Decoder *dec; + Decoder *dec = NULL; const AVCodec *enc = enc_ctx->codec; OutputFile *of = ost->file; FrameData *fd; From bd3a6b668144bd0ebd41fa22338b15e8d975c7af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 01:15:16 +0200 Subject: [PATCH 243/562] fftools/ffplay: Check vulkan_params Fixes: CID1550133 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4bca1474157f19cbf80a64f055ecd655060f9f1b) Signed-off-by: Michael Niedermayer --- fftools/ffplay.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 69d0b09a6a..048a4a8704 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -3843,8 +3843,13 @@ int main(int argc, char **argv) if (vk_renderer) { AVDictionary *dict = NULL; - if (vulkan_params) - av_dict_parse_string(&dict, vulkan_params, "=", ":", 0); + if (vulkan_params) { + int ret = av_dict_parse_string(&dict, vulkan_params, "=", ":", 0); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "Failed to parse, %s\n", vulkan_params); + do_exit(NULL); + } + } ret = vk_renderer_create(vk_renderer, window, dict); av_dict_free(&dict); if (ret < 0) { From d304d1ea306bebe4f32894c6a217c2f83f42b3d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 22:33:14 +0200 Subject: [PATCH 244/562] avcodec/cbs_jpeg: Try to move the read entity to one side in a test The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. Fixes: CID1439654 Untrusted pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 385784a148d2886884aac69acc31bf179fac3ac2) 
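Review bot: The `int ret` declared inside the new `if (vulkan_params)` block shadows the function-level ret that `ret = vk_renderer_create(vk_renderer, window, dict);` assigns two lines below; it works, but it trips -Wshadow and reads as if both were the same variable. Dropping the declaration is enough: `ret = av_dict_parse_string(&dict, vulkan_params, "=", ":", 0);`. The log text `"Failed to parse, %s\n"` would also read better naming what failed, e.g. `"Failed to parse vulkan_params: %s\n"`. main starts outside the hunk.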
Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 5921d624a1..f2aa496610 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -145,13 +145,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; From 886045ca87193c36d7835be23e0e8aaa3ec48daf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 245/562] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index cd2ed30117..69cce36bed 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -25,6 +25,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -504,6 +505,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; 
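Review bot: `if (i > frag->data_size - 2)` is only safe when data_size is at least 2 at this point; if data_size is an unsigned type (size_t is usual for such a field) and can be smaller, `data_size - 2` wraps to a huge value, the guard never fires, and `AV_RB16(frag->data + i)` reads past the buffer, a failure mode the old `i + 2 > frag->data_size` form did not have for small i. If an earlier check already guarantees data_size >= 2 (not visible in this hunk), a one-line comment saying so would justify the rewrite; otherwise `if (frag->data_size < 2 || i > frag->data_size - 2)` closes it. The second rewrite, `length > frag->data_size - i`, is fine because the first check has established i <= data_size - 2. cbs_jpeg_split_fragment starts outside the hunk.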
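Review bot: `av_assert0(!s->is_pipe)` aborts in every build, so it turns any path where ts_from_file is set on a piped input into a crash rather than an error return. If the ts_from_file option is only declared for the non-pipe demuxer class (not visible here) the assert is sound, and the trailing comment should say that rather than restate the rule, e.g. `// ts_from_file is only exposed on the file-based demuxer options, so a pipe demuxer cannot reach here`. If the option can be set on a pipe demuxer, return an error instead of asserting. ff_img_read_packet starts outside the hunk.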
From 1056db9bf8ee93c71e66a0ea504c8639cbe7ee79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 01:20:00 +0200 Subject: [PATCH 246/562] avcodec/vvc/dec: Remove constant eos_at_start Fixes: CID1560041 'Constant' variable guards dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d22a33710acb004f90c7454daf8145c3943ecbeb) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvcdec.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/libavcodec/vvc/vvcdec.c b/libavcodec/vvc/vvcdec.c index 46e938bc30..ccb1b59862 100644 --- a/libavcodec/vvc/vvcdec.c +++ b/libavcodec/vvc/vvcdec.c @@ -831,7 +831,6 @@ static int decode_nal_units(VVCContext *s, VVCFrameContext *fc, AVPacket *avpkt) const CodedBitstreamH266Context *h266 = s->cbc->priv_data; CodedBitstreamFragment *frame = &s->current_frame; int ret = 0; - int eos_at_start = 1; s->last_eos = s->eos; s->eos = 0; @@ -847,10 +846,7 @@ static int decode_nal_units(VVCContext *s, VVCFrameContext *fc, AVPacket *avpkt) const CodedBitstreamUnit *unit = frame->units + i; if (unit->type == VVC_EOB_NUT || unit->type == VVC_EOS_NUT) { - if (eos_at_start) - s->last_eos = 1; - else - s->eos = 1; + s->last_eos = 1; } else { ret = decode_nal_unit(s, fc, nal, unit); if (ret < 0) { From 8c378a78c9d2e038ca038895016361a76bd5b76f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 01:17:05 +0200 Subject: [PATCH 247/562] avcodec/vvc/ctu: Remove dead ret check Fixes: CID1560040 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 97ae47f9e928f6163dfbfbe30415c253ae8780bb) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvc_ctu.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/vvc/vvc_ctu.c b/libavcodec/vvc/vvc_ctu.c index e48ffda938..ffd83e4ea0 100644 --- a/libavcodec/vvc/vvc_ctu.c +++ b/libavcodec/vvc/vvc_ctu.c 
@@ -1867,8 +1867,6 @@ static int hls_coding_unit(VVCLocalContext *lc, int x0, int y0, int cb_width, in cu->lfnst_idx = lfnst_idx_decode(lc); cu->mts_idx = mts_idx_decode(lc); set_qp_c(lc); - if (ret < 0) - return ret; } else { ret = skipped_transform_tree_unit(lc); if (ret < 0) From 45b2c1f810d6224395332f6475a6eb15d86146e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 May 2022 01:45:44 +0200 Subject: [PATCH 248/562] avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() Fixes: CID1435168 Signed-off-by: Michael Niedermayer (cherry picked from commit 63ecce9ba87867b21a7cdcd677bb268c0d807db1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_loopfilter.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; From c40b96982d9aa0a57d9e18b2223163e044d0b23e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:18 +0200 Subject: [PATCH 249/562] avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure Fixes: CID1591911 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 86cd7c68bc65df6703391f0cdcdbf7c57d6c4780) Signed-off-by: Michael Niedermayer --- libavcodec/mfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c index 9225692c51..a674a35aa4 100644 --- a/libavcodec/mfenc.c +++ b/libavcodec/mfenc.c @@ -248,7 +248,7 @@ static int mf_sample_to_avpacket(AVCodecContext *avctx, IMFSample *sample, AVPac if ((ret = ff_get_encode_buffer(avctx, avpkt, len, 0)) < 0) return ret; - IMFSample_ConvertToContiguousBuffer(sample, &buffer); + hr = IMFSample_ConvertToContiguousBuffer(sample, &buffer); if (FAILED(hr)) return AVERROR_EXTERNAL; From 266ea4d8403f82a74bab3a4371e096a0de3d618e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 250/562] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index eb98c57b09..dce41e80c6 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1465,7 +1465,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From a4f8bb40e189a3c1997ef533972732bcf5ba892d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:55:46 +0200 Subject: [PATCH 251/562] avformat/mxfenc: resurrects the error print Fixes: CID1524681 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a469e48b6dd8c9dfd0cd7dba7b28d1987168ed8b) 
Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index adc31c1cf4..d4fa2bc5bb 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2605,9 +2605,6 @@ static int mxf_parse_ffv1_frame(AVFormatContext *s, AVStream *st, AVPacket *pkt) ff_build_rac_states(&c, 0.05 * (1LL << 32), 256 - 8); v = get_ffv1_unsigned_symbol(&c, state); av_assert0(v >= 2); - if (v > 4) { - return 0; - } if (v > 4) { av_log(s, AV_LOG_ERROR, "unsupported ffv1 version %d\n", v); return 0; From 624f15e77d69cd3b54277c63965926787a3a1d83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 252/562] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 904a79d9a7..d48f95c456 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -75,6 +75,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 82dcc0fb8e9ed499ceb3f54cece19b756fae4ce5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 253/562] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 4721f01ace..9a6b9b53d8 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -205,6 +205,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From 09806744ccd68602d92bfe581c7196cd169d4f2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 22:44:46 +0200 Subject: [PATCH 254/562] avfilter/avf_showcwt: Check av_parse_video_rate() for failure Fixes: CID1539147 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit aab0c344c5d1d5b1020f87c62da3e523161a660f) Signed-off-by: Michael Niedermayer --- libavfilter/avf_showcwt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/avf_showcwt.c b/libavfilter/avf_showcwt.c index 9436881f2a..c498f0a7bf 100644 --- a/libavfilter/avf_showcwt.c +++ b/libavfilter/avf_showcwt.c @@ -1029,6 +1029,8 @@ static int config_output(AVFilterLink *outlink) s->auto_frame_rate = av_make_q(inlink->sample_rate, s->hop_size); if (strcmp(s->rate_str, "auto")) { ret = av_parse_video_rate(&s->frame_rate, s->rate_str); + if (ret < 0) + return ret; } else { s->frame_rate = s->auto_frame_rate; } From 7e2396e890385b223242c95617c079955d4ac56c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 22:53:14 +0200 Subject: [PATCH 255/562] avfilter/drawutils: Fix depthb computation Fixes: CID1496940 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 34f821e44821804e1954ca6eb38269183978a62c) Signed-off-by: Michael Niedermayer --- libavfilter/drawutils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/drawutils.c b/libavfilter/drawutils.c index 1081938d86..95525d38b4 100644 --- a/libavfilter/drawutils.c +++ b/libavfilter/drawutils.c 
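Review bot: The new check returns AVERROR_INVALIDDATA while the existing failure path a few lines above returns -1 (the `return -1; /* not followed by a data packet */` context line), so ff_rdt_parse_header now mixes two error conventions. Callers testing `< 0` see both, but a caller comparing against -1 would miss the new one; pick one convention for the whole function, most simply `return -1;` here to match its neighbours, or convert the others to AVERROR codes in a follow-up. ff_rdt_parse_header starts outside the hunk.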
@@ -61,6 +61,7 @@ int ff_fill_rgba_map(uint8_t *rgba_map, enum AVPixelFormat pix_fmt) had0 |= pos == 0; rgba_map[i] = pos; + depthb = db; } if (desc->nb_components == 3) From 38f2f4555aff6aca8f142afcbe0e73710713e6c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 256/562] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index 8ff6111bcc..d1ce029b5c 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -287,7 +287,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From 4d00378da8155cf3802a48d0a03577fcdc7eeb09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 257/562] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c 
@@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From ca5ffb7f46b72dda1bfb66956acb6fbfda3a909a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:24:47 +0200 Subject: [PATCH 258/562] avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure Fixes: CID1503078 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a0ea15c7afb8abd823303b9a525cc5e6572f199) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index d6bd77beb3..8ff2fe5973 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c @@ -195,8 +195,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamplesref) av_frame_copy_props(outsamplesref, insamplesref); outsamplesref->format = outlink->format; ret = av_channel_layout_copy(&outsamplesref->ch_layout, &outlink->ch_layout); - if (ret < 0) + if (ret < 0) { + av_frame_free(&outsamplesref); + av_frame_free(&insamplesref); return ret; + } outsamplesref->sample_rate = outlink->sample_rate; if(insamplesref->pts != AV_NOPTS_VALUE) { From adab1e6f0c78225738610e39dbb72de1e1977442 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:58:51 +0200 Subject: [PATCH 259/562] avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds Maybe Helps: CID1503077 Bad bit shift operation Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cef720ab429244ac9e56f48d983d6086e0a227a7) Signed-off-by: Michael Niedermayer --- libavfilter/af_channelsplit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_channelsplit.c b/libavfilter/af_channelsplit.c index f026c74494..92e605e1bf 100644 --- a/libavfilter/af_channelsplit.c +++ b/libavfilter/af_channelsplit.c @@ -22,7 +22,7 @@ * * Split an audio stream into per-channel streams. */ - +#include "libavutil/avassert.h" #include "libavutil/attributes.h" #include "libavutil/channel_layout.h" #include "libavutil/internal.h" @@ -156,6 +156,8 @@ static int filter_frame(AVFilterLink *outlink, AVFrame *buf) enum AVChannel channel = av_channel_layout_channel_from_index(&buf->ch_layout, s->map[i]); int ret; + av_assert1(channel >= 0); + AVFrame *buf_out = av_frame_clone(buf); if (!buf_out) return AVERROR(ENOMEM); From dd3075434ec84c5fca7961152191d178f7f5f337 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:18:53 +0200 Subject: [PATCH 260/562] avfilter/af_mcompand: compute half frequency in double Fixes: CID1422217 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2d0d502ff10378e545a1fe42a9503ab44d19fa67) Signed-off-by: Michael Niedermayer --- libavfilter/af_mcompand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_mcompand.c b/libavfilter/af_mcompand.c index 1267cd9f34..9347f06d87 100644 --- a/libavfilter/af_mcompand.c +++ b/libavfilter/af_mcompand.c 
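Review bot: av_assert1 and av_assert2 compile to nothing unless the build raises the assert level, so `av_assert1(channel >= 0)` here, and the `default: av_assert2(0);` branches in af_afftdn (L231) and `default: av_assert1(0);` in af_afir (L232), leave the uninitialised-variable paths (`mag`, `mag2`, `tx_type`/`iscale`) exactly as before in a normal build. The commit messages say "maybe helps", so this is expected, but if those paths are genuinely unreachable the missing piece is a comment saying why, e.g. `// only planar float/double formats are accepted by query_formats, so no other case exists`, and if they can be reached from user-controlled input an av_assert0 or an explicit error return is needed. Separately, the new `#include "libavutil/avassert.h"` is inserted ahead of attributes.h, breaking the alphabetical include order the neighbouring lines follow. filter_frame starts outside the hunk.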
@@ -417,8 +417,8 @@ static int config_output(AVFilterLink *outlink) } new_nb_items += sscanf(tstr2, "%lf", &s->bands[i].topfreq) == 1; - if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2) { - av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %d.\n", s->bands[i].topfreq, outlink->sample_rate / 2); + if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2.0) { + av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %f.\n", s->bands[i].topfreq, outlink->sample_rate / 2.0); return AVERROR(EINVAL); } From 3c85e12e5afdc3efe5e686312a27f4353567521f Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 22 Oct 2023 19:35:52 +0100 Subject: [PATCH 261/562] cbs_av1: Reject thirty-two zero bits in uvlc code The spec allows at least thirty-two zero bits followed by a one to mean 2^32-1, with no constraint on the number of zeroes. The libaom reference decoder does not match this, instead reading thirty-two zeroes but not the following one to mean 2^32-1. These two interpretations are incompatible and other implementations may follow one or the other. Therefore reject thirty-two zeroes because the intended behaviour is not clear. Signed-off-by: Michael Niedermayer (cherry picked from commit 7110a36ba07f85ca2996d3b99898a4819e72d9bb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index fb82996022..458381f038 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -36,7 +36,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, CBS_TRACE_READ_START(); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); 
@@ -49,10 +49,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - // Note that the spec allows an arbitrarily large number of - // zero bits followed by a one bit in this case, but the - // libaom implementation does not support it. - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " From 9f2917aaf3732d51c8c4ba03aebb84a814d2901a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 262/562] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 34073203d2..04bf7d3fe3 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c 
@@ -118,6 +118,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; From 315766e2902e2052aa35c20866b9cf1c877b69f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 14:53:44 +0200 Subject: [PATCH 263/562] avfilter/af_afftdn: Assert format Maybe helps: CID1515514 Uninitialized scalar variable Maybe helps: CID1515517 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8f9a6c4ea8de3e58f32622424c97203e6ba582c3) Signed-off-by: Michael Niedermayer --- libavfilter/af_afftdn.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/af_afftdn.c b/libavfilter/af_afftdn.c index b3ee6a4222..5c8712daf0 100644 --- a/libavfilter/af_afftdn.c +++ b/libavfilter/af_afftdn.c @@ -20,6 +20,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/channel_layout.h" #include "libavutil/opt.h" @@ -375,6 +376,8 @@ static void process_frame(AVFilterContext *ctx, case AV_SAMPLE_FMT_DBLP: noisy_data[i] = mag = hypot(fft_data_dbl[i].re, fft_data_dbl[i].im); break; + default: + av_assert2(0); } power = mag * mag; @@ -969,6 +972,8 @@ static void sample_noise_block(AudioFFTDeNoiseContext *s, mag2 = fft_out_dbl[n].re * fft_out_dbl[n].re + fft_out_dbl[n].im * fft_out_dbl[n].im; break; + default: + av_assert2(0); } mag2 = fmax(mag2, s->sample_floor); From acd5523b7aa050935aa925cd5b27e696f2bec947 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 10 Jun 2024 14:53:44 +0200 Subject: [PATCH 264/562] avfilter/af_afir: Assert format Maybe helps: CID1516805 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a5c815f937a80d7689bc0f2deb3ac968f2630176) Signed-off-by: Michael Niedermayer --- libavfilter/af_afir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/af_afir.c b/libavfilter/af_afir.c index 6e54a7239d..9df9c28c7b 100644 --- a/libavfilter/af_afir.c +++ b/libavfilter/af_afir.c @@ -25,6 +25,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/cpu.h" #include "libavutil/tx.h" #include "libavutil/avstring.h" @@ -154,6 +155,8 @@ static int init_segment(AVFilterContext *ctx, AudioFIRSegment *seg, int selir, iscale.d = 1.0 / sqrt(2.0 * part_size); tx_type = AV_TX_DOUBLE_RDFT; break; + default: + av_assert1(0); } for (int ch = 0; ch < ctx->inputs[0]->ch_layout.nb_channels && part_size >= 1; ch++) { From 9ca0577c5e4cf1e54466282bd56fcad1793b7e09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 15:18:07 +0200 Subject: [PATCH 265/562] avfilter/af_amerge: Cleanup on av_channel_layout_copy() failure Fixes: CID1503088 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 62d4414d54f57612ac444643a92de7d10455b6c6) Signed-off-by: Michael Niedermayer --- libavfilter/af_amerge.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c index 5daf639e74..26040e5ed5 100644 --- a/libavfilter/af_amerge.c +++ b/libavfilter/af_amerge.c 
@@ -245,8 +245,11 @@ static int try_push_frame(AVFilterContext *ctx, int nb_samples) av_make_q(1, outlink->sample_rate), outlink->time_base); - if ((ret = av_channel_layout_copy(&outbuf->ch_layout, &outlink->ch_layout)) < 0) + if ((ret = av_channel_layout_copy(&outbuf->ch_layout, &outlink->ch_layout)) < 0) { + free_frames(s->nb_inputs, inbuf); + av_frame_free(&outbuf); return ret; + } while (nb_samples) { /* Unroll the most common sample formats: speed +~350% for the loop, From 9b52ca7ca5d4ad9f1062bb991fc3ce3c3c6091a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 16:31:28 +0200 Subject: [PATCH 266/562] swscale/swscale: Use ptrdiff_t for linesize computations This is unlikely to make a difference Fixes: CID1591896 Unintentional integer overflow Fixes: CID1591901 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66b60bae68a3124fb176b0c2d4580f0f76c31dc4) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index fe0e74f871..f08f2ac3b7 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -1172,7 +1172,7 @@ int sws_receive_slice(struct SwsContext *c, unsigned int slice_start, } for (int i = 0; i < FF_ARRAY_ELEMS(dst); i++) { - ptrdiff_t offset = c->frame_dst->linesize[i] * (slice_start >> c->chrDstVSubSample); + ptrdiff_t offset = c->frame_dst->linesize[i] * (ptrdiff_t)(slice_start >> c->chrDstVSubSample); dst[i] = FF_PTR_ADD(c->frame_dst->data[i], offset); } 
@@ -1233,7 +1233,7 @@ void ff_sws_slice_worker(void *priv, int jobnr, int threadnr, for (int i = 0; i < FF_ARRAY_ELEMS(dst) && parent->frame_dst->data[i]; i++) { const int vshift = (i == 1 || i == 2) ? c->chrDstVSubSample : 0; const ptrdiff_t offset = parent->frame_dst->linesize[i] * - ((slice_start + parent->dst_slice_start) >> vshift); + (ptrdiff_t)((slice_start + parent->dst_slice_start) >> vshift); dst[i] = parent->frame_dst->data[i] + offset; } From b2da9efb71bada90ff28382cc1d43708bea79a6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:46 +0200 Subject: [PATCH 267/562] avfilter/af_aderivative: Free out on error Fixes: CID1197065 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 382e9e79f3a0011d93af4b11ca6ba6b85113a09a) Signed-off-by: Michael Niedermayer --- libavfilter/af_aderivative.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index eeaa23ff88..4883972dcf 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -126,6 +126,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } From 6cf8d4ea3dd5e4fad27f351369368a61e7af6e4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 268/562] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c 
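Review bot: In the ff_sws_slice_worker hunk the cast is applied only after `slice_start + parent->dst_slice_start` has been summed and shifted in int, so the addition itself still happens in 32-bit arithmetic and the widening only affects the final multiply; if the aim is to silence the overflow report on this expression, cast an operand instead: `((ptrdiff_t)slice_start + parent->dst_slice_start) >> vshift`. In practice slice positions are presumably bounded by the frame height, so this is about making the intent of the cast unambiguous rather than a live overflow. The enclosing loop starts outside the hunk.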
@@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) 
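Review bot: send_picture now returns AVERROR(EINVAL) for a unit shorter than DIRAC_PIC_NR_SIZE, but its caller in the next hunk, ff_rtp_send_vc2hq, still invokes it as a bare statement, so the new return value is discarded and a truncated picture unit is skipped silently. ff_rtp_send_vc2hq is void, so the least that should happen is a diagnostic at the call site, e.g. `if (send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced) < 0) av_log(ctx, AV_LOG_WARNING, "Dropping truncated VC-2 HQ picture unit\n");`. The fragment loop between the two hunks, which reads further into `buf`, is not visible here, so whether it needs its own length checks cannot be judged from this patch.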
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From 2f0fe13450a55e3364dceadf6ea19c84aa90636d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 269/562] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 9a20481f21..2a555bbc4d 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1428,7 +1428,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) 
From 75c8afab033ec92ac1dbea5db5133a0fff9e9cf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 270/562] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 2a555bbc4d..3ff26d0010 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1461,6 +1461,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[MAX_URL_SIZE]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From 6b1e91a52c2a4f05b3e866bd03439deec7946be5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 271/562] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 3ff26d0010..caf7fcd2d2 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
@@ -1577,7 +1577,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From a7beed1a117cf135a949d465a23fd55a43fbbfd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:45:32 +0200 Subject: [PATCH 272/562] avformat/subfile: Merge if into switch() Found while reviewing CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0a7d964bfd5da8859c715627eeb7a048bddb79) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 633a9e3c62..eedac1524e 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -123,9 +123,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; From b2f7532ac7c8938dcef289549e976476bbec2e0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 273/562] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index eedac1524e..be48ef72ef 100644 
--- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "url.h" @@ -135,6 +136,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From a88516b6f716f7daa02b1e16c865645261874247 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 274/562] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index d4959f75fa..bbeb8a81f2 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -388,7 +388,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 6b76648dc0342da20bceaf2f94cd42b4bda1b870 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:42:01 +0200 Subject: [PATCH 275/562] avformat/usmdec: Initialize value Fixes: CID1551685 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 06191386396344ee1906c6016b7d94ee8754fd61) Signed-off-by: Michael Niedermayer --- libavformat/usmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
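Review bot: `default: av_assert0(0);` in subfile_seek aborts the whole process and, unlike av_assert1/av_assert2, stays active in release builds, yet `whence` is a caller-supplied argument of a protocol seek callback and the function already answers bad positions with `return AVERROR(EINVAL);` two lines below; `default: return AVERROR(EINVAL);` is the consistent response and also satisfies Coverity because `new_pos` is then never read on that path. If the generic I/O layer can ever pass extra flag bits ORed into `whence` (I cannot confirm that from this patch), the assert would turn an odd request into a crash. subfile_seek begins outside the hunk.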
diff --git a/libavformat/usmdec.c b/libavformat/usmdec.c index 0c4e8d41be..5a57c59ea0 100644 --- a/libavformat/usmdec.c +++ b/libavformat/usmdec.c @@ -119,7 +119,7 @@ static int parse_utf(AVFormatContext *s, AVIOContext *pb, for (int i = 0; i < nb_items; i++) { GetByteContext *xgb; uint8_t key[256]; - int64_t value; + int64_t value = -1; int n = 0; type = bytestream2_get_byte(&gb); From f3505e4d29c175d2654abc326400394f86ad3d47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2024 01:47:33 +0200 Subject: [PATCH 276/562] doc/examples/vaapi_encode: Try to check fwrite() for failure Fixes: CID1604548 Unused value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 3e4bfff21192aed328c906c85424737128b108f1) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_encode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/examples/vaapi_encode.c b/doc/examples/vaapi_encode.c index d5f472f6dd..ff3ebb1e2b 100644 --- a/doc/examples/vaapi_encode.c +++ b/doc/examples/vaapi_encode.c @@ -88,6 +88,10 @@ static int encode_write(AVCodecContext *avctx, AVFrame *frame, FILE *fout) enc_pkt->stream_index = 0; ret = fwrite(enc_pkt->data, enc_pkt->size, 1, fout); av_packet_unref(enc_pkt); + if (ret != enc_pkt->size) { + ret = AVERROR(errno); + break; + } } end: From dad5fcb33ddba7248ea912053099a376372dc106 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:26 +0200 Subject: [PATCH 277/562] avcodec/vvc/refs: Use unsigned mask Not a bugfix, but might fix CID1604361 Overflowed constant Sponsored-by: Sovereign Tech Fund Reviewed-by: Nuo Mi Signed-off-by: Michael Niedermayer (cherry picked from commit eb552ecd543ad656c40849c6b2bcaf5fd667c9b9) Signed-off-by: Michael Niedermayer --- libavcodec/vvc/vvc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vvc/vvc_refs.c b/libavcodec/vvc/vvc_refs.c index 336705c620..893048454b 100644 
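Review bot: The new check in encode_write is taken on every successful write: `fwrite(enc_pkt->data, enc_pkt->size, 1, fout)` returns the number of items written, i.e. 1, not a byte count, and `enc_pkt->size` is read after `av_packet_unref(enc_pkt)` has reset it to 0, so `ret != enc_pkt->size` compares 1 against 0, sets `ret = AVERROR(errno)` with errno most likely still 0, and breaks out of the loop after the first packet. Write the packet as `size` one-byte items and test the count before unreferencing the packet; a short write can leave errno untouched, so fall back to EIO in that case. The receive loop and the `end:` label that post-process `ret` are outside the hunk.
```c
        enc_pkt->stream_index = 0;
        ret = fwrite(enc_pkt->data, 1, enc_pkt->size, fout);
        if (ret != enc_pkt->size) {
            /* short write: errno may be untouched, so do not report success */
            ret = AVERROR(errno ? errno : EIO);
            av_packet_unref(enc_pkt);
            break;
        }
        av_packet_unref(enc_pkt);
```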
--- a/libavcodec/vvc/vvc_refs.c +++ b/libavcodec/vvc/vvc_refs.c @@ -295,7 +295,7 @@ void ff_vvc_bump_frame(VVCContext *s, VVCFrameContext *fc) static VVCFrame *find_ref_idx(VVCContext *s, VVCFrameContext *fc, int poc, uint8_t use_msb) { - const int mask = use_msb ? ~0 : fc->ps.sps->max_pic_order_cnt_lsb - 1; + const unsigned mask = use_msb ? ~0 : fc->ps.sps->max_pic_order_cnt_lsb - 1; for (int i = 0; i < FF_ARRAY_ELEMS(fc->DPB); i++) { VVCFrame *ref = &fc->DPB[i]; From 6f452f4ea0580ce79def9907d9a7a800900ef423 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 278/562] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index e30c8fc238..6b8a7e0acf 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -201,7 +201,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From 19631babab2853d5a1068e063d2b0cf25ba63d49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:42 +0200 Subject: [PATCH 279/562] avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error Fixes: CID1598558 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit cf22f944d55c8eb0119fb20354a625f8c41eb11f) 
Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 6b8a7e0acf..553428e67f 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -189,6 +189,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te sizeof(*frames_hwctx->texture_infos)); if (!frames_hwctx->texture_infos) { ID3D11Texture2D_Release(tex); + av_free(desc); return NULL; } s->nb_surfaces = s->nb_surfaces_used + 1; From d7912a6d4a4f318e4ed82ae13febb3ec1c4d36a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 280/562] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 77f34919a8..377bf6eb7f 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -146,7 +146,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, size_t size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 740fb498e11181740592493ff4f3235757defd76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:44 +0200 Subject: [PATCH 281/562] avutil/wchar_filename: Correct sizeof Fixes: CID1591930 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme 
Signed-off-by: Michael Niedermayer (cherry picked from commit e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367) Signed-off-by: Michael Niedermayer --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 868a30b532..23cc92aa2d 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -57,7 +57,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = (char*)av_malloc_array(num_chars, sizeof *filename); + *filename = av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; From 594c2086faacc12373eb74d2f6683d72c46f05a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 282/562] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 2e75aba2a6..70e1b4d4b2 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -267,9 +267,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From a0988dae8e4eafac9bfcf8f02a287644f4a7204b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 283/562] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index a602bf6a96..905469c14f 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -441,7 +441,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; 
@@ -466,13 +465,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From b93e62052f6deee025b1e30c9556aaff821d8f3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:12:08 +0200 Subject: [PATCH 284/562] avformat/rtmpproto: Use AV_DICT_MATCH_CASE instead of litteral number Found by reviewing: CID1530166 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 38c2e6a2c7c993d2076984de4ddd9776259397db) Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 4b01b67d28..871d97e8a9 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2667,7 +2667,7 @@ static int rtmp_open(URLContext *s, const char *uri, int flags, AVDictionary **o } if (!strcmp(proto, "rtmpt") || !strcmp(proto, "rtmpts")) { if (!strcmp(proto, "rtmpts")) - av_dict_set(opts, "ffrtmphttp_tls", "1", 1); + av_dict_set(opts, "ffrtmphttp_tls", "1", AV_DICT_MATCH_CASE); /* open the http tunneling connection */ ff_url_join(buf, sizeof(buf), "ffrtmphttp", NULL, hostname, port, NULL); From 3b70bc4bd6b6dd0af931f6e0d51fd276f752aad2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 00:13:59 +0200 Subject: [PATCH 285/562] avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset Found while reviewing: CID1494441 Untrusted value as argument Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit f13ae632591b043cb69b66de01e8b178037cdd0e) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_rfc4175.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_rfc4175.c b/libavformat/rtpenc_rfc4175.c index 257d072cd3..2120274f01 100644 --- a/libavformat/rtpenc_rfc4175.c +++ b/libavformat/rtpenc_rfc4175.c @@ -116,7 +116,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, int l_field; int l_line; int l_off; - int copy_offset; + int64_t copy_offset; length = (headers[0] << 8) | headers[1]; l_field = (headers[2] & 0x80) >> 7; @@ -127,7 +127,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, if (interlaced) l_line = 2 * l_line + l_field; - copy_offset = (l_line * width + l_off) * pgroup / xinc; + copy_offset = (l_line * (int64_t)width + l_off) * pgroup / xinc; if (copy_offset + length > size) break; memcpy (dest, buf + copy_offset, length); From eebdb93d94fb79fb4a17104ee45c6c27e768505f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 286/562] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 90cc87e388..9d9f705ce4 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c 
@@ -342,7 +342,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From f07a35b5e5b0501123885b5dbe92e1d4c6b918cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:00:04 +0200 Subject: [PATCH 287/562] doc/examples/mux: remove nop Found through code review related to CID1604493 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e6c0c5731e85f00b5840d9a7d14e38cc3e07d5bc) Signed-off-by: Michael Niedermayer --- doc/examples/mux.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/examples/mux.c b/doc/examples/mux.c index b034aad56f..0f3a2bb125 100644 --- a/doc/examples/mux.c +++ b/doc/examples/mux.c @@ -347,8 +347,7 @@ static int write_audio_frame(AVFormatContext *oc, OutputStream *ost) if (frame) { /* convert samples from native format to destination codec format, using the resampler */ /* compute destination number of samples */ - dst_nb_samples = av_rescale_rnd(swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples, - c->sample_rate, c->sample_rate, AV_ROUND_UP); + dst_nb_samples = swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples; av_assert0(dst_nb_samples == frame->nb_samples); /* when we pass a frame to the encoder, it may keep a reference to it From 62a772263ecc08b47b67c2be47a4cfa1140592a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:50:07 +0200 Subject: [PATCH 288/562] avfilter/vf_tiltandshift: Free dst on error Fixes: CID1559901 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Vittorio Giovara 
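Review bot: Only the parameter type of get_alpha_data changes to `uint16_t *blocks`, and the diffstat confirms a single changed line, so the caller still passes whatever pointer it passed before; if that is an `int16_t *` (the context struct is not visible here) the call now has a pointer-signedness mismatch that is only hidden by the project's -Wno-pointer-sign. An explicit cast at the call site, e.g. `(uint16_t *)ctx->blocks[0]`, or changing the caller's type would make the "alpha is handled unsigned" intent visible instead of implicit. The body of get_alpha_data, where the shift that produced the UBSan report lives, is outside the hunk.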
Signed-off-by: Michael Niedermayer (cherry picked from commit 20e59af07e5e9a73cb3227355fe0a78afffdfe45) Signed-off-by: Michael Niedermayer --- libavfilter/vf_tiltandshift.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_tiltandshift.c b/libavfilter/vf_tiltandshift.c index b31d088d11..0149cd44d5 100644 --- a/libavfilter/vf_tiltandshift.c +++ b/libavfilter/vf_tiltandshift.c @@ -239,8 +239,10 @@ static int output_frame(AVFilterLink *outlink) // set correct timestamps and props as long as there is proper input ret = av_frame_copy_props(dst, s->input); - if (ret < 0) + if (ret < 0) { + av_frame_free(&dst); return ret; + } // discard frame at the top of the list since it has been fully processed list_remove_head(s); From 5f59b54041a8ebb1e6ffc2b139e860556a6c3512 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 289/562] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 1e15f7c920..b5413aa419 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -298,7 +298,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } From 72b087cf0d7ca6dd850cb8b4a705e235fbb42796 Mon Sep 17 00:00:00 2001 
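Review bot: The imgutils guard `w > INT32_MAX || h > INT32_MAX` admits at most 2^31-1, i.e. what fits a signed int, which is stricter than the "fit in 32bit" wording of the commit message; a one-line comment would keep a future reader from loosening it to UINT32_MAX, e.g. `/* dimensions must fit a signed 32-bit int: callers store width/height as int */`. The `h + 128ULL` change correctly moves the whole product to unsigned 64-bit arithmetic, so nothing else in the hunk needs changing.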
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 290/562] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index f86b7c58e7..b804a90298 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -59,6 +59,7 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -73,8 +74,14 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From d6efa604a2a2d9adc6a72d9b209b5ee8475f8a54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:43 +0200 Subject: [PATCH 291/562] avcodec/cri: Check length Fixes: CID1604394 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 69dcd123f19acf851f85166159a3719565813fd0) 
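Review bot: The new error path in xsubdec returns a bare `-1` where libavcodec decoders conventionally report malformed input as `return AVERROR_INVALIDDATA;`, which also keeps callers that test for specific AVERROR codes working. The comparison against the uint32_t fields additionally rejects any negative value the int64_t intermediates may carry, which appears intended since a display time cannot be negative, but a short comment would make that explicit: `/* AVSubtitle stores display times as uint32_t; reject negative or oversized values */`. parse_timecode itself is outside the hunk, so I cannot confirm what range it produces.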
Signed-off-by: Michael Niedermayer --- libavcodec/cri.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cri.c b/libavcodec/cri.c index 990e52ac99..7297c0350f 100644 --- a/libavcodec/cri.c +++ b/libavcodec/cri.c @@ -234,10 +234,14 @@ static int cri_decode_frame(AVCodecContext *avctx, AVFrame *p, s->data_size = length; goto skip; case 105: + if (length <= 0) + return AVERROR_INVALIDDATA; hflip = bytestream2_get_byte(gb) != 0; length--; goto skip; case 106: + if (length <= 0) + return AVERROR_INVALIDDATA; vflip = bytestream2_get_byte(gb) != 0; length--; goto skip; From f66256651bc88b02357522c108b482d07ef2143f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:44 +0200 Subject: [PATCH 292/562] avcodec/dxv: Fix type in get_opcodes() Found by code review related to CID1604386 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5af1c6e91e86b184101ef2abb49178ff409703b) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index b5553a0c86..e3107414c8 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -240,7 +240,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; From da5d4377576752bbf4885c19e5e7de3533e7e1e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 293/562] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 164c2583b6..9f60fe0397 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -424,6 +424,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +537,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From 01458ce44631bb1ab2aa61200c7775ed63bc78c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 294/562] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 9f60fe0397..742334978d 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From 76cabac818fbeb80beb375b7639558412950c0c2 Mon Sep 17 00:00:00 2001 
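Review bot: `av_assert2(log >= k)` in get_ur_golomb is compiled in only at --assert-level=2, so in a default build a caller passing k larger than log still reaches `buf >>= log - k` with a negative shift count, which is undefined behaviour. If k is always derived from trusted, bounded state this is fine as documentation, but if any decoder feeds it a value parsed from the bitstream the guard needs to be a real check that returns an error, or the caller must clamp k first. A comment on the assert, `/* callers must keep k <= log; a negative shift here is UB */`, records the contract either way. get_ur_golomb's body continues outside the hunk.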
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 295/562] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index faf4e21c42..32d771b887 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -522,7 +522,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -530,7 +530,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From 4da94437350f22a76181a600df8c404d29e4a977 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:49 +0200 Subject: [PATCH 296/562] avcodec/imm4: check cbphi for error Fixes: CID1604356 Overflowed constant Fixes: CID1604573 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6e4c037833c3ca0e0bd3e348701c4c0dc58bed91) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index 656fc9c05f..ef7e692b84 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c 
@@ -219,12 +219,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab, CBPLO_VLC_BITS, 1); flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) @@ -272,7 +275,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -298,6 +302,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) From 31bc90cd2f92bad233bd861f6f824683c494b1a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:50 +0200 Subject: [PATCH 297/562] avcodec/leaddec: Check init_get_bits8() for failure Fixes: CID1604416 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0e3e7e8aeb4448a355979ddec87b0e1676ca9f15) Signed-off-by: Michael Niedermayer --- libavcodec/leaddec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/leaddec.c b/libavcodec/leaddec.c index f7d31681b8..a6f6c3cc87 100644 --- a/libavcodec/leaddec.c +++ b/libavcodec/leaddec.c 
@@ -196,7 +196,9 @@ static int lead_decode_frame(AVCodecContext *avctx, AVFrame * frame, i++; } - init_get_bits8(&gb, s->bitstream_buf, size); + ret = init_get_bits8(&gb, s->bitstream_buf, size); + if (ret < 0) + return ret; if (avctx->pix_fmt == AV_PIX_FMT_YUV420P && zero) { for (int mb_y = 0; mb_y < avctx->height / 8; mb_y++) From 66f42ad1d5ac82e7b4e35bac62c7d51c3298382c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 298/562] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 3d11823284..65168d52be 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -92,10 +92,15 @@ static inline int loco_get_rice(RICEContext *r) if (get_bits_left(&r->gb) < 1) return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From ecfdecabfb704353d0f4ea1ec94e6e2db9ace3b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 299/562] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 65168d52be..8cc270acbb 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -157,6 +157,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { From d3d97983128dff79ce30495561fdde4732a51bb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:54 +0200 Subject: [PATCH 300/562] avcodec/mlpenc: Use 64 for ml, mr Fixes: CID1604429 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 06f01d9fa0ecfa7dd785b3dfe2957999472930b2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/mlpenc.c b/libavcodec/mlpenc.c index 67e0e109aa..06670de456 100644 --- a/libavcodec/mlpenc.c +++ b/libavcodec/mlpenc.c @@ -1414,7 +1414,8 @@ static int estimate_coeff(MLPEncodeContext *ctx, MLPSubstream *s, int32_t maxl = INT32_MIN, maxr = INT32_MIN, minl = INT32_MAX, minr = INT32_MAX; int64_t summ = 0, sums = 0, suml = 0, sumr = 0, enl = 0, enr = 0; const int shift = 14 - ctx->rematrix_precision; - int32_t cf0, cf1, e[4], d[4], ml, mr; + int32_t cf0, cf1, e[4], d[4]; + int64_t ml, mr; int i, count = 0; for (int j = 0; j <= ctx->cur_restart_interval; j++) { @@ -1447,8 +1448,8 @@ static int estimate_coeff(MLPEncodeContext *ctx, MLPSubstream *s, summ -= FFABS(suml + sumr); sums -= FFABS(suml - sumr); - ml = maxl - minl; - mr = maxr - minr; + ml = maxl - (int64_t)minl; + mr = maxr - (int64_t)minr; if (!summ && !sums) return 0; From 8982bf0d84e42effb7754e4c21af9a231ab49efe Mon Sep 17 00:00:00 2001 
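Review bot: Only the first loco_get_rice() call in loco_decode_plane is checked for INT_MIN; the "restore top line" loop that begins at the end of the hunk (and continues outside it) presumably calls the same helper, and a truncated stream will return INT_MIN from those calls just as readily. Each later `val = loco_get_rice(&rc);` in this function should get the same `if (val == INT_MIN) return AVERROR_INVALIDDATA;` guard, otherwise the `128 + val` style arithmetic after it still operates on the sentinel. If the loop already bails out through some other mechanism, a comment next to this check saying so would spare the next reader the same question.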
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 301/562] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer
---
 libavcodec/motion_est.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index df9d1befa8..2091acbbec 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1446,7 +1446,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y)
 s->b_direct_mv_table[mot_xy][0]= 0;
 s->b_direct_mv_table[mot_xy][1]= 0;
- return 256*256*256*64;
+ return 256*256*256*64-1;
 }
 c->xmin= xmin;
From 64c26cd18aa5af6b787019f70c13274db7bc987e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 302/562] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer
---
 libavcodec/pixlet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c
index 6e925308b8..914f0636bc 100644
--- a/libavcodec/pixlet.c
+++ b/libavcodec/pixlet.c
@@ -230,8 +230,8 @@ static int read_high_coeffs(AVCodecContext *avctx, const uint8_t *src, int16_t *
 if (cnt1 >= length) {
 cnt1 = get_bits(bc, nbits);
 } else {
- pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14));
- if (pfx < 1 || pfx > 25)
+ pfx = FFMIN(value, 14);
+ if (pfx < 1)
 return AVERROR_INVALIDDATA;
 cnt1 *= (1 << pfx) - 1;
 shbits = show_bits(bc, pfx);
From 7669cc2b8bc2f31fcf710437cb8d90b38ab86594 Mon Sep 17 00:00:00 2001
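Review bot: `256*256*256*64-1` in direct_search is a magic sentinel whose trailing `-1` is the entire fix, and nothing at the return site says why the value must stay strictly below 1<<30. A comment such as `/* keep the sentinel below 1<<30 so squaring it later cannot overflow (CID1604552) */` would stop the next cleanup from "simplifying" it back. The squaring site itself is not in the hunk, so the exact bound is inferred from the commit message and should be confirmed there.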
From: Michael Niedermayer Date: Fri, 21 Jun 2024 21:35:48 +0200 Subject: [PATCH 303/562] avcodec/osq: avoid signed overflow in downsample path Fixes: signed integer overflow: 865309950 * 256 cannot be represented in type 'int' Fixes: 69191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6310214413385728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed34b0c54ebdce7f741d9fb6a9ac11a1816df59c) Signed-off-by: Michael Niedermayer
---
 libavcodec/osq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index 650cfcd98c..fa4aeee35e 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -320,7 +320,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
 cb->prev = prev;
 if (downsample)
- dst[n] *= 256;
+ dst[n] *= 256U;
 dst[E] = dst[D];
 dst[D] = dst[C];
From 386e7ac113214554c76a8f71e8359f426a198d08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 304/562] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer
---
 libavcodec/flac_parser.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
index bd91cc1a05..99460e7ea6 100644
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
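Review bot: `dst[n] *= 256U;` in do_decode silences the sanitizer by doing the multiply in unsigned, but the result is stored back into dst[n], which is presumably a signed element type, so an out-of-range sample now wraps silently instead of being rejected. That is a deliberate choice and should be stated in place, e.g. `/* 256U: wrap on overflow instead of UB; the result is truncated back to the element type */`, so a later reader does not mistake the suffix for a typo. If samples this large only occur in corrupt input, a range check before the multiply would be the stricter alternative.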
@@ -519,6 +519,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From 11ecd11ee530b8b731db8d4757e0324a9ea30ac9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 305/562] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index 4642ac077c..2122c84626 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -135,7 +135,7 @@ long WINAPI ff_dshow_filter_JoinFilterGraph(DShowFilter *this, IFilterGraph *gra this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } From 3d37e3aa9b401b891d2edbe8029b2c9e07b8866c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:26 +0200 Subject: [PATCH 306/562] avdevice/dshow: Cleanup also on av_log case Fixes: CID1598550 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 25f9211bdd61641cb8739efcb45bf31b46557178) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index dce41e80c6..4d587c936f 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
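Review bot: `av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS)` in check_header_mismatch is compiled into every build and aborts the process, so if the loop above it can legitimately run FLAC_MAX_SEQUENTIAL_HEADERS steps without reaching child on a crafted stream, this turns an out-of-bounds read into a guaranteed crash on untrusted input. If the list invariant really guarantees that child is found, the assert is appropriate and a comment stating that invariant would help; if not, the function should return an error or treat the header as penalized instead. Whether the invariant holds depends on the callers, which are outside the hunk.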
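Review bot: `wcscpy_s()` in ff_dshow_filter_JoinFilterGraph is called without checking its return, and with the MSVC CRT a name longer than achName invokes the invalid-parameter handler, which by default terminates the process, so an over-long filter name becomes a crash rather than a truncated copy. If truncation is acceptable, a bounded copy with explicit termination avoids the handler entirely: `wcsncpy(this->info.achName, name, FF_ARRAY_ELEMS(this->info.achName) - 1); this->info.achName[FF_ARRAY_ELEMS(this->info.achName) - 1] = 0;` (assuming FF_ARRAY_ELEMS is in scope here as elsewhere in FFmpeg); otherwise check the return value and fail the call. FF_ARRAY_ELEMS would also read better than the sizeof division in the current line.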
@@ -1001,7 +1001,7 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype, " ch=%2u, bits=%2u, rate=%6lu\n", fx->nChannels, fx->wBitsPerSample, fx->nSamplesPerSec ); - continue; + goto next; } if ( (requested_sample_rate && requested_sample_rate != fx->nSamplesPerSec) || From 365c58cfabf68492f5f9a51c20a9296b9f7bb91f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 307/562] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 4d587c936f..5caf282aea 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1373,7 +1373,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From 04abb63b7cc9e9d80536d0dc45461ee49ffbc656 Mon Sep 17 00:00:00 2001 
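Review bot: The guard in dshow_open_device now admits a NULL device_filter_unique_name, but the av_log() on the very next line still passes it to `%s`, which is undefined behaviour for a NULL pointer even though common C runtimes print "(null)". Either log a placeholder, `device_filter_unique_name ? device_filter_unique_name : "(unnamed)"`, or drop the name from that message. A comment is also warranted that a missing unique name is deliberately treated as "same device", because reusing the other device type's capture filter for an unidentified device is a semantic decision, not just a null-safety fix.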
From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:27 +0200 Subject: [PATCH 308/562] avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure Maybe Fixes: CID1598557 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2e72708831ca0cc76f72368676a8ccf624a2fe) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 5caf282aea..4581f9405c 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1546,7 +1546,10 @@ dshow_add_device(AVFormatContext *avctx, ctx->capture_filter[devtype]->stream_index = st->index; - ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type); + if (ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type) != S_OK) { + ret = AVERROR(EIO); + goto error; + } fmt_info = dshow_get_format_info(&type); if (!fmt_info) { ret = AVERROR(EIO); From 45a91d998f5789e4e38c2d8be4ed02b765a3ff69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:22 +0200 Subject: [PATCH 309/562] avdevice/dshow: Remove NULL check on pin The pointer is used before the check Fixes: CID1591884 Dereference before null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 989e11acb65e640d336d0d911e958a6008311a9d) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 4581f9405c..403e56fe13 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -432,8 +432,8 @@ dshow_get_device_media_types(AVFormatContext *avctx, enum dshowDeviceType devtyp IEnumMediaTypes_Release(types); if (p) IKsPropertySet_Release(p); - if (pin) - IPin_Release(pin); + + IPin_Release(pin); } IEnumPins_Release(pins); 
From 2e442aa82073971490bd4ecf9201fe3b33e9a725 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:10 +0200 Subject: [PATCH 310/562] avfilter/vf_bm3d: Dont round MSE2SSE to an integer Fixes: CID1439581 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ec18ec9fc1080c37a02f3709afda5c4b08d4ea89) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bm3d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index 17d39ee7cf..11d373c643 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -273,7 +273,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int index = sc->nb_match_blocks; From 333a623915b9327c33b37a8aabc5ea6aab770e82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:11 +0200 Subject: [PATCH 311/562] avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters Helps with: CID1439572 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19a5a8997c93d72d6fe169c42a2a04ad4bb6e03a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_convolution_opencl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_convolution_opencl.c b/libavfilter/vf_convolution_opencl.c index 0eff9f40d3..40938436f2 100644 --- a/libavfilter/vf_convolution_opencl.c +++ b/libavfilter/vf_convolution_opencl.c 
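Review bot: The cast added in do_block_matching_multi is applied after `s->max * s->max` has already been evaluated in integer arithmetic, so for 16-bit formats (max = 65535) the product overflows before anything is converted; the cast has to sit on an operand, `(double)s->max * s->max`. The numerator has the same shape, `s->group_size * s->block_size * s->block_size * src_range * src_range` is entirely integer multiplication and src_range squared alone overflows int for a 16-bit range, so it should start with a double operand as well: `double MSE2SSE = (double)s->group_size * s->block_size * s->block_size * src_range * src_range / ((double)s->max * s->max);`. I am assuming max and src_range are int-sized; their declarations are outside the hunk.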
@@ -20,6 +20,7 @@ #include "config_components.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/mem.h" @@ -80,6 +81,8 @@ static int convolution_opencl_init(AVFilterContext *avctx) kernel_name = "prewitt_global"; } else if (!strcmp(avctx->filter->name, "roberts_opencl")){ kernel_name = "roberts_global"; + } else { + av_assert0(0); } ctx->kernel = clCreateKernel(ctx->ocf.program, kernel_name, &cle); CL_FAIL_ON_ERROR(AVERROR(EIO), "Failed to create " From 3e0da83058bc6d295169f8c9bcfd5c0bed3063c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:24 +0200 Subject: [PATCH 312/562] avcodec/tiff: Check value on positive signed targets Fixes: CID1604593 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66d6b8033b4bf8e9b33f26729c4ab9f9b328c5a2) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index ee3aba3e86..bfa345b3d8 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1297,9 +1297,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->is_thumbnail = (value != 0); break; case TIFF_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->width = value; break; case TIFF_HEIGHT: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->height = value; break; case TIFF_BPP: @@ -1431,12 +1435,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->tile_byte_counts_offset = off; break; case TIFF_TILE_LENGTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_length = value; break; case TIFF_TILE_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_width = value; break; case TIFF_PREDICTOR: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->predictor = value; break; case TIFF_SUB_IFDS: 
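Review bot: The same `if (value > INT_MAX) return AVERROR_INVALIDDATA;` guard is now repeated in front of five int assignments in tiff_decode_tag (and two more in the next hunk), which is easy to forget when the next tag is added. A small helper or macro that checks and stores in one place, e.g. `#define SET_INT_TAG(dst) do { if (value > INT_MAX) return AVERROR_INVALIDDATA; (dst) = value; } while (0)`, in the style of the existing ADD_METADATA macro, keeps the rule in one spot. value's declaration is outside the hunk; the guard only makes sense if it is wider than int, which is worth a comment at that declaration.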
@@ -1581,12 +1591,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } break; case TIFF_T4OPTIONS: - if (s->compr == TIFF_G3) + if (s->compr == TIFF_G3) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; case TIFF_T6OPTIONS: - if (s->compr == TIFF_G4) + if (s->compr == TIFF_G4) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; #define ADD_METADATA(count, name, sep)\ if ((ret = add_metadata(count, type, name, sep, s, frame)) < 0) {\ From 7c7624d2b72130f2a5b57f7ee3ef6d5c8924ca6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:27 +0200 Subject: [PATCH 313/562] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() Untested, needs review Fixes: CID1591856 Resource leak Fixes: CID1591887 Resource leak Fixes: CID1591874 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348968e9f7d8abb743a5dfca8e522ae0cf1ddc8b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_capture.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/dshow_capture.h b/libavdevice/dshow_capture.h index 81e684b9be..bb39d4947a 100644 --- a/libavdevice/dshow_capture.h +++ b/libavdevice/dshow_capture.h 
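Review bot: The reordered allocations in ff_dshow_##prefix##_Create now reach the `fail` label (outside the hunk) in two new states, `this == NULL` and `this != NULL` with `this->vtbl == NULL`, and since the commit itself says it is untested, the fail path must be confirmed to tolerate both: it must not dereference this, and its release of this->vtbl must accept NULL. The dshowdebug call on the line before the check prints this before it is validated, which is harmless for a `%p` but reads oddly; moving it after `if (!this)` would be clearer. A comment at the fail label noting that vtbl may be NULL would close the loop for the next reader.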
@@ -124,14 +124,15 @@ void ff_dshow_##prefix##_Destroy(class *this) \ class *ff_dshow_##prefix##_Create(__VA_ARGS__) \ { \ class *this = CoTaskMemAlloc(sizeof(class)); \ - void *vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ dshowdebug("ff_dshow_"AV_STRINGIFY(prefix)"_Create(%p)\n", this); \ - if (!this || !vtbl) \ + if (!this) \ goto fail; \ ZeroMemory(this, sizeof(class)); \ - ZeroMemory(vtbl, sizeof(*this->vtbl)); \ + this->vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ + if (!this->vtbl) \ + goto fail; \ + ZeroMemory(this->vtbl, sizeof(*this->vtbl)); \ this->ref = 1; \ - this->vtbl = vtbl; \ if (!setup) \ goto fail; \ dshowdebug("created ff_dshow_"AV_STRINGIFY(prefix)" %p\n", this); \ From 72d3f1f8020deef6453431845192c6b969c9010a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 314/562] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c4c174a02e..5fab302148 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1252,6 +1252,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (int i = flush_offset; i <= MAX_B_FRAMES; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = pic; 
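Review bot: The new clearing loop in load_input_picture carries no comment, and the reason for it, as far as the commit message explains it, is exactly what the next maintainer needs: after the shift the vacated tail slots still alias pictures that now live at lower indices, so a later release or lookup touches the same picture twice. Something like `/* clear the vacated tail: the shifted slots still alias pictures now owned by lower indices */` above the loop would do. The loop is correctly a no-op when flush_offset is 0, since its start index is then MAX_B_FRAMES + 1, which is also worth a word.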
From d02a49ba010515120a97afc7972ac954b98b51a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 315/562] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 6fbac29032..349174c8c7 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -185,7 +185,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); @@ -202,12 +204,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From 8d294ee692b01bd9a03de71f202465beaf17f382 Mon Sep 17 00:00:00 2001 
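Review bot: `maxval` and `topbit` in put_vc2_ue_uint are now 32-bit unsigned, so the shift that used to overflow as signed now wraps to zero instead; if the loop that computes bits (cut out between the two hunks) has the form `while (val > maxval) { maxval <<= 1; ... }`, an input val >= 1<<31 makes maxval wrap to 0 and the loop never terminates. Unless that loop is bounded in some other way, both variables should be `uint64_t` like pbits, or the loop needs an explicit stop at the top bit. The av_assert2 before `pbits <<= 2` is only active at assert level 2 and, with a 32-bit val, cannot fire if the loop runs at most 31 times; a comment saying so would stop readers from mistaking it for a runtime guard.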
From: Michael Niedermayer Date: Wed, 19 Jun 2024 20:58:05 +0200 Subject: [PATCH 316/562] avcodec/j2kenc: Merge dwt_norm into lambda This moves computations out of a loop This may help with UB in vsynth*-jpeg2000-yuva444p16 Fixes: signed integer overflow: 31665934879948800 * 9998 cannot be represented in type 'long' Fixes: 69024/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5949662967169024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a84fbd747119841942c67d2f55cc796ab25cd245) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index a80e74d4ec..6f827be05b 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1348,7 +1348,7 @@ static void makelayers(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile) } } -static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda, int dwt_norm) +static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda) { int passno, res = 0; for (passno = 0; passno < cblk->npasses; passno++){ @@ -1360,7 +1360,7 @@ static int getcut(Jpeg2000Cblk *cblk, uint64_t lambda, int dwt_norm) dd = cblk->passes[passno].disto - (res ? cblk->passes[res-1].disto : 0); - if (((dd * dwt_norm) >> WMSEDEC_SHIFT) * dwt_norm >= dr * lambda) + if (dd >= dr * lambda) res = passno+1; } return res; 
@@ -1383,11 +1383,12 @@ static void truncpasses(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile) Jpeg2000Band *band = reslevel->band + bandno; Jpeg2000Prec *prec = band->prec + precno; + int64_t dwt_norm = dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 15; + int64_t lambda_prime = av_rescale(s->lambda, 1 << WMSEDEC_SHIFT, dwt_norm * dwt_norm); for (cblkno = 0; cblkno < prec->nb_codeblocks_height * prec->nb_codeblocks_width; cblkno++){ Jpeg2000Cblk *cblk = prec->cblk + cblkno; - cblk->ninclpasses = getcut(cblk, s->lambda, - (int64_t)dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 15); + cblk->ninclpasses = getcut(cblk, lambda_prime); cblk->layers[0].data_start = cblk->data; cblk->layers[0].cum_passes = cblk->ninclpasses; cblk->layers[0].npasses = cblk->ninclpasses; From 964a3e2fa7e65a14f786d373a38fc2de365c4837 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 317/562] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index 36dcb8283a..ad8d73fbb4 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c 
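Review bot: `av_rescale(s->lambda, 1 << WMSEDEC_SHIFT, dwt_norm * dwt_norm)` in truncpasses divides by dwt_norm squared, and dwt_norm is `table * i_stepsize >> 15`, which is 0 whenever i_stepsize is small enough for the product to fall below 1<<15; a zero divisor in av_rescale is undefined, so this needs a guard such as `if (dwt_norm <= 0) dwt_norm = 1;` or an explicit skip of the precinct before the call, depending on which result the rate control expects. The previous code only multiplied by dwt_norm, so the zero case was silently harmless before this change. av_rescale also returns INT64_MIN on overflow, which becomes a huge value in getcut's uint64_t lambda and selects no passes; that is probably acceptable but deserves a comment.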
@@ -239,7 +239,7 @@ static av_cold int utvideo_encode_init(AVCodecContext *avctx) * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From b10323ef646fcafa00b5e93d275cc2751688a516 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:05:12 +0200 Subject: [PATCH 318/562] avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation Fixes: signed integer overflow: 20 * 2314885530818453759 cannot be represented in type 'long' Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0993ef675f06042402a97b08a60155c65dae8ba7) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index f956dde78f..76377aea1b 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -333,7 +333,7 @@ static void mpeg1_encode_sequence_header(MpegEncContext *s) else /* VBV calculation: Scaled so that a VCD has the proper * VBV size of 40 kilobytes */ - vbv_buffer_size = ((20 * s->bit_rate) / (1151929 / 2)) * 8 * 1024; + vbv_buffer_size = av_rescale_rnd(s->bit_rate, 20, 1151929 / 2, AV_ROUND_ZERO) * 8 * 1024; vbv_buffer_size = (vbv_buffer_size + 16383) / 16384; put_sbits(&s->pb, 18, v); From 996ce2b3797a1dfaae75a86639e7acf3e285c438 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 18 Jul 2024 18:50:09 +0200 Subject: [PATCH 319/562] avformat/mov: Check extradata in mov_read_iacb() Fixes: MemLeak Fixes: 69853/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4660448545275904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 167bf8f61e671833c9d1234f12973e71c414b621) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index a4b842ebd6..1af869cb48 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -896,6 +896,11 @@ static int mov_read_iacb(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams - 1]; sc = st->priv_data; + if (st->codecpar->extradata) { + av_log(c->fc, AV_LOG_WARNING, "ignoring iacb\n"); + return 0; + } + sc->iamf = av_mallocz(sizeof(*sc->iamf)); if (!sc->iamf) return AVERROR(ENOMEM); From 587acd0d4020859e67d1f07aeff2c885797ebcce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jul 2024 21:12:54 +0200 Subject: [PATCH 320/562] avcodec/pnmdec: Use 64bit for input size check Fixes: out of array read Fixes: poc3 Reported-by: VulDB CNA Team Found-by: CookedMelon Signed-off-by: Michael Niedermayer (cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index acd77ea810..40cc2ae868 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c 
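Review bot: The new guard uses `st->codecpar->extradata` as a proxy for "this stream already had an iacb", while the allocation that would be leaked on a repeated atom is `sc->iamf`, allocated three lines below; if extradata is not necessarily populated by the time a second iacb arrives, `if (sc->iamf)` (or both conditions together) would be the more direct check. The warning could also state the reason, e.g. `"ignoring duplicate iacb\n"`, so a log reader knows why the atom was dropped. The rest of mov_read_iacb is outside the hunk, so whether the first iacb always sets extradata cannot be confirmed here.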
@@ -264,7 +264,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, AVFrame *p, break; case AV_PIX_FMT_GBRPF32: if (!s->half) { - if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream) + if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream) return AVERROR_INVALIDDATA; scale = 1.f / s->scale; if (s->endian) { From 76779f2b87df3ce1b16070c6e62cbe8fadf3ad02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:23:40 +0200 Subject: [PATCH 321/562] avutil/timecode: Use a 64bit framenum internally Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 68550/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6424065930756096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5ca373d7efa37d2d3911f0afbc85fad0dc86b38) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index bd879bd3cc..f40a10eb38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -100,11 +100,12 @@ uint32_t av_timecode_get_smpte(AVRational rate, int drop, int hh, int mm, int ss return tc; } -char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) +char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum_arg) { int fps = tc->fps; int drop = tc->flags & AV_TIMECODE_FLAG_DROPFRAME; int hh, mm, ss, ff, ff_len, neg = 0; + int64_t framenum = framenum_arg; framenum += tc->start; if (drop) From 175c3d6cc5d5d6f7738eb0e848207483cd011266 Mon Sep 17 00:00:00 2001 
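Review bot: The `12LL` only widens the last multiplication: `*` is left-associative, so `avctx->width * avctx->height` is still evaluated in `int` before the `long long` factor is applied. Writing it as `if (12LL * avctx->width * avctx->height > s->bytestream_end - s->bytestream)` makes every product 64-bit. As written, the check relies on the dimensions having been validated elsewhere (for instance via av_image_check_size) so that width*height itself cannot overflow, which is not visible in this hunk.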
From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:31:21 +0200 Subject: [PATCH 322/562] avformat/mxfdec: Reorder elements of expression in bisect loop Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d288479d3431d65318d957aab710b13714fc05) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a04c521994..0f9c4fa730 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3819,8 +3819,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { + while (b - 1 > a) { m = (a + b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; From b926b87f3ca07f103d1405b5aa4dd0dac65fc045 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 323/562] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0e6181b3e0..e8dd2145ce 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
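Review bot: The midpoint `m = (a + b) >> 1` on the next context line can still overflow for a large `track->original_duration`: with `b` near INT64_MAX the sum wraps as soon as `a` has moved up past the headroom, which is the same class of undefined behaviour as the removed `b - a`. `m = a + (int64_t)(((uint64_t)b - (uint64_t)a) >> 1);` yields the same midpoint without a signed overflow for any a < b. Whether the bisection can actually push `a` that high is not visible here, but the fuzzer input behind this fix already produced b == INT64_MAX. Separately, `b - 1` itself would overflow if original_duration could be INT64_MIN, so a sign check on it before the loop would close that corner as well.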
@@ -1059,8 +1059,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1088,9 +1088,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; 
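Review bot: The unsigned-accumulator change is applied to `Y1`/`Y2` only, while `U` and `V` (declared `int` right below, still initialised to `-(128 << 23)`) are presumably accumulated by the same kind of filter loop that overflowed for luma; if so they carry the same signed-overflow exposure and would need the same `unsigned` declaration plus an `(int)` cast before their `>>= 14`. The `(int)` casts in this hunk and in the @@ -1109 hunk rely on the two's-complement conversion of an out-of-range unsigned value, which is implementation-defined rather than UB; a one-line comment at the declaration would spare the next reader the puzzle, e.g. `// unsigned so the filter sum wraps instead of overflowing; cast back to int before the arithmetic shift`. The accumulation loop itself lies outside the hunk.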
@@ -1109,20 +1109,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From ca19dbf33d8f1346588c49d3123ee7ad40649cf0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 17 Jul 2024 00:56:58 +0200 Subject: [PATCH 324/562] avformat/iamf_parse: Check for negative sample sizes Fixes: index -2 out of bounds for type 'const enum AVCodecID [3]' Fixes: 69866/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4971166119821312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b9e02f2ff6575e934e8e991a471b3086d1c0d53) Signed-off-by: Michael Niedermayer --- libavformat/iamf_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 0d80e6e725..3eb36f56f5 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -152,7 +152,7 @@ static int ipcm_decoder_config(IAMFCodecConfig *codec_config, }; int sample_format = avio_r8(pb); // 0 = BE, 1 = LE int sample_size = (avio_r8(pb) / 8 - 2); // 16, 24, 32 - if (sample_format > 1 || sample_size > 2 || codec_config->audio_roll_distance) + if (sample_format > 1 || sample_size > 2U || codec_config->audio_roll_distance) return AVERROR_INVALIDDATA; codec_config->codec_id = sample_fmt[sample_format][sample_size]; From 39d083cb73836d0b3e86625cdcf0e2b585e75bc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Jun 2024 01:50:15 +0200 Subject: [PATCH 325/562] avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables Fixes: CID1452759 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9385847af47211e8c618198499ffea99614bb55d) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake_opencl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_deshake_opencl.c b/libavfilter/vf_deshake_opencl.c index e49c808a8e..128545a982 100644 --- a/libavfilter/vf_deshake_opencl.c +++ b/libavfilter/vf_deshake_opencl.c 
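Review bot: `sample_size > 2U` rejects negative values only through the implicit conversion of the `int` operand to unsigned, which reads like a stray suffix and is easy to "fix" back to `2` later. `if (sample_format > 1 || sample_size < 0 || sample_size > 2 || codec_config->audio_roll_distance)` states the intent directly, or `(unsigned)sample_size > 2` makes the conversion explicit; a short comment that `avio_r8(pb) / 8 - 2` is negative for sample sizes below 16 bits would also help. `sample_format` comes straight from `avio_r8()` and so cannot be negative, which is why only one operand needs the treatment.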
@@ -703,7 +703,7 @@ static int minimize_error( total_err += deshake_ctx->ransac_err[j]; } - if (total_err < best_err) { + if (i == 0 || total_err < best_err) { for (int mi = 0; mi < 6; ++mi) { best_model[mi] = model[mi]; } From be3e6ba7adbee7078c72724fb0da689b5c88ae28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 21:50:12 +0200 Subject: [PATCH 326/562] avfilter/vf_premultiply: Use AV_PIX_MAX_PLANES Helps: CID1435164 Out-of-bounds read Helps: CID1435165 Out-of-bounds read Helps: CID1435167 Out-of-bounds read Helps: CID1435169 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 05e21b89024301f3fcf97b349ffe2ae4a80c83b6) Signed-off-by: Michael Niedermayer --- libavfilter/vf_premultiply.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_premultiply.c b/libavfilter/vf_premultiply.c index e077d46a9a..5e97c2000f 100644 --- a/libavfilter/vf_premultiply.c +++ b/libavfilter/vf_premultiply.c @@ -36,8 +36,8 @@ typedef struct ThreadData { typedef struct PreMultiplyContext { const AVClass *class; - int width[4], height[4]; - int linesize[4]; + int width[AV_VIDEO_MAX_PLANES], height[AV_VIDEO_MAX_PLANES]; + int linesize[AV_VIDEO_MAX_PLANES]; int nb_planes; int planes; int inverse; @@ -45,7 +45,7 @@ typedef struct PreMultiplyContext { int half, depth, offset, max; FFFrameSync fs; - void (*premultiply[4])(const uint8_t *msrc, const uint8_t *asrc, + void (*premultiply[AV_VIDEO_MAX_PLANES])(const uint8_t *msrc, const uint8_t *asrc, uint8_t *dst, ptrdiff_t mlinesize, ptrdiff_t alinesize, ptrdiff_t dlinesize, From 893992cf00eb108bc15247a6dc96d1c3d0d28153 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 00:45:45 +0200 Subject: [PATCH 327/562] avfilter/vf_elbg: Use unsigned for shifting into the top bit Fixes: part of CID1355110 Overflowed constant Sponsored-by: Sovereign Tech Fund 
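Review bot: The commit subject names AV_PIX_MAX_PLANES but both hunks use AV_VIDEO_MAX_PLANES; the subject should name the constant actually used so the change is searchable by it. Whether `nb_planes` can exceed 4 and reach the previously out-of-bounds indices cannot be seen in these hunks, which is consistent with the "Helps" rather than "Fixes" wording in the description.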
Signed-off-by: Michael Niedermayer (cherry picked from commit 2af95b9214a6bf75f946440d36c349963396e23b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_elbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_elbg.c b/libavfilter/vf_elbg.c index 17947e226a..863366ccc2 100644 --- a/libavfilter/vf_elbg.c +++ b/libavfilter/vf_elbg.c @@ -194,7 +194,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) p0 = (uint8_t *)out->data[0]; for (i = 0; i < elbg->codebook_length; i++) { - const int al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; + const unsigned al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; pal[i] = al << 24 | (elbg->codebook[i*4+2] << 16) | (elbg->codebook[i*4+1] << 8) | From e2ba5abaa764245413e288e86f111242aa7b2d32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 01:33:11 +0200 Subject: [PATCH 328/562] avfilter/vf_lut3d: Check av_scanf() Fixes: CID1604398 Unchecked return value Fixes: CID1604542 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ace2e25720b8a26906b15aab7eebbac860bb7bf0) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lut3d.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index a312ca76c9..a03fdb33ae 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -702,7 +702,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; 
@@ -1733,12 +1734,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; From a841e90cfd35d24e0b1771d9f28462b0ffd0fc96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:01:29 +0200 Subject: [PATCH 329/562] avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() Found by reviewing CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ad9df8bcfebc1085cb8b42dae9ab688af824cdab) Signed-off-by: Michael Niedermayer --- libavfilter/scale_eval.c | 9 ++++++--- libavfilter/scale_eval.h | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/scale_eval.c b/libavfilter/scale_eval.c index 75ed503f15..dc8d522b1e 100644 --- a/libavfilter/scale_eval.c +++ b/libavfilter/scale_eval.c @@ -114,7 +114,7 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, int force_original_aspect_ratio, int force_divisible_by) { - int w, h; + int64_t w, h; int factor_w, factor_h; w = *ret_w; 
@@ -149,9 +149,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, * unless force_divisible_by is defined as well */ if (force_original_aspect_ratio) { // Including force_divisible_by here rounds to the nearest multiple of it. - int tmp_w = av_rescale(h, inlink->w, inlink->h * (int64_t)force_divisible_by) + int64_t tmp_w = av_rescale(h, inlink->w, inlink->h * (int64_t)force_divisible_by) * force_divisible_by; - int tmp_h = av_rescale(w, inlink->h, inlink->w * (int64_t)force_divisible_by) + int64_t tmp_h = av_rescale(w, inlink->h, inlink->w * (int64_t)force_divisible_by) * force_divisible_by; if (force_original_aspect_ratio == 1) { @@ -173,6 +173,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, } } + if ((int32_t)w != w || (int32_t)h != h) + return AVERROR(EINVAL); + *ret_w = w; *ret_h = h; diff --git a/libavfilter/scale_eval.h b/libavfilter/scale_eval.h index 2eb6970aad..b489528404 100644 --- a/libavfilter/scale_eval.h +++ b/libavfilter/scale_eval.h @@ -41,7 +41,7 @@ int ff_scale_eval_dimensions(void *ctx, * force_original_aspect_ratio is set. force_divisible_by is used only when * force_original_aspect_ratio is set and must be at least 1. * - * Returns 0. + * Returns negative error code on error or non negative on success */ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, From 640f35b83e384653f359cd6b1f6835980d4902a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:42:44 +0200 Subject: [PATCH 330/562] avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure Helps: CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a8fb3c2cc07e741bca556eee8aea704fda4c33f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index fc3b5a91e6..960ce42b54 100644 --- a/libavfilter/vf_scale.c 
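Review bot: The new range check `(int32_t)w != w` relies on the implementation-defined narrowing of an out-of-range int64_t; `if (w > INT_MAX || w < INT_MIN || h > INT_MAX || h < INT_MIN)` says the same thing portably and matches the `int` type of `*ret_w`/`*ret_h` that the values are written back to. Zero or negative results still pass the check and are returned to the caller; whether those are rejected downstream is outside this hunk. In the header hunk, `non negative` should read `non-negative`.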
+++ b/libavfilter/vf_scale.c @@ -551,10 +551,13 @@ static int config_props(AVFilterLink *outlink) outlink->w = scale->w; outlink->h = scale->h; - ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, + ret = ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, scale->force_original_aspect_ratio, scale->force_divisible_by); + if (ret < 0) + goto fail; + if (outlink->w > INT_MAX || outlink->h > INT_MAX || (outlink->h * inlink->w) > INT_MAX || From 0e529f8a93d3b611703ecc475958e70f4cb0a3da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 331/562] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 484fb64b36..8ec1c80943 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -866,6 +866,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From 9350f387e8f06c05a992ac5373a3ee00813a7efe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:10:00 +0200 Subject: [PATCH 332/562] avformat/bintext: Check avio_size() return Fixes: CID1604503 Overflowed constant Fixes: CID1604566 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bf61f811e73dc62d1b53ed4ef6044b4e9e195113) 
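Review bot: With the error now propagated, the following `outlink->w > INT_MAX || outlink->h > INT_MAX` comparisons on the `int` fields of AVFilterLink are dead (an `int` can never exceed INT_MAX, which is what the cited Coverity finding points at); dropping those two operands and keeping the product checks would finish the cleanup. `ret` and the `fail:` label used by the new lines are declared outside the hunk, so the patch assumes config_props already provides both.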
Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 90d48b6691..c96c14ccd9 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -93,9 +93,12 @@ static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize) AVIOContext *pb = avctx->pb; char buf[36]; int len; - uint64_t start_pos = avio_size(pb) - 256; + int64_t start_pos = avio_size(pb); - avio_seek(pb, start_pos, SEEK_SET); + if (start_pos < 256) + return AVERROR_INVALIDDATA; + + avio_seek(pb, start_pos - 256, SEEK_SET); if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic)) return -1; if (memcmp(buf, next_magic, sizeof(next_magic))) @@ -245,7 +248,10 @@ static int xbin_read_header(AVFormatContext *s) return AVERROR(EIO); if (pb->seekable & AVIO_SEEKABLE_NORMAL) { - bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size; + int64_t fsize = avio_size(pb); + if (fsize < 9 + st->codecpar->extradata_size) + return 0; + bin->fsize = fsize - 9 - st->codecpar->extradata_size; ff_sauce_read(s, &bin->fsize, NULL, 0); avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET); } @@ -285,7 +291,10 @@ static int adf_read_header(AVFormatContext *s) if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int got_width = 0; - bin->fsize = avio_size(pb) - 1 - 192 - 4096; + int64_t fsize = avio_size(pb); + if (fsize < 1 + 192 + 4096) + return 0; + bin->fsize = fsize - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) @@ -318,6 +327,7 @@ static int idf_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVStream *st; int got_width = 0, ret; + int64_t fsize; if (!(pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); 
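Review bot: `xbin_read_header` and `adf_read_header` return 0 when the file is shorter than their fixed header (the @@ -245 and @@ -285 hunks), so a truncated input is reported as a successfully parsed header with `bin->fsize` left at whatever it held before, whereas `next_tag_read` in the first hunk and `idf_read_header` in the @@ -332 hunk return AVERROR_INVALIDDATA for the same condition. Unless the `return 0` is meant as a deliberate fallback to the non-seekable path, `return AVERROR_INVALIDDATA;` in both places would make the demuxers in this file behave consistently; if it is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.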
@@ -332,14 +342,18 @@ static int idf_read_header(AVFormatContext *s) st->codecpar->extradata[0] = 16; st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT; - avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET); + fsize = avio_size(pb); + if (fsize < 12 + 4096 + 48) + return AVERROR_INVALIDDATA; + bin->fsize = fsize - 12 - 4096 - 48; + + avio_seek(pb, bin->fsize + 12, SEEK_SET); if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0) return AVERROR(EIO); if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0) return AVERROR(EIO); - bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) return AVERROR_INVALIDDATA; From 444789f647e342d26481d95dfeceb1b95214d32e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:37:54 +0200 Subject: [PATCH 333/562] avformat/hlsenc: Check ret Fixes: CID1609624 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7e577165c101513b4d8afe164e604cbef6901546) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 2202ce64e4..1ec4d50485 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2601,8 +2601,10 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) " will retry with a new http session.\n"); ff_format_io_close(s, &vs->out); ret = hlsenc_io_open(s, &vs->out, filename, &options); - reflush_dynbuf(vs, &range_length); - ret = hlsenc_io_close(s, &vs->out, filename); + if (ret >= 0) { + reflush_dynbuf(vs, &range_length); + ret = hlsenc_io_close(s, &vs->out, filename); + } } av_dict_free(&options); av_freep(&vs->temp_buffer); 
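Review bot: The two `avio_read()` calls below the new seek only fail on a negative result, so a short read of the 4096-byte block or the 48-byte block is accepted as success and leaves part of `extradata` unset; the new size check makes that unlikely for a regular file but not for a stream that returns fewer bytes than requested. Comparing against the requested length, `if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) != 4096)` and likewise `!= 48` for the second call, closes it. These lines predate the patch and are context here.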
@@ -2613,6 +2615,9 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) hls_rename_temp_file(s, oc); } + if (ret < 0) + return ret; + old_filename = av_strdup(oc->url); if (!old_filename) { return AVERROR(ENOMEM); From 0a6d42ce38fda5fbbb6136a5b9063ceac550429c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 334/562] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 42efaaa3e8..425dadc5e3 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -114,6 +114,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -124,7 +126,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From 1b4795df0885566739323580a83dd8b782d3a5c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 335/562] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
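Review bot: The new early `return ret` leaves hls_write_packet before the `old_filename = av_strdup(oc->url)` sequence; the function starts outside the hunk, so it is worth confirming that nothing acquired earlier on this path (a `filename` string, a still-open `vs->out`) is owned at this point — `options` and `vs->temp_buffer` are released in the @@ -2601 hunk, but anything else would leak on the new return. If the function has a common cleanup label, jumping to it would be safer than a bare return; if not, a comment stating that all resources are already released here would document the invariant.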
diff --git a/libavformat/mm.c b/libavformat/mm.c index 23c025d852..e377ed4fbb 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -95,7 +95,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 6b772034ffffeef741b34001dfc91d0827be3fa3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 336/562] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1af869cb48..48997bde1e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -332,7 +332,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From e86687bd6c9ed4b97b849663dc1aac830d83f05f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 337/562] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
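Review bot: `length < 10` is a magic number: a reader has to go to the fields consumed after `/* read header */` (outside the hunk) to see why 10 is the minimum. A comment on the condition, e.g. `/* header must hold at least the fields read below */`, or a named constant introduced for the purpose (something like `MM_HEADER_MIN_SIZE`, if the file's naming allows) would tie the check to the reads it protects and keep the two in step if more fields are ever read.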
diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index f421e03926..6443b80596 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -137,9 +137,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From 8804d76aa5ebc51a84d941235876bbbc778d6f01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 338/562] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 6443b80596..0029ba63aa 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -585,7 +585,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - si->data_offset, mp3->frames, mp3->header_filesize); } From 400fff4ba7c48096356ad594d066359d87607e8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 339/562] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 112c21fc8e..bb91db8378 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -616,7 +616,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From d0937f480e13a3ee0cbdfdd20b3eb11f5bac91b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 340/562] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index 7480697f83..710eb408b4 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -197,6 +197,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From 68770bfe171a36fba0cdca8b13b8524bb75bf994 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 341/562] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From db71fb1549a97bb5f25b5093fa24b6c85eb00613 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 342/562] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index 5aad03d870..b33746d51d 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -199,7 +199,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From 2a59fc5b18e5d4920fc87b2201439d566422ca46 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 343/562] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 95b7200527..c3956ccf34 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c @@ -123,13 +123,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From 591680a0cf3df89ac8c46647a3d68b983f06a3b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:53:58 +0200 Subject: [PATCH 344/562] avformat/ty: rec_size seems to only need 32bit May help CID1604560 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit be30913538d4be9a50672ceb683f8745d8aa75a9) Signed-off-by: Michael Niedermayer --- libavformat/ty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index 71707f750f..4a1c820c08 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c 
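Review bot: `efi_read(avctx, s->fsize - 51)` is still unguarded inside the new `if (fsize > 0)` block: `ff_sauce_read()` takes `uint64_t *fsize` (its definition is visible in the sauce.c hunk above), so `s->fsize` is unsigned and for a file shorter than 51 bytes the subtraction wraps to a huge offset that is handed to efi_read. Extending the condition to `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)` keeps the offset inside the file while still letting ff_sauce_read adjust `s->fsize` first. efi_read itself is outside the hunk, so whether it rejects such an offset on its own cannot be checked here.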
@@ -48,7 +48,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; From 2248217d42a30d9094ee721eb4bc12e9ac9853da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:13:42 +0200 Subject: [PATCH 345/562] avformat/webpenc: Check filesize in trailer not sure this is possible Fixes: CID1604446 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7734c583f777fdba2f6463cf525385ebe5cf10db) Signed-off-by: Michael Niedermayer --- libavformat/webpenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webpenc.c b/libavformat/webpenc.c index 1c5b93e0ab..ce0d046aa9 100644 --- a/libavformat/webpenc.c +++ b/libavformat/webpenc.c @@ -190,7 +190,7 @@ static int webp_write_trailer(AVFormatContext *s) if (!ret) { filesize = avio_tell(s->pb); - if (avio_seek(s->pb, 4, SEEK_SET) == 4) { + if (filesize >= 8 && avio_seek(s->pb, 4, SEEK_SET) == 4) { avio_wl32(s->pb, filesize - 8); // Note: without the following, avio only writes 8 bytes to the file. avio_seek(s->pb, filesize, SEEK_SET); From 1ad6cf075d751c2b26920b3dedfa67c174640c28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 346/562] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 6a44d82016..cd58d96c54 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c 
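Review bot: Narrowing TyRecHdr.rec_size to int32_t changes the result type of any arithmetic that mixes rec_size with int64_t offsets elsewhere in ty.c, which is outside the hunk, and the commit message itself only says the field "seems" to need 32 bits. A comment on the field recording where the value is parsed from and why 32 bits suffice, e.g. `int32_t rec_size; /* parsed from a 32-bit field, see record header parsing */` (the source of the value to be confirmed), would document the assumption the fix rests on.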
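Review bot: In webp_write_trailer the new `filesize >= 8` test rules out a negative avio_tell() result and an underflow of `filesize - 8`, but there is no upper bound: the RIFF size field written by avio_wl32() is 32 bits, so a file of 4 GiB or more gets a silently truncated length. A companion condition, `filesize - 8 <= UINT32_MAX`, with an error log when it fails would make the format limit explicit instead of emitting a header that disagrees with the file. The rest of the trailer writer is outside the hunk.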
@@ -220,6 +220,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From 634744ca91ab28c9d712b0a4258b8b29ddf3be7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 347/562] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index e4562a79b1..a8101d83f0 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -264,7 +264,10 @@ AVBufferPool *av_buffer_pool_init2(size_t size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -283,7 +286,10 @@ AVBufferPool *av_buffer_pool_init(size_t size, AVBufferRef* (*alloc)(size_t size if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From d7b229b38783496223794483e0be41219272282f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 348/562] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) 
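Review bot: In xmv_read_header the new comparison `this_packet_size < xmv->next_packet_offset` does not cover a negative avio_tell() result, which is what next_packet_offset was assigned on the line before; on a failed tell the check passes and the subtraction yields a size larger than the packet. Extending it to `if (xmv->next_packet_offset < 0 || this_packet_size < xmv->next_packet_offset)` covers that case. Both fields are declared outside the hunk, so whether the comparison is free of signed/unsigned surprises cannot be confirmed here.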
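Review bot: The new failure branch in av_buffer_pool_init2 and the identical one in the second hunk (av_buffer_pool_init) duplicate allocate-then-init-mutex logic that both functions already share; a small static helper that allocates the pool and initialises the mutex, returning NULL on either failure, would keep the two error paths from drifting apart. If anything besides `pool` itself is allocated before the ff_mutex_init() call — not visible in the hunk — it would leak on this path, so the helper should own all of that setup. Both enclosing functions start before their hunks.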
Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index eb04a65c90..67fbf89f19 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -1018,7 +1018,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From dc2b488fc7728c5f6505d45b8d25fea09a421628 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 349/562] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index 115b099736..e6b82e31b6 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -102,6 +102,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { 
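Review bot: In av_frame_apply_cropping the added `log2_crop_align != INT_MAX` test relies on INT_MAX being a sentinel assigned outside the hunk, presumably for crop_left == 0 where no alignment can be derived; a comment on the condition, `/* INT_MAX: crop_left is 0, nothing to align */`, would make the intent visible. The shift `1 << (5 + log2_crop_align - min_log2_align)` is still only defined while log2_crop_align stays below 27, which depends on how crop_left is bounded earlier in the function — worth an explicit check or a `1ULL`-based mask if that bound is not guaranteed. The function continues outside the hunk.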
@@ -135,16 +136,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From 224dd41cceee3925c7453994fbe3d8af93cf362b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 00:28:14 +0200 Subject: [PATCH 350/562] avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure Fixes: CID1458043 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 73ca4e75eb0ae7d15965b90ffe7c041443a0421f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c index 4eea761dac..f61c7083dc 100644 --- a/libavfilter/vf_xfade.c +++ b/libavfilter/vf_xfade.c 
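Review bot: The inner `int ret;` inside the worker loop now shadows the `ret` the first hunk added at function scope, so the loop's assignments go to the inner variable and `-Wshadow` will flag it; dropping the inner declaration is enough. The done_cond failure path calls avpriv_slicethread_free(), which — if it destroys done_cond as part of teardown (not visible here) — would destroy a condition variable that was never initialised; destroying done_mutex directly and freeing, as the done_mutex path already does, avoids depending on that. avpriv_slicethread_create continues outside the hunk.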
@@ -2288,8 +2288,11 @@ static int xfade_activate(AVFilterContext *avctx) // Check if we are not yet transitioning, in which case // just request and forward the input frame. if (s->start_pts > s->pts) { + int ret; s->passthrough = 1; - ff_inlink_consume_frame(in_a, &s->xf[0]); + ret = ff_inlink_consume_frame(in_a, &s->xf[0]); + if (ret < 0) + return ret; return ff_filter_frame(outlink, s->xf[0]); } s->passthrough = 0; @@ -2297,8 +2300,14 @@ static int xfade_activate(AVFilterContext *avctx) // We are transitioning, so we need a frame from second input if (ff_inlink_check_available_frame(in_b)) { int ret; - ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]); - ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]); + ret = ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]); + if (ret < 0) + return ret; + ret = ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]); + if (ret < 0) { + av_frame_free(&s->xf[0]); + return ret; + } // Calculate PTS offset to first input if (s->inputs_offset_pts == AV_NOPTS_VALUE) From e82aa42f6c229bd77be56adf904028d0d631a836 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2024 00:34:28 +0200 Subject: [PATCH 351/562] avformat/mov: add an EOF check in IPRP Fixes: Timeout Fixes: 69230/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6540512101203968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 586f6fda1d814f0ddc32e652fde5e203d552f6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 48997bde1e..83a48335ac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
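Review bot: In xfade_activate the new `ret < 0` check after ff_inlink_consume_frame() handles errors but not the zero return that means no frame was taken; unless availability of in_a was established earlier in the function (outside the hunk), s->xf[0] is then NULL when passed to ff_filter_frame(). The same applies to the first consume in the second hunk, where xf[0] could be NULL before xf[1] is read. Treating `ret == 0` explicitly, or a comment stating that the caller has already verified a frame is available, would make the invariant visible at the call site.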
@@ -8457,6 +8457,11 @@ static int mov_read_iprp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int item_id = version ? avio_rb32(pb) : avio_rb16(pb); int assoc_count = avio_r8(pb); + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + for (int j = 0; j < assoc_count; j++) { MOVAtoms *ref; int index = avio_r8(pb) & 0x7f; From 5c2dfe559e96499b25d6bcc81688cc69775a6da0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 352/562] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index a130eb1d74..425020436d 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -658,6 +658,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); 
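Review bot: The new avio_feof() check in mov_read_iprp sits after item_id and assoc_count are read, so the loop stops on truncated input instead of spinning on the zeros the byte reader keeps returning past EOF; a one-line comment, `/* truncated ipma: stop before iterating on EOF zeros */`, would explain why the check is placed here rather than at the top of the outer loop. The enclosing function and its `fail:` label are outside the hunk.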
@@ -946,9 +950,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -3037,8 +3038,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From b158f7c62b902365f1080407fb6068f562ca8035 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 17:08:22 +0200 Subject: [PATCH 353/562] avcodec/alsdec: Clear shift_value (the exact issue is unreproducable but the use of uninitialized data is reproducable) Should fix: signed integer overflow: -2147483648 - 127 cannot be represented in type 'int' Should fix: 69881/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-4751301204836352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6194cb87cb81ef97adfa2690e489f473182eaffe) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c64d1032a4..7262cdb4b3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
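Review bot: The comment added in decode_nal_unit has two spelling mistakes — `inconsistant` and `depandant` — and runs well past the usual line length; suggested: `// hls_slice_header() does not clean up on failure, so the context is now inconsistent and must not be used by dependent slices`. Resetting slice_initialized here is also what makes the new check in hls_slice_header (first hunk) fire for the following dependent slice, so a cross-reference to that check in the comment would help a reader connect the two.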
@@ -2110,8 +2110,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (sconf->floating) { ctx->acf = av_malloc_array(channels, sizeof(*ctx->acf)); - ctx->shift_value = av_malloc_array(channels, sizeof(*ctx->shift_value)); - ctx->last_shift_value = av_malloc_array(channels, sizeof(*ctx->last_shift_value)); + ctx->shift_value = av_calloc(channels, sizeof(*ctx->shift_value)); + ctx->last_shift_value = av_calloc(channels, sizeof(*ctx->last_shift_value)); ctx->last_acf_mantissa = av_malloc_array(channels, sizeof(*ctx->last_acf_mantissa)); ctx->raw_mantissa = av_calloc(channels, sizeof(*ctx->raw_mantissa)); From c2ec2994c35c08994b0757a1b658e6483141e52c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 354/562] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 3a5b753430..faf6dfc976 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -510,7 +510,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From 5faff14b909023bff191a5f03a40c975dabcedab Mon Sep 17 00:00:00 2001 
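Review bot: In decode_init the two arrays switched to av_calloc() are now zeroed, but `ctx->acf` and `ctx->last_acf_mantissa` on the adjacent lines are still av_malloc_array()'d; if they can be read before being fully written, as shift_value was, the same class of uninitialized read remains — not verifiable from the hunk. Either zero them too for consistency, or add a comment stating that they are fully written before first use. Allocation-failure handling for these pointers lies outside the hunk.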
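Review bot: In decode_ac_coeffs the loosened `bits_left <= 0` test silently ends the coefficient loop when re_index has already run past size_in_bits, which indicates corrupt input rather than a normal end of data; if the function's other error paths permit it, a negative count could be reported, e.g. `if (bits_left < 0) return AVERROR_INVALIDDATA;` before the existing break, or at least noted in a comment so the two cases are not conflated. The function continues outside the hunk.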
From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 355/562] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index 4d47444f3f..b8765a19c7 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -2997,12 +2997,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) ff_refstruct_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From 354d5b97370429b402b66123a0f7222abd5db8ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Sep 2023 00:49:41 +0200 Subject: [PATCH 356/562] avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter() Fixes: 2.96539e+09 is outside the range of representable values of type 'int' Fixes: Assertion n>=0 && n<=32 failed at libavcodec/get_bits.h:423 Fixes: 62241/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-4525761925873664 Fixes: 70406/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6545326804434944 Signed-off-by: Michael Niedermayer (cherry picked from commit 56c334d732dbbce43b0c8fc0809ec545b7946832) 
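Review bot: In ff_vaapi_encode_close the new `if (ctx->hwctx)` guards silently skip vaDestroyContext()/vaDestroyConfig() while still marking the handles invalid, so if hwctx can ever be NULL after a VA object was really created, that object leaks without a trace; a comment stating when hwctx is NULL at close (presumably an init that failed before the device context was attached — not visible here) would justify the skip. The guards could also be folded into the enclosing conditions, `if (ctx->va_context != VA_INVALID_ID && ctx->hwctx)`, with the `= VA_INVALID_ID` resets kept unconditional, which reads more directly.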
Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index fa4aeee35e..333ca506ea 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -160,11 +160,15 @@ static int update_residue_parameter(OSQChannel *cb) sum = cb->sum; x = sum / cb->count; - rice_k = av_ceil_log2(x); + rice_k = ceil(log2(x)); if (rice_k >= 30) { - rice_k = floor(sum / 1.4426952 + 0.5); - if (rice_k < 1) + double f = floor(sum / 1.4426952 + 0.5); + if (f <= 1) { rice_k = 1; + } else if (f >= 31) { + rice_k = 31; + } else + rice_k = f; } return rice_k; From 71dc3825139efd172f5f7e9dcb8eec78b9e78b18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Sep 2023 00:49:41 +0200 Subject: [PATCH 357/562] avcodec/osq: fix integer overflow when applying factor Fixes: signed integer overflow: -35511773 * 256 cannot be represented in type 'int' Fixes: 70406/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6545326804434944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6420c1bf30884d5feb69d0a6f116eaceac02dacc) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 333ca506ea..1663f0b15f 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -355,7 +355,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame *frame) const int nb_channels = avctx->ch_layout.nb_channels; const int nb_samples = frame->nb_samples; OSQContext *s = avctx->priv_data; - const int factor = s->factor; + const unsigned factor = s->factor; int ret, decorrelate, downsample; GetBitContext *gb = &s->gb; From 68a017f6b5ea08fb92ac0245f6625d6e195c2074 Mon Sep 17 00:00:00 2001 
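Review bot: In update_residue_parameter the new `rice_k = ceil(log2(x))` is undefined when x is 0 (log2(0) is -inf and converting it to int is UB), and whether sum/count can be 0 is decided outside the hunk; a guard such as `rice_k = x > 0 ? ceil(log2(x)) : 0;` removes the dependency. The `1.4426952` divisor looks like an approximation of log2(e) and deserves a comment saying so. The else-chain also mixes braced and unbraced branches — `} else rice_k = f;` should get braces like its siblings.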
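Review bot: Changing `factor` to unsigned in osq_decode_block makes the later multiplications wrap instead of overflowing signed int, but nothing at the declaration says so, and a future cleanup may well revert it; a comment such as `const unsigned factor = s->factor; /* unsigned: products wrap instead of overflowing */` pins the intent. The uses of factor are outside the hunk, so whether wrapped results are subsequently clipped cannot be confirmed here.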
From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:50:00 +0200 Subject: [PATCH 358/562] avcodec/cfhdenc: Allocate more space Fixes: Assertion failure Fixes: 68979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5375874714107904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a308d79e4dedea11667cb2ad42c6676ce96e8ee1) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 7169d20a8c..f54b19b032 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -553,7 +553,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, width, height * 2); } - ret = ff_alloc_packet(avctx, pkt, 256LL + s->planes * (2LL * avctx->width * (avctx->height + 15) + 2048LL)); + ret = ff_alloc_packet(avctx, pkt, 256LL + s->planes * (4LL * avctx->width * (avctx->height + 15) + 2048LL)); if (ret < 0) return ret; @@ -761,7 +761,6 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else if (count > 0) { count = put_runcode(pb, count, rb); } - put_bits(pb, cb[index].size, cb[index].bits); } From adcb97538a36cfb7176fdd5d2f18b1aec034a885 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 23:19:52 +0200 Subject: [PATCH 359/562] avcodec/cfhdenc: Height of 16 is not supported Fixes: out of array access Fixes: 68941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5990952685600768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5dde255abdeb50aefb0dcf8b060277e37d180ec6) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
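Review bot: The new packet bound in cfhd_encode_frame, `4LL * avctx->width * (avctx->height + 15)` per plane, is an empirically raised constant with no derivation in the code or the commit message, so the next fuzzer finding will bump it again; a comment stating the worst-case bytes per coefficient and the per-plane overhead the bound is meant to cover would make it reviewable. If the writer cannot guarantee the bound, a size check in the put_bits() path is the durable fix. The function continues outside the hunk.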
diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index f54b19b032..1412d35d3f 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -258,8 +258,8 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) if (ret < 0) return ret; - if (avctx->height < 4) { - av_log(avctx, AV_LOG_ERROR, "Height must be >= 4.\n"); + if (avctx->height < 32) { + av_log(avctx, AV_LOG_ERROR, "Height must be >= 32.\n"); return AVERROR_INVALIDDATA; } From a0d1902e2ced34f3c4ac6db3814229ad24bed786 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 23:45:27 +0200 Subject: [PATCH 360/562] avcodec/hdrenc: Allocate more space This needs to be double checked or a checking way of writing should be used Fixes: out of array access Fixes: 70007/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_fuzzer-5478704150020096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 204f7f8cc73109d14c3f76b7b57f6b36fe041ee8) Signed-off-by: Michael Niedermayer --- libavcodec/hdrenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hdrenc.c b/libavcodec/hdrenc.c index 40d283ee61..54682d0a77 100644 --- a/libavcodec/hdrenc.c +++ b/libavcodec/hdrenc.c @@ -124,7 +124,7 @@ static int hdr_encode_frame(AVCodecContext *avctx, AVPacket *pkt, uint8_t *buf; int ret; - packet_size = avctx->width * avctx->height * 4LL + 1024LL; + packet_size = avctx->height * 4LL + avctx->width * avctx->height * 8LL + 1024LL; if ((ret = ff_get_encode_buffer(avctx, pkt, packet_size, 0)) < 0) return ret; From 5f953ac26fbdea1eb73d8a1ab4045f0e031b7b10 Mon Sep 17 00:00:00 2001 
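Review bot: In cfhd_encode_init the minimum height is raised from 4 to 32 without saying where 32 comes from; a comment tying it to the wavelet decomposition levels the encoder applies (presumably each level halves the height — not visible here) would stop it being treated as arbitrary, and a named constant shared with the log message, e.g. `#define CFHD_MIN_HEIGHT 32`, keeps the check and the text from drifting. Whether width has a corresponding minimum is outside the hunk.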
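Review bot: In hdr_encode_frame the new expression `avctx->width * avctx->height * 8LL` multiplies the two ints before the 8LL promotes the product, so the intermediate can still overflow int for large frames; writing `8LL * avctx->width * avctx->height` performs the whole computation in long long. The commit message admits the bound is unverified — a comment stating what the per-line `height * 4LL` and the 8 bytes per pixel are meant to cover, or bounds-checked writes, would make it checkable. The function continues outside the hunk.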
From: Jens Frederich Date: Mon, 15 Jul 2024 06:51:29 +0000 Subject: [PATCH 361/562] avdevice/dshow: Don't skip audio devices if no video device is present The search of the current DirectShow device list has been customized so that audio devices are always found even if no video device is connected. Signed-off-by: Jens Frederich Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 60b1750134963e8326476c4fbae41cea1772ff5b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 403e56fe13..57d8e1c0af 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -645,7 +645,7 @@ static int dshow_get_device_list(AVFormatContext *avctx, AVDeviceInfoList *devic } ret = dshow_cycle_devices(avctx, devenum, VideoDevice, VideoSourceDevice, NULL, NULL, &device_list); - if (ret < S_OK) + if (ret < S_OK && ret != AVERROR(EIO)) goto error; ret = dshow_cycle_devices(avctx, devenum, AudioDevice, AudioSourceDevice, NULL, NULL, &device_list); From a83c1a3db97f540841da13b031c7d500d8f2b779 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Tue, 16 Jul 2024 20:59:52 +0800 Subject: [PATCH 362/562] avcodec/videotoolboxenc: Fix bitrate doesn't work as expected Commit 4ef5e7d4722 add qmin/qmax support to videotoolbox encoder. The default value of (qmin, qmax) is (2, 31), which makes bitrate control doesn't work as users' expectations. Signed-off-by: Zhao Zhili (cherry picked from commit d07da7539d54c0ce71e06a577eb1fa3036467449) --- libavcodec/videotoolboxenc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/videotoolboxenc.c b/libavcodec/videotoolboxenc.c index 15c34d59c3..5ea9afee22 100644 --- a/libavcodec/videotoolboxenc.c +++ b/libavcodec/videotoolboxenc.c 
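Review bot: In dshow_get_device_list the new `ret != AVERROR(EIO)` exemption mixes an AVERROR code with the HRESULT-style `ret < S_OK` comparison, and nothing at the site says which condition EIO stands for; a comment, `/* AVERROR(EIO): no video device present; still enumerate audio devices */` (meaning inferred from the commit message, to be confirmed against dshow_cycle_devices), would make the exemption intelligible. Whether ret is later returned to the caller in that case is outside the hunk.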
@@ -2905,6 +2905,12 @@ static const AVOption h264_options[] = { { NULL }, }; +static const FFCodecDefault vt_defaults[] = { + {"qmin", "-1"}, + {"qmax", "-1"}, + {NULL}, +}; + static const AVClass h264_videotoolbox_class = { .class_name = "h264_videotoolbox", .item_name = av_default_item_name, @@ -2920,6 +2926,7 @@ const FFCodec ff_h264_videotoolbox_encoder = { .p.capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = avc_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, @@ -2957,6 +2964,7 @@ const FFCodec ff_hevc_videotoolbox_encoder = { AV_CODEC_CAP_HARDWARE, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = hevc_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, @@ -2996,6 +3004,7 @@ const FFCodec ff_prores_videotoolbox_encoder = { AV_CODEC_CAP_HARDWARE, .priv_data_size = sizeof(VTEncContext), .p.pix_fmts = prores_pix_fmts, + .defaults = vt_defaults, .init = vtenc_init, FF_CODEC_ENCODE_CB(vtenc_frame), .close = vtenc_close, From d517a84c85ae695085f3d0ea25156b68fafe7356 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 28 Jun 2024 21:06:53 -0300 Subject: [PATCH 363/562] avformat/mov: check that sample and chunk count is 1 for HEIF Fixes NULL pointer dereference in broken/fuzzed streams. Signed-off-by: James Almer (cherry picked from commit 2aa63784b533f461785c3e767e354e84c7e2c8c2) --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 83a48335ac..a6732ad3e0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
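Review bot: The new vt_defaults table sets qmin/qmax to "-1" without saying what -1 means, and the three following hunks then attach the table to the h264, hevc and prores encoders; a comment above it, `/* -1: leave qmin/qmax unset so they do not clamp the bitrate controller (see 4ef5e7d4722) */`, records the reason the commit message gives. The code that interprets -1 is outside the hunk, so whether it is treated as "unset" rather than a literal value should be confirmed there.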
@@ -9574,6 +9574,9 @@ static int mov_read_header(AVFormatContext *s) st->codecpar->width = item->width; st->codecpar->height = item->height; + if (sc->sample_count != 1 || sc->chunk_count != 1) + return AVERROR_INVALIDDATA; + sc->sample_sizes[0] = item->extent_length; sc->chunk_offsets[0] = item->extent_offset + offset; From c77a3b8d2907aa051edc1200c1b7962e01fc44c2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 28 Jun 2024 21:06:54 -0300 Subject: [PATCH 364/562] avformat/mov: check that child boxes of trak are only present inside it Based on the check done for the stco box. Signed-off-by: James Almer (cherry picked from commit e7d3ff8dcd8c8d02b67a0c2b192b1b4f25cc552e) --- libavformat/mov.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index a6732ad3e0..0f7b910a79 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3062,6 +3062,11 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STSC outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; @@ -3158,6 +3163,11 @@ static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STPS outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; @@ -3195,6 +3205,11 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STSS outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; 
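Review bot: In mov_read_header the new `sc->sample_count != 1 || sc->chunk_count != 1` check returns AVERROR_INVALIDDATA for any HEIF item whose track does not have exactly one sample and one chunk, but does not say why that shape is required; a comment, `/* an item maps to one sample in one chunk; otherwise the [0] writes below are out of bounds */`, would tie the check to the two array writes it protects. Whether an early return here leaves partially set-up streams that need cleanup is outside the hunk.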
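Review bot: The `c->trak_index < 0` guard added to mov_read_stsc is repeated verbatim in the five following hunks (stps, stss, stsz, stts, ctts) with only the box name differing; a small helper such as `static int mov_check_in_trak(MOVContext *c, const char *box)` producing the same warning-and-0 result would keep the six copies in step. Returning 0 (warning only) follows the stco precedent the commit message cites, which is worth stating in the helper's comment so nobody upgrades it to an error without considering that. Each enclosing function starts before its hunk.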
@@ -3247,6 +3262,11 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) unsigned char* buf; int ret; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STSZ outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; @@ -3336,6 +3356,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t current_dts = 0; int64_t corrected_dts = 0; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STTS outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; @@ -3492,6 +3517,11 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries, ctts_count = 0; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "CTTS outside TRAK\n"); + return 0; + } + if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; From 63e90b338c85813b5b8e55deb2abf90d6edd931a Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 19 Jul 2024 12:04:19 -0400 Subject: [PATCH 365/562] avcodec/pngdec: use 8-bit sBIT cap for indexed PNGs per spec The PNG specification[1] says that sBIT entries must be at most the bit depth specified in IHDR, unless the PNG is indexed-color, in which case sBIT must be between 1 and 8. We should not reject valid sBITs on PNGs with indexed color. [1]: https://www.w3.org/TR/png-3/#11sBIT Regression since 84b454935fae2633a8a5dd075e22393f3e8f932f. Signed-off-by: Leo Izen Reported-by: Ramiro Polla --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ac39b3277b..ea586332b2 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
@@ -1095,7 +1095,7 @@ static int decode_sbit_chunk(AVCodecContext *avctx, PNGDecContext *s,
 bits = FFMAX(b, bits);
 }
- if (bits < 0 || bits > s->bit_depth) {
+ if (bits <= 0 || bits > (s->color_type & PNG_COLOR_MASK_PALETTE ? 8 : s->bit_depth)) {
 av_log(avctx, AV_LOG_ERROR, "Invalid significant bits: %d\n", bits);
 return AVERROR_INVALIDDATA;
 }
From 0ab20b5788d08f1947a6351e048fcdbc2838fc49 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 19 Jul 2024 12:04:20 -0400 Subject: [PATCH 366/562] avcodec/pngenc: fix sBIT writing for indexed-color PNGs We currently write invalid sBIT entries for indexed PNGs, which by PNG specification[1] must be 3-bytes long. The values also are capped at 8 for indexed-color PNGs, not the palette depth. This patch fixes both of these issues previously fixed in the decoder, but not the encoder. [1]: https://www.w3.org/TR/png-3/#11sBIT Regression since: c125860892e931d9b10f88ace73c91484815c3a8. Signed-off-by: Leo Izen Reported-by: Ramiro Polla:
---
 libavcodec/pngenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
index e4c6bdc563..819cd83659 100644
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -468,8 +468,9 @@ static int encode_headers(AVCodecContext *avctx, const AVFrame *pict)
 if (png_get_gama(pict->color_trc, s->buf))
 png_write_chunk(&s->bytestream, MKTAG('g', 'A', 'M', 'A'), s->buf, 4);
- if (avctx->bits_per_raw_sample > 0 && avctx->bits_per_raw_sample < s->bit_depth) {
- int len = ff_png_get_nb_channels(s->color_type);
+ if (avctx->bits_per_raw_sample > 0 &&
+ avctx->bits_per_raw_sample < (s->color_type & PNG_COLOR_MASK_PALETTE ? 8 : s->bit_depth)) {
+ int len = s->color_type & PNG_COLOR_MASK_PALETTE ? 3 : ff_png_get_nb_channels(s->color_type);
 memset(s->buf, avctx->bits_per_raw_sample, len);
 png_write_chunk(&s->bytestream, MKTAG('s', 'B', 'I', 'T'), s->buf, len);
 }
From 517e559a46b661ab7ba4aa03abc45b43ec381700 Mon Sep 17 00:00:00 2001
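Review bot: The new condition packs three concerns — the sign check, the indexed-colour special case and the IHDR cap — into one line, and the `&` inside an unparenthesised ternary reads ambiguously even though `&` does bind tighter than `?:`. Pulling the cap into a named local makes the spec rule legible: `int max_bits = (s->color_type & PNG_COLOR_MASK_PALETTE) ? 8 : s->bit_depth;` followed by `if (bits <= 0 || bits > max_bits) {`. Note that the commit also tightens `bits < 0` to `bits <= 0`, so a zero sBIT is now rejected; that is consistent with the 1..8 range the description cites but is not mentioned there, and a comment `/* sBIT range: 1..8 for indexed-colour, else 1..bit_depth */` would record both decisions. decode_sbit_chunk continues outside the hunk.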
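Review bot: `s->color_type & PNG_COLOR_MASK_PALETTE` is evaluated twice on adjacent lines, once to choose the cap and once to choose the chunk length; a single `int is_palette = !!(s->color_type & PNG_COLOR_MASK_PALETTE);` ahead of the `if` shortens both lines and keeps the two decisions from diverging later. The indexed-colour sBIT being three bytes is what the description says the spec requires, but nothing in the code says so, and `memset` filling all three with the same value looks accidental without a comment such as `/* indexed-colour sBIT is 3 bytes (R, G, B of the palette entries) */` above the `int len` line. encode_headers continues on both sides of the hunk.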
From: Andreas Rheinhardt Date: Thu, 28 Mar 2024 05:35:36 +0100 Subject: [PATCH 367/562] avcodec/pcm-bluray/dvd: Use correct pointer types on BE Signed-off-by: Andreas Rheinhardt (cherry picked from commit 347a70f101be28f8d78e8fd62ffc3a78324f49e9) --- libavcodec/pcm-bluray.c | 5 +++-- libavcodec/pcm-dvd.c | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/pcm-bluray.c b/libavcodec/pcm-bluray.c index f65609514a..235020d78f 100644 --- a/libavcodec/pcm-bluray.c +++ b/libavcodec/pcm-bluray.c @@ -167,7 +167,7 @@ static int pcm_bluray_decode_frame(AVCodecContext *avctx, AVFrame *frame, samples *= num_source_channels; if (AV_SAMPLE_FMT_S16 == avctx->sample_fmt) { #if HAVE_BIGENDIAN - bytestream2_get_buffer(&gb, dst16, buf_size); + bytestream2_get_buffer(&gb, (uint8_t*)dst16, buf_size); #else do { *dst16++ = bytestream2_get_be16u(&gb); @@ -187,7 +187,8 @@ static int pcm_bluray_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (AV_SAMPLE_FMT_S16 == avctx->sample_fmt) { do { #if HAVE_BIGENDIAN - bytestream2_get_buffer(&gb, dst16, avctx->ch_layout.nb_channels * 2); + bytestream2_get_buffer(&gb, (uint8_t*)dst16, + avctx->ch_layout.nb_channels * 2); dst16 += avctx->ch_layout.nb_channels; #else channel = avctx->ch_layout.nb_channels; diff --git a/libavcodec/pcm-dvd.c b/libavcodec/pcm-dvd.c index 419b2a138f..319746c62e 100644 --- a/libavcodec/pcm-dvd.c +++ b/libavcodec/pcm-dvd.c @@ -157,7 +157,7 @@ static void *pcm_dvd_decode_samples(AVCodecContext *avctx, const uint8_t *src, switch (avctx->bits_per_coded_sample) { case 16: { #if HAVE_BIGENDIAN - bytestream2_get_buffer(&gb, dst16, blocks * s->block_size); + bytestream2_get_buffer(&gb, (uint8_t*)dst16, blocks * s->block_size); dst16 += blocks * s->block_size / 2; #else int samples = blocks * avctx->ch_layout.nb_channels; From b6b55f6e2be6839faca6067aafe7d3800f2f6ea4 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Wed, 31 Jul 2024 10:00:54 -0300 Subject: [PATCH 368/562] avutil/hwcontext_vaapi: use the correct type for VASurfaceAttribExternalBuffers.buffers Should fix ticket #11115. Signed-off-by: James Almer (cherry picked from commit 6f8e365a2af2b6b21701d41eed3b2e3f8a436eeb) --- libavutil/hwcontext_vaapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_vaapi.c b/libavutil/hwcontext_vaapi.c index 56d03aa4cd..95a68e62c5 100644 --- a/libavutil/hwcontext_vaapi.c +++ b/libavutil/hwcontext_vaapi.c @@ -1213,7 +1213,7 @@ static int vaapi_map_from_drm(AVHWFramesContext *src_fc, AVFrame *dst, if (!use_prime2 || vas != VA_STATUS_SUCCESS) { int k; - unsigned long buffer_handle; + uintptr_t buffer_handle; VASurfaceAttribExternalBuffers buffer_desc; VASurfaceAttrib buffer_attrs[2] = { { From d0d740946b72bbe736e99254a0bf921598a000d0 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 31 Jul 2024 11:35:03 -0300 Subject: [PATCH 369/562] avcodec/aacps_tablegen_template: don't redefine CONFIG_HARDCODED_TABLES Fixes relevant warnings when compiling with --enable-hardcoded-tables Signed-off-by: James Almer (cherry picked from commit f4daf633b2e31e2e0fb3e0fcf1c7deacbc57b93e) --- libavcodec/aacps_tablegen_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacps_tablegen_template.c b/libavcodec/aacps_tablegen_template.c index e70edf884b..e05887b9b1 100644 --- a/libavcodec/aacps_tablegen_template.c +++ b/libavcodec/aacps_tablegen_template.c @@ -22,6 +22,8 @@ #include #define BUILD_TABLES +#include "config.h" +#undef CONFIG_HARDCODED_TABLES #define CONFIG_HARDCODED_TABLES 0 #include "aac_defines.h" From abd5df3033de4fdbbd907022cf37d16b4d12380a Mon Sep 17 00:00:00 2001 From: Shiyou Yin Date: Thu, 25 Jul 2024 17:39:21 +0800 Subject: [PATCH 370/562] swscale: [loongarch] Fix checkasm-sw_yuv2rgb failure. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: 陈昊 
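Review bot: The `#include "config.h"` / `#undef CONFIG_HARDCODED_TABLES` / `#define CONFIG_HARDCODED_TABLES 0` sequence has no comment, and a reader will wonder why the generator pulls in config.h only to override one of its values. A line above the `#undef`, `/* config.h may set CONFIG_HARDCODED_TABLES; the table generator must always compute the tables */`, records the reason the description gives and why the include has to come first. The warning this silences only appears with --enable-hardcoded-tables, so a default build will not catch a regression if the order is later changed.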
Signed-off-by: Michael Niedermayer (cherry picked from commit 4713a5cc2478ac94150541918749913d05a54b7f) Signed-off-by: Michael Niedermayer --- libswscale/loongarch/swscale_init_loongarch.c | 104 +++++++++--------- libswscale/loongarch/yuv2rgb_lasx.c | 4 +- 2 files changed, 56 insertions(+), 52 deletions(-) diff --git a/libswscale/loongarch/swscale_init_loongarch.c b/libswscale/loongarch/swscale_init_loongarch.c index 53e4f970b6..51bfdd56de 100644 --- a/libswscale/loongarch/swscale_init_loongarch.c +++ b/libswscale/loongarch/swscale_init_loongarch.c 
@@ -93,60 +93,64 @@ av_cold SwsFunc ff_yuv2rgb_init_loongarch(SwsContext *c) int cpu_flags = av_get_cpu_flags(); #if HAVE_LASX if (have_lasx(cpu_flags)) { - switch (c->dstFormat) { - case AV_PIX_FMT_RGB24: - return yuv420_rgb24_lasx; - case AV_PIX_FMT_BGR24: - return yuv420_bgr24_lasx; - case AV_PIX_FMT_RGBA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_rgba32_lasx; - case AV_PIX_FMT_ARGB: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_argb32_lasx; - case AV_PIX_FMT_BGRA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_bgra32_lasx; - case AV_PIX_FMT_ABGR: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_abgr32_lasx; + if (c->srcFormat == AV_PIX_FMT_YUV420P) { + switch (c->dstFormat) { + case AV_PIX_FMT_RGB24: + return yuv420_rgb24_lasx; + case AV_PIX_FMT_BGR24: + return yuv420_bgr24_lasx; + case AV_PIX_FMT_RGBA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_rgba32_lasx; + case AV_PIX_FMT_ARGB: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_argb32_lasx; + case AV_PIX_FMT_BGRA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_bgra32_lasx; + case AV_PIX_FMT_ABGR: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_abgr32_lasx; + } } } #endif // #if HAVE_LASX if (have_lsx(cpu_flags)) { - switch (c->dstFormat) { - case AV_PIX_FMT_RGB24: - return yuv420_rgb24_lsx; - case AV_PIX_FMT_BGR24: - return yuv420_bgr24_lsx; - case AV_PIX_FMT_RGBA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_rgba32_lsx; - case AV_PIX_FMT_ARGB: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_argb32_lsx; - case AV_PIX_FMT_BGRA: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - 
} else - return yuv420_bgra32_lsx; - case AV_PIX_FMT_ABGR: - if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { - break; - } else - return yuv420_abgr32_lsx; + if (c->srcFormat == AV_PIX_FMT_YUV420P) { + switch (c->dstFormat) { + case AV_PIX_FMT_RGB24: + return yuv420_rgb24_lsx; + case AV_PIX_FMT_BGR24: + return yuv420_bgr24_lsx; + case AV_PIX_FMT_RGBA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_rgba32_lsx; + case AV_PIX_FMT_ARGB: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_argb32_lsx; + case AV_PIX_FMT_BGRA: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_bgra32_lsx; + case AV_PIX_FMT_ABGR: + if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { + break; + } else + return yuv420_abgr32_lsx; + } } } return NULL; diff --git a/libswscale/loongarch/yuv2rgb_lasx.c b/libswscale/loongarch/yuv2rgb_lasx.c index 64e434f50c..0ce553005a 100644 --- a/libswscale/loongarch/yuv2rgb_lasx.c +++ b/libswscale/loongarch/yuv2rgb_lasx.c @@ -82,8 +82,8 @@ #define YUV2RGB_RES \ m_y1 = __lasx_xvldrepl_d(py_1, 0); \ m_y2 = __lasx_xvldrepl_d(py_2, 0); \ - m_u = __lasx_xvldrepl_d(pu, 0); \ - m_v = __lasx_xvldrepl_d(pv, 0); \ + m_u = __lasx_xvldrepl_w(pu, 0); \ + m_v = __lasx_xvldrepl_w(pv, 0); \ m_y1 = __lasx_xvilvl_d(m_y2, m_y1); \ m_u = __lasx_xvilvl_b(m_u, m_u); \ m_v = __lasx_xvilvl_b(m_v, m_v); \ From f2145744a2e283e91eb4dc337c2c414af1bad283 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 20:06:49 +0200 Subject: [PATCH 371/562] avformat/iamf_parse: Check for 0 samples Fixes: division by zero Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872 Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer 
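Review bot: Inside the new `if (c->srcFormat == AV_PIX_FMT_YUV420P)` block every `if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat)) { break; } else return ...;` is dead logic — AV_PIX_FMT_YUV420P has no alpha plane, so isALPHA() is false and the `break` can never execute — and the same holds for the LSX block below it. Each RGBA/ARGB/BGRA/ABGR case can simply `return yuv420_rgba32_lasx;` (and likewise for the other three and for the `_lsx` variants), which removes one level of nesting and eight branches that can never be taken. If further source formats are planned, a comment on the outer `if` noting that the LASX/LSX kernels handle only 4:2:0 input would make the gate self-explaining.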
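Review bot: The switch from `__lasx_xvldrepl_d` to `__lasx_xvldrepl_w` for the chroma loads in YUV2RGB_RES is unexplained in the macro, while the luma loads stay 64-bit, so the asymmetry looks like a typo to the next reader. A comment such as `/* 4 chroma bytes per 8 luma pixels: load 32 bits, not 64 */` on the `m_u` line would document it — presumably the 64-bit load was reading past the end of the chroma row, which is what the checkasm failure caught, but the per-iteration pixel count is outside the hunk and should be confirmed. YUV2RGB_RES continues outside the hunk.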
Signed-off-by: Michael Niedermayer (cherry picked from commit ed96ac87a94aa0943412af93ef51c22cdc4c907c) Signed-off-by: Michael Niedermayer
---
 libavformat/iamf_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 3eb36f56f5..a222a46c86 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 if (ret < 0)
 goto fail;
- if ((codec_config->nb_samples > INT_MAX) ||
+ if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 ||
 (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
 ret = AVERROR_INVALIDDATA;
 goto fail;
From 8b0cf8ab3174865b602b0502dc1fb9436a595be5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 372/562] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 337c00e789..7914f79904 100644
--- a/libavcodec/utils.c
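Review bot: The added `codec_config->nb_samples <= 0` term is what keeps the `INT_MAX / codec_config->nb_samples` division on the next line from dividing by zero, but nothing marks that the order of the `||` operands is load-bearing; a comment above the `if`, `/* nb_samples is the divisor below: reject 0 and negatives before dividing */`, would stop a later tidy-up from reordering the chain. If nb_samples is a plain 32-bit int the pre-existing `> INT_MAX` term can never be true and could go; if it is wider both terms are needed — its type is outside the hunk. codec_config_obu continues outside the hunk.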
+++ b/libavcodec/utils.c
@@ -259,6 +259,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
 if (s->codec_id == AV_CODEC_ID_SVQ1) {
 w_align = 64;
 h_align = 64;
+ } else if (s->codec_id == AV_CODEC_ID_SNOW) {
+ w_align = 16;
+ h_align = 16;
 }
 break;
 case AV_PIX_FMT_RGB555:
From 679a572e44e5cecba42d43dde7892a1502c43c25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 373/562] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) Signed-off-by: Michael Niedermayer
---
 libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 59815d00d9..1b0fc6dc7d 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -427,7 +427,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){
 !FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer, width * height) || //FIXME this does not belong here
 !FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer, width) ||
 !FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer, width) ||
- !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1)))
+ !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1))
 return AVERROR(ENOMEM);
 for(i=0; i Date: Fri, 2 Aug 2024 22:17:43 +0200 Subject: [PATCH 374/562] Update for 7.0.2 Signed-off-by: Michael Niedermayer
---
 Changelog | 230 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 232 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 16320d2fe5..2faa8f3805 100644
--- a/Changelog
+++ b/Changelog
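Review bot: The new SNOW branch mirrors the SVQ1 one but gives no reason for 16, and the constant will look arbitrary next to SVQ1's 64. A comment on the `else if` line taken from the description, `// snow: block-based motion estimation reads past the frame edge; needs 16-aligned planes`, makes it self-explaining, and the description's own remark that this should ideally apply to the encoder only deserves a `// FIXME: only needed when encoding` marker so the extra decoder memory is not forgotten. avcodec_align_dimensions2 continues outside the hunk.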
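Review bot: The `+ 1` on the run_buffer allocation is a bare magic adjustment whose only justification is the commit title; the next person tidying this allocation list has nothing in the code telling them it is deliberate. A trailing comment, `/* +1: the run-length coder accesses one element past the (w/2)*(h/2) grid */`, worded to match whatever the consumer actually does, would protect it. The product `((width + 1) >> 1) * ((height + 1) >> 1)` is also evaluated in int before the macro sees it — presumably safe given the dimension checks done at open, but that is outside the hunk and worth confirming. ff_snow_common_init continues outside the hunk.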
@@ -1,6 +1,236 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 7.0.2: + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + avformat/iamf_parse: Check for 0 samples + swscale: [loongarch] Fix checkasm-sw_yuv2rgb failure. + avcodec/aacps_tablegen_template: don't redefine CONFIG_HARDCODED_TABLES + avutil/hwcontext_vaapi: use the correct type for VASurfaceAttribExternalBuffers.buffers + avcodec/pcm-bluray/dvd: Use correct pointer types on BE + avcodec/pngenc: fix sBIT writing for indexed-color PNGs + avcodec/pngdec: use 8-bit sBIT cap for indexed PNGs per spec + avformat/mov: check that child boxes of trak are only present inside it + avformat/mov: check that sample and chunk count is 1 for HEIF + avcodec/videotoolboxenc: Fix bitrate doesn't work as expected + avdevice/dshow: Don't skip audio devices if no video device is present + avcodec/hdrenc: Allocate more space + avcodec/cfhdenc: Height of 16 is not supported + avcodec/cfhdenc: Allocate more space + avcodec/osq: fix integer overflow when applying factor + avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter() + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/alsdec: Clear shift_value + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avformat/mov: add an EOF check in IPRP + avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/webpenc: Check filesize in trailer + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + 
avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/hlsenc: Check ret + avformat/bintext: Check avio_size() return + avformat/asfdec_o: Check size of index object + avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure + avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() + avfilter/vf_lut3d: Check av_scanf() + avfilter/vf_elbg: Use unsigned for shifting into the top bit + avfilter/vf_premultiply: Use AV_PIX_MAX_PLANES + avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables + avformat/iamf_parse: Check for negative sample sizes + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in bisect loop + avutil/timecode: Use a 64bit framenum internally + avcodec/pnmdec: Use 64bit for input size check + avformat/mov: Check extradata in mov_read_iacb() + avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/j2kenc: Merge dwt_norm into lambda + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() + avcodec/tiff: Check value on positive signed targets + avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Remove NULL check on pin + avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow: Cleanup also on av_log case + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do 
not overrun the link_penalty array + avcodec/osq: avoid signed overflow in downsample path + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/mlpenc: Use 64 for ml, mr + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/leaddec: Check init_get_bits8() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/cri: Check length + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + avfilter/vf_tiltandshift: Free dst on error + doc/examples/mux: remove nop + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset + avformat/rtmpproto: Use AV_DICT_MATCH_CASE instead of litteral number + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/wchar_filename: Correct sizeof + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + avcodec/vvc/refs: Use unsigned mask + doc/examples/vaapi_encode: Try to check fwrite() for failure + avformat/usmdec: Initialize value + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + swscale/swscale: Use ptrdiff_t for linesize 
computations + avfilter/af_amerge: Cleanup on av_channel_layout_copy() failure + avfilter/af_afir: Assert format + avfilter/af_afftdn: Assert format + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + avfilter/af_mcompand: compute half frequency in double + avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds + avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avfilter/drawutils: Fix depthb computation + avfilter/avf_showcwt: Check av_parse_video_rate() for failure + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avformat/mxfenc: resurrects the error print + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avcodec/vvc/ctu: Remove dead ret check + avcodec/vvc/dec: Remove constant eos_at_start + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + fftools/ffplay: Check vulkan_params + fftools/ffmpeg_enc: Initialize Decoder + fftools/ffmpeg_enc: Initialize fd + fftools/ffmpeg_enc: simplify opaque_ref check + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() for failure + avcodec/vvc/dec: Check ff_init_cabac_decoder() for failure + MAINTAINERS: Add Timo Rothenpieler to server admins + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + 
tools/target_dec_fuzzer: Adjust threshold for MV30 + tools/target_dec_fuzzer: Adjust threshold for jpeg2000 + avformat/mxfdec: Check container_ul->desc before use + avcodec/libvpxenc: Cleanup on error + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + doc/developer: Provide information about git send-email and gmail + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/mov: Use int64_t in intermediate for corrected_dts + avformat/mov: Use 64bit in intermediate for current_dts + avformat/matroskadec: Assert that num_levels is non negative + avformat/libzmq: Check av_strstart() + avformat/img2dec: Little JFIF / Exif cleanup + avformat/img2dec: Move DQT after unrelated if() + avformat/imfdec: Simplify get_next_track_with_minimum_timestamp() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/libx264: Check init_get_bits8() return code + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/proresenc_anatoliy: Assert that AV_PROFILE_UNKNOWN is replaced + avcodec/pcm-dvdenc: 64bit pkt-size + avcodec/notchlc: Check init_get_bits8() for failure + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/vvc/mvs: Initialize mvf + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/fwse: Remove always false expression + avcodec/sga: Make it clear that the return is intentionally not checked + avformat/asfdec_f: Use 64bit for preroll computation + avformat/argo_asf: Use 64bit in offset intermediate + avformat/ape: Use 64bit for final frame size + avformat/ac4dec: Check remaining space in ac4_probe() + avdevice/pulse_audio_enc: Use av_rescale() 
to avoid integer overflow + avcodec/vlc: Cleanup on multi table alloc failure in ff_vlc_init_multi_from_lengths() + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() + tools/decode_simple: Check avcodec_send_packet() for errors on flushing + swscale/yuv2rgb: Use 64bit for brightness computation + swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avformat/demux: resurrect dead stores + avcodec/tests/bitstream_template: Assert bits_init8() return + tools/enc_recon_frame_test: Assert that av_image_get_linesize() succeeds + avformat/iamf_writer: disallow Opus extradata with mapping family other than 0 + avformat/iamf_parse: sanitize audio_roll_distance values + avformat/iamf: byteswap values in OpusHeader + avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance + avformat/iamf_writer: fix coded audio_roll_distance values + avformat/iamf_writer: fix PCM endian-ness flag + avformat/movenc: fix channel count and samplerate fields for IAMF tracks + avformat/iamf_parse: keep substream count consistent + avformat/iamf_parse: add missing padding to AAC extradata + avformat/iamf_parse: 0 layers are not allowed + avformat/iamf_parse: consider nb_substreams when accessing substreams array + avformat/iamf_parse: Remove dead case + avcodec/png: more informative error message for invalid sBIT size + avcodec/pngdec: avoid erroring with sBIT on indexed-color images + avfilter/vf_tiltandshift: fix buffer offset for yuv422p input + avutil/timestamp: avoid possible FPE when 0 is passed to av_ts_make_time_string2() + avformat/mov: add more checks for infe atom size + avformat/mov: check for EOF inside the infe list parsing loop + avformat/mov: check extent_offset calculation for overflow + 
avformat/mov: check that iloc offset values fit on an int64_t + avcodec/pngenc: fix mDCv typo + avcodec/pngdec: fix mDCv typo + avcodec/nvenc: fix segfault in intra-only mode + avdevice/avfoundation: add external video devices + aarch64: Add OpenBSD runtime detection of dotprod and i8mm using sysctl + fftools/ffplay_renderer: use correct NULL value for Vulkan type + qsv: Initialize impl_value + avutil/hwcontext_qsv: fix GCC 14.1 warnings + avcodec/mediacodecenc: workaround the alignment requirement for H.265 + avcodec/mediacodecenc: workaround the alignment requirement only for H.264 + lavc/lpc: fix off-by-one in R-V V compute_autocorr + lavc/vp9: reset segmentation fields when segmentation isn't enabled + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + lavc/sbrdsp: fix potential overflow in noise table + version 7.0.1: lavc/flacdsp: do not assume maximum R-V VL avformat/flacdec: Reorder allocations to avoid leak on error diff --git a/RELEASE b/RELEASE index 9fe9ff9d99..a8907c025d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -7.0.1 +7.0.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 509241be17..da0bb267c9 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 7.0.1 +PROJECT_NUMBER = 7.0.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 714635937a9275282f2f6365b9e4619cb270a9f1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 31 Jul 2024 22:19:53 -0300 Subject: [PATCH 375/562] avformat/mov: fix track handling when mixing IAMF and video tracks Fixes crashes when muxing the two together. 
Signed-off-by: James Almer (cherry picked from commit 5b87869c09cece1583e74b6f796aa825a4765631) --- libavformat/movenc.c | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 2d3a4db1d2..6241a66f90 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -7155,7 +7155,9 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track, static int mov_init_iamf_track(AVFormatContext *s) { MOVMuxContext *mov = s->priv_data; - MOVTrack *track = &mov->tracks[0]; // IAMF if present is always the first track + MOVTrack *track; + IAMFContext *iamf; + int first_iamf_idx = INT_MAX, last_iamf_idx = 0; int nb_audio_elements = 0, nb_mix_presentations = 0; int ret; @@ -7177,24 +7179,24 @@ static int mov_init_iamf_track(AVFormatContext *s) return AVERROR(EINVAL); } - track->iamf = av_mallocz(sizeof(*track->iamf)); - if (!track->iamf) + iamf = av_mallocz(sizeof(*iamf)); + if (!iamf) return AVERROR(ENOMEM); + for (int i = 0; i < s->nb_stream_groups; i++) { const AVStreamGroup *stg = s->stream_groups[i]; switch(stg->type) { case AV_STREAM_GROUP_PARAMS_IAMF_AUDIO_ELEMENT: for (int j = 0; j < stg->nb_streams; j++) { - track->first_iamf_idx = FFMIN(stg->streams[j]->index, track->first_iamf_idx); - track->last_iamf_idx = FFMAX(stg->streams[j]->index, track->last_iamf_idx); - stg->streams[j]->priv_data = track; + first_iamf_idx = FFMIN(stg->streams[j]->index, first_iamf_idx); + last_iamf_idx = FFMAX(stg->streams[j]->index, last_iamf_idx); } - ret = ff_iamf_add_audio_element(track->iamf, stg, s); + ret = ff_iamf_add_audio_element(iamf, stg, s); break; case AV_STREAM_GROUP_PARAMS_IAMF_MIX_PRESENTATION: - ret = ff_iamf_add_mix_presentation(track->iamf, stg, s); + ret = ff_iamf_add_mix_presentation(iamf, stg, s); break; default: av_assert0(0); 
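Review bot: `iamf` is now a plain local between `av_mallocz()` and the `track->iamf = iamf;` assignment in the next hunk, so the `if (ret < 0) return ret;` that follows the switch (visible as context at the top of the next hunk) leaks the IAMFContext — and anything ff_iamf_add_audio_element()/ff_iamf_add_mix_presentation() attached to it — when a stream group is rejected; before this change the track owned the pointer and presumably freed it on teardown. The error path should release it before returning, e.g. `ff_iamf_uninit_context(iamf); av_free(iamf); return ret;` if that is the helper the muxer already uses for track->iamf. first_iamf_idx also starts at INT_MAX, so if no audio-element group contributes a stream the later `&mov->tracks[first_iamf_idx]` indexes out of bounds; the nb_audio_elements check above presumably rules that out, but it lies outside the hunk. mov_init_iamf_track starts before this hunk and ends after it.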
@@ -7203,8 +7205,20 @@ static int mov_init_iamf_track(AVFormatContext *s) return ret; } + track = &mov->tracks[first_iamf_idx]; + track->iamf = iamf; + track->first_iamf_idx = first_iamf_idx; + track->last_iamf_idx = last_iamf_idx; track->tag = MKTAG('i','a','m','f'); + for (int i = 0; i < s->nb_stream_groups; i++) { + AVStreamGroup *stg = s->stream_groups[i]; + if (stg->type != AV_STREAM_GROUP_PARAMS_IAMF_AUDIO_ELEMENT) + continue; + for (int j = 0; j < stg->nb_streams; j++) + stg->streams[j]->priv_data = track; + } + ret = avio_open_dyn_buf(&track->iamf_buf); if (ret < 0) return ret; @@ -7215,6 +7229,7 @@ static int mov_init_iamf_track(AVFormatContext *s) static int mov_init(AVFormatContext *s) { MOVMuxContext *mov = s->priv_data; + int has_iamf = 0; int i, ret; mov->fc = s; @@ -7365,6 +7380,7 @@ static int mov_init(AVFormatContext *s) } st->priv_data = st; } + has_iamf = 1; if (!mov->nb_tracks) // We support one track for the entire IAMF structure mov->nb_tracks++; @@ -7461,8 +7477,11 @@ static int mov_init(AVFormatContext *s) for (int j = 0, i = 0; j < s->nb_streams; j++) { AVStream *st = s->streams[j]; - if (st != st->priv_data) + if (st != st->priv_data) { + if (has_iamf) + i += has_iamf--; continue; + } st->priv_data = &mov->tracks[i++]; } From 345855af80abdb0638841697cf3e0364a80f191a Mon Sep 17 00:00:00 2001 From: David Rosca Date: Wed, 8 May 2024 09:11:11 +0200 Subject: [PATCH 376/562] lavc/vaapi_decode: Make it possible to send multiple slice params buffers Reviewed-by: Neal Gompa Signed-off-by: David Rosca 
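Review bot: `if (has_iamf) i += has_iamf--;` folds "skip one track slot, exactly once" into a post-decrement inside an addition, which reads as a puzzle rather than as intent; `i++; has_iamf = 0;` with `/* one track slot is reserved for the entire IAMF structure */` says the same thing plainly and matches the existing comment at the `mov->nb_tracks++` site. The idiom also depends on has_iamf only ever being 0 or 1, which the `has_iamf = 1;` in the previous hunk guarantees today but nothing enforces. mov_init continues outside the hunk.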
Signed-off-by: Haihao Xiang (cherry picked from commit fe9d889dcd79ea18d4dfaa39df4ddbd4c8c3b15c) --- libavcodec/vaapi_av1.c | 2 +- libavcodec/vaapi_decode.c | 3 ++- libavcodec/vaapi_decode.h | 1 + libavcodec/vaapi_h264.c | 2 +- libavcodec/vaapi_hevc.c | 4 ++-- libavcodec/vaapi_mjpeg.c | 2 +- libavcodec/vaapi_mpeg2.c | 2 +- libavcodec/vaapi_mpeg4.c | 2 +- libavcodec/vaapi_vc1.c | 2 +- libavcodec/vaapi_vp8.c | 2 +- libavcodec/vaapi_vp9.c | 2 +- 11 files changed, 13 insertions(+), 11 deletions(-) diff --git a/libavcodec/vaapi_av1.c b/libavcodec/vaapi_av1.c index 5bf81fc97f..281cde27bc 100644 --- a/libavcodec/vaapi_av1.c +++ b/libavcodec/vaapi_av1.c @@ -409,7 +409,7 @@ static int vaapi_av1_decode_slice(AVCodecContext *avctx, .tg_end = s->tg_end, }; - err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &slice_param, + err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &slice_param, 1, sizeof(VASliceParameterBufferAV1), buffer, size); diff --git a/libavcodec/vaapi_decode.c b/libavcodec/vaapi_decode.c index cca94b5336..cd11093fea 100644 --- a/libavcodec/vaapi_decode.c +++ b/libavcodec/vaapi_decode.c @@ -62,6 +62,7 @@ int ff_vaapi_decode_make_param_buffer(AVCodecContext *avctx, int ff_vaapi_decode_make_slice_buffer(AVCodecContext *avctx, VAAPIDecodePicture *pic, const void *params_data, + int nb_params, size_t params_size, const void *slice_data, size_t slice_size) @@ -87,7 +88,7 @@ int ff_vaapi_decode_make_slice_buffer(AVCodecContext *avctx, vas = vaCreateBuffer(ctx->hwctx->display, ctx->va_context, VASliceParameterBufferType, - params_size, 1, (void*)params_data, + params_size, nb_params, (void*)params_data, &pic->slice_buffers[index]); if (vas != VA_STATUS_SUCCESS) { av_log(avctx, AV_LOG_ERROR, "Failed to create slice " diff --git a/libavcodec/vaapi_decode.h b/libavcodec/vaapi_decode.h index 6beda14e52..702171e108 100644 --- a/libavcodec/vaapi_decode.h +++ b/libavcodec/vaapi_decode.h 
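Review bot: `nb_params` is declared `int` but is passed straight through as vaCreateBuffer's `num_elements`, which is `unsigned int`, so a zero or negative count from a caller becomes an empty or enormous buffer request instead of an error; a guard at the top of ff_vaapi_decode_make_slice_buffer, `if (nb_params <= 0) return AVERROR(EINVAL);`, or declaring the parameter `unsigned`, closes that. Every call site touched in this series passes the literal 1, so the multi-element path is not exercised by the patch itself. The function body continues outside the hunk.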
@@ -73,6 +73,7 @@ int ff_vaapi_decode_make_param_buffer(AVCodecContext *avctx, int ff_vaapi_decode_make_slice_buffer(AVCodecContext *avctx, VAAPIDecodePicture *pic, const void *params_data, + int nb_params, size_t params_size, const void *slice_data, size_t slice_size); diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c index 55cf5a05ee..b47531ce1c 100644 --- a/libavcodec/vaapi_h264.c +++ b/libavcodec/vaapi_h264.c @@ -375,7 +375,7 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx, slice_param.chroma_offset_l1); err = ff_vaapi_decode_make_slice_buffer(avctx, pic, - &slice_param, sizeof(slice_param), + &slice_param, 1, sizeof(slice_param), buffer, size); if (err) { ff_vaapi_decode_cancel(avctx, pic); diff --git a/libavcodec/vaapi_hevc.c b/libavcodec/vaapi_hevc.c index 3bdd2dd1b8..3937b7574a 100644 --- a/libavcodec/vaapi_hevc.c +++ b/libavcodec/vaapi_hevc.c @@ -353,7 +353,7 @@ static int vaapi_hevc_end_frame(AVCodecContext *avctx) if (pic->last_size) { last_slice_param->LongSliceFlags.fields.LastSliceOfPic = 1; ret = ff_vaapi_decode_make_slice_buffer(avctx, &pic->pic, - &pic->last_slice_param, slice_param_size, + &pic->last_slice_param, 1, slice_param_size, pic->last_buffer, pic->last_size); if (ret < 0) goto fail; @@ -471,7 +471,7 @@ static int vaapi_hevc_decode_slice(AVCodecContext *avctx, if (!sh->first_slice_in_pic_flag) { err = ff_vaapi_decode_make_slice_buffer(avctx, &pic->pic, - &pic->last_slice_param, slice_param_size, + &pic->last_slice_param, 1, slice_param_size, pic->last_buffer, pic->last_size); pic->last_buffer = NULL; pic->last_size = 0; diff --git a/libavcodec/vaapi_mjpeg.c b/libavcodec/vaapi_mjpeg.c index 5b8d47bb2a..9557cf5f9b 100644 --- a/libavcodec/vaapi_mjpeg.c +++ b/libavcodec/vaapi_mjpeg.c 
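Review bot: The new `nb_params` parameter in the ff_vaapi_decode_make_slice_buffer() prototype is undocumented, and its relationship to `params_size` (size per element or total size) can only be learned by reading the vaCreateBuffer call in the implementation. A comment on the declaration such as `/* nb_params: number of slice parameter structs at params_data, each params_size bytes */` settles that for every decoder that calls it. The surrounding declaration block in the header starts outside the hunk.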
@@ -131,7 +131,7 @@ static int vaapi_mjpeg_decode_slice(AVCodecContext *avctx, sp.components[i].ac_table_selector = s->ac_index[i]; } - err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &sp, sizeof(sp), buffer, size); + err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &sp, 1, sizeof(sp), buffer, size); if (err) goto fail; diff --git a/libavcodec/vaapi_mpeg2.c b/libavcodec/vaapi_mpeg2.c index eeb4e87321..171a742c7f 100644 --- a/libavcodec/vaapi_mpeg2.c +++ b/libavcodec/vaapi_mpeg2.c @@ -162,7 +162,7 @@ static int vaapi_mpeg2_decode_slice(AVCodecContext *avctx, const uint8_t *buffer }; err = ff_vaapi_decode_make_slice_buffer(avctx, pic, - &slice_param, sizeof(slice_param), + &slice_param, 1, sizeof(slice_param), buffer, size); if (err < 0) { ff_vaapi_decode_cancel(avctx, pic); diff --git a/libavcodec/vaapi_mpeg4.c b/libavcodec/vaapi_mpeg4.c index 363b686e42..612de10cd7 100644 --- a/libavcodec/vaapi_mpeg4.c +++ b/libavcodec/vaapi_mpeg4.c @@ -169,7 +169,7 @@ static int vaapi_mpeg4_decode_slice(AVCodecContext *avctx, const uint8_t *buffer }; err = ff_vaapi_decode_make_slice_buffer(avctx, pic, - &slice_param, sizeof(slice_param), + &slice_param, 1, sizeof(slice_param), buffer, size); if (err < 0) { ff_vaapi_decode_cancel(avctx, pic); diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index 09a5c852fc..0339ccc043 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -489,7 +489,7 @@ static int vaapi_vc1_decode_slice(AVCodecContext *avctx, const uint8_t *buffer, }; err = ff_vaapi_decode_make_slice_buffer(avctx, pic, - &slice_param, sizeof(slice_param), + &slice_param, 1, sizeof(slice_param), buffer, size); if (err < 0) { ff_vaapi_decode_cancel(avctx, pic); diff --git a/libavcodec/vaapi_vp8.c b/libavcodec/vaapi_vp8.c index 31137a45bd..66fdde1f39 100644 --- a/libavcodec/vaapi_vp8.c +++ b/libavcodec/vaapi_vp8.c 
@@ -209,7 +209,7 @@ static int vaapi_vp8_decode_slice(AVCodecContext *avctx, for (i = 0; i < 8; i++) sp.partition_size[i+1] = s->coeff_partition_size[i]; - err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &sp, sizeof(sp), data, data_size); + err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &sp, 1, sizeof(sp), data, data_size); if (err) goto fail; diff --git a/libavcodec/vaapi_vp9.c b/libavcodec/vaapi_vp9.c index 9dc7d5e72b..ff11022db7 100644 --- a/libavcodec/vaapi_vp9.c +++ b/libavcodec/vaapi_vp9.c @@ -158,7 +158,7 @@ static int vaapi_vp9_decode_slice(AVCodecContext *avctx, } err = ff_vaapi_decode_make_slice_buffer(avctx, pic, - &slice_param, sizeof(slice_param), + &slice_param, 1, sizeof(slice_param), buffer, size); if (err) { ff_vaapi_decode_cancel(avctx, pic); From 96e648ddbc10795fed2e97641f469f5b64c6a109 Mon Sep 17 00:00:00 2001 From: David Rosca Date: Wed, 8 May 2024 09:11:13 +0200 Subject: [PATCH 377/562] lavc/vaapi_av1: Avoid sending the same slice buffer multiple times When there are multiple tiles in one slice buffer, use multiple slice params to avoid sending the same slice buffer multiple times and thus increasing the bitstream size the driver will need to upload to hw. Reviewed-by: Neal Gompa Signed-off-by: David Rosca Signed-off-by: Haihao Xiang (cherry picked from commit d2d911eb9a2fc6eb8d86b3ae025a56c1a2692fba) --- libavcodec/vaapi_av1.c | 47 +++++++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/libavcodec/vaapi_av1.c b/libavcodec/vaapi_av1.c index 281cde27bc..38811630cc 100644 --- a/libavcodec/vaapi_av1.c +++ b/libavcodec/vaapi_av1.c @@ -19,6 +19,7 @@ */ #include "libavutil/frame.h" +#include "libavutil/mem.h" #include "hwaccel_internal.h" #include "vaapi_decode.h" #include "internal.h" 
@@ -42,6 +43,9 @@ typedef struct VAAPIAV1DecContext { */ VAAPIAV1FrameRef ref_tab[AV1_NUM_REF_FRAMES]; AVFrame *tmp_frame; + + int nb_slice_params; + VASliceParameterBufferAV1 *slice_params; } VAAPIAV1DecContext; static VASurfaceID vaapi_av1_surface_id(AV1Frame *vf) @@ -97,6 +101,8 @@ static int vaapi_av1_decode_uninit(AVCodecContext *avctx) for (int i = 0; i < FF_ARRAY_ELEMS(ctx->ref_tab); i++) av_frame_free(&ctx->ref_tab[i].frame); + av_freep(&ctx->slice_params); + return ff_vaapi_decode_uninit(avctx); } @@ -393,13 +399,24 @@ static int vaapi_av1_decode_slice(AVCodecContext *avctx, { const AV1DecContext *s = avctx->priv_data; VAAPIDecodePicture *pic = s->cur_frame.hwaccel_picture_private; - VASliceParameterBufferAV1 slice_param; - int err = 0; + VAAPIAV1DecContext *ctx = avctx->internal->hwaccel_priv_data; + int err, nb_params; + + nb_params = s->tg_end - s->tg_start + 1; + if (ctx->nb_slice_params < nb_params) { + ctx->slice_params = av_realloc_array(ctx->slice_params, + nb_params, + sizeof(*ctx->slice_params)); + if (!ctx->slice_params) { + ctx->nb_slice_params = 0; + err = AVERROR(ENOMEM); + goto fail; + } + ctx->nb_slice_params = nb_params; + } for (int i = s->tg_start; i <= s->tg_end; i++) { - memset(&slice_param, 0, sizeof(VASliceParameterBufferAV1)); - - slice_param = (VASliceParameterBufferAV1) { + ctx->slice_params[i - s->tg_start] = (VASliceParameterBufferAV1) { .slice_data_size = s->tile_group_info[i].tile_size, .slice_data_offset = s->tile_group_info[i].tile_offset, .slice_data_flag = VA_SLICE_DATA_FLAG_ALL, 
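Review bot: `ctx->slice_params = av_realloc_array(ctx->slice_params, ...)` in the `@@ -393` hunk of vaapi_av1_decode_slice overwrites the only pointer to the existing buffer on failure, so the previous allocation leaks whenever the grow fails (the NULL result is stored and nb_slice_params reset, but the old block is never freed). The pointer-taking form, `err = av_reallocp_array(&ctx->slice_params, nb_params, sizeof(*ctx->slice_params)); if (err < 0) { ctx->nb_slice_params = 0; goto fail; }`, frees the old buffer for you on failure and also removes the manual ENOMEM construction. `nb_params = s->tg_end - s->tg_start + 1` is used unvalidated as well; if tg_end < tg_start can occur here (not visible from the hunk), the realloc is skipped and a non-positive count reaches ff_vaapi_decode_make_slice_buffer, so a `nb_params <= 0` check returning `AVERROR_INVALIDDATA` would be cheap insurance. The function's body continues in the next hunk.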
@@ -408,18 +425,20 @@ static int vaapi_av1_decode_slice(AVCodecContext *avctx, .tg_start = s->tg_start, .tg_end = s->tg_end, }; - - err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &slice_param, 1, - sizeof(VASliceParameterBufferAV1), - buffer, - size); - if (err) { - ff_vaapi_decode_cancel(avctx, pic); - return err; - } } + err = ff_vaapi_decode_make_slice_buffer(avctx, pic, ctx->slice_params, nb_params, + sizeof(VASliceParameterBufferAV1), + buffer, + size); + if (err) + goto fail; + return 0; + +fail: + ff_vaapi_decode_cancel(avctx, pic); + return err; } const FFHWAccel ff_av1_vaapi_hwaccel = { From 5ba8efe90bf9a826f30227e8af260580aeb92b4e Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 14 Aug 2024 13:46:53 -0300 Subject: [PATCH 378/562] avformat/iamf_parse: ignore Audio Elements with an unsupported type Better fix for the NULL pointer dereference from d7f83fc2f423. Signed-off-by: James Almer (cherry picked from commit 66c05dc03163998fb9a90ebd53e2c39a4f95b7ea) --- libavformat/iamf_parse.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index a222a46c86..af19b31e70 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -636,6 +636,12 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) } audio_element_type = avio_r8(pbc) >> 5; + if (audio_element_type > AV_IAMF_AUDIO_ELEMENT_TYPE_SCENE) { + av_log(s, AV_LOG_DEBUG, "Unknown audio_element_type referenced in an audio element. Ignoring\n"); + ret = 0; + goto fail; + } + codec_config_id = ffio_read_leb(pbc); codec_config = ff_iamf_get_codec_config(c, codec_config_id); @@ -751,8 +757,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) if (ret < 0) goto fail; } else { - unsigned audio_element_config_size = ffio_read_leb(pbc); - avio_skip(pbc, audio_element_config_size); + av_assert0(0); } c->audio_elements[c->nb_audio_elements++] = audio_element; 
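Review bot: The `av_assert0(0)` that replaces the skip in the `@@ -751` hunk of audio_element_obu is unreachable only because of the range check added in the `@@ -636` hunk much earlier in the function, and nothing at the assert says so; a comment `/* unreachable: reserved audio_element_type values were rejected right after reading the type */` ties the two together so a later change to the range check cannot quietly turn this into an abort on malformed input. The early-out also jumps to `fail` with `ret = 0`; that reads as deliberate (the element is dropped and parsing continues), but it relies on the cleanup at `fail` releasing the partially built audio_element and on the caller treating 0 as "nothing appended", so a short comment on the `ret = 0` line stating that intent would help. The body of audio_element_obu starts and ends outside both hunks.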
From 5ff181c02544078cd02d200e5a517357e6bf65e3 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 9 Aug 2024 11:32:00 +0100 Subject: [PATCH 379/562] libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit binutils 2.43 has stricter validation for labels[1] and results in errors when building ffmpeg for armv5: src/libavcodec/arm/mlpdsp_armv5te.S:232: Error: junk at end of line, first unrecognized character is `0' Remove the leading zero in the "01" label to resolve this error. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=226749d5a6ff0d5c607d6428d6c81e1e7e7a994b Signed-off-by: Ross Burton Signed-off-by: Martin Storsjö (cherry picked from commit 654bd47716c4f36719fb0f3f7fd8386d5ed0b916) --- libavcodec/arm/mlpdsp_armv5te.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f From 7e69129d2f7a294c4e15eba0c2007b96351fc2a4 Mon Sep 17 00:00:00 2001 
From: Timo Rothenpieler Date: Fri, 16 Aug 2024 02:01:12 +0200 Subject: [PATCH 380/562] avformat/hlsenc: correctly reset subtitle stream counter per-varstream Without resetting it, if there was a previous set of varstreams with subtitles, it would subtract from all the streams, leading to chaos and segfaults when trying to access for example stream -1. --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 1ec4d50485..bf294549a9 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2427,7 +2427,6 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) int is_ref_pkt = 1; int ret = 0, can_split = 1, i, j; int stream_index = 0; - int subtitle_streams = 0; int range_length = 0; const char *proto = NULL; int use_temp_file = 0; @@ -2435,6 +2434,7 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) char *old_filename = NULL; for (i = 0; i < hls->nb_varstreams; i++) { + int subtitle_streams = 0; vs = &hls->var_streams[i]; for (j = 0; j < vs->nb_streams; j++) { if (vs->streams[j]->codecpar->codec_type == AVMEDIA_TYPE_SUBTITLE) { From 7950855197cff106f62aa5a63ce22804ac9441c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Aug 2024 16:34:19 +0200 Subject: [PATCH 381/562] avformat/iamf_parse: clear padding Fixes: use of uninitialized value Fixes: 70929/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5931276639469568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 7e5410eadb51645e67d91708494c7566771f9015) --- libavformat/iamf_parse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index af19b31e70..3abbf70c8d 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c 
@@ -1080,6 +1080,7 @@ int ff_iamfdec_read_descriptors(IAMFContext *c, AVIOContext *pb, size = avio_read(pb, header, FFMIN(MAX_IAMF_OBU_HEADER_SIZE, max_size)); if (size < 0) return size; + memset(header + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); len = ff_iamf_parse_obu_header(header, size, &obu_size, &start_pos, &type, NULL, NULL); if (len < 0 || obu_size > max_size) { From 48a53bc2c72c91c8fc00ec6d8184f0829eb0a8fa Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 29 Aug 2024 21:17:38 -0300 Subject: [PATCH 382/562] avformat/isom: make parameters used for loging a pointer to void Signed-off-by: James Almer (cherry picked from commit 9d095f127a38c587ebc217353e80d400d77629fc) --- libavformat/isom.c | 18 +++++++++--------- libavformat/isom.h | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavformat/isom.c b/libavformat/isom.c index c5930bd4d8..0e9b7ba0d9 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -292,12 +292,12 @@ int ff_mp4_read_descr_len(AVIOContext *pb) return len; } -int ff_mp4_read_descr(AVFormatContext *fc, AVIOContext *pb, int *tag) +int ff_mp4_read_descr(void *logctx, AVIOContext *pb, int *tag) { int len; *tag = avio_r8(pb); len = ff_mp4_read_descr_len(pb); - av_log(fc, AV_LOG_TRACE, "MPEG-4 description: tag=0x%02x len=%d\n", *tag, len); + av_log(logctx, AV_LOG_TRACE, "MPEG-4 description: tag=0x%02x len=%d\n", *tag, len); return len; } @@ -326,7 +326,7 @@ static const AVCodecTag mp4_audio_types[] = { { AV_CODEC_ID_NONE, AOT_NULL }, }; -int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext *pb) +int ff_mp4_read_dec_config_descr(void *logctx, AVStream *st, AVIOContext *pb) { enum AVCodecID codec_id; int len, tag; 
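Review bot: The new `memset(header + size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` in ff_iamfdec_read_descriptors is correct only if `header` is declared with AV_INPUT_BUFFER_PADDING_SIZE bytes of slack beyond MAX_IAMF_OBU_HEADER_SIZE; the declaration is outside the hunk, so I cannot confirm it, and if the slack is absent the write that fixes the uninitialized read becomes an overflow of a stack buffer. A comment at the memset naming the dependency, `// header has AV_INPUT_BUFFER_PADDING_SIZE bytes of slack past MAX_IAMF_OBU_HEADER_SIZE`, plus a static assertion on `sizeof(header)` against that sum, would make the invariant explicit. Which bytes past `size` the header parser actually touches is not visible either, so this is a request for documentation rather than a claim of a defect.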
@@ -341,22 +341,22 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext codec_id= ff_codec_get_id(ff_mp4_obj_type, object_type_id); if (codec_id) st->codecpar->codec_id = codec_id; - av_log(fc, AV_LOG_TRACE, "esds object type id 0x%02x\n", object_type_id); - len = ff_mp4_read_descr(fc, pb, &tag); + av_log(logctx, AV_LOG_TRACE, "esds object type id 0x%02x\n", object_type_id); + len = ff_mp4_read_descr(logctx, pb, &tag); if (tag == MP4DecSpecificDescrTag) { - av_log(fc, AV_LOG_TRACE, "Specific MPEG-4 header len=%d\n", len); + av_log(logctx, AV_LOG_TRACE, "Specific MPEG-4 header len=%d\n", len); /* As per 14496-3:2009 9.D.2.2, No decSpecificInfo is defined for MPEG-1 Audio or MPEG-2 Audio; MPEG-2 AAC excluded. */ if (object_type_id == 0x69 || object_type_id == 0x6b) return 0; if (!len || (uint64_t)len > (1<<30)) return AVERROR_INVALIDDATA; - if ((ret = ff_get_extradata(fc, st->codecpar, pb, len)) < 0) + if ((ret = ff_get_extradata(logctx, st->codecpar, pb, len)) < 0) return ret; if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { MPEG4AudioConfig cfg = {0}; ret = avpriv_mpeg4audio_get_config2(&cfg, st->codecpar->extradata, - st->codecpar->extradata_size, 1, fc); + st->codecpar->extradata_size, 1, logctx); if (ret < 0) return ret; av_channel_layout_uninit(&st->codecpar->ch_layout); @@ -368,7 +368,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext st->codecpar->sample_rate = cfg.ext_sample_rate; else st->codecpar->sample_rate = cfg.sample_rate; - av_log(fc, AV_LOG_TRACE, "mp4a config channels %d obj %d ext obj %d " + av_log(logctx, AV_LOG_TRACE, "mp4a config channels %d obj %d ext obj %d " "sample rate %d ext sample rate %d\n", cfg.channels, cfg.object_type, cfg.ext_object_type, cfg.sample_rate, cfg.ext_sample_rate); diff --git a/libavformat/isom.h b/libavformat/isom.h index c0a5788e08..b7ccc9994b 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h 
@@ -359,8 +359,8 @@ typedef struct MOVContext { } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); -int ff_mp4_read_descr(AVFormatContext *fc, AVIOContext *pb, int *tag); -int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext *pb); +int ff_mp4_read_descr(void *logctx, AVIOContext *pb, int *tag); +int ff_mp4_read_dec_config_descr(void *logctx, AVStream *st, AVIOContext *pb); void ff_mp4_parse_es_descr(AVIOContext *pb, int *es_id); #define MP4ODescrTag 0x01 From 098ab0cd9987392bd54383cb8a8f1cee848a7000 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 29 Aug 2024 21:39:02 -0300 Subject: [PATCH 383/562] avformat/iamf_parse: fix parsing AAC DecoderConfigDescriptor Use ff_mp4_read_descr() to read both the tags and the vlc value that comes after it, which was not being taken into account. Ref: https://github.com/AOMediaCodec/libiamf/issues/119 Signed-off-by: James Almer (cherry picked from commit 38bcb3ba7b3424abd772c72f8bdf445d75285e88) --- libavformat/iamf_parse.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 3abbf70c8d..d6b7be81c0 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -67,7 +67,7 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, if (codec_config->audio_roll_distance >= 0) return AVERROR_INVALIDDATA; - tag = avio_r8(pb); + ff_mp4_read_descr(logctx, pb, &tag); if (tag != MP4DecConfigDescrTag) return AVERROR_INVALIDDATA; 
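Review bot: The length returned by `ff_mp4_read_descr(logctx, pb, &tag)` in the `@@ -67` hunk of aac_decoder_config is discarded, so the DecConfigDescr length is now parsed but never used to bound what follows, while the DecSpecificDescr read in the next hunk is bounded by its returned length; the two descriptors are validated inconsistently. Keeping it in a local, `int dcd_len = ff_mp4_read_descr(logctx, pb, &tag); if (tag != MP4DecConfigDescrTag || dcd_len <= 0 || dcd_len > len - avio_tell(pb)) return AVERROR_INVALIDDATA;`, gives both the same treatment; if the outer `len` already caps the whole read, a comment saying so is enough. The function's body starts outside the hunk.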
@@ -87,12 +87,9 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, if (codec_id && codec_id != codec_config->codec_id) return AVERROR_INVALIDDATA; - tag = avio_r8(pb); - if (tag != MP4DecSpecificDescrTag) - return AVERROR_INVALIDDATA; - - left = len - avio_tell(pb); - if (left <= 0) + left = ff_mp4_read_descr(logctx, pb, &tag); + if (tag != MP4DecSpecificDescrTag || + !left || left > (len - avio_tell(pb))) return AVERROR_INVALIDDATA; // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it. @@ -100,9 +97,9 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, if (!codec_config->extradata) return AVERROR(ENOMEM); - codec_config->extradata_size = avio_read(pb, codec_config->extradata, left); - if (codec_config->extradata_size < left) - return AVERROR_INVALIDDATA; + codec_config->extradata_size = ffio_read_size(pb, codec_config->extradata, left); + if (ret < 0) + return ret; memset(codec_config->extradata + codec_config->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); From fee22dba5ffbd317a6ed5ec0d5a798be17eada13 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 31 Aug 2024 14:32:02 -0300 Subject: [PATCH 384/562] avformat/iamf_parse: use get_bits_long() to read the remaining AAC extradata bits The output of put_bits_left() here can be as big as 27, which is a bit count not supported by get_bits(). Fixes fate-iamf-stereo-demux when using --assert-level=2 Signed-off-by: James Almer (cherry picked from commit fa5d3cc65309052402c6e3223d127b930b9e5699) --- libavformat/iamf_parse.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index d6b7be81c0..7d635402cf 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c 
@@ -305,10 +305,10 @@ static int update_extradata(AVCodecParameters *codecpar) skip_bits(&gb, 4); put_bits(&pb, 4, codecpar->ch_layout.nb_channels); // set channel config ret = put_bits_left(&pb); - put_bits(&pb, ret, get_bits(&gb, ret)); + put_bits(&pb, ret, get_bits_long(&gb, ret)); flush_put_bits(&pb); - memcpy(codecpar->extradata, buf, sizeof(buf)); + memcpy(codecpar->extradata, buf, put_bytes_output(&pb)); break; } case AV_CODEC_ID_FLAC: { From 47844f58691feae90e3df7444c00631a94a65bba Mon Sep 17 00:00:00 2001 From: Marvin Scholz Date: Sat, 31 Aug 2024 22:45:31 +0200 Subject: [PATCH 385/562] avformat/iamf_parse: Fix return of uninitialized value The ret value here is not yet intialized so the return would return uninitialized data. What was probably meant to be checked here was the return value of ffio_read_size, which can return an error. Introduced in 38bcb3ba7b3424abd772c72f8bdf445d75285e88 Fixes: CID1618758 Signed-off-by: James Almer (cherry picked from commit b6a0eab528695c39a0c52889db0c1ce5dd6d99f3) --- libavformat/iamf_parse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 7d635402cf..c8b58921b4 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -97,9 +97,10 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, if (!codec_config->extradata) return AVERROR(ENOMEM); - codec_config->extradata_size = ffio_read_size(pb, codec_config->extradata, left); + ret = ffio_read_size(pb, codec_config->extradata, left); if (ret < 0) return ret; + codec_config->extradata_size = left; memset(codec_config->extradata + codec_config->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); From b9ce1b405a1bbddd716c4eb35c14a2e98ce5c57b Mon Sep 17 00:00:00 2001 
From: Ramiro Polla Date: Wed, 3 Jul 2024 00:30:08 +0200 Subject: [PATCH 386/562] configure: restore autodetection of v4l2 and fbdev The detection logic for v4l2 and fbdev was accidentally modified to depend on v4l2-m2m in 43b3412. (cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278) Signed-off-by: Brad Smith --- configure | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 86425130bd..b3d092cde8 100755 --- a/configure +++ b/configure @@ -7132,11 +7132,12 @@ pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint +check_headers linux/fb.h +check_headers linux/videodev2.h +test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + # check V4L2 codecs available in the API if enabled v4l2_m2m; then - check_headers linux/fb.h - check_headers linux/videodev2.h - test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" From 51482627ca983a052d6271fa2c11b5e34e7ae088 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Thu, 29 Aug 2024 15:40:00 +0200 Subject: [PATCH 387/562] configure: improve check for POSIX ioctl Instead of relying on system #ifdefs which may or may not be correct, detect the POSIX ioctl signature at configure time. (cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12) 
Signed-off-by: Brad Smith --- configure | 2 ++ libavdevice/v4l2.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index b3d092cde8..20d4e4b615 100755 --- a/configure +++ b/configure @@ -2517,6 +2517,7 @@ HAVE_LIST=" opencl_videotoolbox perl pod2man + posix_ioctl texi2html xmllint zlib_gzip @@ -7135,6 +7136,7 @@ xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl # check V4L2 codecs available in the API if enabled v4l2_m2m; then diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 50ac47ec5a..ee01711122 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -107,7 +107,7 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); #else int (*ioctl_f)(int fd, unsigned long int request, ...); From 6a1ceb3c72ef45f5a98dd21bacce05a8bfb22d06 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 26 Aug 2024 23:07:35 +0200 Subject: [PATCH 388/562] avformat/libzmq: fix check for zmq protocol prefix Fixes ticket #11134. Signed-off-by: Marton Balint (cherry picked from commit a87a96105e9150dba07e3a660e41f78557f3356c) --- libavformat/libzmq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index f4bb849e46..da84efee73 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c 
@@ -94,7 +94,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - if (av_strstart(uri, "zmq:", &uri)) { + if (!av_strstart(uri, "zmq:", &uri)) { av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); return AVERROR(EINVAL); } From 0458a86656b291c7e91564efe44e109f97f7032a Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sun, 11 Aug 2024 12:51:50 +0530 Subject: [PATCH 389/562] lavc/libx265: unbreak build for X265_BUILD >= 210 x265 added support for alpha starting with build 210. While doing so, x265_encoder_encode() changed its fifth arg to an array of pointers to x265_picture. This broke building lavc/libx265.c This patch simply unbreaks the build and maintains existing single-layer non-alpha encoding support. Fixes #11130 --- libavcodec/libx265.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index d3e74eaacf..c1202fa924 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -646,7 +646,13 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; - x265_picture x265pic_out = { 0 }; +#if X265_BUILD >= 210 + x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; + x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; +#else + x265_picture x265pic_solo_out = { 0 }; +#endif + x265_picture* x265pic_out; x265_nal *nal; x265_sei *sei; uint8_t *dst; 
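Review bot: `x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS];` in the `@@ -646` hunk of libx265_encode_frame drops the `= { 0 }` that the single-picture variable had and that the `#else` branch keeps, so the two builds now start from different state; fields such as `userData`, read later through `x265pic_out`, are only safe if x265 writes every field of each output picture on every call, which I cannot verify from here. Initialising the array, `x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS] = { 0 };`, restores parity at negligible cost. As a point of style, `x265_picture* x265pic_lyrptr_out[...]` and `x265_picture* x265pic_out;` bind the `*` to the type, unlike the `x265_nal *nal;` and `uint8_t *dst;` right beside them. The function body continues outside the hunk.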
@@ -764,8 +770,16 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } +#if X265_BUILD >= 210 + for (i = 0; i < MAX_SCALABLE_LAYERS; i++) + x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, - pic ? &x265pic : NULL, &x265pic_out); + pic ? &x265pic : NULL, x265pic_lyrptr_out); +#else + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, + pic ? &x265pic : NULL, &x265pic_solo_out); +#endif for (i = 0; i < sei->numPayloads; i++) av_free(sei->payloads[i].payload); @@ -795,10 +809,16 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->flags |= AV_PKT_FLAG_KEY; } - pkt->pts = x265pic_out.pts; - pkt->dts = x265pic_out.dts; +#if X265_BUILD >= 210 + x265pic_out = x265pic_lyrptr_out[0]; +#else + x265pic_out = &x265pic_solo_out; +#endif - switch (x265pic_out.sliceType) { + pkt->pts = x265pic_out->pts; + pkt->dts = x265pic_out->dts; + + switch (x265pic_out->sliceType) { case X265_TYPE_IDR: case X265_TYPE_I: pict_type = AV_PICTURE_TYPE_I; @@ -816,16 +836,16 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } #if X265_BUILD >= 130 - if (x265pic_out.sliceType == X265_TYPE_B) + if (x265pic_out->sliceType == X265_TYPE_B) #else - if (x265pic_out.frameData.sliceType == 'b') + if (x265pic_out->frameData.sliceType == 'b') #endif pkt->flags |= AV_PKT_FLAG_DISPOSABLE; - ff_side_data_set_encoder_stats(pkt, x265pic_out.frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); + ff_side_data_set_encoder_stats(pkt, x265pic_out->frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); - if (x265pic_out.userData) { - int idx = (int)(intptr_t)x265pic_out.userData - 1; + if (x265pic_out->userData) { + int idx = (int)(intptr_t)x265pic_out->userData - 1; ReorderedData *rd = &ctx->rd[idx]; pkt->duration = rd->duration; From 9cadadb9a12aaf30b196c896073c473d91a2bdf0 Mon Sep 17 00:00:00 2001 
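Review bot: `x265pic_out = x265pic_lyrptr_out[0];` in the `@@ -795` hunk silently selects the base layer and discards whatever x265 placed in the remaining output pictures; the commit message explains that this is intentional, but the code does not. A comment at the assignment, `/* only the base layer is exported; alpha/scalable layers (X265_BUILD >= 210) are ignored for now */`, keeps that decision visible to whoever later adds multi-layer support. The same `#if X265_BUILD >= 210` condition is also repeated in three places within one function; a single named macro for the multi-layer API would keep the three from drifting apart.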
From: Anton Khirnov Date: Sun, 1 Sep 2024 15:41:24 +0200 Subject: [PATCH 390/562] lavc/hevc: check framerate num/den to be strictly positive Rather than just != 0. These values are read as uint32 and can become negative when cast to int. (cherry picked from commit eec1a7a6bb952c09945d908d2d5de35909516778) Signed-off-by: Anton Khirnov --- libavcodec/hevc_parser.c | 2 +- libavcodec/hevcdec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index 99a4272fad..3f4702001e 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c @@ -105,7 +105,7 @@ static int hevc_parse_slice_header(AVCodecParserContext *s, H2645NAL *nal, den = ps->sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 425020436d..d729925bdb 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -371,7 +371,7 @@ static void export_stream_params(HEVCContext *s, const HEVCSPS *sps) den = sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); } From f705bc5b7333ed45d476f473df8f6bf893e867e2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 4 Sep 2024 12:09:03 +0200 Subject: [PATCH 391/562] lavc/hevcdec: set per-CTB filter parameters for WPP Fixes #10887 (cherry picked from commit 536bb988889eec08c5a1d5fd733f9e98569ae65e) Signed-off-by: Anton Khirnov --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index d729925bdb..9b3f31c948 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -2635,6 +2635,11 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *hevc_lclist, if (ret < 0) goto error; hls_sao_param(lc, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size); + + s->deblock[ctb_addr_rs].beta_offset = s->sh.beta_offset; + s->deblock[ctb_addr_rs].tc_offset = s->sh.tc_offset; + s->filter_slice_edges[ctb_addr_rs] = s->sh.slice_loop_filter_across_slices_enabled_flag; + more_data = hls_coding_quadtree(lc, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0); if (more_data < 0) { From 3e6cec12865d53ebdb5e5bf344ebfc4f4b9ccb85 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 17 Sep 2024 15:39:57 -0300 Subject: [PATCH 392/562] avformat/mov_chan: add extra checks to channel description count Make sure it's not zero, and equal or bigger than number of channels Fixes: Timeout / DOS Fixes: 67143/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-4858720481771520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer (cherry picked from commit 1c706cec46b8fe500c76f4cb5efbafccf47cfe20) --- libavformat/mov_chan.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 287059d65b..3c7274b737 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c 
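Review bot: The three assignments added to hls_decode_entry_wpp (`s->deblock[ctb_addr_rs].beta_offset`, `.tc_offset` and `s->filter_slice_edges[ctb_addr_rs]`) are, by the commit's description, the per-CTB filter setup the non-WPP path already performs; if that copy lives in hls_decode_entry (not visible here), the two must now be kept in sync by hand, which is presumably how the omission arose in the first place. A small static helper, e.g. `static void set_ctb_filter_params(HEVCContext *s, int ctb_addr_rs)` called from both entry points, would remove the second copy. The enclosing function starts and ends outside the hunk.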
@@ -462,10 +462,22 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, return 0; if (layout_tag == MOV_CH_LAYOUT_USE_DESCRIPTIONS) { - int nb_channels = ch_layout->nb_channels ? ch_layout->nb_channels : num_descr; - if (num_descr > nb_channels) { - av_log(s, AV_LOG_WARNING, "got %d channel descriptions, capping to the number of channels %d\n", + int nb_channels = ch_layout->nb_channels; + + if (!num_descr || num_descr < nb_channels) { + av_log(s, AV_LOG_ERROR, "got %d channel descriptions when at least %d were needed\n", num_descr, nb_channels); + return AVERROR_INVALIDDATA; + } + + if (num_descr > nb_channels) { + int strict = s->strict_std_compliance >= FF_COMPLIANCE_STRICT; + av_log(s, strict ? AV_LOG_ERROR : AV_LOG_WARNING, + "got %d channel descriptions when number of channels is %d\n", + num_descr, nb_channels); + if (strict) + return AVERROR_INVALIDDATA; + av_log(s, AV_LOG_WARNING, "capping channel descriptions to the number of channels\n"); num_descr = nb_channels; } From 45ecf80f0e28bbdb4390e0a9de435aaafc3fea54 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 26 Sep 2024 16:38:24 -0300 Subject: [PATCH 393/562] avutil/iamf: fix doxygen Signed-off-by: James Almer (cherry picked from commit d55ab2ba9b16cabf1a069bcd6784e8d4906fc859) --- libavutil/iamf.h | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavutil/iamf.h b/libavutil/iamf.h index 93785d9fec..1fa73893cd 100644 --- a/libavutil/iamf.h +++ b/libavutil/iamf.h 
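Review bot: With `nb_channels = ch_layout->nb_channels` now taken verbatim in ff_mov_read_chan, a stream whose channel count is still 0 at this point falls into the second branch for any num_descr > 0 and has `num_descr` capped to 0 (or is rejected under strict compliance), whereas the removed line explicitly fell back to num_descr in that case; whether nb_channels can be 0 here depends on code outside the hunk, so this is a question rather than a confirmed regression. If 0 is possible, restore the fallback ahead of the checks, `if (!nb_channels) nb_channels = num_descr;`; if it is not, an `av_assert0(nb_channels > 0)` or a comment would document the precondition the new checks rely on. The function's body starts and ends outside the hunk.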
@@ -37,20 +37,29 @@ #include "rational.h" /** + * @defgroup lavu_iamf Immersive Audio Model and Formats + * @ingroup lavu_audio + * + * Immersive Audio Model and Formats related functions and defines + * * @defgroup lavu_iamf_params Parameter Definition + * @ingroup lavu_iamf * @{ * Parameters as defined in section 3.6.1 and 3.8 of IAMF. * @} + * * @defgroup lavu_iamf_audio Audio Element + * @ingroup lavu_iamf * @{ * Audio Elements as defined in section 3.6 of IAMF. * @} + * * @defgroup lavu_iamf_mix Mix Presentation + * @ingroup lavu_iamf * @{ * Mix Presentations as defined in section 3.7 of IAMF. * @} * - * @} * @addtogroup lavu_iamf_params * @{ */ @@ -673,6 +682,7 @@ AVIAMFSubmixLayout *av_iamf_submix_add_layout(AVIAMFSubmix *submix); * upon return, *mix_presentation will be set to NULL. */ void av_iamf_mix_presentation_free(AVIAMFMixPresentation **mix_presentation); + /** * @} */ From f5f590b1e72cbd1da257d87d1adf1e9db3b9e2a9 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 5 Oct 2024 10:08:31 +0530 Subject: [PATCH 394/562] avcodec/libx265: unbreak build for X265_BUILD >= 213 Earlier, x265 made an API change to support alpha and other multiple layer pictures. We added guards to accommodate that in 1f801dfdb5 They have now reverted that API change in https://bitbucket.org/multicoreware/x265_git/commits/78e5b703b1 Updated our wrapper guards to unbreak build again. --- libavcodec/libx265.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index c1202fa924..0107310068 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -646,7 +646,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; #else 
@@ -770,7 +770,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) for (i = 0; i < MAX_SCALABLE_LAYERS; i++) x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; @@ -809,7 +809,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->flags |= AV_PKT_FLAG_KEY; } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265pic_out = x265pic_lyrptr_out[0]; #else x265pic_out = &x265pic_solo_out; From d63f7ddebc20a26838cc733aca2c6a21091c391c Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 22 Oct 2024 19:49:16 +0200 Subject: [PATCH 395/562] avutil/wchar_filename: re-introduce explicit cast of void* to char* Fixes compile error on windows with decklink: In file included from ./libavformat/os_support.h:175, from ./libavformat/internal.h:30, from libavdevice/decklink_common.cpp:25: ./libavutil/wchar_filename.h: In function 'int wchartocp(unsigned int, const wchar_t*, char**)': ./libavutil/wchar_filename.h:59:32: error: invalid conversion from 'void*' to 'char*' [-fpermissive] 59 | *filename = av_malloc_array(num_chars, sizeof **filename); | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | void* Regression since e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367. Fixes ticket #11103. Signed-off-by: Marton Balint (cherry picked from commit 9b0128aa766221f8a32e13cf3c1d3e6d75a2d829) --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 23cc92aa2d..1370a084c9 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -57,7 +57,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = av_malloc_array(num_chars, sizeof **filename); + *filename = (char *)av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; 
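Review bot: The compound guard `(X265_BUILD >= 210) && (X265_BUILD < 213)` is now spelled out three times inside libx265_encode_frame, so the next x265 API move has to be patched in three places again. A single macro near the top of the file, e.g. `#define X265_HAS_LAYER_ARRAYS ((X265_BUILD >= 210) && (X265_BUILD < 213))`, with a one-line comment recording that 213 reverted the multi-layer picture API (per the commit message), keeps the three `#if`s in step. libx265_encode_frame starts and ends outside these hunks.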
From 786d4af40504eaaa71a18f73e2fb237fdf84be20 Mon Sep 17 00:00:00 2001 From: Leandro Santiago Date: Thu, 31 Oct 2024 21:50:45 +0100 Subject: [PATCH 396/562] fftools/ffplay: fix crash when vk renderer is null When vulkan rendering is requested by the user and fails, ffplay should exit graciously instead of crash due to a null pointer deref. Signed-off-by: Leandro Santiago Signed-off-by: Zhao Zhili (cherry picked from commit fd0cacc4720c68c58f86e41153444252dbd4e5b6) --- fftools/ffplay.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 048a4a8704..3e1be8038c 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2605,6 +2605,11 @@ static int create_hwaccel(AVBufferRef **device_ctx) if (type == AV_HWDEVICE_TYPE_NONE) return AVERROR(ENOTSUP); + if (!vk_renderer) { + av_log(NULL, AV_LOG_ERROR, "Vulkan renderer is not available\n"); + return AVERROR(ENOTSUP); + } + ret = vk_renderer_get_hw_dev(vk_renderer, &vk_dev); if (ret < 0) return ret; From caaa4d2d6a2d84a11bb8a025e92c8bdb9788e593 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Fri, 1 Nov 2024 13:50:38 +0100 Subject: [PATCH 397/562] avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow --- libavcodec/jpegxl_parser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 8c45e1a1b7..746c429b9c 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext * // permuted toc if (get_bits1(gb)) { JXLEntropyDecoder dec; - uint32_t end, lehmer = 0; + int64_t end, lehmer = 0; ret = entropy_decoder_init(avctx, gb, &dec, 8); if (ret < 0) return ret; 
@@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext * return AVERROR_BUFFER_TOO_SMALL; } end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count)); - if (end > toc_count) { + if (end < 0 || end > toc_count) { entropy_decoder_close(&dec); return AVERROR_INVALIDDATA; } for (uint32_t i = 0; i < end; i++) { lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer)); - if (get_bits_left(gb) < 0) { + if (lehmer < 0 || get_bits_left(gb) < 0) { entropy_decoder_close(&dec); return AVERROR_BUFFER_TOO_SMALL; } From 77facc9a55750a8b4a20dbcf0c6745063bf18dd5 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Thu, 7 Nov 2024 11:31:49 -0500 Subject: [PATCH 398/562] avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The JPEG XL parser has an entropy decoder inside, which supports LZ77 length-distance pairs. If the first symbol from the entropy stream is an LZ77 pair, the bitstream is invalid, so we should abort immediately rather than attempt to read it anyway (which would read from the uninitialized starting window). Reported-by: Kacper Michajłow Found-by: ossfuzz Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut Signed-off-by: Leo Izen --- libavcodec/jpegxl_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 746c429b9c..76122af54a 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c 
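Review bot: The two new negative-value checks map the same failure to different errors: `end < 0` returns AVERROR_INVALIDDATA while `lehmer < 0` returns AVERROR_BUFFER_TOO_SMALL, and the latter is the code a caller reads as "feed me more input" rather than "reject this stream". If entropy_decoder_read_symbol returns an AVERROR code on failure (its definition is outside the hunk), propagating it is the cleanest fix: `if (lehmer < 0) { entropy_decoder_close(&dec); return lehmer; }` placed ahead of the existing get_bits_left test, so the symbol-read failure is not confused with running out of bits. parse_frame_header continues past the hunk.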
@@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec, if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) { const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]]; + if (!dec->num_decoded) + return AVERROR_INVALIDDATA; ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy); if (ret < 0) return ret; @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi dec->state = -1; /* it's not going to necessarily be zero after reading */ dec->num_to_copy = 0; + dec->num_decoded = 0; dist_bundle_close(&nested); if (use_mtf) { uint8_t mtf[256]; From a38726fb059e8fe969060f81bb27fc4b55ef7778 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 3 Nov 2024 22:32:51 +0100 Subject: [PATCH 399/562] avfilter/f_loop: fix length of aloop leftover buffer If the audio loop stops inside an audio frame, the leftover buffer contains the end of the frame, which is not looped. The length supposed to be the part which was not written to the loop buffer, so we need to drain exactly that number of bytes from the leftover buffer. Signed-off-by: Marton Balint (cherry picked from commit b33a59416072ad31a5840f33f9975d88acf45add) --- libavfilter/f_loop.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index 0b08a2ead3..f2829ecb2b 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c 
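Review bot: The new `!dec->num_decoded` guard only rejects an LZ77 pair as the very first symbol; a later pair whose distance exceeds dec->num_decoded would read the same uninitialised window unless the copy path clamps the distance against what has been produced, and that path is outside the hunk, so please confirm it does. The guard also depends on dec->num_decoded being incremented for every emitted symbol, which is not visible here, and it is placed below the `lz77dist` declaration that the early return never uses; making the check the first statement of the `if` keeps the declaration next to its use. decode_hybrid_varlen_uint starts and ends outside the hunk.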
@@ -169,14 +169,13 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(s->start - s->ignored_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); } s->nb_samples += ret - drain; - drain = frame->nb_samples - written; - if (s->nb_samples == s->size && drain > 0) { + if (s->nb_samples == s->size && frame->nb_samples > written) { int ret2; ret2 = av_audio_fifo_write(s->left, (void **)frame->extended_data, frame->nb_samples); if (ret2 < 0) return ret2; - av_audio_fifo_drain(s->left, drain); + av_audio_fifo_drain(s->left, written); } frame->nb_samples = ret; s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); From 210cb52ef637daebc964bbfda0c7eaafca33e254 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 4 Nov 2024 00:43:06 +0100 Subject: [PATCH 400/562] avfilter/f_loop: fix aloop activate logic The logic did not follow the documented behaviour and that caused skipping of some audio in the loop and in the leftover buffer. Example command line which should produce a smooth sine wave for the whole duration of the output: ffmpeg -f lavfi -i "sine=r=48000:f=480:d=4" -af "aloop=loop=4:start=48000:size=48000" out.wav Fixes ticket #11283. Signed-off-by: Marton Balint (cherry picked from commit fe18ed3f2a9221af0beaec7b04b7804849db1f2f) --- libavfilter/f_loop.c | 70 ++++++++++++++++++-------------------------- 1 file changed, 28 insertions(+), 42 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index f2829ecb2b..3936d1c1b0 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c @@ -21,6 +21,7 @@ #include "config_components.h" #include "libavutil/audio_fifo.h" +#include "libavutil/avassert.h" #include "libavutil/internal.h" #include "libavutil/opt.h" #include "avfilter.h" 
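Review bot: `av_audio_fifo_drain(s->left, written)` removes `written` samples from the head of s->left, which is the just-consumed part of this frame only if the fifo was empty before the `av_audio_fifo_write` two lines above; if s->left can already hold samples from an earlier call, the drain discards those older samples and the frame head stays. If this path runs at most once per stream (it is tied to `s->nb_samples == s->size`), a comment stating the invariant would settle it, e.g. `/* s->left is empty here: the loop buffer fills up exactly once */`; otherwise the safer form is to write only the leftover by offsetting each plane of extended_data by `written` samples. afilter_frame continues outside the hunk.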
@@ -104,7 +105,7 @@ static av_cold void auninit(AVFilterContext *ctx) av_audio_fifo_free(s->left); } -static int push_samples(AVFilterContext *ctx, int nb_samples) +static int push_samples(AVFilterContext *ctx, int nb_samples, AVFrame **frame) { AVFilterLink *outlink = ctx->outputs[0]; LoopContext *s = ctx->priv; @@ -126,9 +127,7 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) i += out->nb_samples; s->current_sample += out->nb_samples; - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; if (s->current_sample >= s->nb_samples) { s->current_sample = 0; @@ -136,6 +135,8 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) if (s->loop > 0) s->loop--; } + + return 0; } return ret; @@ -181,10 +182,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); ret = ff_filter_frame(outlink, frame); } else { - int nb_samples = frame->nb_samples; - - av_frame_free(&frame); - ret = push_samples(ctx, nb_samples); + av_assert0(0); } } else { s->ignored_samples += frame->nb_samples; @@ -196,7 +194,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) return ret; } -static int arequest_frame(AVFilterLink *outlink) +static int arequest_frame(AVFilterLink *outlink, AVFrame **frame) { AVFilterContext *ctx = outlink->src; LoopContext *s = ctx->priv; 
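Review bot: `av_assert0(0)` in the `else` branch of afilter_frame turns a state-machine slip into a process abort (av_assert0 is not compiled out), and the incoming frame is neither freed nor returned before it; if the branch really is unreachable under the new aactivate ordering, that invariant belongs in a comment beside the assert, e.g. `/* aactivate only consumes input while the loop buffer has room, so it can never be full here */`. A softer alternative with the same contract is `av_frame_free(&frame); return AVERROR_BUG;`. In push_samples the loop body now unconditionally hits `return 0` after its first iteration, so the surrounding loop (its header is outside the hunk) is effectively a single pass and could become a plain `if`.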
@@ -216,17 +214,11 @@ static int arequest_frame(AVFilterLink *outlink) av_audio_fifo_read(s->left, (void **)out->extended_data, nb_samples); out->pts = s->pts; s->pts += av_rescale_q(nb_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; } - ret = ff_request_frame(ctx->inputs[0]); + return 0; } else { - ret = push_samples(ctx, 1024); - } - - if (s->eof && s->nb_samples > 0 && s->loop != 0) { - ret = push_samples(ctx, 1024); + ret = push_samples(ctx, 1024, frame); } return ret; 
@@ -244,37 +236,31 @@ static int aactivate(AVFilterContext *ctx) update_time(ctx, inlink->time_base); - if (!s->eof && (s->nb_samples < s->size || !s->loop || !s->size)) { - const int in_nb_samples = FFMIN(1024, s->size - s->nb_samples); - if (in_nb_samples == 0) - ret = ff_inlink_consume_frame(inlink, &frame); - else - ret = ff_inlink_consume_samples(inlink, in_nb_samples, in_nb_samples, &frame); - if (ret < 0) - return ret; - if (ret > 0) - return afilter_frame(inlink, frame); - } +retry: + ret = arequest_frame(outlink, &frame); + if (ret < 0) + return ret; + if (frame) + return ff_filter_frame(outlink, frame); - if (!s->eof && ff_inlink_acknowledge_status(inlink, &status, &s->eof_pts)) { - if (status == AVERROR_EOF) { + ret = ff_inlink_consume_frame(inlink, &frame); + if (ret < 0) + return ret; + if (ret > 0) + return afilter_frame(inlink, frame); + + ret = ff_inlink_acknowledge_status(inlink, &status, &s->eof_pts); + if (ret) { + if (status == AVERROR_EOF && !s->eof) { s->size = s->nb_samples; s->eof = 1; + goto retry; } - } - - if (s->eof && (!s->loop || !s->size)) { - ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts + s->pts_offset); + ff_outlink_set_status(outlink, status, s->eof_pts); return 0; } - if (!s->eof && (!s->size || - (s->nb_samples < s->size) || - (s->nb_samples >= s->size && s->loop == 0))) { - FF_FILTER_FORWARD_WANTED(outlink, inlink); - } else if (s->loop && s->nb_samples == s->size) { - return arequest_frame(outlink); - } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY; } From 7f1e2090285e4f1d51e134269b94ff1fbdfdbc55 Mon Sep 17 00:00:00 2001 
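Review bot: `if (frame)` after `arequest_frame(outlink, &frame)` is only meaningful if `frame` starts out NULL, because arequest_frame and push_samples write `*frame` solely on the path that produces output (`*frame = out`) and never clear it otherwise; the declaration of `frame` in aactivate is outside the hunk, so please confirm it reads `AVFrame *frame = NULL;`, or have arequest_frame begin with `*frame = NULL;` so the contract does not depend on the caller. The `goto retry` is bounded since it is guarded by `!s->eof` and s->eof is set just before the jump; a one-line comment there, e.g. `/* size is now final: drain the loop buffer once more before propagating EOF */`, would make that obvious to the next reader.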
From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 401/562] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index abf2bae9db..38f44ca56d 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -230,6 +230,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no 
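Review bot: The comment directly below the new `.elseif \size == 4` block still says `// for size 4/8 it's enough with one qword and no` postincrement, which is no longer true for size 4 now that x12/x13 are set up here and post-incremented by x3 in the load hunk; the arm counterpart in this series updates the equivalent comment, so mirror it, e.g. `// size 4 loads one dword plus one 32-bit lane via x12/x13 (stride x3), size 8 one qword with no postincrement`. The macro body continues beyond the hunk.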
@@ -248,9 +251,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From 0407cd49905802f6346e7bc00896c899c7441399 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 402/562] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S 
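Review bot: `ld1 {v5.s}[0], [x12], x3` fills only bytes 0-3 of v5, yet the following `uxtl v5.8h, v5.8b` widens all eight, so lanes 4-7 of the widened vector carry whatever v5 held from the previous row; that is harmless only if those lanes never reach the 4-wide result, which the filter arithmetic outside the hunk would have to confirm. A comment on the lane load, e.g. `// only 4 extra bytes needed; upper lanes of v5/v17 are don't-care`, records the intent so a later change does not start consuming them. The same applies to v17 via x13.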
@@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From bb1a9c5932d39bccb5052373af68b6043d57a727 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 403/562] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 073c04b47d..b8071f39b0 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c 
@@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, const vp9_mc_func // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, const vp9_mc_fu // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From 50c4fad6c8bdc32668629d2d669291a091646d0d Mon Sep 17 00:00:00 2001 
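Review bot: The added `(y + !!my * 5 + 1 > h - bh)` term is the subtle part of the condition and the new comment does not explain it: the one-pixel over-read past the right edge only leaves the allocation when the block is also on the bottom row, which is why the y bound is one tighter than the existing `y + !!my * 5 > h - bh` test, and with `my == 0` it reduces to `y + 1 > h - bh`, i.e. every bottom-row block that uses the horizontal filter near the right edge now takes the emulated-edge path. Please extend the comment with that reasoning, e.g. `// the arm/aarch64 _h over-read only leaves the frame buffer on the bottom row, hence the +1 on y`. The expression is duplicated verbatim in mc_luma_unscaled and mc_chroma_unscaled; a small static inline helper would keep the two in step, and note that the ARCH_* test is compile-time, so the C fallback selected at runtime also pays for the extra emulation (harmless, but worth a word). Both functions extend beyond their hunks.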
From: Bin Peng Date: Mon, 16 Dec 2024 10:31:23 +0800 Subject: [PATCH 404/562] lavc/aarch64: Fix ff_pred8x8_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 479612 The mismatch between neon and C functions can also be reproduced using the following bitstream and command line. wget https://streams.videolan.org/ffmpeg/incoming/intra8x8pred_10bit.264 ./ffmpeg -cpuflags 0 -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_ref ./ffmpeg -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_neon Signed-off-by: Bin Peng Signed-off-by: Martin Storsjö (cherry picked from commit decc9e643cc3ac5537f42b465e2637fbefbf41cc) --- libavcodec/aarch64/h264pred_neon.S | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index ea37689f34..168f8191ad 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -595,12 +595,11 @@ function ff_pred8x8_plane_neon_10, export=1 ssubl v2.4s, v2.4h, v3.4h ext v0.16b, v0.16b, v0.16b, #14 mov v0.h[0], wzr - mul v0.8h, v0.8h, v5.h[0] dup v1.4s, v2.s[0] dup v2.4s, v2.s[0] dup v3.8h, v5.h[1] - saddw v1.4s, v1.4s, v0.4h - saddw2 v2.4s, v2.4s, v0.8h + smlal v1.4s, v0.4h, v5.h[0] + smlal2 v2.4s, v0.8h, v5.h[0] mov w3, #8 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: From e2a60e532f3f526703316620757f0399e3a3765e Mon Sep 17 00:00:00 2001 From: Bin Peng Date: Fri, 13 Dec 2024 22:19:47 +0800 Subject: [PATCH 405/562] lavc/aarch64: Fix ff_pred16x16_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 367840 Signed-off-by: Peng Bin 
Signed-off-by: Martin Storsjö (cherry picked from commit 72a3656e8468a394373b6397aacc906d7f7794c2) --- libavcodec/aarch64/h264pred_neon.S | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index 168f8191ad..d0999938ef 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -502,28 +502,27 @@ function ff_pred16x16_plane_neon_10, export=1 add v7.4h, v7.4h, v0.4h shl v2.4h, v7.4h, #4 ssubl v2.4s, v2.4h, v3.4h - shl v3.4h, v4.4h, #4 ext v0.16b, v0.16b, v0.16b, #14 - ssubl v6.4s, v5.4h, v3.4h + sxtl v6.4s, v5.4h // c mov v0.h[0], wzr mul v0.8h, v0.8h, v4.h[0] dup v16.4s, v2.s[0] dup v17.4s, v2.s[0] - dup v2.8h, v4.h[0] - dup v3.4s, v6.s[0] - shl v2.8h, v2.8h, #3 + dup v2.8h, v4.h[0] // b + dup v3.4s, v6.s[0] // c + sshll v2.4s, v2.4h, #3 // b * 8 saddw v16.4s, v16.4s, v0.4h saddw2 v17.4s, v17.4s, v0.8h - saddw v3.4s, v3.4s, v2.4h + sub v3.4s, v3.4s, v2.4s mov w3, #16 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: sqshrun v0.4h, v16.4s, #5 sqshrun2 v0.8h, v17.4s, #5 - saddw v16.4s, v16.4s, v2.4h - saddw v17.4s, v17.4s, v2.4h + add v16.4s, v16.4s, v2.4s + add v17.4s, v17.4s, v2.4s sqshrun v1.4h, v16.4s, #5 sqshrun2 v1.8h, v17.4s, #5 add v16.4s, v16.4s, v3.4s From e65923eff0296e6d250f99bb298582bf24cd27d4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 23 Jan 2025 12:53:10 +0200 Subject: [PATCH 406/562] rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When running the cleanup in rtmp_close on failures in rtmp_open, we can in rare cases end up using rt->playpath, assuming that it is still set. The crash could happen if we hit the fail codepath in rtmp_open while publishing (rt->is_input == 0) with rt->state set to a value > STATE_FCPUBLISH. This would normally not happen while publishing; either we have an error (and rt->state <= STATE_FCPUBLISH) or we reach rt->state = STATE_PUBLISHING, and then we also return successfully from rtmp_open. The unexpected combination of states could happen if the server responds with e.g. "NetStream.Play.Stop" while expecting "NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED, which also fulfills the condition "> STATE_FCPUBLISH". We don't need to free the rt->playpath/tcurl/flashver strings here; they're handled via AVOption, and thus are freed automatically when the protocol instance is freed (that's why they aren't freed manually within the rtmp_close function either). We also don't need to free the AVDictionary with options; it's owned by the caller. A smaller fix would be to just call rtmp_close before freeing the strings and dictionary, but as we don't need to free them at all, let's remove that redundant code. Signed-off-by: Martin Storsjö (cherry picked from commit 8f4819ce01584e0858fdc312aa8a17c55e350a92) --- libavformat/rtmpproto.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 871d97e8a9..09882a4995 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2917,10 +2917,6 @@ reconnect: return 0; fail: - av_freep(&rt->playpath); - av_freep(&rt->tcurl); - av_freep(&rt->flashver); - av_dict_free(opts); rtmp_close(s); return ret; } 
From aac44b78aa04c0084dfd7fdc39a780422ce2c4dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Jan 2025 23:32:52 +0200 Subject: [PATCH 407/562] configure: Improve the check for the rsync --contimeout option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Traditionally, macOS has shipped an old version of rsync that lacked support for this option, hence this check (added in a8b3f0c5cf548f654e30c981988bb71981a3f8d3). However, in macOS 15.x, Apple have switched to providing rsync as a different tool, openrsync. The version of openrsync in at least macOS 15.2 does include "[--contimeout]" (note the lack of "=" after the option), in the output of "rsync --help", but when used, the tool errors out with "rsync: --contimeout=60: unknown option". So apparently the tool erroenously lists the option as supported, while it really isn't. The original rsync tool (with a new enough version) prints "--contimeout=SECONDS" in the output of "rsync --help". It is unclear which version of openrsync Apple are shipping; the latest upstream openrsync from OpenBSD does support the option and includes "[--contimeout=seconds]" in the output of "--help", and older versions don't seem to include the option as listed at all. Therefore, check for "--conntimeout=" with the "=", this should properly detect both new enough rsync and openrsync. This fixes running "fate-rsync" on macOS 15.x. Signed-off-by: Martin Storsjö (cherry picked from commit 3cd4e8470a1ef82223d124523f8219691dfefb60) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 20d4e4b615..323476cdd7 100755 --- a/configure +++ b/configure 
@@ -7130,7 +7130,7 @@ enabled makeinfo \ disabled makeinfo_html && texi2html --help 2> /dev/null | grep -q 'init-file' && enable texi2html || disable texi2html perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man -rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout +rsync --help 2> /dev/null | grep -q 'contimeout=' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h From 72e64ede9446050ea06110cf4cf0342ad47051b7 Mon Sep 17 00:00:00 2001 From: Pavel Koshevoy Date: Sun, 23 Feb 2025 09:43:56 -0700 Subject: [PATCH 408/562] avformat/mov: (v4) fix get_eia608_packet The problem is reproducible with "Test for Quicktime 608 CC file.mov" from https://samples.ffmpeg.org/MPEG2/subcc/ ffmpeg -i "Test for Quicktime 608 CC file.mov" -map 0 -c copy -y remuxed.mov See https://trac.ffmpeg.org/ticket/11470 --- libavformat/mov.c | 70 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 11 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0f7b910a79..eae1b49ba5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -9903,25 +9903,73 @@ static int mov_change_extradata(AVStream *st, AVPacket *pkt) return 0; } -static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int size) +static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int src_size) { - int new_size, ret; + /* We can't make assumptions about the structure of the payload, + because it may include multiple cdat and cdt2 samples. */ + const uint32_t cdat = AV_RB32("cdat"); + const uint32_t cdt2 = AV_RB32("cdt2"); + int ret, out_size = 0; - if (size <= 8) + /* a valid payload must have size, 4cc, and at least 1 byte pair: */ + if (src_size < 10) return AVERROR_INVALIDDATA; - new_size = ((size - 8) / 2) * 3; - ret = av_new_packet(pkt, new_size); + + /* avoid an int overflow: */ + if ((src_size - 8) / 2 >= INT_MAX / 3) + return AVERROR_INVALIDDATA; + + ret = av_new_packet(pkt, ((src_size - 8) / 2) * 3); if (ret < 0) return ret; - avio_skip(pb, 8); - for (int j = 0; j < new_size; j += 3) { - pkt->data[j] = 0xFC; - pkt->data[j+1] = avio_r8(pb); - pkt->data[j+2] = avio_r8(pb); + /* parse and re-format the c608 payload in one pass. */ + while (src_size >= 10) { + const uint32_t atom_size = avio_rb32(pb); + const uint32_t atom_type = avio_rb32(pb); + const uint32_t data_size = atom_size - 8; + const uint8_t cc_field = + atom_type == cdat ? 1 : + atom_type == cdt2 ? 2 : + 0; + + /* account for bytes consumed for atom size and type. */ + src_size -= 8; + + /* make sure the data size stays within the buffer boundaries. */ + if (data_size < 2 || data_size > src_size) { + ret = AVERROR_INVALIDDATA; + break; + } + + /* make sure the data size is consistent with N byte pairs. */ + if (data_size % 2 != 0) { + ret = AVERROR_INVALIDDATA; + break; + } + + if (!cc_field) { + /* neither cdat or cdt2 ... 
skip it */ + avio_skip(pb, data_size); + src_size -= data_size; + continue; + } + + for (uint32_t i = 0; i < data_size; i += 2) { + pkt->data[out_size] = (0x1F << 3) | (1 << 2) | (cc_field - 1); + pkt->data[out_size + 1] = avio_r8(pb); + pkt->data[out_size + 2] = avio_r8(pb); + out_size += 3; + src_size -= 2; + } } - return 0; + if (src_size > 0) + /* skip any remaining unread portion of the input payload */ + avio_skip(pb, src_size); + + av_shrink_packet(pkt, out_size); + return ret; } static int mov_finalize_packet(AVFormatContext *s, AVStream *st, AVIndexEntry *sample, From aaaf20a11fbea83718b9a6c5ce20fc15c203784c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:45:15 +0200 Subject: [PATCH 409/562] avformat/wavdec: Check if there are 16 bytes before testing them Fixes: use-of-uninitialized-value Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79a1cf30d1289f90da682263ba160f6e4a5a7bf1) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 0fed1ee639..12f30a8073 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -873,8 +873,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ From 13ca705eebb47b81c17b3cd224e36493e5eba6a4 Mon Sep 17 00:00:00 2001 
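Review bot: On the `AVERROR_INVALIDDATA` exits inside the loop the function still returns with pkt allocated by `av_new_packet` and then shrunk, so unless the caller unrefs pkt on every failure (mov_read_packet is outside the hunk) the buffer leaks; adding `if (ret < 0) av_packet_unref(pkt);` before `return ret;` keeps the error path self-contained as the original was. Two smaller points: `avio_r8` returns 0 past end of stream, so a truncated payload silently becomes 0x00 byte pairs instead of an error (an `if (pb->eof_reached) ret = AVERROR_INVALIDDATA;` after the loop would catch it), and `data_size < 2 || data_size > src_size` relies on `atom_size - 8` wrapping to a large uint32_t when atom_size < 8, which works but deserves a comment such as `/* atom_size < 8 wraps data_size and is rejected by the bound below */`. get_eia608_packet is complete within the hunk.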
From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:00:35 +0200 Subject: [PATCH 410/562] avformat/img2dec: Clear padding data after EOF Fixes: use-of-uninitialized-value Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 3978e81809a3daf278199849f7bbeacbffb9fa09) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 69cce36bed..ddefbe85e2 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -563,6 +563,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; From 24c9ecad42467c767e71f169e158819c2ec07a64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:37 +0200 Subject: [PATCH 411/562] avformat/jpegxl_anim_dec: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70837/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5089407768526848 Signed-off-by: Michael Niedermayer (cherry picked from commit 2b5f000d3f6f9e737e918a5438e6c881f65e70e2) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_anim_dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c index ac95d3b961..2338a2e8c0 100644 --- a/libavformat/jpegxl_anim_dec.c +++ b/libavformat/jpegxl_anim_dec.c 
@@ -124,6 +124,8 @@ static int jpegxl_anim_read_header(AVFormatContext *s) } } + memset(head + headsize, 0, AV_INPUT_BUFFER_PADDING_SIZE); + /* offset in bits of the animation header */ ret = ff_jpegxl_parse_codestream_header(head, headsize, &meta, 0); if (ret < 0 || meta.animation_offset <= 0) From be882efb533c3e4dac87d297818613d13d990d16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:35 +0200 Subject: [PATCH 412/562] avcodec/parser: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Signed-off-by: Michael Niedermayer (cherry picked from commit 5dfc0cc84129758b4eab2acdc3e186c3116deacd) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index af17ee9c15..426cc314fb 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -236,6 +236,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } From 7b942f342f93c557bc350a8a8b6dfe74d0475652 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:51 +0200 Subject: [PATCH 413/562] avformat/wtvdec: clear sectors The code can leave uninitialized holes in the array. Fixes: use of uninitialized values Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c95ea0310468e0a0906fa7d590ff7406c39d6991) 
Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index f41b0f2c68..2bddd4fa79 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -184,7 +184,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; From d4d154f7149713c6034c5ee806b2a5c240eef5d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:53 +0200 Subject: [PATCH 414/562] avformat/wtvdec: Check length of read mpeg2_descriptor Fixes: Use of uninitialized value Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c390234da2e3c7a8884f5592f0b9b4928c482b3e) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 2bddd4fa79..626e6a7068 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -845,7 +845,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } From 0a10ae25bac178e73b5e183eac1bcfcfec629a3e Mon Sep 17 00:00:00 2001 
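Review bot: av_calloc() in wtvfile_open_sector makes the holes deterministic but does not detect them: an entry that the subsequent fill loop never writes now silently reads as zeroed sector data instead of tripping a sanitizer. If the code that fills wf->sectors (outside the hunk) can tell how many entries it actually populated, comparing that count against nb_sectors1 and failing with AVERROR_INVALIDDATA would turn a masked inconsistency into an explicit error; otherwise a comment such as `/* zeroed so that sectors the index never references stay defined */` records why calloc rather than a length check was chosen. The parse_chunks hunk on this line is covered by the note on the wavdec hunk above.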
From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:52 +0200 Subject: [PATCH 415/562] tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content This matches production code which also zeros these buffers Fixes: use of uninitialized values Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b8d95da3a4a5c9441238928a36b653da693c286) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 8adbc0809e..d54309a1aa 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -128,7 +128,7 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) frame->extended_data = frame->data; for (i = 0; i < 4 && size[i]; i++) { - frame->buf[i] = av_buffer_alloc(size[i]); + frame->buf[i] = av_buffer_allocz(size[i]); if (!frame->buf[i]) goto fail; frame->data[i] = frame->buf[i]->data; From dd1058a7b4673b6be54b54bff1baa109a183e34e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2024 09:16:48 +0200 Subject: [PATCH 416/562] avformat/lmlm4: Eliminate some AVERROR(EIO) Found by code review related to CID732224 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 191a685010319cb0d248771574c7c61d76e4eb95) Signed-off-by: Michael Niedermayer --- libavformat/lmlm4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index 209b544ccd..fd5880d9e1 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c 
@@ -95,15 +95,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt)
 if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) {
 av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n");
- return AVERROR(EIO);
+ return AVERROR_INVALIDDATA;
 }
 if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) {
 av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size);
- return AVERROR(EIO);
+ return AVERROR_INVALIDDATA;
 }
 if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0)
- return AVERROR(EIO);
+ return ret < 0 ? ret : AVERROR(EIO);
 avio_skip(pb, padding);
From d392adb19a41a10cc6b979cd55453271adfa5973 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 00:28:14 +0200 Subject: [PATCH 417/562] avfilter/vf_xfade_opencl: Check ff_inlink_consume_frame() for failure Fixes: CID1458127 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 43b62b7e0c85c0a1038ac2bc90ae06597e3ef706) Signed-off-by: Michael Niedermayer
---
 libavfilter/vf_xfade_opencl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavfilter/vf_xfade_opencl.c b/libavfilter/vf_xfade_opencl.c
index 2368c046b4..8582230924 100644
--- a/libavfilter/vf_xfade_opencl.c
+++ b/libavfilter/vf_xfade_opencl.c
@@ -293,7 +293,9 @@ static int xfade_opencl_activate(AVFilterContext *avctx)
 if (ctx->first_pts + ctx->offset_pts > ctx->xf[0]->pts) {
 ctx->xf[0] = NULL;
 ctx->need_second = 0;
- ff_inlink_consume_frame(avctx->inputs[0], &in);
+ ret = ff_inlink_consume_frame(avctx->inputs[0], &in);
+ if (ret < 0)
+ return ret;
 return ff_filter_frame(outlink, in);
 }
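Review bot: The new fallback `return ret < 0 ? ret : AVERROR(EIO);` still reports a zero-byte av_get_packet() result as an I/O error, although at that point the input has simply ended before the announced frame_size bytes; AVERROR_EOF, or AVERROR_INVALIDDATA to match the two earlier returns in this hunk, describes that case more precisely and lets callers tell truncation from a transport failure. A read that returns fewer than frame_size bytes but more than zero still passes the `<= 0` test and yields a truncated packet with no diagnostic; if the decoder needs the whole frame, `ret < frame_size` is the condition to test. lmlm4_read_packet begins before this hunk.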
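Review bot: ff_inlink_consume_frame() can also return 0 when no frame is available, in which case `in` stays NULL and the new code passes it straight to ff_filter_frame(); the added check covers only the negative path. If the peek that populated ctx->xf[0] earlier in xfade_opencl_activate guarantees a queued frame on inputs[0], an `av_assert1(ret > 0 && in);` after the check documents that reliance; if it does not, the `ret == 0` case needs explicit handling before the frame is forwarded. The following hunk (`@@ -302,8 +304,14 @@`) has the same gap for both consume calls — `ctx->xf[1]->pts` is read immediately after them and a 0 return would leave ctx->xf[1] NULL, although the `ff_inlink_queued_frames(avctx->inputs[1]) > 0` guard likely prevents it for the second input. The function starts outside both hunks.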
@@ -302,8 +304,14 @@ static int xfade_opencl_activate(AVFilterContext *avctx) } if (ctx->xf[0] && ff_inlink_queued_frames(avctx->inputs[1]) > 0) { - ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]); - ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]); + ret = ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]); + if (ret < 0) + return ret; + ret = ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]); + if (ret < 0) { + av_frame_free(&ctx->xf[0]); + return ret; + } ctx->last_pts = ctx->xf[1]->pts; ctx->pts = ctx->xf[0]->pts; From 53ac4363757499aa41e27a5a98b5b5e831c130df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 22:16:13 +0200 Subject: [PATCH 418/562] avfilter/af_surround: Check output format Fixes: CID1516994 Out-of-bounds access Fixes: CID1516996 Out-of-bounds access Fixes: CID1516999 Out-of-bounds access Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 22ee55a1da8218fb00c536723d488b7ca9344bd3) Signed-off-by: Michael Niedermayer --- libavfilter/af_surround.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c index 5957860283..03e878c3cc 100644 --- a/libavfilter/af_surround.c +++ b/libavfilter/af_surround.c 
@@ -1122,6 +1122,31 @@ static av_cold int init(AVFilterContext *ctx) s->create_lfe = av_channel_layout_index_from_channel(&s->out_ch_layout, AV_CHAN_LOW_FREQUENCY) >= 0; + switch (out_channel_layout) { + case AV_CH_LAYOUT_MONO: + case AV_CH_LAYOUT_STEREO: + case AV_CH_LAYOUT_2POINT1: + case AV_CH_LAYOUT_2_1: + case AV_CH_LAYOUT_2_2: + case AV_CH_LAYOUT_SURROUND: + case AV_CH_LAYOUT_3POINT1: + case AV_CH_LAYOUT_QUAD: + case AV_CH_LAYOUT_4POINT0: + case AV_CH_LAYOUT_4POINT1: + case AV_CH_LAYOUT_5POINT0: + case AV_CH_LAYOUT_5POINT1: + case AV_CH_LAYOUT_5POINT0_BACK: + case AV_CH_LAYOUT_5POINT1_BACK: + case AV_CH_LAYOUT_6POINT0: + case AV_CH_LAYOUT_6POINT1: + case AV_CH_LAYOUT_7POINT0: + case AV_CH_LAYOUT_7POINT1: + case AV_CH_LAYOUT_OCTAGONAL: + break; + default: + goto fail; + } + switch (in_channel_layout) { case AV_CH_LAYOUT_STEREO: s->filter = filter_stereo; From 11037bdec0943bceff51da13f78f6681119e9e07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 23:47:46 +0200 Subject: [PATCH 419/562] avfilter/vf_tonemap_opencl: Dereference after NULL check Fixes: CID1437472 Dereference before null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5c0f56ca09b4cb4ea87a61547218f9c818b52d7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_tonemap_opencl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index a2a27307b4..03219857d4 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -343,8 +343,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) int err; double peak = ctx->peak; - AVHWFramesContext *input_frames_ctx = - (AVHWFramesContext*)input->hw_frames_ctx->data; + AVHWFramesContext *input_frames_ctx; av_log(ctx, AV_LOG_DEBUG, "Filter input: %s, %ux%u (%"PRId64").\n", av_get_pix_fmt_name(input->format), 
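Review bot: The new `default: goto fail;` in init rejects an unsupported output layout without any message, so unless the `fail:` label (outside the hunk) logs, the user only sees a generic initialization error; an `av_log(ctx, AV_LOG_ERROR, "Unsupported output channel layout\n");` before the goto names the cause. The case list also hard-codes which layouts the per-channel output indexing that the three Coverity CIDs refer to can handle; a comment such as `/* keep in sync with the layouts the output path can index */` would tell the next contributor where to look when adding one. Since the switch tests `out_channel_layout` against AV_CH_LAYOUT_* masks, a custom-order AVChannelLayout presumably yields no mask and is now refused too, which may be intended but is worth a line in the commit message.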
@@ -352,6 +351,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input)
 if (!input->hw_frames_ctx)
 return AVERROR(EINVAL);
+ input_frames_ctx = (AVHWFramesContext*)input->hw_frames_ctx->data;
 output = ff_get_video_buffer(outlink, outlink->w, outlink->h);
 if (!output) {
From 069bf0efff20c5faa6331e453ad8006ac8e35526 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:10:45 +0200 Subject: [PATCH 420/562] avfilter/vf_v360: Assert that vf was initialized Maybe helps: CID1504571 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f802d65de0fe419563705a6846a73b77b020ef14) Signed-off-by: Michael Niedermayer
---
 libavfilter/vf_v360.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c
index 942b47d7a4..a2960fd0ff 100644
--- a/libavfilter/vf_v360.c
+++ b/libavfilter/vf_v360.c
@@ -3787,6 +3787,8 @@ static int barrelsplit_to_xyz(const V360Context *s,
 case 3: // back bottom
 vf = (y * 2.f - 1.5f) / scaleh + 3.f - facef;
 break;
+ default:
+ av_assert0(0);
 }
 l_x = (0.5f - uf) / scalew;
 l_y = 0.5f * dir_vert;
From bbba5e041c6e520c8f0ac68e311d92923a5820a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:17:39 +0200 Subject: [PATCH 421/562] avfilter/vf_xfade: Compute w2, h2 with float Fixes: CID1458148 Result is not floating-point Fixes: CID1458149 Result is not floating-point Fixes: CID1458150 Result is not floating-point Fixes: CID1458151 Result is not floating-point Fixes: CID1458152 Result is not floating-point Fixes: CID1458154 Result is not floating-point Fixes: CID1458155 Result is not floating-point Fixes: CID1458156 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b98125e5a52c2f96dc02380f8f7e3bb16752765b)
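Review bot: `av_assert0(0)` in the new default branch of barrelsplit_to_xyz aborts the process, so if the switch operand (computed outside the hunk) can ever fall outside 0–3 for some input, a crafted stream turns an uninitialized `vf` into a denial of service rather than a wrong pixel. If the index is provably bounded, a comment on the branch such as `/* unreachable: face index is masked to 0..3 by the caller */` documents why the abort cannot fire; if it is not, the branch should give `vf` a defined value and report the error instead of asserting. The commit message's "Maybe helps" suggests the bound was not verified, which is the thing to settle before the assert lands. The function starts and ends outside the hunk.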
Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c index f61c7083dc..e97117704a 100644 --- a/libavfilter/vf_xfade.c +++ b/libavfilter/vf_xfade.c @@ -956,7 +956,7 @@ static void vertopen##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -984,7 +984,7 @@ static void vertclose##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -1012,7 +1012,7 @@ static void horzopen##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 2.f - fabsf((y - h2) / h2) - progress * 2.f; \ @@ -1040,7 +1040,7 @@ static void horzclose##name##_transition(AVFilterContext *ctx, XFadeContext *s = ctx->priv; \ const int nb_planes = s->nb_planes; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 1.f + fabsf((y - h2) / h2) - progress * 2.f; \ From bd1b5e7b58ca2ef586a724acdc90507ab3f21025 Mon Sep 17 00:00:00 2001 
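Review bot: `out->width / 2.0` evaluates in double and then narrows into the `const float w2`, whereas the surrounding transition macros keep their arithmetic in single precision (`2.f`, `fabsf`); `out->width / 2.f` gives the same half-width without the implicit double-to-float conversion that -Wconversion and -Wdouble-promotion report. The same applies to the three sibling hunks on this line (vertclose, horzopen and horzclose, where `h2` is computed the same way). Each macro body starts before its hunk.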
From: Michael Niedermayer Date: Sun, 26 May 2024 22:13:28 +0200 Subject: [PATCH 422/562] avcodec/dxva2: Initialize dxva_size and check it Related: CID1591878 Uninitialized scalar variable Related: CID1591928 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8c59e99295f9ef572b5d6f0fd9075bb2b79acbd) Signed-off-by: Michael Niedermayer
---
 libavcodec/dxva2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c
index 59025633f7..0fe70a083e 100644
--- a/libavcodec/dxva2.c
+++ b/libavcodec/dxva2.c
@@ -805,7 +805,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
 unsigned type, const void *data, unsigned size,
 unsigned mb_count)
 {
- void *dxva_data;
+ void *dxva_data = NULL;
 unsigned dxva_size;
 int result;
 HRESULT hr = 0;
@@ -827,7 +827,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
 type, (unsigned)hr);
 return -1;
 }
- if (size <= dxva_size) {
+ if (dxva_data && size <= dxva_size) {
 memcpy(dxva_data, data, size);
 #if CONFIG_D3D11VA
From 32dd9118c74fe4d5397a320d685994d74ceecd68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:23:16 +0200 Subject: [PATCH 423/562] avcodec/dxva2: Initialize ConfigBitstreamRaw Related: CID1591894 Uninitialized scalar variable Related: CID1591906 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 489c05b9c3ea7d856b7a81abce247721b3b3d6e8) Signed-off-by: Michael Niedermayer
---
 libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c
index 0fe70a083e..18f8467614 100644
--- a/libavcodec/dxva2.c
+++ b/libavcodec/dxva2.c
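Review bot: The subject says dxva_size is initialized, but the first hunk initializes `dxva_data` only; `unsigned dxva_size;` on the context line stays uninitialized. With the new `dxva_data &&` short-circuit it is never read when the buffer pointer is NULL, so the change is safe as written, yet `unsigned dxva_size = 0;` would make the declaration match the commit message and keep the function robust if the condition is later reordered. Whether a NULL buffer returned together with a successful hr then reaches a meaningful error path depends on the `#if CONFIG_D3D11VA` block and the else branch below the second hunk, which are not visible here; ff_dxva2_commit_buffer extends beyond both hunks.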
@@ -117,7 +117,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA From c15df4daca4d181c34fed74866d6a0a597cea147 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:28:04 +0200 Subject: [PATCH 424/562] avcodec/dxva2: initialize validate Related: CID1591915 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2232c4cc8c3d64dec4e4399b58e057f5dbb9ff98) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 18f8467614..cbd7d906c0 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -268,7 +268,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; From 02231d401249aa75a4264c1cff987edc1945f059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:33:11 +0200 Subject: [PATCH 425/562] avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() Related: CID1591924 Uninitialized scalar variable Related: CID1591938 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 1d6a2aebae202652feb5964a2d62bdba4e5cc6e4) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index cbd7d906c0..c9526b2e2f 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c 
@@ -905,7 +905,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); From 21ef3948a5b650e522a8c4e2a19d146b6f1638b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:24:09 +0200 Subject: [PATCH 426/562] avdevice/dshow: Initialize 2 pointers Coverity claims these are used uninitilaized in CID1598561 Uninitialized pointer write and CID1598565 Uninitialized pointer write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 43cde54fc14bc4644374b4736b2b7fff05359171) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 57d8e1c0af..84db151577 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -898,8 +898,8 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype, if (devtype == VideoDevice) { VIDEO_STREAM_CONFIG_CAPS *vcaps = caps; - BITMAPINFOHEADER *bih; - int64_t *fr; + BITMAPINFOHEADER *bih = NULL; + int64_t *fr = NULL; #if DSHOWDEBUG ff_print_VIDEO_STREAM_CONFIG_CAPS(vcaps); #endif From 5a0393bf01176e740a1688f9e42cb93e4e8e78b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2024 15:23:56 +0200 Subject: [PATCH 427/562] tools/target_dec_fuzzer: Check that FFv1 doesnt leave uninitialized memory in its buffers Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e40b23c52abe3356effa552549b2e989708a6e70) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index d54309a1aa..8c625428f8 100644 --- a/tools/target_dec_fuzzer.c 
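Review bot: `HRESULT hr = -1;` in ff_dxva2_common_end_frame relies on -1 having its sign bit set so that a later FAILED(hr) treats a never-assigned hr as a failure; that intent reads more clearly as `HRESULT hr = E_FAIL;`, the conventional "unspecified failure" code, which also spares a reader from wondering whether -1 is a meaningful status. The remainder of the function, including the check that consumes hr, is outside the hunk.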
+++ b/tools/target_dec_fuzzer.c
@@ -128,7 +128,14 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
 frame->extended_data = frame->data;
 for (i = 0; i < 4 && size[i]; i++) {
- frame->buf[i] = av_buffer_allocz(size[i]);
+ switch(ctx->codec_id) {
+ case AV_CODEC_ID_FFV1:
+ frame->buf[i] = av_buffer_alloc(size[i]);
+ break;
+ default:
+ frame->buf[i] = av_buffer_allocz(size[i]);
+ }
+
 if (!frame->buf[i])
 goto fail;
 frame->data[i] = frame->buf[i]->data;
From 53c666d17ed60d2009ffbc8d648e80ebf03a5cd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2024 18:20:33 +0200 Subject: [PATCH 428/562] avcodec/sga: av_assert1 check init_get_bits8() Related: CID1473562 Unchecked return value Related: CID1473592 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4524f07a93bf9061f9034ffa510d4bf9b582e8) Signed-off-by: Michael Niedermayer
---
 libavcodec/sga.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/sga.c b/libavcodec/sga.c
index f474ffba9a..acf8cec7f3 100644
--- a/libavcodec/sga.c
+++ b/libavcodec/sga.c
@@ -253,11 +253,13 @@ static int decode_palmapdata(AVCodecContext *avctx)
 const int bits = (s->nb_pal + 1) / 2;
 GetByteContext *gb = &s->gb;
 GetBitContext pm;
+ int ret;
 bytestream2_seek(gb, s->palmapdata_offset, SEEK_SET);
 if (bytestream2_get_bytes_left(gb) < s->palmapdata_size)
 return AVERROR_INVALIDDATA;
- init_get_bits8(&pm, gb->buffer, s->palmapdata_size);
+ ret = init_get_bits8(&pm, gb->buffer, s->palmapdata_size);
+ av_assert1(ret >= 0);
 for (int y = 0; y < s->tiles_h; y++) {
 uint8_t *dst = s->palmapindex_data + y * s->tiles_w;
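Review bot: The FFV1 special case in fuzz_video_get_buffer reads as a partial revert of patch 415 (which moved this site to av_buffer_allocz()) unless the reader already knows the subject line; a comment on the case keeps the rationale with the code, e.g. `/* FFV1 is expected to write every byte of its output; leave the buffer uninitialized so MSan catches any it misses */`. Style-wise, `switch(ctx->codec_id)` lacks the space after the keyword that the neighbouring `for (` and `if (` use. The function begins before this hunk.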
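Review bot: av_assert1() compiles to nothing when the build's assert level is below 1, so in such a build `ret` in decode_palmapdata is assigned but never read and an init_get_bits8() failure proceeds with an unset GetBitContext — the case CID1473562 describes. The failure is impossible only if s->palmapdata_size is bounded well below INT_MAX/8 somewhere outside the hunk; unless that bound is certain, a real check is cheaper than the assert and costs one line: `if (ret < 0) return ret;`. The decode_tiledata hunk that follows (`@@ -276,11 +278,13 @@`) has the identical pattern with s->tiledata_size. Both functions continue past their hunks.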
@@ -276,11 +278,13 @@ static int decode_tiledata(AVCodecContext *avctx) SGAVideoContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; GetBitContext tm; + int ret; bytestream2_seek(gb, s->tiledata_offset, SEEK_SET); if (bytestream2_get_bytes_left(gb) < s->tiledata_size) return AVERROR_INVALIDDATA; - init_get_bits8(&tm, gb->buffer, s->tiledata_size); + ret = init_get_bits8(&tm, gb->buffer, s->tiledata_size); + av_assert1(ret >= 0); for (int n = 0; n < s->nb_tiles; n++) { uint8_t *dst = s->tileindex_data + n * 64; From 29fc028ae2b697656d644d20a05aa333caaba3ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:02:58 +0200 Subject: [PATCH 429/562] avformat/segafilm: Set keyframe Fixes: use of uninitialized value Fixes: 70871/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5883617752973312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc7dfe65aaa21801a907c66592b92b05da921dc) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index f86845f35e..44ce1f6787 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -234,6 +234,7 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From a6d7abc88b81319c626a05bfad69386aad25da40 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:18:15 +0200 Subject: [PATCH 430/562] avformat/av1dec: Check bits left before get_leb128() Fixes: use of uninitialized value Fixes: 70872/clusterfuzz-testcase-minimized-ffmpeg_dem_OBU_fuzzer-6005782487826432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6996e1238e80b23caf05428dcbdd065fbd70ff10) Signed-off-by: Michael Niedermayer
---
 libavformat/av1dec.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c
index 3363003b18..a5b620a0ab 100644
--- a/libavformat/av1dec.c
+++ b/libavformat/av1dec.c
@@ -326,6 +326,9 @@ static int read_obu_with_size(const uint8_t *buf, int buf_size, int64_t *obu_siz
 skip_bits(&gb, 3); // extension_header_reserved_3bits
 }
+ if (get_bits_left(&gb) < 8)
+ return AVERROR_INVALIDDATA;
+
 *obu_size = get_leb128(&gb);
 if (*obu_size > INT_MAX)
 return AVERROR_INVALIDDATA;
From c419b928cdc4f422179683cd9d94af8b09338a07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:19:58 +0200 Subject: [PATCH 431/562] avformat/iamfdec: Check nb_layers before dereferencing layer Fixes: dereferencing pointers near NULL Fixes: 70432/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5255672845893632 Fixes: 70877/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5348547432611840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7f83fc2f423863b78c140ba23b5d28058a59f45) Signed-off-by: Michael Niedermayer
---
 libavformat/iamfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c
index ce6d4aa064..2e6608b868 100644
--- a/libavformat/iamfdec.c
+++ b/libavformat/iamfdec.c
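Review bot: `get_bits_left(&gb) < 8` guarantees only the first byte of the LEB128 value, but get_leb128() consumes up to eight; an obu_size whose continuation bytes run past buf_size is still assembled from whatever the bit reader yields beyond its end, so the value that reaches the `INT_MAX` test is not meaningful for a truncated input even though the reader is designed not to fault. A check after the call, `if (get_bits_left(&gb) < 0) return AVERROR_INVALIDDATA;` (get_bits_left() goes negative once the position passes the buffer size), rejects a truncated length explicitly. read_obu_with_size continues beyond the hunk.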
@@ -107,7 +107,7 @@ static int iamf_read_header(AVFormatContext *s) if (ret < 0) return ret; - if (!i && !j && audio_element->layers[0].substream_count == 1) + if (!i && !j && audio_element->nb_layers && audio_element->layers[0].substream_count == 1) st->disposition |= AV_DISPOSITION_DEFAULT; else st->disposition |= AV_DISPOSITION_DEPENDENT; From 68a8dc4dd79b9d299158fdaaa2c647d27766c2dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 13:30:28 +0200 Subject: [PATCH 432/562] bsf/media100_to_mjpegb: Clear output buffer padding Fixes: use-of-uninitialized-value Fixes: 70855/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MEDIA100_fuzzer-5537446610141184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0f22218f74e3af73492e05e6696546b0da8d40e) Signed-off-by: Michael Niedermayer --- libavcodec/bsf/media100_to_mjpegb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/bsf/media100_to_mjpegb.c b/libavcodec/bsf/media100_to_mjpegb.c index 6e117ae20f..4b2dc1a35a 100644 --- a/libavcodec/bsf/media100_to_mjpegb.c +++ b/libavcodec/bsf/media100_to_mjpegb.c @@ -148,6 +148,7 @@ second_field: AV_WB32(out->data + second_field_offset + 36, sod_offset[1] - second_field_offset); out->size = bytestream2_tell_p(&pb); + memset(out->data + out->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); ret = av_packet_copy_props(out, in); if (ret < 0) From 4926619103ab34d5a5ffada991b50b81370f6d0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:11:33 +0200 Subject: [PATCH 433/562] avcodec/mvha: Clear remaining space after inflate() Fixes: use-of-uninitialized-value Fixes: 70838/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-4878509466517504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit cba4e2e40dec1ff2ce534fec87c7e3e8bef7ff9b) Signed-off-by: Michael Niedermayer --- libavcodec/mvha.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c index 356cebc64e..87fe3c7100 100644 --- a/libavcodec/mvha.c +++ b/libavcodec/mvha.c @@ -183,6 +183,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret); return AVERROR_EXTERNAL; } + if (zstream->avail_out > 0) + memset(zstream->next_out, 0, zstream->avail_out); } } } else if (type == MKTAG('H','U','F','Y')) { From d9e078dcd7fe0dd4563dd240499aba0f99e0448d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:20:55 +0200 Subject: [PATCH 434/562] avcodec/apac: Clean padding space Fixes: use-of-uninitialized-value Fixes: 70842/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APAC_fuzzer-5758325067677696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ca072a373f5e2b6689a8649c79a03d12db5eb0b) Signed-off-by: Michael Niedermayer --- libavcodec/apac.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/apac.c b/libavcodec/apac.c index b6cb6c669e..24ddcdb864 100644 --- a/libavcodec/apac.c +++ b/libavcodec/apac.c @@ -160,6 +160,7 @@ static int apac_decode(AVCodecContext *avctx, AVFrame *frame, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); frame->nb_samples = s->bitstream_size * 16 * 8; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From d4394c8dce0dcf5f7d67fff0eab29af3f6bdcc40 Mon Sep 17 00:00:00 2001 
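Review bot: Zeroing whatever inflate() left unfilled makes the mvha output deterministic but also turns a truncated or short zlib stream into a silently zero-filled region of the frame, with nothing recording that the data was incomplete. If a short inflate is not expected for a valid frame, a warning next to the memset, `av_log(avctx, AV_LOG_WARNING, "inflate left %u bytes unfilled\n", zstream->avail_out);`, or marking the frame as corrupt would preserve the signal for users and for fuzz triage. decode_frame begins and ends outside the hunk.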
From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:27:44 +0200 Subject: [PATCH 435/562] avformat/mpeg: Check an avio_read() for failure Fixes: use-of-uninitialized-value Fixes: 70849/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-4684401009557504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66ee75d76ce56a3553a99d67e74b8a9970c18f5b) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index d48f95c456..b30bb44aef 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -565,7 +565,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; From 87de55344c101081b99f03de22bd4e3a3cd608b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:10:48 +0200 Subject: [PATCH 436/562] avcodec/shorten: clear padding Fixes: use-of-uninitialized-value Fixes: 70854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5533480570650624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44349ee88418ac16051bbc9231c1bfdc25d3504) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0ad95bf97e..66ff8dea3b 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -562,6 +562,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, AVFrame *frame, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ From 2909f4235126bd5dee78217b3fe10a62da7c9b5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:15:08 +0200 Subject: [PATCH 437/562] avcodec/vc1dec: Clear mb_type_base and ttblk_base Fixes: two use-of-uninitialized-value Fixes: 70856/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5539349918187520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50471f96c4a68874575ab21f799c5999ed920838) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3ca478e82a..3220d18341 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -378,7 +378,7 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) if (!v->block || !v->cbp_base) return AVERROR(ENOMEM); v->cbp = v->cbp_base + 2 * s->mb_stride; - v->ttblk_base = av_malloc(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); + v->ttblk_base = av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); if (!v->ttblk_base) return AVERROR(ENOMEM); v->ttblk = v->ttblk_base + 2 * s->mb_stride; 
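Review bot: Switching to av_mallocz() zeroes ttblk_base but keeps the unchecked size product `sizeof(v->ttblk_base[0]) * 3 * s->mb_stride`; `av_calloc(3 * s->mb_stride, sizeof(v->ttblk_base[0]))` yields the same zeroed buffer with the multiplication overflow check av_calloc performs, matching the aic and alsdec hunks later in this series that already use it. Whether mb_stride is bounded tightly enough elsewhere in vc1_decode_init_alloc_tables to make this moot is not visible in the hunk. The mb_type_base hunk that follows (`@@ -392,7 +392,7 @@`) has a composite size expression that av_calloc cannot express directly, so a comment stating the bound on mb_height and the strides, or an explicit range check, would serve the same purpose there.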
@@ -392,7 +392,7 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) v->luma_mv = v->luma_mv_base + 2 * s->mb_stride; /* allocate block type info in that way so it could be used with s->block_index[] */ - v->mb_type_base = av_malloc(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); + v->mb_type_base = av_mallocz(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); if (!v->mb_type_base) return AVERROR(ENOMEM); v->mb_type[0] = v->mb_type_base + s->b8_stride + 1; From 01c406b1d6aefb567288b1a4e478ace3fcafa38b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:30:03 +0200 Subject: [PATCH 438/562] avcodec/aic: Clear slice_data Fixes: use-of-uninitialized-value Fixes: 70865/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-4874102695854080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de3f6c8888bcf3df4ca6cb265a83507b95c884cd) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index f8b0f60354..48a125d956 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -466,8 +466,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); From 677e7cd8147fb3f9951aabd27a1e68885f79dc2d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:32:31 +0200 Subject: [PATCH 439/562] avcodec/alsdec: clear last_acf_mantissa Fixes: use-of-uninitialized-value Fixes: 70869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5476567461986304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db843c8910781eb72a4658780283ef4e2da4591d) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7262cdb4b3..0b78f75ea6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2112,7 +2112,7 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->acf = av_malloc_array(channels, sizeof(*ctx->acf)); ctx->shift_value = av_calloc(channels, sizeof(*ctx->shift_value)); ctx->last_shift_value = av_calloc(channels, sizeof(*ctx->last_shift_value)); - ctx->last_acf_mantissa = av_malloc_array(channels, sizeof(*ctx->last_acf_mantissa)); + ctx->last_acf_mantissa = av_calloc(channels, sizeof(*ctx->last_acf_mantissa)); ctx->raw_mantissa = av_calloc(channels, sizeof(*ctx->raw_mantissa)); ctx->larray = av_malloc_array(ctx->cur_frame_length * 4, sizeof(*ctx->larray)); From d8be286c006e864289120682e9ef4c4e0c47a3ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Aug 2024 18:46:10 +0200 Subject: [PATCH 440/562] =?UTF-8?q?avcodec/apac:=20Fix=20discards=20?= =?UTF-8?q?=E2=80=98const=E2=80=99=20qualifier?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: courmisch Signed-off-by: Michael Niedermayer (cherry picked from commit 45ee6b1e3d4f762e372e09505c9c8ca37c1321a0) Signed-off-by: Michael Niedermayer --- libavcodec/apac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apac.c b/libavcodec/apac.c index 24ddcdb864..98c34b9996 100644 --- a/libavcodec/apac.c 
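Review bot: Only last_acf_mantissa is switched to av_calloc() while the neighbouring `ctx->acf` and `ctx->larray` in the same context stay av_malloc_array(); if either can be read before its first write on an early-error path, as last_acf_mantissa evidently could, they carry the same class of uninitialised-read bug. It is worth either confirming with the same fuzzer target or switching them for consistency, e.g. `ctx->acf = av_calloc(channels, sizeof(*ctx->acf));`. None of the allocations in the visible context are NULL-checked inside the hunk; presumably that happens below, since decode_init continues outside the hunk.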
+++ b/libavcodec/apac.c @@ -130,7 +130,7 @@ static int apac_decode(AVCodecContext *avctx, AVFrame *frame, APACContext *s = avctx->priv_data; GetBitContext *gb = &s->gb; int ret, n, buf_size, input_buf_size; - const uint8_t *buf; + uint8_t *buf; int nb_samples; if (!pkt->size && s->bitstream_size <= 0) { From 470718d8cb9e290f1b102afa36d378de5c650217 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 18:35:48 +0200 Subject: [PATCH 441/562] avformat/av1dec: Better fix for 70872/clusterfuzz-testcase-minimized-ffmpeg_dem_OBU_fuzzer-6005782487826432 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad937f0c8cb9f120c50f3e792a699076923768e) Signed-off-by: Michael Niedermayer --- libavformat/av1dec.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c index a5b620a0ab..8c0b8fe975 100644 --- a/libavformat/av1dec.c +++ b/libavformat/av1dec.c @@ -326,9 +326,6 @@ static int read_obu_with_size(const uint8_t *buf, int buf_size, int64_t *obu_siz skip_bits(&gb, 3); // extension_header_reserved_3bits } - if (get_bits_left(&gb) < 8) - return AVERROR_INVALIDDATA; - *obu_size = get_leb128(&gb); if (*obu_size > INT_MAX) return AVERROR_INVALIDDATA; @@ -382,6 +379,7 @@ static int obu_get_packet(AVFormatContext *s, AVPacket *pkt) if (size < 0) return size; + memset(header + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); len = read_obu_with_size(header, size, &obu_size, &type); if (len < 0) { av_log(c, AV_LOG_ERROR, "Failed to read obu\n"); From 24396a0caf27a27c22a4f82e4fc6a367ac2ae487 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2024 01:11:50 +0200 Subject: [PATCH 442/562] avcodec/avcodec: Warn about data returned from get_buffer*() Text based on suggestion by: epirat07@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 93444c46fce195e378c4ebb1a20ea662e7f0123b) 
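Review bot: Dropping the `get_bits_left(&gb) < 8` guard in read_obu_with_size means a header truncated inside obu_size is no longer rejected up front; get_leb128() now runs into the zeroed padding that the second hunk adds, so a truncated size decodes as a short leb128 value instead of failing. If that is intended, the overrun should still be rejected after parsing, e.g. `if (get_bits_left(&gb) < 0) return AVERROR_INVALIDDATA;` right after the `*obu_size > INT_MAX` check. The `memset(header + size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` in obu_get_packet in turn relies on `header` having that much room past `size`, which is not visible here — confirm the declaration. Both enclosing functions start and end outside the hunk.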
Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 83dc487251..9c438cedaf 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1175,6 +1175,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by From 5742fce47afa94e3fef266af0b9d747910af7336 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 16:25:27 +0200 Subject: [PATCH 443/562] avcodec/magicyuvenc: better slice height Fixes: Use of uninitialized value Fixes: 71072/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4835252046987264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b08776e3ae9a5315c19e8619ca71921006c1abe1) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuvenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/magicyuvenc.c b/libavcodec/magicyuvenc.c index 1c3ab56460..e8e03d2461 100644 --- a/libavcodec/magicyuvenc.c +++ b/libavcodec/magicyuvenc.c 
@@ -375,11 +375,14 @@ static int count_plane_slice(AVCodecContext *avctx, int n, int plane) Slice *sl = &s->slices[n * s->planes + plane]; const uint8_t *dst = sl->slice; PTable *counts = sl->counts; + const int slice_height = s->slice_height; + const int last_height = FFMIN(slice_height, avctx->height - n * slice_height); + const int height = (n < (s->nb_slices - 1)) ? slice_height : last_height; memset(counts, 0, sizeof(sl->counts)); count_usage(dst, AV_CEIL_RSHIFT(avctx->width, s->hshift[plane]), - AV_CEIL_RSHIFT(s->slice_height, s->vshift[plane]), counts); + AV_CEIL_RSHIFT(height, s->vshift[plane]), counts); return 0; } From d649d42a2c52b4934fd8c7b263819d235422f219 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 17:02:12 +0200 Subject: [PATCH 444/562] avformat/apetag: Check APETAGEX Fixes: Use of uninitialized value Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 796ff2d599449ed798b69ab798ebcbcc0a5853f5) Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index f2794c46f2..8316abc07c 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -120,7 +120,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; } From f2d7b8089f453189ea79de6c645741b5494fdc04 Mon Sep 17 00:00:00 2001 
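Review bot: `height` duplicates the bound that FFMIN already applies: FFMIN(slice_height, avctx->height - n * slice_height) yields slice_height for every slice that fits completely and the remainder for the last one, so the ternary on `s->nb_slices - 1` adds nothing and the three lines collapse to `const int height = FFMIN(s->slice_height, avctx->height - n * s->slice_height);`. Whether the remainder can go negative depends on how nb_slices is derived, which is outside the hunk; if it can exceed ceil(height / slice_height), wrapping the expression in FFMAX(0, ...) is cheap insurance against count_usage() being handed a negative row count.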
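Review bot: Style: the file writes `if (` with a space (see the `if (strncmp(buf, APE_TAG_PREAMBLE, 8))` directly below), so the new line should read `if (avio_read(pb, buf, 8) != 8) /* APETAGEX */`. Returning 0 on a short read silently treats the file as having no APE tag, which matches the existing preamble check, but the `avio_seek()` just above is still unchecked, so a seek failure is likewise reported as "no tag" rather than as an I/O error — acceptable for an optional trailer, but worth a one-line comment saying so. ff_ape_parse_tag continues outside the hunk.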
From: Michael Niedermayer Date: Mon, 19 Aug 2024 20:02:41 +0200 Subject: [PATCH 445/562] avcodec/vc1_block: propagate error codes Fixes: use of uninitialized value Fixes: 71228/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6188476880453632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01910ca6037379804572c5ec9bbd0b94e7e4b83e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index a6ee4922f9..d593878140 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1297,6 +1297,7 @@ static int vc1_decode_p_mb(VC1Context *v) int dst_idx, off; int skipped, fourmv; int block_cbp = 0, pat, block_tt = 0, block_intra = 0; + int ret; mquant = v->pq; /* lossy initialization */ @@ -1355,8 +1356,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); 
@@ -1458,8 +1461,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1530,6 +1535,7 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0, mvbp; int fieldtx; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1602,8 +1608,10 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1739,6 +1747,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) int pred_flag = 0; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0; + int ret; mquant = v->pq; /* Lossy initialization */ 
@@ -1770,8 +1779,10 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1862,6 +1873,7 @@ static int vc1_decode_b_mb(VC1Context *v) int skipped, direct; int dmv_x[2], dmv_y[2]; int bmvtype = BMV_TYPE_BACKWARD; + int ret; mquant = v->pq; /* lossy initialization */ s->mb_intra = 0; @@ -1974,8 +1986,10 @@ static int vc1_decode_b_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2021,6 +2035,7 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) int bmvtype = BMV_TYPE_BACKWARD; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; 
@@ -2053,8 +2068,10 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2191,6 +2208,7 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) int stride_y, fieldtx; int bmvtype = BMV_TYPE_BACKWARD; int dir, dir2; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2247,8 +2265,10 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && i > 3 && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2782,6 +2802,7 @@ static void vc1_decode_p_blocks(VC1Context *v) { MpegEncContext *s = &v->s; int apply_loop_filter; + int ret; /* select coding mode used for VLC tables selection */ switch (v->c_ac_table_index) { 
@@ -2824,22 +2845,22 @@ static void vc1_decode_p_blocks(VC1Context *v) } if (v->fcm == ILACE_FIELD) { - vc1_decode_p_mb_intfi(v); + ret = vc1_decode_p_mb_intfi(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } else if (v->fcm == ILACE_FRAME) { - vc1_decode_p_mb_intfr(v); + ret = vc1_decode_p_mb_intfr(v); if (apply_loop_filter) ff_vc1_p_intfr_loop_filter(v); } else { - vc1_decode_p_mb(v); + ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } - if (get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { + if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { // TODO: may need modification to handle slice coding ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR); - av_log(s->avctx, AV_LOG_ERROR, "Bits overconsumption: %i > %i at %ix%i\n", + av_log(s->avctx, AV_LOG_ERROR, "Error or Bits overconsumption: %i > %i at %ix%i\n", get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y); return; } From d349ad7bb698d8d41e44e643cefcd6241ca0850d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 20:37:56 +0200 Subject: [PATCH 446/562] avcodec/notchlc: Check bytes left before reading Fixes: Use of uninitialized value Fixes: 71230/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-4624502095413248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c7f50c7de9b7d8c533eae173c9b77a6719346c) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 6351a313f8..f8c104b33c 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c 
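Review bot: In vc1_decode_p_blocks the per-macroblock loop filter still runs before `ret` is examined: each branch calls `ff_vc1_p_loop_filter(v)` / `ff_vc1_p_intfr_loop_filter(v)` immediately after the decode call, so when vc1_decode_intra_block() failed the filter operates on a macroblock whose blocks were only partly decoded. Testing `ret` (and the bit-overconsumption condition) before filtering avoids that, as sketched below; the behavioural difference is only that an erroring macroblock is no longer filtered before the slice is marked as ER_MB_ERROR. The log message now also fires for plain decode errors while only printing bit counts, so including `ret` makes the two cases distinguishable. The loop enclosing this code starts outside the hunk.
```c
        if (v->fcm == ILACE_FIELD) {
            ret = vc1_decode_p_mb_intfi(v);
        } else if (v->fcm == ILACE_FRAME) {
            ret = vc1_decode_p_mb_intfr(v);
        } else {
            ret = vc1_decode_p_mb(v);
        }
        if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) {
            // TODO: may need modification to handle slice coding
            ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR);
            av_log(s->avctx, AV_LOG_ERROR, "Error (%d) or Bits overconsumption: %i > %i at %ix%i\n",
                   ret, get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y);
            return;
        }
        if (apply_loop_filter) {
            if (v->fcm == ILACE_FRAME)
                ff_vc1_p_intfr_loop_filter(v);
            else
                ff_vc1_p_loop_filter(v);
        }
        /* … unchanged: rest of the macroblock loop … */
```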
@@ -92,6 +92,9 @@ static int lz4_decompress(AVCodecContext *avctx, } while (current == 255); } + if (bytestream2_get_bytes_left(gb) < num_literals) + return AVERROR_INVALIDDATA; + if (pos + num_literals < HISTORY_SIZE) { bytestream2_get_buffer(gb, history + pos, num_literals); pos += num_literals; From 7289a09477f7f00fb57ce4ce9754e0166d5374c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 22:17:48 +0200 Subject: [PATCH 447/562] avformat/argo_brp: Check that ASF chunk header is completely read Fixes: Use of uninitialized value Fixes: 71280/clusterfuzz-testcase-minimized-ffmpeg_dem_ARGO_BRP_fuzzer-4692991866896384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 815d00868101956e2f1f9f8dd509c11af5a63684) Signed-off-by: Michael Niedermayer --- libavformat/argo_brp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/argo_brp.c b/libavformat/argo_brp.c index f88def3731..94b404b5d0 100644 --- a/libavformat/argo_brp.c +++ b/libavformat/argo_brp.c @@ -380,8 +380,8 @@ static int argo_brp_read_packet(AVFormatContext *s, AVPacket *pkt) if (blk.size < ASF_CHUNK_HEADER_SIZE) return AVERROR_INVALIDDATA; - if ((ret = avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE)) < 0) - return ret; + if (avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE) != ASF_CHUNK_HEADER_SIZE) + return AVERROR_INVALIDDATA; ff_argo_asf_parse_chunk_header(&ckhdr, buf); From 45c9900a9f675352f62027ff3d27783ca5b55787 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:04 +0200 Subject: [PATCH 448/562] avcodec/wmavoice: Do not use uninitialized pitch[0] Fixes: use of uninitialized value Fixes: 70850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-4806127362048000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
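Review bot: The new bytes-left guard covers only the literal copy that follows; the `else` branch of `if (pos + num_literals < HISTORY_SIZE)` and the later match-length/offset reads of lz4_decompress are outside the hunk, so it is worth confirming they have an equivalent bytestream2_get_bytes_left() check rather than also reading uninitialised or out-of-range data. num_literals itself cannot overflow int here: each iteration of the visible `do { … } while (current == 255)` loop consumes one input byte and adds at most 255, so the comparison is sound. lz4_decompress starts and ends outside the hunk.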
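Review bot: The replacement in argo_brp_read_packet discards the negative avio_read() error code: an EOF or I/O error now surfaces as AVERROR_INVALIDDATA, whereas the old line propagated it (but missed short reads). Both can be kept since `ret` is already declared in this function: `if ((ret = avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE)) != ASF_CHUNK_HEADER_SIZE) return ret < 0 ? ret : AVERROR_INVALIDDATA;`. The preceding `blk.size < ASF_CHUNK_HEADER_SIZE` check is unaffected. argo_brp_read_packet continues outside the hunk.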
Signed-off-by: Michael Niedermayer (cherry picked from commit 53387079301690f1bd38b97fdf31d63194201d17) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 4e93aadab2..9bda7c7539 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1505,6 +1505,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* Parse frame type ("frame header"), see frame_descs */ int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc, 6, 3)], block_nsamples; + pitch[0] = INT_MAX; + if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n"); @@ -1622,6 +1624,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, double i_lsps[MAX_LSPS]; float lpcs[MAX_LSPS]; + if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX) + return AVERROR_INVALIDDATA; + for (n = 0; n < s->lsps; n++) // LSF -> LSP i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n])); ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1); From bd29e0ca59394c88ba27ab9d04c6135f38dee2e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:05 +0200 Subject: [PATCH 449/562] avformat/mvdec: Check if name was fully read Fixes: use of uninitialized value Fixes: 70901/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-6341913949569024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e39795c75e664ef06f17473adec8c75fcf9de6f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 31640f7590..0e1ae07443 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c 
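Review bot: INT_MAX is used as an in-band "not parsed yet" sentinel for pitch[0], and the check `frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX` then depends on enum ordering and on no earlier path ever storing INT_MAX as a real pitch value. A dedicated flag is clearer and cannot collide: declare `int have_pitch = 0;`, set it where pitch[0] is assigned, and test `if (frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && !have_pitch)`. At minimum the sentinel deserves a comment at the assignment, e.g. `/* INT_MAX marks pitch[0] as unset; frame types with pulses require it */`, and `if(` should be `if (` per the file's style. synth_frame starts and ends outside the hunks.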
@@ -255,7 +255,8 @@ static int read_table(AVFormatContext *avctx, AVStream *st, if (avio_feof(pb)) return AVERROR_EOF; - avio_read(pb, name, 16); + if (avio_read(pb, name, 16) != 16) + return AVERROR_INVALIDDATA; name[sizeof(name) - 1] = 0; size = avio_rb32(pb); if (size < 0) { From 748e8c6afa0e1e86bfe871536504cbe850053dde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:03:55 +0200 Subject: [PATCH 450/562] avcodec/vc2enc: basic sanity check on slice_max_bytes Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int' Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6df9a0292ca6c29ef3b220fbf9b257924cabf035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 349174c8c7..c442179a3e 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -985,7 +985,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); From d300b23bad12c1a874c9383cdccaf3440d98dba0 Mon Sep 17 00:00:00 2001 
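Review bot: The new `s->slice_max_bytes > INT_MAX >> 3` rejection in vc2_encode_frame returns EINVAL without any diagnostic, so a user hitting it sees an encode failure with no hint of which parameter is at fault; the bound exists because the value is later shifted left by 3 (per the commit message), which is not evident from the line. An `av_log(avctx, AV_LOG_ERROR, "slice_max_bytes %d too large\n", s->slice_max_bytes);` before the return, plus a comment `/* slice_max_bytes << 3 must stay within int */`, would make it self-explaining. Whether slice_max_bytes can realistically reach that size depends on how it is derived above, which is outside the hunk.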
From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:08:42 +0200 Subject: [PATCH 451/562] swscale/swscale: Use unsigned operation to avoid undefined behavior I have not checked that the constant is correct, this just fixes the undefined behavior Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44c5641ae82387fcfce94820f5b53ce8e9dcd27f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index f08f2ac3b7..87314c2edb 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -223,7 +223,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } From 8840b815359360e4afade2e26c812e2a36330bf3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:51:53 +0200 Subject: [PATCH 452/562] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int' Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd80c97391969f9dbb312d6c498211ad85bb67cb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index e8dd2145ce..d5b457541c 100644 
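Review bot: The rewritten line in lumRangeFromJpeg16_c silently relies on three things that are not obvious from reading it: unsigned wrap of the intermediate, an implementation-defined unsigned→int conversion, and an arithmetic right shift of a possibly negative int; the commit message itself says the constant was not verified. A short comment would help the next reader, e.g. `/* evaluated in unsigned to avoid signed-overflow UB; the cast back to int and the >> rely on two's complement and arithmetic shift as elsewhere in swscale */`, and spelling out the factors (`14071U/4` = 3517, `(33561947<<4)/4` = 134247788) would let the intended fixed-point scaling be checked against the 8-bit variant. Only the loop body is in the hunk.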
--- a/libswscale/output.c +++ b/libswscale/output.c @@ -1150,8 +1150,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; 
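Review bot: Making Y1/Y2 unsigned only renders the later `R_B + Y1` style additions wrap-safe; the initialiser `(buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14` is still evaluated entirely in signed int, so if those products or their sum can overflow for fuzzed input (buf0 is int32_t and yalpha is bounded only by the `uvalpha <= 4096U` style asserts) the undefined behaviour merely moves one line up. Whether that range is reachable is not visible here; if it is, the same unsigned treatment is needed on the products, bearing in mind that an unsigned `>> 14` no longer sign-extends. A comment at the declaration, `/* unsigned so the chroma/luma sums below wrap instead of overflowing */`, would record why two of the four temporaries differ in signedness.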
@@ -1175,20 +1175,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 73475dfa8d9a7ce1adf35c0c5b6faf7b08aa3e97 Mon Sep 17 00:00:00 2001 
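Review bot: Style: the `av_clip_uintp2(((int)(X + Y) >> 14) + (1<<15), 16)` form is now repeated twelve times across the two branches, and the `(int)` cast that carries the whole point of the fix is easy to miss in that wall of parentheses. A local helper such as `#define Y2RGB16(c, y) av_clip_uintp2(((int)((c) + (y)) >> 14) + (1 << 15), 16)` (undefined after the template) or a static inline would make the unsigned-wrap-then-sign-reinterpret trick visible in one place. The same pattern presumably exists in the sibling yuv2rgba64_*_c_template functions outside this hunk and would benefit from the same treatment.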
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:57:44 +0200 Subject: [PATCH 453/562] avformat/flvdec: Free metaVideoColor Fixes: memeleak Fixes: 70659/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-4539872627458048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 176db9db6e23f3299da379060adc89e4abc980b9) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 892371fcd0..725b5a0c89 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1111,6 +1111,7 @@ static int flv_parse_video_color_info(AVFormatContext *s, AVStream *st, int64_t return TYPE_UNKNOWN; } + av_free(flv->metaVideoColor); if (!(flv->metaVideoColor = av_mallocz(sizeof(FLVMetaVideoColor)))) { return AVERROR(ENOMEM); } From c709d551d6ca9633fd80bcc3159c4bb49a2f38d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:29:04 +0200 Subject: [PATCH 454/562] avformat/mxfdec: More offset_temp checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long' Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a96aa435af0d66bdec52ee115cf4dd971855fcd) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 0f9c4fa730..e12e566a16 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
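Review bot: Freeing and reallocating metaVideoColor on every call fixes the leak but churns the allocator for a fixed-size struct that is zero-filled each time anyway; reusing the existing allocation is simpler: `if (!flv->metaVideoColor && !(flv->metaVideoColor = av_mallocz(sizeof(*flv->metaVideoColor)))) return AVERROR(ENOMEM);` followed by `memset(flv->metaVideoColor, 0, sizeof(*flv->metaVideoColor));`. If the free-then-allocate form is kept, note that it is safe only because a failing av_mallocz() stores NULL into the field so no dangling pointer survives to the close path — a comment `/* av_mallocz() failure leaves the field NULL, so no stale pointer remains */` would make that explicit. flv_parse_video_color_info continues outside the hunk.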
@@ -1922,6 +1922,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From c3d84bdcbf8bf1e5c8a773b00016ff7cb13c3b76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:05:24 +0200 Subject: [PATCH 455/562] avformat/mxfdec: Check timecode for overflow Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long' Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6be3786c828edfd60d810c98a42a43eeac4f050c) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e12e566a16..77cc137780 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2394,6 +2394,9 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t physical_track->edit_rate, source_track->edit_rate); + if (av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame) + return AVERROR_INVALIDDATA; + if (av_timecode_init(&tc, mxf_tc->rate, flags, start_position + mxf_tc->start_frame, mxf->fc) == 0) { mxf_add_timecode_metadata(&st->metadata, "timecode", &tc); return 0; From af50c43d82d708d450271b681bf5ab093269a7c2 Mon Sep 17 00:00:00 2001 
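Review bot: The new overflow guard assumes `s->index_duration`, `s->edit_unit_byte_count` and `offset_temp` are all non-negative: with a negative index_duration (a value parsed from the file) the `> INT64_MAX / …` test is vacuously false and the product is negative, so `offset_temp += …` can still underflow when offset_temp is small or itself negative. If those fields are not already range-checked at parse time, reject negatives here too, e.g. `if (s->index_duration < 0 || s->edit_unit_byte_count < 0) return AVERROR_INVALIDDATA;` ahead of the multiply check. The field types are not visible in the hunk, so this needs confirming against the struct.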
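Review bot: The saturation test `av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame` is correct but opaque: it compares a saturated int64 with a wrapped uint64 and relies on the implicit int64→uint64 conversion of the left operand. A comment such as `/* reject int64 overflow of start_position + start_frame: the saturated sum differs from the wrapped one */` would save the next reader a minute, and returning a dedicated log message rather than a bare AVERROR_INVALIDDATA would help diagnose the (necessarily broken) file. mxf_parse_physical_source_package continues outside the hunk.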
From: Michael Niedermayer Date: Thu, 19 Sep 2024 19:43:03 +0200 Subject: [PATCH 456/562] avcodec/osq: Treat sum = 0 as k = 0 We have no valid sample that triggers this so we do not know if this would decode correctly, but -inf is not the correct k value Fixes: Assertion n>=0 && n<=32 failed at libavcodec/get_bits.h:423 Fixes: -inf is outside the range of representable values of type 'int' Fixes: 70709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6223623839350784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit ad35eaf848bb605d9b2b3a638265ac9d385878e3) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 1663f0b15f..826b9f1454 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -159,6 +159,8 @@ static int update_residue_parameter(OSQChannel *cb) int rice_k; sum = cb->sum; + if (!sum) + return 0; x = sum / cb->count; rice_k = ceil(log2(x)); if (rice_k >= 30) { From 5ea1ae9385259fb61bf7f44ba951b1e9aeb619f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 19:56:48 +0200 Subject: [PATCH 457/562] avformat/asf: Check picsize Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int' Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fde8637fda8e5ac4ccfa4b137a7467e16cd631b6) Signed-off-by: Michael Niedermayer --- libavformat/asf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/asf.c b/libavformat/asf.c index 1285062220..2a5859ed68 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c 
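Review bot: The early `return 0` for sum == 0 skips everything update_residue_parameter does after computing rice_k, and the remainder of the function is outside the hunk; if it also resets or rescales cb->sum/cb->count for the next block, an all-zero residue now leaves the adaptive state untouched, which is worth confirming against the rest of the function. Separately, `x = sum / cb->count` still divides by cb->count, so a zero count with a non-zero sum would be a division by zero; the commit message suggests no valid sample reaches this path, but a guard is cheap. A comment recording the intent stated in the commit, `/* an all-zero residue has no meaningful log2; use k = 0 */`, would help since the early return otherwise looks like an error path.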
@@ -89,8 +89,8 @@ static int asf_read_picture(AVFormatContext *s, int len) return 0; } - if (picsize >= len) { - av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d >= %d.\n", + if (picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX) { + av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d (len = %d).\n", picsize, len); return AVERROR_INVALIDDATA; } From 44bf027a3f97b099a13a101b3318191de134bdec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 21:57:09 +0200 Subject: [PATCH 458/562] avcodec/jfdctint_template: use unsigned z* in row_fdct() Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int' Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f27c8b04d3059fa538db8f2db6503cbb586eb3ad) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index aa2680132e..58827b677e 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From b67e271bed0ca8fc610d94d25da9d7b487761ba0 Mon Sep 17 00:00:00 2001 
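Review bot: Neither the old nor the new condition rejects a negative `picsize`; if it is a signed value read from the stream (its declaration and the read are above the hunk), a negative value passes `picsize >= len`, makes `(int64_t)len - picsize` larger than `len`, and whatever consumes `picsize` afterwards sees a negative size. Extending the test to `if (picsize < 0 || picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX)` closes that path, and the updated error message already prints both values. asf_read_picture continues outside the hunk.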
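Review bot: Making `z1`–`z5` `unsigned` turns every expression they feed into unsigned arithmetic, including the operands of the `DESCALE` right shifts further down in row_fdct (outside the hunk); if `DESCALE` is a plain `>>`, a logical shift differs from an arithmetic one for negative intermediates, and the stored value is only right because the `int16_t` store discards the differing high bits. That reasoning is not visible at the declaration, so a comment is warranted, e.g. `/* unsigned: avoids signed overflow; the DESCALE shifts rely on truncation to int16_t */`. Without it the next reader will either "fix" the shifts or revert the types.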
From: Michael Niedermayer Date: Thu, 19 Sep 2024 22:03:37 +0200 Subject: [PATCH 459/562] avcodec/osq: use unsigned for decorrelation Fixes: signed integer overflow: 1205469696 + 1901074655 cannot be represented in type 'int' Fixes: 70773/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5419594888577024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9f588af9530e5e6f9422ffa0d8e8dc8f80a2ae1) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 826b9f1454..6db25a3ffc 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -341,7 +341,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int if (nb_channels == 2 && ch == 1) { if (decorrelate) - dst[n] += s->decode_buffer[0][OFFSET+n]; + dst[n] += (unsigned)s->decode_buffer[0][OFFSET+n]; } if (downsample) From ab1b1ef730569d8916d415b4014e94f4cd0c84d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 22:32:36 +0200 Subject: [PATCH 460/562] avcodec/cbs_h266_syntax_template: Check bit depth with range extension Fixes: shift exponent 62 is too large for 32-bit type 'int' Fixes: 71020/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6444916325023744 Fixes: 71285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4761971281428480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d25b9665edb45c31ad6dda9612fd6e63fc289f3) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h266_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 281069f06e..7907f9d5c7 100644 --- a/libavcodec/cbs_h266_syntax_template.c 
+++ b/libavcodec/cbs_h266_syntax_template.c @@ -1618,6 +1618,8 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, ub(7, sps_extension_7bits); if (current->sps_range_extension_flag) { + if (current->sps_bitdepth_minus8 <= 10 - 8) + return AVERROR_INVALIDDATA; CHECK(FUNC(sps_range_extension)(ctx, rw, current)); } else { infer(sps_extended_precision_flag, 0); From d4bdaa24ea6dfa4a196aefbe6b9fcf556c97c20a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:33:49 +0200 Subject: [PATCH 461/562] avcodec/encode: Check bitrate Fixes: -1.80923e+19 is outside the range of representable values of type 'long' Fixes: 71103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6542773681979392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74385dd496bdcda9a6e029fabf4946f2234a0d13) Signed-off-by: Michael Niedermayer --- libavcodec/encode.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/encode.c b/libavcodec/encode.c index 7fc9737e93..caac6c3c3e 100644 --- a/libavcodec/encode.c +++ b/libavcodec/encode.c @@ -739,6 +739,11 @@ int ff_encode_preinit(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->bit_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "The encoder bitrate is negative.\n"); + return AVERROR(EINVAL); + } + if (avctx->flags & AV_CODEC_FLAG_COPY_OPAQUE && !(avctx->codec->capabilities & AV_CODEC_CAP_ENCODER_REORDERED_OPAQUE)) { av_log(avctx, AV_LOG_ERROR, "The copy_opaque flag is set, but the " From 0b5bfff1c09e73ed378ba41e683bd7aa25d702a9 Mon Sep 17 00:00:00 2001 
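Review bot: The new rejection returns `AVERROR_INVALIDDATA` silently, whereas the other checks in this template report through the context logger, and the `10 - 8` literal hides what is being enforced. I would log before returning, `av_log(ctx->log_ctx, AV_LOG_ERROR, "sps_range_extension_flag set with bit depth %d <= 10.\n", current->sps_bitdepth_minus8 + 8);`, and state the rule in a comment such as `/* the range extension is only permitted for bit depths above 10 (sps_bitdepth_minus8 > 2) */`, assuming that is the spec constraint the fix relies on. The sps() function continues outside the hunk.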
From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:41:39 +0200 Subject: [PATCH 462/562] tools/target_dec_fuzzer: Adapt threshold for RASC Fixes: Timeout Fixes: 71108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-4799330484027392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a823fbcfae33c8022086cbdea94e8e6d7b32ec1) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 8c625428f8..d65c47a1e8 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -284,7 +284,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_QPEG: maxpixels /= 256; break; case AV_CODEC_ID_RKA: maxsamples /= 1<<20; break; case AV_CODEC_ID_RSCC: maxpixels /= 256; break; - case AV_CODEC_ID_RASC: maxpixels /= 16; break; + case AV_CODEC_ID_RASC: maxpixels /= 256; break; case AV_CODEC_ID_RTV1: maxpixels /= 16; break; case AV_CODEC_ID_SANM: maxpixels /= 16; break; case AV_CODEC_ID_SCPR: maxpixels /= 32; break; From f8b1d416e3b695b72bd25c1620016c08aa3b4561 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:57:31 +0200 Subject: [PATCH 463/562] avcodec/eacmv: Check input size for intra frames Fixes: Timeout Fixes: 71135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-6251879028293632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3a1cbbf5d99337b5e99260eb95c84e65c7587f6) Signed-off-by: Michael Niedermayer --- libavcodec/eacmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 43dba20fae..15d3550cb8 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c 
@@ -194,12 +194,15 @@ static int cmv_decode_frame(AVCodecContext *avctx, AVFrame *frame, if ((ret = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) return ret; + buf += EA_PREAMBLE_SIZE; + if (!(buf[0]&1) && buf_end - buf < s->width * s->height * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; memcpy(frame->data[1], s->palette, AVPALETTE_SIZE); - buf += EA_PREAMBLE_SIZE; if ((buf[0]&1)) { // subtype cmv_decode_inter(s, frame, buf+2, buf_end); frame->flags &= ~AV_FRAME_FLAG_KEY; From 0f0645381b954585f21326f97765f00e8f4b0aad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 20:31:58 +0200 Subject: [PATCH 464/562] avcodec/svq3: Check for minimum size input Fixes: Timeout Fixes: 71295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-4999941125111808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 050b5e85cbe61414ba9b78f76a04b2488e816f42) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index d2f53742e1..8d0e096edc 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1399,6 +1399,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, AVFrame *rframe, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) From 6f395fba57201a1d73fbd0f012dc2e2db3c417aa Mon Sep 17 00:00:00 2001 
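Review bot: After `buf += EA_PREAMBLE_SIZE;` the new condition reads `buf[0]` without a visible guarantee that at least one byte remains past the preamble; the original code performed the same read later, so a size check above the hunk may already cover it, but if not this is a one-byte over-read on a truncated packet. Adding `if (buf_end - buf < 1) return AVERROR_INVALIDDATA;` before the test, or folding `buf_end - buf >= 1 &&` into it, makes the hunk self-contained. cmv_decode_frame continues outside the hunk.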
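Review bot: `s->mb_width * s->mb_height / 8` is an unexplained heuristic; a reader cannot tell whether 8 means one bit per macroblock or something else, and the integer division means the check never rejects anything for fewer than eight macroblocks. A comment such as `/* each macroblock needs at least one bit; reject packets that cannot hold that */` (if that is the intent) keeps the threshold from being "corrected" later. svq3_decode_frame continues outside the hunk.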
From: Michael Niedermayer Date: Sun, 22 Sep 2024 22:47:03 +0200 Subject: [PATCH 465/562] avcodec/imm4: Check input size Fixes: Timeout Fixes: 71324/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IMM4_fuzzer-5388489435185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8367d7e184562f8b9f410c0f325596f7e041884f) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index ef7e692b84..0b74068b03 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -452,6 +452,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, if (ret < 0) return ret; + if (((avctx->width + 15) / 16) * ((avctx->height + 15) / 16) > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + + if ((ret = ff_get_buffer(avctx, frame, (frame->flags & AV_FRAME_FLAG_KEY) ? AV_GET_BUFFER_FLAG_REF : 0)) < 0) return ret; From ad989ae50bfca49ca977dfd025442a3c7e0987d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 23:15:35 +0200 Subject: [PATCH 466/562] avcodec/xan: Add basic input size check Fixes: Timeout Fixes: 71739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_WC3_fuzzer-6170301405134848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 56bef2fd58d0ed30dbe940083c30ada2b0404491) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index cc0ecea5eb..56675dbbb1 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c 
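Review bot: The hunk adds two consecutive blank lines before the `ff_get_buffer` call; one is enough. The macroblock-count comparison against `get_bits_left(gb)` also carries no explanation of the threshold; `/* at least one bit per 16x16 macroblock must be present */` (assuming that is the rationale) would make it auditable. decode_frame continues outside the hunk.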
@@ -607,6 +607,9 @@ static int xan_decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; From 5585e331816650ec86b3931651134a537a6d402b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2024 23:43:09 +0200 Subject: [PATCH 467/562] avcodec/ffv1enc: Fix >8bit context size Fixes: Ticket5405 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a9c83e43f2fc9128e20851291b0270add1a6b95f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index e510abf6ff..7a319607e5 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
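Review bot: `buf_size < 9` is a magic number; nothing in the hunk says what nine bytes are needed for, presumably the header fields parsed further down, outside the hunk. Naming the bound, e.g. `if (buf_size < 9 /* minimum frame header size */)` or a file-scope enum constant, would let a reviewer verify it against the parser. xan_decode_frame continues outside the hunk.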
@@ -722,19 +722,21 @@ static av_cold int encode_init(AVCodecContext *avctx) s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); From 27ed6de46dcee791ddc206aa2c243125589e937f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2024 23:42:50 +0200 Subject: [PATCH 468/562] avcodec/ffv1enc: 2Pass mode is not possible with golomb coding "Fixes" Ticket7063 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 417b163c00555ccda201a963e797bfa663a26ff5) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 7a319607e5..ace50667a5 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
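Review bot: The two `context_count` assignments now sit next to the per-element quant table writes, which from the indentation appear to be inside the loop over `i` (its header is above the hunk), so the same constants are rewritten on every iteration. Hoisting them after the loop into one if/else that uses the same condition as the table branch, or deriving the counts from the table dimensions, keeps the fix without the redundant work. The 11/9/5 factors now appear twice each; a comment tying them to the sizes of the `quant5`/`quant9_10bit` tables would make the relationship explicit.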
@@ -526,6 +526,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); From 654d329fcb80e591408c97a991cfcfc9dab15053 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Oct 2023 22:23:33 +0200 Subject: [PATCH 469/562] avcodec/ffv1enc: Slice combination is unsupported We always write minimal slices, the size calculation is wrong in some corner cases but as its always 1x1 (minus1) we can for now just hard-code it This helps with ticket 5548 Signed-off-by: Michael Niedermayer (cherry picked from commit 7d514655bfa47c6e5cc1b81fbba8e750e368036e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index ace50667a5..2f23496771 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -921,8 +921,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); From 24e1f327a591004c15dfe01a050a310b2927b5ae Mon Sep 17 00:00:00 2001 
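Review bot: The two `put_symbol(c, state, 0, 0);` calls no longer say which syntax elements they write; the removed expressions were the slice width and height minus one. A comment such as `/* slice_width_minus1 and slice_height_minus1: always 0, slices are never combined */` preserves that information for anyone reading the writer alongside the decoder. encode_slice_header continues outside the hunk.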
From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:04:58 +0200 Subject: [PATCH 470/562] avcodec/ffv1enc: Correct error message about unsupported version Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 556c767786e9e3c072f7666d60a68a31a3400438) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 2f23496771..c40d634cbe 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -555,7 +555,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } From 16127ebb9fcd3aef5fa4c23ada6f6dc5b800d27e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 20:53:49 +0200 Subject: [PATCH 471/562] avformat/mov: Avoid overflow in dts This basically ignores the overflow without undefined behavior, alternatively we could detect and error out Fixes: signed integer overflow: 6310596683470275584 + 7660622966157213696 cannot be represented in type 'long' Fixes: 70433/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5483347233538048 Fixes: 369662284/clusterfuzz-testcase-minimized-media_metadata_parser_fuzzer-5327368763670528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 057b8c2066da3554072565744f4f00435cc3342b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavformat/mov.c b/libavformat/mov.c index eae1b49ba5..9c5ce6532d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3414,10 +3414,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stts_data[i].duration = 1; corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; } else { - corrected_dts += sample_duration * (int64_t)sample_count; + corrected_dts += sample_duration * (uint64_t)sample_count; } - current_dts += sc->stts_data[i].duration * (int64_t)sample_count; + current_dts += sc->stts_data[i].duration * (uint64_t)sample_count; if (current_dts > corrected_dts) { int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1); From 64cd344fbecbcc817a3fe4fbd4e44f87a803878f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 22:08:23 +0200 Subject: [PATCH 472/562] avformat/matroskadec: Check desc_bytes so bits fit in 64bit Likely a tighter check can be done Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long' Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4122406f6d2726aea833480a2a8e345833dd881) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ae3565b0c3..6f1e2926ab 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
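Review bot: The `(uint64_t)` casts make the accumulation wrap silently, which the commit message acknowledges, but nothing in the code says so; `current_dts` and `corrected_dts` can now hold wrapped values that the `current_dts > corrected_dts` comparison right below treats as meaningful. A comment on the cast, `/* uint64_t: overflow wraps deliberately instead of being UB */`, keeps a later reader from reverting to int64_t, and a warning log when the new sum is smaller than the previous value would make the malformed file visible. mov_read_stts continues outside the hunk.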
@@ -4595,7 +4595,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; - if (desc_bytes <= 0) + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) return -1; desc_sec = desc_ns / nano_seconds_per_second; From 5a988a5fede904af3580ba65c18ecfc1d39142c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:06:40 +0200 Subject: [PATCH 473/562] avcodec/ffv1enc: Prevent generation of files with broken slices Fixes: Ticket5548 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b7ff66a35804275b25c1176cad560540785e8750) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 7 +++++++ libavcodec/ffv1.h | 1 + libavcodec/ffv1enc.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index b6204740ed..2660cae208 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -103,6 +103,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<num_h_slices * f->num_v_slices; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 04869da5c9..bbe0839868 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -142,6 +142,7 @@ int ff_ffv1_init_slice_contexts(FFV1Context *f); int ff_ffv1_allocate_initial_states(FFV1Context *f); void ff_ffv1_clear_slice_state(const FFV1Context *f, FFV1Context *fs); int ff_ffv1_close(AVCodecContext *avctx); +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift); static av_always_inline int fold(int diff, int bits) { diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index c40d634cbe..aa501b8285 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
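Review bot: `desc_bytes > INT64_MAX/8` is, as the commit message notes, a loose bound whose only purpose is to keep a later `* 8` representable; a byte range of that size is not plausible for a manifest segment. The purpose should be recorded on the line, e.g. `/* desc_bytes * 8 below must fit in int64_t */`, so a tighter limit can replace it later without losing the reason. The function continues outside the hunk.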
@@ -873,6 +873,10 @@ static av_cold int encode_init(AVCodecContext *avctx) continue; if (maxw * maxh * (int64_t)(s->bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } From a770e544a2d0d786877506344ebabcce939a2d3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2024 20:39:23 +0200 Subject: [PATCH 474/562] avcodec/ffv1dec: Fix end computation with ec=2 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 10e5af15bf220d9da128ca12d2d474ff6ab0076e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 97877b9106..65404bfb5d 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -363,7 +363,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; From c530cff25d29c9ebb93f4b06ee6b4e8f26ad2464 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Oct 2024 14:39:20 +0200 Subject: [PATCH 475/562] avcodec/rangecoder: only perform renorm check/loop for callers that need it Signed-off-by: Michael Niedermayer (cherry picked from commit d147b3d7ecba2bd40cb45284f920238da97a95ee) Signed-off-by: Michael Niedermayer --- libavcodec/rangecoder.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
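Review bot: The new `if (s->version < 4)` wraps a second unbraced `if`, a shape that invites the dangling-else mistake and is harder to scan than one condition. Writing it as a single test, `if (s->version < 4 && (ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) || ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift))) continue;`, reads the same and drops the nesting. A one-line comment on why versions below 4 cannot carry these slice layouts would help too; the loop continues outside the hunk.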
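Review bot: `5*!!f->ec` encodes the rule that any non-zero `ec` value appends exactly five bytes after the slice, but the `!!` is easy to misread as a typo. A comment, `/* ec != 0 means a 5-byte CRC trailer regardless of the ec value */` (assuming that is what the fix relies on), would make the contract explicit. decode_slice continues outside the hunk.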
diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 89d178ac31..110908d6bd 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -62,7 +62,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -81,7 +80,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -108,7 +106,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) From b5cb8e4951ddef0dff7755453383cc3628d72a6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:39:07 +0200 Subject: [PATCH 476/562] swscale/output: used unsigned for bit accumulation Fixes: Integer overflow Fixes: 368725672/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5009093023563776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe3014405494503a03c2e6eff4743db91a21c00) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index d5b457541c..1fb188f87c 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -664,7 +664,7 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; 
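Review bot: `renorm_encoder` now performs a single renormalisation step but keeps its name and the stale `// FIXME: optimize` comment, so any caller other than put_rac that relied on the loop must now loop itself; if such callers exist in rangecoder.c, their range must be known to need at most one step. A header comment on the function, `/* Emit one byte of coder state; callers loop while c->range < 0x100, as put_rac does */`, together with dropping the FIXME, would record the new contract. The second hunk removes the loop's closing brace, so the indentation of the remaining body is worth re-checking in the file.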
@@ -686,7 +686,8 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int Y, acc = 0; + int Y; + unsigned acc = 0; Y = (buf0[i + 0] * yalpha1 + buf1[i + 0] * yalpha) >> 19; accumulate_bit(acc, Y + d128[0]); @@ -721,7 +722,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; @@ -743,7 +744,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int acc = 0; + unsigned acc = 0; accumulate_bit(acc, ((buf0[i + 0] + 64) >> 7) + d128[0]); accumulate_bit(acc, ((buf0[i + 1] + 64) >> 7) + d128[1]); accumulate_bit(acc, ((buf0[i + 2] + 64) >> 7) + d128[2]); From 351392460a02e2e674a7af1459a6d9373b8a100a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:47:34 +0200 Subject: [PATCH 477/562] avformat/mxfdec: Fix overflow in midpoint computation Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long' Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23088a5ff2b549fa4fc037bb9ed833fffbc89ca0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 77cc137780..87941e2bc7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -3828,7 +3828,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; while (b - 1 > a) { - m = (a + b) >> 1; + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset) From 483b77b03852eb77e5af588ec2100d0e350f3528 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 23:44:00 +0200 Subject: [PATCH 478/562] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen Fixes: use of uninitialized variable Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7b4fc89fb18d5ff0a1426bd433c234555a3fff) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 320926248b..4e07fe5828 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1674,6 +1674,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; From 3c53b9ff3e76b9bc259a493f604c5d684a4e57f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2024 18:23:50 +0100 Subject: [PATCH 479/562] INSTALL: explain the circular dependency issue and solution Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit df00705e0010cc2c53d17d51944f847c2c852189) Signed-off-by: Michael Niedermayer --- INSTALL.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 3b220bc6ff..bdf5814014 100644 --- a/INSTALL.md 
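Review bot: `m = (a + (uint64_t)b) >> 1;` is correct only because `a` starts at -1 and the unsigned wrap-around of -1 + b still yields floor((a+b)/2) for b > a >= -1 (the loop condition `b - 1 > a` guarantees b > 0 on entry), and that reasoning is not written down. The types of a, b and m are declared outside the hunk (the function signature is cut at `int64_`), so a reader cannot even see that the result is converted back to a signed midpoint. Add `/* unsigned add: a may be -1, the wrap still gives floor((a+b)/2) since -1 <= a < b */` above the line so the cast is not mistaken for a sign bug and "fixed".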
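Review bot: Initializing a single member of `d` by hand before init_MP4DescrParseContext() fixes this one uninitialized read but leaves every other member the initializer does not assign in the same state, and the next field added to MP4DescrParseContext will repeat the bug. Zero-initializing the whole object at the declaration, `MP4DescrParseContext d = { 0 };`, covers all members in one line and removes the added assignment; if init_MP4DescrParseContext() is meant to be the sole initializer, the memset belongs inside it instead (its body is outside this hunk, so I cannot tell which fields it sets).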
+++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. From 4310bcb07db0b646a50b9728b9e48ff45a03c2f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:08:07 +0100 Subject: [PATCH 480/562] avformat/rpl: check channels Fixes: 42537199/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5447162658357248 Fixes: runtime error: signed integer overflow: -3330498059201358222 * 4 cannot be represented in type 'int64_t' (aka 'long') Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit beca13a42e9fb5341e8bd6356fd7d9c2d18aac9b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 09d0b68f74..9090f5e913 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -203,6 +203,8 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->codec_tag = audio_format; ast->codecpar->sample_rate = read_line_and_int(pb, &error); // audio bitrate channels = read_line_and_int(pb, &error); // number of audio channels + if (channels <= 0) + return AVERROR_INVALIDDATA; error |= read_line(pb, line, sizeof(line)); ast->codecpar->bits_per_coded_sample = read_int(line, &endptr, &error); // audio bits per sample av_strlcpy(audio_type, endptr, RPL_LINE_LENGTH); From aa9e07461cac3c4ada17784013e2b3164d9f205b Mon Sep 17 00:00:00 2001 
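Review bot: `if (channels <= 0) return AVERROR_INVALIDDATA;` rejects the negative value from the commit message but leaves the positive range unbounded, so if the multiplication that overflowed (outside the hunk) takes `channels` as an operand, a large positive count from the file can still overflow it. An upper bound belonging to the same check, e.g. the demuxer's or decoder's maximum channel count, closes that half of the range; rpl_read_header starts outside the hunk, so I cannot see whether such a bound is applied later. Note also that the check runs before `error` is examined, which is fine here because the return is unconditional, but worth a comment if the `error |=` idiom is the file's usual pattern.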
From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:18:36 +0100 Subject: [PATCH 481/562] avformat/mccdec: Initialize and check rate.den Fixes: Assertion c > 0 failed at libavutil/mathematics.c:61 Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-5939605805793280 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit bf8e43083f68c383b9d905d2c8c791ac33ecc7bc) Signed-off-by: Michael Niedermayer --- libavformat/mccdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mccdec.c b/libavformat/mccdec.c index 85bf93cd3b..8c0ea09b6b 100644 --- a/libavformat/mccdec.c +++ b/libavformat/mccdec.c @@ -93,7 +93,7 @@ static int mcc_read_header(AVFormatContext *s) { MCCContext *mcc = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - AVRational rate; + AVRational rate = {0}; int64_t ts, pos; uint8_t out[4096]; char line[4096]; @@ -139,7 +139,7 @@ static int mcc_read_header(AVFormatContext *s) continue; } - if (av_sscanf(line, "%d:%d:%d:%d", &hh, &mm, &ss, &fs) != 4) + if (av_sscanf(line, "%d:%d:%d:%d", &hh, &mm, &ss, &fs) != 4 || rate.den <= 0) continue; ts = av_sat_add64(av_rescale(hh * 3600LL + mm * 60LL + ss, rate.num, rate.den), fs); From 3cead954c89a258d0e68c5a325c0f0a516dc943f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:43:21 +0100 Subject: [PATCH 482/562] avformat/nistspheredec: Clear buffer Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 898f6582eb51bf77b1f88e8f55eab67ee6ee13b8) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 1e6c567e01..e624036149 100644 
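Review bot: The added `|| rate.den <= 0` in the second hunk turns a missing or invalid rate header into a silent `continue` for every timecode line, so such a file now produces an empty subtitle stream with no diagnostic instead of the assertion from the commit message. Logging once when the condition first triggers (an `av_log(s, AV_LOG_WARNING, ...)` guarded by a flag, or a check of rate.den where the rate line is parsed, outside this hunk) would keep the malformed header visible to the user. `AVRational rate = {0};` in the first hunk is the right initializer; a short comment that `rate.den > 0` is what av_rescale() asserts on would explain why only den is tested.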
--- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -35,7 +35,7 @@ static int nist_probe(const AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; From 9078f0f524af18457ee761beea2a0c241927bb88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:47:07 +0100 Subject: [PATCH 483/562] avformat/ilbc: Check avio_read() for failure Fixes: use of uninitialized value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit e30d957a9bacf7f7307c640aa0bd1e70cb3bbe7e) Signed-off-by: Michael Niedermayer --- libavformat/ilbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index a24aa3da9d..6c441c21bf 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -61,7 +61,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) From 8dfb82b7327e3fe04d161f629847c890088dbc02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:54:29 +0100 Subject: [PATCH 484/562] avformat/vividas: Check avio_read() for failure Fixes: use of uninitialized value (untested) Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 96d45c3b212689f82bff2530c3637405df9e9369) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
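Review bot: `char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01";` is missing the space before `=` that the two initializers on the same line use; write `char buffer[256] = {0}, ...`. Zeroing the array also documents nothing about why it is needed (the reads of a not-yet-terminated buffer happen later in nist_read_header, outside the hunk), so a brief `/* zeroed: parsed as a C string before every byte is written */` would stop a later cleanup from dropping the initializer.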
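Review bot: `if (avio_read(pb, header, 9) != 9) return AVERROR_INVALIDDATA;` maps every failure to "invalid data", including a negative return from avio_read() that carries a real I/O error such as AVERROR_EOF or AVERROR(EIO); the same pattern is used in the vividas, qcp, mxf_read_indirect_value and rmdec hunks of this series. Propagating the error keeps the distinction for callers and logs: `ret = avio_read(pb, header, 9); if (ret < 0) return ret; if (ret != 9) return AVERROR_INVALIDDATA;`, or simply `if ((ret = ffio_read_size(pb, header, 9)) < 0) return ret;` where avio_internal.h is already included. Whether a `ret` variable exists in each of these functions is not visible, as each function starts outside its hunk.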
diff --git a/libavformat/vividas.c b/libavformat/vividas.c index ee4048415e..84d9c39f8a 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -566,7 +566,8 @@ static int viv_read_header(AVFormatContext *s) v = avio_r8(pb); avio_seek(pb, v, SEEK_CUR); - avio_read(pb, keybuffer, 187); + if (avio_read(pb, keybuffer, 187) != 187) + return AVERROR_INVALIDDATA; key = decode_key(keybuffer); viv->sb_key = key; From 68c41b95e03925e7bab2a9da0b95ccb2cf8f25d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Nov 2024 19:28:15 +0100 Subject: [PATCH 485/562] doc/infra: Document gitolite Signed-off-by: Michael Niedermayer (cherry picked from commit 07904231cb9730e09e2b7948e3977e7c2eafbb10) Signed-off-by: Michael Niedermayer --- doc/infra.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/infra.txt b/doc/infra.txt index 30a85dd5ce..aea3e93e13 100644 --- a/doc/infra.txt +++ b/doc/infra.txt @@ -65,6 +65,9 @@ Github mirrors are redundantly synced by multiple people You need a new git repository related to FFmpeg ? contact root at ffmpeg.org +git repositories are managed by gitolite, every change to permissions is +logged, including when, what and by whom + Fate: ~~~~~ From 2c07fa346f157bc58fc467caeed055de2fe3ab07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Nov 2024 23:18:31 +0100 Subject: [PATCH 486/562] doc/infra: Document trac backup system Signed-off-by: Michael Niedermayer (cherry picked from commit edc4855f7710c4563e7cd5773598f8341f64e019) Signed-off-by: Michael Niedermayer --- doc/infra.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/infra.txt b/doc/infra.txt index aea3e93e13..79d4e56719 100644 --- a/doc/infra.txt +++ b/doc/infra.txt @@ -23,6 +23,8 @@ Web, mail, and public facing git, also website git fftrac VM: ---------- trac.ffmpeg.org Issue tracking +gpg encrypted backups of the trac repositories are created once a day +and can be downloaded by any of the admins. ffaux VM: 
From 69c4c8543279f167838189ccf0d9c82e13becebd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Nov 2024 21:32:53 +0100 Subject: [PATCH 487/562] doc/developer: Document relationship between git accounts and MAINTAINERS This should have been documented long ago and i thought it was Signed-off-by: Michael Niedermayer (cherry picked from commit 7051825b0171bd5d566c5a5cc78852c5f3aa3072) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index ed998adecb..1d78647f8b 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -927,6 +927,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @chapter Release process From 041084f753c7296004986509d1f5ff291f2991b6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 3 Nov 2024 11:07:27 +0100 Subject: [PATCH 488/562] avformat/icodec: fix integer overflow with nb_pal Fixes: runtime error: signed integer overflow Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472 Found-by: ossfuzz Reported-by: Kacper Michajlow Tested-by: Kacper Michajlow Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 84569b6c22cb4eda9c682aabeb5f658112126780) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 808c7ab795..371deb4bc0 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -197,7 +197,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } - if (image->nb_pal > INT_MAX / 4 - 14 - 40) + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) return AVERROR_INVALIDDATA; AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); From 8334cae2654a266adda6241cc30de2ffe239474c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 23:55:05 +0100 Subject: [PATCH 489/562] avcodec/mjpegdec: Disallow progressive bayer images Fixes: Null pointer dereference Fixes: sample1.dng Found-by: South East <8billion.people@gmail.com> Signed-off-by: Michael Niedermayer (cherry picked from commit 6d8285633d8965658dfa6cd0b201cca36184c467) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c9409eac6c..9085c04a9b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
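Review bot: `if (image->nb_pal > INT_MAX / 4 - 14 - 40U)` works by making the right-hand side unsigned so that a negative nb_pal is converted and rejected as a huge value, but nothing in the line says so, and a compiler warning about the signed/unsigned comparison invites someone to drop the `U` and bring the `nb_pal * 4` overflow back. A comment such as `/* unsigned compare on purpose: rejects negative nb_pal as well, so 14 + 40 + nb_pal * 4 below fits an int */` records the intent; the declaration of nb_pal is outside the hunk, so I am assuming it is a signed int. The rpl.c read_fps hunk later in this series (`/ 10ULL`) relies on the same implicit conversion to catch negative num/den and deserves the same comment.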
@@ -467,6 +467,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (s->avctx->height <= 0) return AVERROR_INVALIDDATA; } + if (s->bayer && s->progressive) { + avpriv_request_sample(s->avctx, "progressively coded bayer picture"); + return AVERROR_INVALIDDATA; + } if (s->got_picture && s->interlaced && (s->bottom_field == !s->interlace_polarity)) { if (s->progressive) { From 47f88bf02a00acc9c34561c1144ab5d788f1d521 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Nov 2024 02:28:18 +0100 Subject: [PATCH 490/562] avformat/iamf_parse: reject ambisonics mode > 1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ambisonics mode > 1 does not initialize any layer but layer 0 is unconditionally dereferenced Fixes: poc-2024-11 Fixes: null pointer dereference Found-by: 苏童 <220235212@seu.edu.cn> Signed-off-by: Michael Niedermayer --- libavformat/iamf_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index c8b58921b4..773ab94fc6 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -415,7 +415,7 @@ static int ambisonics_config(void *s, AVIOContext *pb, ambisonics_mode = ffio_read_leb(pb); if (ambisonics_mode > 1) - return 0; + return AVERROR_INVALIDDATA; output_channel_count = avio_r8(pb); // C substream_count = avio_r8(pb); // N From 47b3b3079b509f8c63913602bbaddfec225eb4ec Mon Sep 17 00:00:00 2001 
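Review bot: The new bayer-and-progressive branch calls avpriv_request_sample() but returns AVERROR_INVALIDDATA, which tells callers the stream is corrupt; the idiom for valid-but-unsupported input that avpriv_request_sample() is normally paired with is `return AVERROR_PATCHWELCOME;`. If the combination is in fact disallowed by the format rather than merely unimplemented, keep AVERROR_INVALIDDATA and use av_log at AV_LOG_ERROR instead of a sample request. ff_mjpeg_decode_sof starts outside the hunk.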
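Review bot: `return AVERROR_INVALIDDATA;` for `ambisonics_mode > 1` is the right outcome but rejects the stream silently, so a user sees only a generic demuxer failure for what the commit describes as an uninitialized-layer case. Since the function takes `void *s` as its first parameter, a one-liner before the return, `avpriv_request_sample(s, "ambisonics_mode > 1");`, names the cause in the log; I cannot see the type returned by ffio_read_leb() here, so I avoid a format specifier. ambisonics_config starts outside the hunk.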
From: Michael Niedermayer Date: Mon, 18 Nov 2024 03:22:27 +0100 Subject: [PATCH 491/562] avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63 Comply with "For purposes other than determining the amount of data in the decoding units of the bitstream, decoders shall ignore all data that follow the value 63 for nuh_layer_id in a NAL unit" Rec. ITU-T H.265 v8 (08/2021) Page 67 Fixes: index 63 out of bounds for type 'const int8_t[63]' (aka 'const signed char[63]') Fixes: clusterfuzz-testcase-fuzzer_loadfile-5109286752026624 Reported-by: Kacper Michajlow Found-by: ossfuzz Signed-off-by: Michael Niedermayer (cherry picked from commit 360e7cafd0e65fdf4b186c95e2517a94b9f3fa4f) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 9f66f079c2..b268f115db 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -579,9 +579,11 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, if (codec_id == AV_CODEC_ID_VVC) ret = vvc_parse_nal_header(nal, logctx); - else if (codec_id == AV_CODEC_ID_HEVC) + else if (codec_id == AV_CODEC_ID_HEVC) { ret = hevc_parse_nal_header(nal, logctx); - else + if (nal->nuh_layer_id == 63) + continue; + } else ret = h264_parse_nal_header(nal, logctx); if (ret < 0) { av_log(logctx, AV_LOG_WARNING, "Invalid NAL unit %d, skipping.\n", From d60d2313dadb79aa39f1eacf21b6862aef1ca841 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 00:08:03 +0200 Subject: [PATCH 492/562] swscale/slice: clear allocated memory in alloc_lines() Fixes: use of uninitialized memory in hScale16To15_c() Fixes: 373924007/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5841199968092160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
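Review bot: `if (nal->nuh_layer_id == 63) continue;` drops the NAL without citing the rule that justifies it, and the justification is only in the commit message; put it next to the code as `/* H.265 7.4.2.2: decoders shall ignore data following nuh_layer_id == 63 */`. The `continue` also skips the `ret < 0` branch below, which is fine for an ignored NAL, but it presumes that `pkt->nb_nals` is advanced only after this point as on the existing skip path; ff_h2645_packet_split starts outside the hunk, so please confirm that a partially filled nal slot is not left counted. A debug-level log for the skipped unit would help when diagnosing layered streams.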
Signed-off-by: Michael Niedermayer (cherry picked from commit aeec39f3c1be82863efe64ce95242de58e075e8f) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index db1c696727..9dff91c18d 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); From 690d4bb8cb7c19ed13bd28ac0deecfdeccf5687f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 01:15:53 +0200 Subject: [PATCH 493/562] avformat/dxa: check bpc Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e020f21413269418180eea7933a94ecb6bf2ef8) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 813e665a27..56b19a7fca 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -120,6 +120,8 @@ static int dxa_read_header(AVFormatContext *s) avio_skip(pb, fsize); } c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; From f4d37b1a60dee0c82f6a342547544b08221bc0b3 Mon Sep 17 00:00:00 2001 
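Review bot: Switching to `av_mallocz(size * 2 + 32)` zeroes every line on allocation, which makes the read in hScale16To15_c() deterministic but does not record that some consumer reads beyond the width that was written, so the next person to switch back to av_malloc() for speed will reintroduce the uninitialized read. Extend the existing comment on the line above with `// zeroed: some scalers (e.g. hScale16To15_c) read past the filled width`. `size` is an `int` parameter, so `size * 2 + 32` is still computed in int; whether it is bounded by the caller is outside the hunk.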
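Review bot: `if (c->bpc < 0)` validates the result of `(fsize + (int64_t)c->frames - 1) / c->frames` after the division has run, so a zero `c->frames` would still divide by zero before the check, and a negative `fsize` has already been handed to `avio_skip(pb, fsize)` two lines above. Unless both are range-checked where they are read (outside this hunk, dxa_read_header starts earlier), the robust place for the check is on the operands: reject `fsize < 0` where it is parsed and `c->frames <= 0` where it is parsed, and keep the bpc check as a cheap second line of defence.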
From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:52:02 +0200 Subject: [PATCH 494/562] avcodec/eatgq: Check bytestream2_get_buffer() for failure Fixes: Use of uninitialized memory Fixes: 71546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-5607656650244096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4949e34d96cc751aedaace02123c2fb02b5ac174) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 0f0ed3585f..6a19de93f0 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -178,7 +178,8 @@ static int tgq_decode_mb(TgqContext *s, GetByteContext *gbyte, dc[4] = bytestream2_get_byte(gbyte); dc[5] = bytestream2_get_byte(gbyte); } else if (mode == 6) { - bytestream2_get_buffer(gbyte, dc, 6); + if (bytestream2_get_buffer(gbyte, dc, 6) != 6) + return AVERROR_INVALIDDATA; } else if (mode == 12) { for (i = 0; i < 6; i++) { dc[i] = bytestream2_get_byte(gbyte); From 06d71cd465b01af28ad6d246a104667d87c94f3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:55:17 +0200 Subject: [PATCH 495/562] avformat/qcp: Check for read failure in header Fixes: Use of uninitialized value Fixes: 71551/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-4647386712965120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f52b9d05837c23b0c55013551bc28dce4922de0b) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index fdf18618d2..13a479a11e 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c 
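Review bot: Only the `mode == 6` branch now rejects a truncated input; the `bytestream2_get_byte()` calls in the neighbouring branches return 0 at end of buffer by contract, so a truncated mode-12 macroblock still decodes with zeroed DC values instead of failing. If every branch is meant to consume the same six bytes, a single `if (bytestream2_get_bytes_left(gbyte) < 6) return AVERROR_INVALIDDATA;` ahead of the chain makes the handling uniform; tgq_decode_mb starts outside the hunk, so the earlier branches are not fully visible and may read fewer bytes.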
@@ -105,7 +105,8 @@ static int qcp_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO; - avio_read(pb, buf, 16); + if (avio_read(pb, buf, 16) != 16) + return AVERROR_INVALIDDATA; if (is_qcelp_13k_guid(buf)) { st->codecpar->codec_id = AV_CODEC_ID_QCELP; } else if (!memcmp(buf, guid_evrc, 16)) { From 6143f633f741b675df6a5d3baa6445317ab55e0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 19:57:28 +0200 Subject: [PATCH 496/562] avcodec/ilbcdec: Initialize tempbuff2 Fixes: Use of uninitialized value Fixes: 71350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4482218440534804d067de00ee1a4bc493c8b41d) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index ba1da168bc..7fea39b43c 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -658,7 +658,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * int16_t k, base_size; int16_t lag; /* Stack based */ - int16_t tempbuff2[SUBL + 5]; + int16_t tempbuff2[SUBL + 5] = {0}; /* Determine size of codebook sections */ base_size = lMem - cbveclen + 1; From d6a82f3f4996a5df0be8f0f1d7b4ab796560431d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:00:01 +0200 Subject: [PATCH 497/562] avcodec/webp: Check ref_x/y Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072 Fixes: use of uninintailized value Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1e732ad2e240af5afe9ffea443c91bb233aa65) 
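Review bot: `int16_t tempbuff2[SUBL + 5] = {0};` fixes the uninitialized read but leaves the adjacent `/* Stack based */` comment as the only documentation, which says nothing about why zeroing is required; a later reader may remove the initializer as a needless per-call cost. Replace it with `/* zeroed: later loops read entries before all of them are written */`, or name the specific loop if it is identifiable; the loops follow outside the hunk, and get_codebook starts before it.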
Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 9308ea2b69..37ed134ed6 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -703,6 +703,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ From a58941bc1f925bd1aaf394180f4df427c7e003fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Dec 2024 00:28:21 +0100 Subject: [PATCH 498/562] avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum() Fix from c94875471e3ba3dc396c6919ff3ec9b14539cd71 Found-by: Youngjae Choi Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba33b50f51b17eef0449f20b3524f174dc9c3cc) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index f40a10eb38..f454466f97 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -61,8 +61,8 @@ uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) framenum = av_timecode_adjust_ntsc_framenum2(framenum, tc->fps); ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600) % 24; + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL) % 24; return av_timecode_get_smpte(tc->rate, drop, hh, mm, ss, ff); } From cda205835ff4c80fb4c858a2b9c20c9b208c6da9 Mon Sep 17 00:00:00 2001 
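Review bot: `if (ref_y == y && ref_x >= x) return AVERROR_INVALIDDATA;` catches a zero or negative copy distance, but the two `FFMAX(0, ...)` clamps just above it still turn a reference that falls before the first pixel into a read of column 0 / row 0, so a corrupt distance is decoded as if it were valid rather than rejected. If the intent is to reject any reference outside the already-decoded region, the clamps should become a check (`ref_x < 0 || ref_y < 0`) returning AVERROR_INVALIDDATA as well; if the clamp is deliberate leniency, a comment saying so would stop this from being re-raised. decode_entropy_coded_image starts outside the hunk.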
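Review bot: `fps*60LL` and `fps*3600LL` promote the products to 64-bit, but nothing in the function says that fps can now be large enough for `fps*3600` to exceed INT_MAX, which is what the referenced commit c94875471e3b presumably made possible. A comment on the first line, `/* 64-bit: fps*3600 can exceed INT_MAX for high frame rates */`, ties the two lines to that reason. The neighbouring `ff = framenum % fps;` still divides by `fps` as an int; whether it can be 0 here depends on validation outside the hunk.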
From: Michael Niedermayer Date: Sun, 8 Dec 2024 00:32:38 +0100 Subject: [PATCH 499/562] tools/target_dec_fuzzer: Adjust Threshold for indeo5 Fixes: 379768251/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5981329084186624 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89efc6c97c4faf97dfed558b7bce2f64f8bd61e1) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index d65c47a1e8..8064cc48bf 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -254,6 +254,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_HQ_HQA: maxpixels /= 128; break; case AV_CODEC_ID_IFF_ILBM: maxpixels /= 4096; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; + case AV_CODEC_ID_INDEO5: maxpixels /= 1024; break; case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break; case AV_CODEC_ID_JPEG2000: maxpixels /= 16384; break; case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break; From 7a6d21b293637179c2f3a7f9ac922164f4562409 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2024 03:04:16 +0100 Subject: [PATCH 500/562] tools/target_dec_fuzzer: Adjust threshold for MVC1 Fixes: Timeout Fixes: 378231213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVC1_fuzzer-6640960500465664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7230bc503a1180e6eb76f956e9c6b61352936e4) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 8064cc48bf..c6456e1fbc 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -270,6 +270,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; case AV_CODEC_ID_MV30: maxpixels /= 128; break; + case AV_CODEC_ID_MVC1: maxpixels /= 1024; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; From b263aa0095a9a73186dbc2c2350d725b791276e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:24:00 +0100 Subject: [PATCH 501/562] tools/target_dec_fuzzer: Adjust threshold for EACMV Fixes: Timeout Fixes: 382988735/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-5278721465974784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4eb0fe03aca552d375e2bce019a5da785f50d5) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index c6456e1fbc..8d817eea33 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -236,6 +236,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_DVB_SUBTITLE: av_dict_set_int(&opts, "compute_clut", -2, 0); break; case AV_CODEC_ID_DXA: maxpixels /= 32; break; case AV_CODEC_ID_DXV: maxpixels /= 32; break; + case AV_CODEC_ID_CMV: maxpixels /= 256; break; case AV_CODEC_ID_EXR: maxpixels /= 1024; break; case AV_CODEC_ID_FFV1: maxpixels /= 32; break; case AV_CODEC_ID_FFWAVESYNTH: maxsamples /= 16384; break; From caceeed2b4577c75726d10ea3f222aa99775003d Mon Sep 17 00:00:00 2001 
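Review bot: `case AV_CODEC_ID_CMV: maxpixels /= 256; break;` is inserted between DXV and EXR, breaking the alphabetical ordering the surrounding cases follow (the INDEO5 and MVC1 additions in the two previous hunks respect it); move it up among the C entries so the list stays searchable. A short comment naming the fuzzer timeout it addresses is also worth keeping beside the divisor, since these magic factors are otherwise unexplained.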
From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:36:11 +0100 Subject: [PATCH 502/562] avformat/matroskadec: Check pre_ns for overflow Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long' Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 361d24e6d920e4f7e4e5fa1fd6fbb6922bff35f2) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6f1e2926ab..9c4e5b1d80 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4580,9 +4580,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; - pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; - if (pre_ns <= 0) + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) return -1; + pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From d06fcec830502942251c58fd6395f05daacaa996 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 22:37:07 +0100 Subject: [PATCH 503/562] avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int' Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
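Review bot: The two-line guard before `pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;` is correct but its second clause, `desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX`, reads as a sign bug unless the reader knows that the two timestamps (presumably int64_t, per the commit message) may have opposite signs so that the signed difference itself could overflow. Add `// timestamps may differ in sign; subtract unsigned so the range check itself cannot overflow` above the `if`. webm_dash_manifest_compute_bandwidth starts outside the hunk.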
Signed-off-by: Michael Niedermayer (cherry picked from commit 93270930798da368d5b1954a73ef7ff9dfa48f73) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7914f79904..c6785eeec1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -723,7 +723,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); break; case AV_CODEC_ID_ADPCM_IMA_DK3: tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); From c99baf2ceecaaa990206c8939e211d1c1e79c57e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Dec 2024 05:13:02 +0100 Subject: [PATCH 504/562] avformat/mlvdec: Check avio_read() Fixes: use-of-uninitialized-value Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bb85423142103d694d97bad1967bd3dc55440e71) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index e3165e3811..0ceec430a7 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -81,13 +81,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } 
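Review bot: `* 8LL` widens the final multiplication, but `(ba - 4 * ch) / (bps * ch)` is still evaluated in int, and the divisor is zero when `ch == 0`; `bps` is bounded to 2..5 by the check above, while the bound on `ch` is outside the hunk (get_audio_frame_duration starts earlier). If `ch > 0` is not already guaranteed on this path, guard it here as the other cases presumably do, and consider `(ba - 4LL * ch)` so the subtraction follows the same width as the rest of the expression.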
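Review bot: `if (ret != size || !value[0])` compares the `int ret` against the `unsigned size` parameter, so a negative error return from avio_read() is converted to unsigned before the comparison; it happens to compare unequal, but the code only works by accident of conversion and trips -Wsign-compare. Spell the intent out: `if (ret < 0 || (unsigned)ret != size || !value[0])`. Note also that the `avio_skip(pb, size)` in the allocation-failure path and `av_malloc(size + 1)` take the same unsigned `size`, so a value above INT_MAX is truncated when passed to avio_read()'s int parameter; a bound at the caller, outside the hunk, is the place to exclude that.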
From 65e885dd58d5fe2dfbe1eee9f4fe31bc2bdb0f80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 04:09:11 +0100 Subject: [PATCH 505/562] avformat/rpl: Fix check for negative values Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit eab65379bf89c55d8ec4bc6f00e04f15b37d3d85) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 9090f5e913..31ddd2b3fe 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -102,7 +102,7 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; num = 10 * num + (*line - '0'); den *= 10; From b4c888343ad0627301364345b8e12f2e848e3cf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 22:53:47 +0200 Subject: [PATCH 506/562] avformat/mxfdec: Check that key was read sucessfull Fixes: use of uninitialized value Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c62cbcae2612acbc7ab5e8a7e7815674a6e8df4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 87941e2bc7..2bd92bb514 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -1531,7 +1531,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); From 9b82620275712c719a5b692282af59be87dce57c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 23:15:32 +0200 Subject: [PATCH 507/562] avcodec/hapdec: Clear tex buffer The code following makes no attempt to initialize all of the buffer Fixes: use of uninitialized value Fixes: 70980/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5329909059223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7eeeda703b599847aa89c7c08bb433d0b3da9590) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 6066cb814c..805180b36e 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -309,6 +309,7 @@ static int hap_decode(AVCodecContext *avctx, AVFrame *frame, ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); if (ret < 0) return ret; + memset(ctx->tex_buf, 0, ctx->tex_size); avctx->execute2(avctx, decompress_chunks_thread, NULL, ctx->chunk_results, ctx->chunk_count); From b6f184ac4704cbbb48f3b2ffa97a4b6494a1459c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 22:55:03 +0200 Subject: [PATCH 508/562] avcodec/cfhdenc: Clear dwt_tmp This occurs on a 32x32 input Fixes: use of uninitialized value Fixes: 70897/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5960860961406976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
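Review bot: `memset(ctx->tex_buf, 0, ctx->tex_size)` now runs on every frame, so the per-frame cost includes zeroing the whole texture buffer even when decompress_chunks_thread() fills it completely; the commit message says the following code makes no attempt to initialize all of it, which suggests the root cause is a chunk that fails or ends short, making the clear a blanket mitigation rather than a bound on the decoder. A comment should record that, e.g. `/* decompress_chunks_thread() may leave parts of tex_buf unwritten (short or failed chunks); clear it so the texture decoder never consumes stale data */`, and if the chunk error path is identifiable, writing the missing region there would avoid the full clear. hap_decode() continues outside the hunk.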
Signed-off-by: Michael Niedermayer (cherry picked from commit 9de721de709fa9cc06a3ce3f542a1e7d45b2b0bf) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 1412d35d3f..787c2674aa 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -286,7 +286,7 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) s->plane[i].dwt_buf = av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_buf)); s->plane[i].dwt_tmp = - av_malloc_array(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); + av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); if (!s->plane[i].dwt_buf || !s->plane[i].dwt_tmp) return AVERROR(ENOMEM); From e43f54f043e0925fa20188c5a43600751a77cdb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 14:47:42 +0200 Subject: [PATCH 509/562] avformat/rmdec: check that buf if completely filled Fixes: use of uninitialized value Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976 Signed-off-by: Michael Niedermayer (cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 70e1b4d4b2..fc49a1d29f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -187,7 +187,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->ch_layout.nb_channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); From 3b0c222dc022b7f8ea1b636ab067a5eb0d53dd8e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:33:43 +0200 Subject: [PATCH 510/562] avformat/jpegxl_anim_dec: clear buffer padding Fixes: use of uninitialized value Fixes: 70992/clusterfuzz-testcase-minimized-ffmpeg_dem_IMAGE2_fuzzer-5735819170611200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f0b95bb176445a509d99e7497e90f20355b8411) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_anim_dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c index 2338a2e8c0..7798f3dabc 100644 --- a/libavformat/jpegxl_anim_dec.c +++ b/libavformat/jpegxl_anim_dec.c @@ -43,7 +43,7 @@ typedef struct JXLAnimDemuxContext { static int jpegxl_anim_probe(const AVProbeData *p) { - uint8_t buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE]; + uint8_t buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE] = {0}; int copied = 0, ret; FFJXLMetadata meta = { 0 }; From 932b0ea281a9990ce936189f009685b20fad9056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 17:30:45 +0200 Subject: [PATCH 511/562] avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video Fixes: Use of uninintialized value Fixes: 70993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6378949754552320 Fixes: 71104/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5001538727116800 For the AAC/USAC/SBR code which reads uninitialized memory, it would be good, if it did not a fix for that is welcome! Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9b4c9ebf07748993ad91ba9b9b9f06914d67865) Signed-off-by: Michael Niedermayer --- libavcodec/get_buffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/get_buffer.c b/libavcodec/get_buffer.c index 9b35fde7c6..1f691334f0 100644 --- a/libavcodec/get_buffer.c +++ b/libavcodec/get_buffer.c @@ -146,7 +146,10 @@ static int update_frame_pool(AVCodecContext *avctx, AVFrame *frame) if (ret < 0) goto fail; - pool->pools[0] = av_buffer_pool_init(pool->linesize[0], NULL); + pool->pools[0] = av_buffer_pool_init(pool->linesize[0], + CONFIG_MEMORY_POISONING ? + NULL : + av_buffer_allocz); if (!pool->pools[0]) { ret = AVERROR(ENOMEM); goto fail; From 3bdb889b116cd9b05c4d4320781aa563ab92b573 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jan 2025 02:36:25 +0100 Subject: [PATCH 512/562] avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array read Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit b72de492959fb19eab37368232e65a4371c367f7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_addroi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/vf_addroi.c b/libavfilter/vf_addroi.c index e7ad916214..24efd62d5d 100644 --- a/libavfilter/vf_addroi.c +++ b/libavfilter/vf_addroi.c @@ -39,6 +39,7 @@ enum { static const char *const addroi_var_names[] = { "iw", "ih", + NULL, }; typedef struct AddROIContext { From 45944e0c1f1a537afe745299c5e99da8cae14062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 05:06:10 +0100 Subject: [PATCH 513/562] avfilter/vf_grayworld: Use the correct pointer for av_log() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: crash Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa127aa6853790acb40004fbab97f13ff4c72e) 
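Review bot: The allocator selection `CONFIG_MEMORY_POISONING ? NULL : av_buffer_allocz` makes release builds hand out zeroed audio buffers while poisoning builds keep the default allocator, and nothing in the hunk says why; a comment would keep the two from being "harmonized" later, e.g. `/* Zero audio buffers as is done for video so decoders that read past what they wrote see deterministic data; poisoning builds keep the default allocator so such reads still surface under sanitizers. */`. The commit message itself says the AAC/USAC/SBR readers of uninitialized memory still exist, so this is a mitigation rather than the fix, and a FIXME pointing at that would help whoever picks up the decoder side.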
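Review bot: The added `NULL,` terminator carries no comment, and the array is presumably walked by an expression parser that stops at NULL (the `iw`/`ih` names follow the av_expr_parse() const-names convention), so a later edit that appends a name after the terminator would silently reintroduce the out-of-array read; `NULL, /* terminator required by av_expr_parse(), keep last */` documents the invariant. The consumer of addroi_var_names is outside the hunk, so confirm the function name before quoting it.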
Signed-off-by: Michael Niedermayer --- libavfilter/vf_grayworld.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_grayworld.c b/libavfilter/vf_grayworld.c index e9c959416e..236e3d4417 100644 --- a/libavfilter/vf_grayworld.c +++ b/libavfilter/vf_grayworld.c @@ -275,10 +275,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } /* input and output transfer will be linear */ if (in->color_trc == AVCOL_TRC_UNSPECIFIED) { - av_log(s, AV_LOG_WARNING, "Untagged transfer, assuming linear light.\n"); + av_log(ctx, AV_LOG_WARNING, "Untagged transfer, assuming linear light.\n"); out->color_trc = AVCOL_TRC_LINEAR; } else if (in->color_trc != AVCOL_TRC_LINEAR) { - av_log(s, AV_LOG_WARNING, "Gray world color correction works on linear light only.\n"); + av_log(ctx, AV_LOG_WARNING, "Gray world color correction works on linear light only.\n"); } td.in = in; From 1e3b60a916c3d6f7e1e0642f8bd50639c14a07c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH 514/562] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman Signed-off-by: Michael Niedermayer (cherry picked from commit b5b6391d64807578ab872dc58fb8aa621dcfc38a) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 04bf7d3fe3..c806105a56 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -173,7 +173,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, From cd163136b5b8bab6506a0feae0aa936fa030b0a5 Mon Sep 17 00:00:00 2001 
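Review bot: The new `>= 1` test is right but non-obvious: `sscanf()` returns `EOF` (-1) on input failure before the first conversion and `%n` directives are not counted, so the old `if (sscanf(...))` treated a failed parse as success and advanced `arg` by a stale `len`. A comment on the line would spare the next reader the trip to the manual, e.g. `/* %n is not counted; 0 or EOF means no gain was parsed, so arg must not advance */`. The loop in init() continues outside the hunk.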
From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:25:09 +0100 Subject: [PATCH 515/562] swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int' Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56faee21c136942c491f30a2e82cfbbfce180beb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 1fb188f87c..4ca6be8977 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1352,9 +1352,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From dfeb22ffa7c1ffcd4c88f7d53af9d768995ea3aa Mon Sep 17 00:00:00 2001 
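Review bot: The three changed lines repeat the same `(int)(X + (unsigned)Y) >> 14` pattern with no explanation, and the cast-to-unsigned-and-back is easy to mistake for noise and strip out; a comment above the block such as `/* add in unsigned so the 30-bit intermediates wrap instead of overflowing int, then shift as int */` would protect the fix. A small local macro or static inline helper for the add-and-shift would also remove the triplication, though the right shift of a possibly negative `int` remains implementation-defined (arithmetic on the compilers FFmpeg targets), which the comment should state. yuv2rgba64_full_X_c_template() starts outside the hunk, so the types of `R_B`, `G`, `B_R` and `Y` are inferred only from the existing bit-width comment.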
From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:31:56 +0100 Subject: [PATCH 516/562] avcodec/osq: Fixes several undefined overflows in do_decode() Fixes: signed integer overflow: 1239596184 + 2119376059 cannot be represented in type 'int' Fixes: 376136844/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6581164455821312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f511b4518fa4337f603275f865eb13ac5520d0f) Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 6db25a3ffc..17dec52fcc 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -299,7 +299,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += (int)(P2 + P3) / 2 + (unsigned)p; break; case 8: - dst[n] += (int)(P2 + P3) / 2; + dst[n] += (int)(P2 + P3) / 2 + 0U; break; case 9: dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p; @@ -308,13 +308,13 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p; break; case 11: - dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2; + dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2 + 0U; break; case 12: dst[n] += (unsigned)dst[B]; break; case 13: - dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2; + dst[n] += (int)((unsigned)dst[D] + dst[B]) / 2 + 0U; break; case 14: dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p; From 439d36d539618cbe0e0c6b6d003841bc203aa426 Mon Sep 17 00:00:00 2001 
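Review bot: The `+ 0U` appended in cases 8, 11 and 13 forces the `dst[n] +=` accumulation into unsigned arithmetic, but it reads like a leftover and carries no comment; `/* + 0U: accumulate in unsigned so wrap-around is defined */` on the first occurrence, or once above the switch, would keep it from being "simplified" away. The neighbouring cases in the hunk get the same effect from the `(unsigned)p` term, which is the only reason those lines need no suffix. do_decode() starts and ends outside the hunk, so the declared types of `P2`, `P3` and `dst` are not visible here.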
From: Michael Niedermayer Date: Sun, 1 Dec 2024 21:40:43 +0100 Subject: [PATCH 517/562] avformat/iamf_parse: Check output_channel_count Fixes: -nan is outside the range of representable values of type 'int' Fixes: 377072730/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6545416570601472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4485a0fd77c50157feb308090d84b52cd84e80a2) Signed-off-by: Michael Niedermayer --- libavformat/iamf_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 773ab94fc6..5f2ad9fb5b 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -419,7 +419,7 @@ static int ambisonics_config(void *s, AVIOContext *pb, output_channel_count = avio_r8(pb); // C substream_count = avio_r8(pb); // N - if (audio_element->nb_substreams != substream_count) + if (audio_element->nb_substreams != substream_count || output_channel_count == 0) return AVERROR_INVALIDDATA; order = floor(sqrt(output_channel_count - 1)); From 29ff07ab76e0aca0f0a7d9749cbd46fafc93d4ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 22:27:18 +0100 Subject: [PATCH 518/562] avcodec/aacsbr_template: Clear n_q on error Fixes: index 5 out of bounds for type 'uint8_t [5]' Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f029bfb7f9ca1c73fecb8d0eacf3c4e0550f771) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index cdfaed636b..406d5b2202 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c 
@@ -582,6 +582,7 @@ static int sbr_make_f_derived(AACDecContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } From be65fc7c979636888a3e47be92477ee431e6f6cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 23:30:55 +0100 Subject: [PATCH 519/562] avcodec/vc1dec: Clear block_index in vc1_decode_reset() Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251de1791e645f16e80b09d82999d4a5e24b1ad1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3220d18341..f01bd50aff 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -786,6 +786,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) for (i = 0; i < 4; i++) av_freep(&v->sr_rows[i >> 1][i & 1]); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); From 2cdf8e0d8ed742760e7be3741b4397a7cc24efd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 00:02:35 +0100 Subject: [PATCH 520/562] avformat/mov: Factorize sanity check out Signed-off-by: Michael Niedermayer (cherry picked from commit 16b3d3e3ebb9ff7b00c0fd14b0167779ada87f86) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9c5ce6532d..e0ffb0a405 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
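Review bot: `sbr->n_q = 1;` on the error path resets state that later frames would otherwise use to index the fixed-size noise-floor arrays (the commit cites `index 5 out of bounds for type 'uint8_t [5]'`), but nothing says why 1 rather than 0 is the safe value; `sbr->n_q = 1; /* reset to a valid count so the next frame cannot index the 5-entry arrays with the rejected value */` records the intent. It is also worth checking whether other fields derived from `n_q` in sbr_make_f_derived() are left inconsistent by the early `return -1`; the rest of the function is outside the hunk.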
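Review bot: The commit subject says the clear is added in vc1_decode_reset(), but the hunk context shows `memset(v->s.block_index, 0, sizeof(v->s.block_index))` landing in ff_vc1_decode_end() after `ff_mpv_common_end(&v->s)`; either the subject is stale or the cherry-pick landed in a different function, and that should be reconciled so the backport is reviewable against the original. A comment on the line would also help, e.g. `/* ff_mpv_common_end() frees what block_index refers to; clear it so a re-init never reuses stale indices */`, hedged because what block_index points into is not visible in the hunk.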
@@ -4894,6 +4894,24 @@ static int mov_update_iamf_streams(MOVContext *c, const AVStream *st) return 0; } +static int sanity_checks(void *log_obj, MOVStreamContext *sc, int index) +{ + if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || + (!sc->sample_size && !sc->sample_count))) || + (!sc->chunk_count && sc->sample_count)) { + av_log(log_obj, AV_LOG_ERROR, "stream %d, missing mandatory atoms, broken header\n", + index); + return 1; + } + + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(log_obj, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + index); + return 2; + } + return 0; +} + static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -4924,19 +4942,9 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_freep(&sc->stsc_data); } - /* sanity checks */ - if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || - (!sc->sample_size && !sc->sample_count))) || - (!sc->chunk_count && sc->sample_count)) { - av_log(c->fc, AV_LOG_ERROR, "stream %d, missing mandatory atoms, broken header\n", - st->index); - return 0; - } - if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { - av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", - st->index); - return AVERROR_INVALIDDATA; - } + ret = sanity_checks(c->fc, sc, st->index); + if (ret) + return ret > 1 ? AVERROR_INVALIDDATA : 0; fix_timescale(c, sc); From fdabd48bbbaedbee9c7e764fb1794359cbc53424 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 21:35:06 +0100 Subject: [PATCH 521/562] avcodec/ffv1enc: Fix handling of 32bit unsigned symbols This may be needed for floats Sponsored-by: Sovereign Tech Fund Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 402824e9e99461f1c9e74a6730ced40894669560) 
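Review bot: sanity_checks() returns the bare magic values 1 and 2 and the caller decodes them with `return ret > 1 ? AVERROR_INVALIDDATA : 0`, which hides the important asymmetry that a stream with missing mandatory atoms is deliberately tolerated (mov_read_trak() returns 0) while an STSC/STCO contradiction is fatal. At minimum a comment above the new function should spell out the contract, e.g. `/* Returns 0 if the sample tables are consistent, 1 if mandatory atoms are missing (caller skips the stream), 2 if STSC and STCO contradict (fatal). */`; better still, return AVERROR_INVALIDDATA directly for the fatal case and a documented positive value for the tolerated one so the caller never compares against a literal. The rest of mov_read_trak() is outside the hunk.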
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index aa501b8285..7f0215847b 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -199,7 +199,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { From de6eed407cd7528160c24e78a8130cd84a71aa66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 02:59:28 +0100 Subject: [PATCH 522/562] avcodec/mpegvideo_enc: Check FLV1 resolution limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 827c073154f4cc17d1bd3777dff3b58370210bcb) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 5fab302148..c1228f21e5 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -526,6 +526,12 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return AVERROR(EINVAL); } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P || s->codec_id == AV_CODEC_ID_RV20) && From 2080df46069fcbb829aa08710b3a2158aa40a4f9 Mon Sep 17 00:00:00 2001 
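Review bot: `is_signed ? FFABS(v) : v` fixes the unsigned case, but in the signed case `FFABS(v)` is still evaluated in `v`'s own type before the conversion to `unsigned`, so if `v` can be `INT_MIN` the negation is signed overflow; `const unsigned a = is_signed ? (v < 0 ? 0U - (unsigned)v : (unsigned)v) : (unsigned)v;` computes the magnitude without that hazard. put_symbol_inline()'s signature is outside the hunk, so whether `v` is a plain `int` and whether callers already exclude `INT_MIN` needs confirming before changing it.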
From: Michael Niedermayer Date: Wed, 8 Jan 2025 03:11:02 +0100 Subject: [PATCH 523/562] avfilter/vf_v360: Fix NULL pointer use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: applying zero offset to null pointer partly Fixes: verysmall.flv Found-by: Elias Myllymäki Signed-off-by: Michael Niedermayer (cherry picked from commit 66e9888bf418984a274beddbc3e87e9f1b8f5077) Signed-off-by: Michael Niedermayer --- libavfilter/vf_v360.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c index a2960fd0ff..37aa4eb72f 100644 --- a/libavfilter/vf_v360.c +++ b/libavfilter/vf_v360.c @@ -4253,8 +4253,8 @@ static int v360_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) int16_t *u = r->u[p] + ((j - slice_start) * uv_linesize + i) * elements; int16_t *v = r->v[p] + ((j - slice_start) * uv_linesize + i) * elements; int16_t *ker = r->ker[p] + ((j - slice_start) * uv_linesize + i) * elements; - uint8_t *mask8 = p ? NULL : r->mask + ((j - slice_start) * s->pr_width[0] + i); - uint16_t *mask16 = p ? NULL : (uint16_t *)r->mask + ((j - slice_start) * s->pr_width[0] + i); + uint8_t *mask8 = (p || !r->mask) ? NULL : r->mask + ((j - slice_start) * s->pr_width[0] + i); + uint16_t *mask16 = (p || !r->mask) ? NULL : (uint16_t *)r->mask + ((j - slice_start) * s->pr_width[0] + i); int in_mask, out_mask; if (s->out_transpose) From 315e4e509736e78fdd3b35e25941b13c0b0cc7f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2025 03:30:21 +0100 Subject: [PATCH 524/562] avutil/avstring: dont mess with NULL pointers in av_match_list() Fixes: applying zero offset to null pointer Signed-off-by: Michael Niedermayer (cherry picked from commit c6c54943d161812b3c4034116cb14f3f5c05dc43) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 2071dd36a5..875eb691db 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -452,10 +452,12 @@ int av_match_list(const char *name, const char *list, char separator) if (k && (!p[k] || p[k] == separator)) return 1; q = strchr(q, separator); - q += !!q; + if(q) + q++; } p = strchr(p, separator); - p += !!p; + if (p) + p++; } return 0; From 7dd232e5876f5144a53389aa744c2614a5a3151d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 00:22:05 +0100 Subject: [PATCH 525/562] avformat/dashdec: Check whitelist Fixes: CVE-2023-6602, V. DASH Playlist SSRF Found-by: Harvey Phillips of Amazon Element55 (element55) Signed-off-by: Michael Niedermayer (cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf) Signed-off-by: Michael Niedermayer --- libavformat/dashdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 63070b77be..5909677bf1 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -445,7 +445,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_freep(pb); av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); - ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); + ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); if (ret >= 0) { // update cookies on http response with setcookies. char *new_cookies = NULL; @@ -1224,7 +1224,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) close_in = 1; av_dict_copy(&opts, c->avio_opts, 0); - ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); + ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); av_dict_free(&opts); if (ret < 0) return ret; 
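Review bot: The two replacements are written differently, `if(q)` with no space versus `if (p)` three lines below, and the surrounding av_match_list() code uses the spaced form; `if (q)` keeps the file consistent. The change itself is right, since `q += !!q` evaluated `NULL + 0`, which is what the sanitizer flagged, and behaviour is unchanged, so this is purely a style nit.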
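Review bot: Routing both opens through `ffio_open_whitelist()` with `s->protocol_whitelist` / `s->protocol_blacklist` is the right fix for manifest-driven requests, but if I read the avio layer correctly the effective whitelist when the application sets none is whatever was established when the input itself was opened, so a manifest read from a local file can still direct fetches to any network protocol that default allows; a comment at the first call site, `/* honour the caller's protocol whitelist/blacklist: manifest URLs are attacker-controlled */`, records the threat this addresses and nudges integrators to set the lists explicitly. The two new lines also exceed the file's 80-column style; wrapping the argument list after `&tmp,` / `&opts,` would match the surrounding code.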
From 4cb1c7a31cd94516ad24b08af80378a043b2f590 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 01:46:49 +0100 Subject: [PATCH 526/562] avformat/vqf: Check avio_read() in add_metadata() Fixes: use of uninitialized data Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c43dbecbdad152a91eadc7538b545852eee562ae) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 409c014a92..68ba5c0db0 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -62,7 +62,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); From 53be7e244c13faa7f538cf5fde2c7fae414378e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Dec 2024 04:13:25 +0100 Subject: [PATCH 527/562] avformat/vqf: Propagate errors from add_metadata() Suggested-by: Marton Balint Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 49fa3f6c5ba6d43cc4b3ade4f8d9dc2fdbc71f0a) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 68ba5c0db0..3fdb7d1781 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c 
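Review bot: The added short-read check `if (len != avio_read(s->pb, buf, len)) return;` leaks `buf`, which was allocated by `av_malloc(len+1)` two lines above and is otherwise handed to `av_dict_set()` with `AV_DICT_DONT_STRDUP_VAL`; an `av_free(buf);` is needed before the return. The follow-up hunk in the next commit (avformat/vqf: Propagate errors from add_metadata()) rewrites this into `if (ret < 0) return ret;` / `if (len != ret) return AVERROR_INVALIDDATA;` and keeps the same leak on both paths, so the fix applies there too, e.g. `if (ret < 0 || len != ret) { av_free(buf); return ret < 0 ? ret : AVERROR_INVALIDDATA; }`.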
@@ -50,23 +50,28 @@ static int vqf_probe(const AVProbeData *probe_packet) return AVPROBE_SCORE_EXTENSION; } -static void add_metadata(AVFormatContext *s, uint32_t tag, +static int add_metadata(AVFormatContext *s, uint32_t tag, unsigned int tag_len, unsigned int remaining) { int len = FFMIN(tag_len, remaining); char *buf, key[5] = {0}; + int ret; if (len == UINT_MAX) - return; + return AVERROR_INVALIDDATA; buf = av_malloc(len+1); if (!buf) - return; - if (len != avio_read(s->pb, buf, len)) - return; + return AVERROR(ENOMEM); + + ret = avio_read(s->pb, buf, len); + if (ret < 0) + return ret; + if (len != ret) + return AVERROR_INVALIDDATA; buf[len] = 0; AV_WL32(key, tag); - av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); + return av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); } static const AVMetadataConv vqf_metadata_conv[] = { @@ -164,7 +169,9 @@ static int vqf_read_header(AVFormatContext *s) avio_skip(s->pb, FFMIN(len, header_size)); break; default: - add_metadata(s, chunk_tag, len, header_size); + ret = add_metadata(s, chunk_tag, len, header_size); + if (ret < 0) + return ret; break; } From 884c833434b903930719633669f26ec1c9c8af88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2025 05:03:08 +0100 Subject: [PATCH 528/562] avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex Fixes: use-of-uninitialized-value Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e81d410242ea604c4f667da4a415836c1575d72f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 816d06da04..ff99fe32fb 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c 
@@ -375,7 +375,7 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, superframe_header = frag->data[frag->data_size - 1]; if ((superframe_header & 0xe0) == 0xc0) { - VP9RawSuperframeIndex sfi; + VP9RawSuperframeIndex sfi = {0}; GetBitContext gbc; size_t index_size, pos; int i; From 15498e72428f3f7fa1c9684ce6ce5beff9968da3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 02:53:45 +0100 Subject: [PATCH 529/562] avformat/wtvdec: Initialize buf ff_parse_mpeg2_descriptor() reads over what is initialized Fixes: use of uninitialized memory Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 17b019c517af26c6d2f0c6266938c60d36db1fa3) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 626e6a7068..2294d626cd 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -832,7 +832,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; From 1826e947d02ff568ba12c2f7ce527a4d55f4a527 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:07:51 +0100 Subject: [PATCH 530/562] avformat/ipmovie: Check signature_buffer read Fixes: use of uninitilaized data Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 788abe0d253b2034af15876d7889265d4746df2b) 
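Review bot: `uint8_t buf[258] = {0}` silences the over-read in ff_parse_mpeg2_descriptor() by making the bytes beyond what was filled deterministic, but the commit message says that function reads past what is initialized, so the length it is given (`buf_size`, declared just below) is the actual defect and is untouched here. A comment should mark this as a mitigation, e.g. `/* zeroed: ff_parse_mpeg2_descriptor() may read beyond buf_size, see commit 17b019c517 */`, so the proper bound is not forgotten; the call itself is outside the hunk.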
Signed-off-by: Michael Niedermayer --- libavformat/ipmovie.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 5d1748953a..3701be276f 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -614,7 +614,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); From 6a50a92137b7657e782989d62906f75b70840de7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:28:53 +0100 Subject: [PATCH 531/562] avformat/iamf_reader: Initialize padding and check read in ff_iamf_read_packet() Fixes: Use of uninitialized memory Fixes: 377642312/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4554550985424896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aec2933344b2b32fc931bdf0b46eef1bd42225ff) Signed-off-by: Michael Niedermayer --- libavformat/iamf_reader.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c index f3ff4170c6..fa825cf287 100644 --- a/libavformat/iamf_reader.c +++ b/libavformat/iamf_reader.c @@ -269,7 +269,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c, int read = 0; while (1) { - uint8_t header[MAX_IAMF_OBU_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; + uint8_t header[MAX_IAMF_OBU_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE] = {0}; enum IAMF_OBU_Type type; unsigned obu_size; unsigned skip_samples, discard_padding; 
@@ -280,6 +280,8 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c, size = avio_read(pb, header, FFMIN(MAX_IAMF_OBU_HEADER_SIZE, max_size)); if (size < 0) return size; + if (size != FFMIN(MAX_IAMF_OBU_HEADER_SIZE, max_size)) + return AVERROR_INVALIDDATA; len = ff_iamf_parse_obu_header(header, size, &obu_size, &start_pos, &type, &skip_samples, &discard_padding); From 55a3a57dffe12de105f3e9b9c71ee03f377ce208 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2024 01:48:22 +0100 Subject: [PATCH 532/562] avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() Fixes: use of uninitialized memory Fixes: 375286238/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-6352546854141952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef71552cf970876085d99834abdb8e429aea9730) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index ce6d4d4c59..b77f3808a6 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -773,6 +773,8 @@ static void decode_gray_bitstream(HYuvDecContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); From 55ec6d87aa41fcfb2e397f7ade42aadfb67433d0 Mon Sep 17 00:00:00 2001 
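Review bot: The requested length `FFMIN(MAX_IAMF_OBU_HEADER_SIZE, max_size)` is now spelled out twice in ff_iamf_read_packet(), once in the avio_read() call and again in the new comparison; a local keeps them in sync: `int to_read = FFMIN(MAX_IAMF_OBU_HEADER_SIZE, max_size); size = avio_read(pb, header, to_read);` followed by `if (size != to_read) return AVERROR_INVALIDDATA;`. With a full read now required, the `= {0}` initializer added in the previous hunk only matters for the bytes beyond `size`, which a short comment on that line could state so the two changes are understood together. ff_iamf_read_packet() continues outside the hunk.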
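Review bot: The new zero-fill loop in decode_gray_bitstream() deserves a one-line comment, because it reads as a no-op to anyone who does not know that the loop above stops early when `BITS_LEFT()` runs out: `/* bitstream exhausted: zero the remaining pairs so the caller never sees uninitialized temp data */`. Whether a truncated bitstream should additionally be reported to the caller cannot be judged from the hunk; the else branch and the rest of the function lie outside it.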
From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:05:37 +0200 Subject: [PATCH 533/562] avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() Fixes: Use of uninitialized memory Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ecc96f4d08d74b0590ab03f39f93f386910c4c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 2bd92bb514..3d52db47b8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -672,7 +672,8 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) From 8e95a9177eb95c260b16e154c71c35767a14ed10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 01:28:46 +0100 Subject: [PATCH 534/562] avformat/hls: Be more picky on extensions This blocks disallowed extensions from probing It also requires all available segments to have matching extensions to the format mpegts is treated independent of the extension It is recommended to set the whitelists correctly instead of depending on extensions, but this should help a bit, and this is easier to backport Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification The other parts of CVE-2023-6602 have been fixed by prior commits Found-by: Harvey Phillips of Amazon Element55 (element55) 
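Review bot: The `avio_read(pb, ivec, 16)` on the line just above the changed one in mxf_decrypt_triplet() is still unchecked, so the IV can be partially uninitialized when the stream ends inside it; because the two reads are sequential the new tmpbuf check will usually catch that case, but checking both keeps the intent explicit: `if (avio_read(pb, ivec, 16) != 16 || avio_read(pb, tmpbuf, 16) != 16) return AVERROR_INVALIDDATA;`. mxf_decrypt_triplet() continues outside the hunk.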
Signed-off-by: Michael Niedermayer (cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 7 +++++++ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index b70f3a38d7..29d1b0a8a8 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -567,6 +567,13 @@ prefer to use #EXT-X-START if it's in playlist instead of live_start_index. @item allowed_extensions ',' separated list of file extensions that hls is allowed to access. +@item extension_picky +This blocks disallowed extensions from probing +It also requires all available segments to have matching extensions to the format +except mpegts, which is always allowed. +It is recommended to set the whitelists correctly instead of depending on extensions +Enabled by default. + @item max_reload Maximum number of times a insufficient list is attempted to be reloaded. Default value is 1000. diff --git a/libavformat/hls.c b/libavformat/hls.c index 8702113e9f..18c8a4b654 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -222,6 +222,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; AVDictionary *seg_format_opts; char *allowed_extensions; + int extension_picky; int max_reload; int http_persistent; int http_multiple; 
@@ -730,6 +731,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return ret; } +static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg) +{ + HLSContext *c = s->priv_data; + int matchA = 3; + int matchF = 0; + + if (!c->extension_picky) + return 0; + + if (strcmp(c->allowed_extensions, "ALL")) + matchA = av_match_ext (seg->url, c->allowed_extensions) + + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0); + + if (!matchA) { + av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url); + return AVERROR_INVALIDDATA; + } + + if (in_fmt) { + if (in_fmt->extensions) { + matchF = av_match_ext( seg->url, in_fmt->extensions) + + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + } else if (!strcmp(in_fmt->name, "mpegts")) + matchF = 3; + + if (!(matchA & matchF)) { + av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + return AVERROR_INVALIDDATA; + } + } + + return 0; +} + static int parse_playlist(HLSContext *c, const char *url, struct playlist *pls, AVIOContext *in) { @@ -988,6 +1023,14 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg); + if (ret < 0) { + av_free(seg->url); + av_free(seg->key); + av_free(seg); + goto fail; + } + if (duration < 0.001 * AV_TIME_BASE) { av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," " set to default value to 1ms.\n", seg->url); 
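Review bot: The bitmask convention in test_segment() is undocumented: bit 0 of `matchA`/`matchF` is a plain av_match_ext() hit and bit 1 an ff_match_url_ext() hit, and the final `matchA & matchF` requires the allowed list and the format's list to agree on the same kind of match, which the literal `3` and the `2*(... > 0)` expressions do not convey; a comment above the declarations such as `/* bit 0: av_match_ext() match, bit 1: ff_match_url_ext() match; both sides must match the same way */` would help. The `pls` parameter is unused in the visible body. `strcmp(c->allowed_extensions, "ALL")` assumes the string option is never NULL; if it can be cleared by the caller (not visible here), a guard is needed before the strcmp().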
@@ -2112,6 +2155,11 @@ static int hls_read_header(AVFormatContext *s) pls->ctx->interrupt_callback = s->interrupt_callback; url = av_strdup(pls->segments[0]->url); ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0); + + for (int n = 0; n < pls->n_segments; n++) + if (ret >= 0) + ret = test_segment(s, in_fmt, pls, pls->segments[n]); + if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If @@ -2572,6 +2620,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"extension_picky", "Be picky with all extensions matching", + OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", From f57d15139f00b19d8e8232298a6e87c31e6e3fdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 12:51:58 +0100 Subject: [PATCH 535/562] avformat/hls: Print input format in error message Signed-off-by: Michael Niedermayer (cherry picked from commit d8455331302c72cde2f0b72f255004a91189dd93) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 18c8a4b654..1ce759d164 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
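Review bot: The segment-check loop added in hls_read_header() keeps iterating after the first failure and relies on `if (ret >= 0)` to skip the remaining calls; folding the condition into the loop makes the early stop explicit: `for (int n = 0; n < pls->n_segments && ret >= 0; n++) ret = test_segment(s, in_fmt, pls, pls->segments[n]);`. Note that `ret` at this point holds the result of av_probe_input_buffer(); if a non-negative value from probing is needed by the code below (cannot tell from the hunk), it is overwritten by test_segment()'s 0 here. hls_read_header() continues outside the hunk.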
@@ -757,7 +757,7 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = 3; if (!(matchA & matchF)) { - av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); return AVERROR_INVALIDDATA; } } From 584eb8c73cc702c4042331eb714ccad8910efde8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2025 02:28:32 +0100 Subject: [PATCH 536/562] avcodec/h263dec: Check against previous dimensions instead of coded Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 0fe33c99a26a06a6875c4abfb96362a65145264b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 910df7585f..c7b465d7ad 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -429,6 +429,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -480,6 +481,9 @@ retry: if (ret < 0) return ret; + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); 
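Review bot: The `bak_width`/`bak_height` snapshot in ff_h263_decode_frame() carries no comment saying why it exists, and the reader only learns its purpose at the revert further down; `/* the picture header parsers below may change s->width/height; keep the previous values to restore on failure */` above the two assignments would make the `-429` declaration hunk and this one self-explanatory. Both locals are declared uninitialized in the earlier hunk, which is fine only if every path to the revert passes this point; the `retry:` label suggests so, but the code between is outside the hunk.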
@@ -497,11 +501,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) From 8e69f09c40d09893fb0ccf784ff4c3f3ce0ea485 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 13:26:34 +0100 Subject: [PATCH 537/562] avformat/hls: .ts is always ok even if its a mov/mp4 Maybe fixes: 11435 Signed-off-by: Michael Niedermayer (cherry picked from commit 9e12572933dc1c49e9b35d772ddcae896c2ba8a8) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 1ce759d164..39c805d69c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -753,6 +753,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct if (in_fmt->extensions) { matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + if(av_match_name("mp4", in_fmt->name)) { + matchF |= av_match_ext( seg->url, "ts") + + 2*(ff_match_url_ext(seg->url, "ts") > 0); + } } else if (!strcmp(in_fmt->name, "mpegts")) matchF = 3; From 4d00981ce73fea81f8f386ba64db17953168649e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 23:07:54 +0100 Subject: [PATCH 538/562] libavformat/hls: Be more restrictive on mpegts extensions Signed-off-by: Michael Niedermayer (cherry picked from commit 0113e30806b205111344e266bc69ff9657a3ca02) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 39c805d69c..f382fb09fc 100644 
--- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -757,8 +757,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF |= av_match_ext( seg->url, "ts") + 2*(ff_match_url_ext(seg->url, "ts") > 0); } - } else if (!strcmp(in_fmt->name, "mpegts")) - matchF = 3; + } else if (!strcmp(in_fmt->name, "mpegts")) { + matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); + } if (!(matchA & matchF)) { av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); From f28eeabd034a6005e88e08f42d65db7fe314f9a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Feb 2025 13:09:08 +0100 Subject: [PATCH 539/562] avformat/hls: Fix twitter Allow mp4 with all mpegts extensions Fixes: Ticket11435 Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit cef3422b4819e3b6f07086625fa7890eaa8d45e7) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index f382fb09fc..274dc2b895 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -754,8 +754,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); if(av_match_name("mp4", in_fmt->name)) { - matchF |= av_match_ext( seg->url, "ts") - + 2*(ff_match_url_ext(seg->url, "ts") > 0); + matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); } } else if (!strcmp(in_fmt->name, "mpegts")) { matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") 
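Review bot: The list `"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"` now appears four times in test_segment() (twice in the mp4 branch of the `-754` hunk, twice in the mpegts branch of the `-757` hunk), and the preceding `-753` hunk shows the literal has already been edited once since it was introduced, so the copies will drift; one definition plus a small helper for the repeated `av_match_ext() + 2*(ff_match_url_ext() > 0)` expression removes the duplication. Each `matchF` line then becomes a single call such as `matchF |= match_ext_mask(seg->url, mpegts_exts);`. test_segment() lies mostly outside these hunks.
```c
/* extensions accepted for MPEG-TS segments, also tolerated for mp4 */
static const char mpegts_exts[] = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts";

/* bit 0: av_match_ext() match, bit 1: ff_match_url_ext() match */
static int match_ext_mask(const char *url, const char *exts)
{
    return av_match_ext(url, exts) + 2 * (ff_match_url_ext(url, exts) > 0);
}
// … unchanged: test_segment() body, with each matchA/matchF expression replaced by match_ext_mask() …
```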
From af1eb801daac0f249c51227d3f975e0e4d18f93a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Feb 2025 03:47:52 +0100 Subject: [PATCH 540/562] avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8a6ad9eab2f1c37a18c2f30e6660260edd7c0c16) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3d52db47b8..9c771b5856 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3883,7 +3883,7 @@ static int64_t mxf_set_current_edit_unit(MXFContext *mxf, AVStream *st, int64_t int64_t new_edit_unit; MXFIndexTable *t = mxf_find_index_table(mxf, track->index_sid); - if (!t || track->wrapping == UnknownWrapped) + if (!t || track->wrapping == UnknownWrapped || edit_unit > INT64_MAX - track->edit_units_per_packet) return -1; if (mxf_edit_unit_absolute_offset(mxf, t, edit_unit + track->edit_units_per_packet, track->edit_rate, NULL, &next_ofs, NULL, 0) < 0 && From 89a792fd3b2368d2da349e9ecc5e4bccf4f5b4ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 01:24:37 +0100 Subject: [PATCH 541/562] avformat/wavdec: Fix overflow of intermediate in block_align check Fixes: signed integer overflow: -251517880 * 32 cannot be represented in type 'int' Fixes: 385224934/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4909298151915520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
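Review bot: The new guard in mxf_set_current_edit_unit() assumes `track->edit_units_per_packet` is non-negative; its type and range are not visible in the hunk, and if it can be negative then `INT64_MAX - track->edit_units_per_packet` is itself the signed overflow the commit is fixing. Either document the invariant on the line, or make the check sign-safe: `if (!t || track->wrapping == UnknownWrapped || track->edit_units_per_packet < 0 || edit_unit > INT64_MAX - track->edit_units_per_packet)`. The function continues outside the hunk.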
Signed-off-by: Michael Niedermayer (cherry picked from commit 1afbc40875069312dd729b5959fb04950c3938db) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 12f30a8073..135da04840 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -911,10 +911,10 @@ static int w64_read_header(AVFormatContext *s) if (st->codecpar->block_align && st->codecpar->ch_layout.nb_channels < FF_SANE_NB_CHANNELS && st->codecpar->bits_per_coded_sample < 128) { - int block_align = st->codecpar->block_align; + int64_t block_align = st->codecpar->block_align; block_align = FFMAX(block_align, - ((st->codecpar->bits_per_coded_sample + 7) / 8) * + ((st->codecpar->bits_per_coded_sample + 7LL) / 8) * st->codecpar->ch_layout.nb_channels); if (block_align > st->codecpar->block_align) { av_log(s, AV_LOG_WARNING, "invalid block_align: %d, broken file.\n", From f43dfb5e82ad151e061d4c8e8fa4660740ba8bab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 02:33:21 +0100 Subject: [PATCH 542/562] avformat/mlvdec: fix size checks Fixes: heap-buffer-overflow Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251d43aef0df9262f2688c1c848af993bbb67d08) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 0ceec430a7..f91b95a939 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c 
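Review bot: `block_align` in w64_read_header() is now `int64_t`, but the av_log() at the end of the hunk still formats with `%d`; its arguments are outside the hunk, so if the local (rather than `st->codecpar->block_align`) is what is passed there, the specifier must become `%"PRId64"` or the value must be cast, otherwise the call is undefined behaviour. A short why-comment on the declaration records the reason for the widening, e.g. `int64_t block_align = st->codecpar->block_align; /* 64-bit: bits * channels can exceed INT_MAX */`. w64_read_header() continues outside the hunk.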
@@ -436,19 +436,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) From 33435e078f660b5122e3447a975655c33d7d3df7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2025 01:28:17 +0100 Subject: [PATCH 543/562] avformat/iff: Check that we have a stream in read_dst_frame() Fixes: null pointer dereference Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 8668957ef604bd2b99175310638bc5031ae0d991) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 0cbe125337..be4856aa3d 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c 
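Review bot: In read_packet() the remaining `size` is now tracked through every skip, yet the video branch still asks av_get_packet() for `(width * height * bits_per_coded_sample + 7) >> 3` bytes without comparing that to `size - 4`, so a chunk whose declared size is smaller than the frame is read into the following chunk; only the audio branch uses the counted size. A bound before the call makes both branches consistent, e.g. `if (((int64_t)st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3 > size - 4) return AVERROR_INVALIDDATA;`, and the 64-bit product also avoids the int overflow the existing expression can hit for large dimensions. `size < space + 4LL` relies on 64-bit promotion, which is correct if `space` is the unsigned 32-bit value from avio_rl32(); the type of `size` is not visible in the hunk.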
@@ -359,6 +359,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) From 9aab014878c12cd8b5003d3d9d656d9363789ed6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Feb 2025 22:59:00 +0100 Subject: [PATCH 544/562] update for 7.0.3 Signed-off-by: Michael Niedermayer --- Changelog | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 173 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 2faa8f3805..2fd8477a18 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,177 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 7.0.3: + avformat/iff: Check that we have a stream in read_dst_frame() + avformat/mlvdec: fix size checks + avformat/wavdec: Fix overflow of intermediate in block_align check + avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() + avformat/hls: Fix twitter + libavformat/hls: Be more restrictive on mpegts extensions + avformat/hls: .ts is always ok even if its a mov/mp4 + avcodec/h263dec: Check against previous dimensions instead of coded + avformat/hls: Print input format in error message + avformat/hls: Be more picky on extensions + avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() + avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() + avformat/iamf_reader: Initialize padding and check read in ff_iamf_read_packet() + avformat/ipmovie: Check signature_buffer read + avformat/wtvdec: Initialize buf + avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex + avformat/vqf: Propagate errors from add_metadata() + avformat/vqf: Check avio_read() in add_metadata() + avformat/dashdec: Check whitelist + avutil/avstring: dont mess with NULL pointers in av_match_list() + avfilter/vf_v360: Fix NULL pointer use + avcodec/mpegvideo_enc: Check FLV1 resolution limits + avcodec/ffv1enc: Fix handling of 32bit unsigned symbols + avformat/mov: Factorize sanity check out + avcodec/vc1dec: Clear block_index in vc1_decode_reset() + avcodec/aacsbr_template: Clear n_q on error + avformat/iamf_parse: Check output_channel_count + avcodec/osq: Fixes several undefined overflows in do_decode() + swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() + avfilter/af_pan: Fix sscanf() use + avfilter/vf_grayworld: Use the correct pointer for av_log() + avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]() + avcodec/get_buffer: Use av_buffer_mallocz() for 
audio same as its done for video + avformat/jpegxl_anim_dec: clear buffer padding + avformat/rmdec: check that buf if completely filled + avcodec/cfhdenc: Clear dwt_tmp + avcodec/hapdec: Clear tex buffer + avformat/mxfdec: Check that key was read sucessfull + avformat/rpl: Fix check for negative values + avformat/mlvdec: Check avio_read() + avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV + avformat/matroskadec: Check pre_ns for overflow + tools/target_dec_fuzzer: Adjust threshold for EACMV + tools/target_dec_fuzzer: Adjust threshold for MVC1 + tools/target_dec_fuzzer: Adjust Threshold for indeo5 + avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum() + avcodec/webp: Check ref_x/y + avcodec/ilbcdec: Initialize tempbuff2 + avformat/qcp: Check for read failure in header + avcodec/eatgq: Check bytestream2_get_buffer() for failure + avformat/dxa: check bpc + swscale/slice: clear allocated memory in alloc_lines() + avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63 + avformat/iamf_parse: reject ambisonics mode > 1 + avcodec/mjpegdec: Disallow progressive bayer images + avformat/icodec: fix integer overflow with nb_pal + doc/developer: Document relationship between git accounts and MAINTAINERS + doc/infra: Document trac backup system + doc/infra: Document gitolite + avformat/vividas: Check avio_read() for failure + avformat/ilbc: Check avio_read() for failure + avformat/nistspheredec: Clear buffer + avformat/mccdec: Initialize and check rate.den + avformat/rpl: check channels + INSTALL: explain the circular dependency issue and solution + avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen + avformat/mxfdec: Fix overflow in midpoint computation + swscale/output: used unsigned for bit accumulation + avcodec/rangecoder: only perform renorm check/loop for callers that need it + avcodec/ffv1dec: Fix end computation with ec=2 + avcodec/ffv1enc: Prevent generation of files with broken slices + avformat/matroskadec: Check 
desc_bytes so bits fit in 64bit + avformat/mov: Avoid overflow in dts + avcodec/ffv1enc: Correct error message about unsupported version + avcodec/ffv1enc: Slice combination is unsupported + avcodec/ffv1enc: 2Pass mode is not possible with golomb coding + avcodec/ffv1enc: Fix >8bit context size + avcodec/xan: Add basic input size check + avcodec/imm4: Check input size + avcodec/svq3: Check for minimum size input + avcodec/eacmv: Check input size for intra frames + tools/target_dec_fuzzer: Adapt threshold for RASC + avcodec/encode: Check bitrate + avcodec/cbs_h266_syntax_template: Check bit depth with range extension + avcodec/osq: use unsigned for decorrelation + avcodec/jfdctint_template: use unsigned z* in row_fdct() + avformat/asf: Check picsize + avcodec/osq: Treat sum = 0 as k = 0 + avformat/mxfdec: Check timecode for overflow + avformat/mxfdec: More offset_temp checks + avformat/flvdec: Free metaVideoColor + swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() + swscale/swscale: Use unsigned operation to avoid undefined behavior + avcodec/vc2enc: basic sanity check on slice_max_bytes + avformat/mvdec: Check if name was fully read + avcodec/wmavoice: Do not use uninitialized pitch[0] + avformat/argo_brp: Check that ASF chunk header is completely read + avcodec/notchlc: Check bytes left before reading + avcodec/vc1_block: propagate error codes + avformat/apetag: Check APETAGEX + avcodec/magicyuvenc: better slice height + avcodec/avcodec: Warn about data returned from get_buffer*() + avformat/av1dec: Better fix for 70872/clusterfuzz-testcase-minimized-ffmpeg_dem_OBU_fuzzer-6005782487826432 + avcodec/apac: Fix discards ‘const’ qualifier + avcodec/alsdec: clear last_acf_mantissa + avcodec/aic: Clear slice_data + avcodec/vc1dec: Clear mb_type_base and ttblk_base + avcodec/shorten: clear padding + avformat/mpeg: Check an avio_read() for failure + avcodec/apac: Clean padding space + avcodec/mvha: Clear remaining space after inflate() + 
bsf/media100_to_mjpegb: Clear output buffer padding + avformat/iamfdec: Check nb_layers before dereferencing layer + avformat/av1dec: Check bits left before get_leb128() + avformat/segafilm: Set keyframe + avcodec/sga: av_assert1 check init_get_bits8() + tools/target_dec_fuzzer: Check that FFv1 doesnt leave uninitialized memory in its buffers + avdevice/dshow: Initialize 2 pointers + avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() + avcodec/dxva2: initialize validate + avcodec/dxva2: Initialize ConfigBitstreamRaw + avcodec/dxva2: Initialize dxva_size and check it + avfilter/vf_xfade: Compute w2, h2 with float + avfilter/vf_v360: Assert that vf was initialized + avfilter/vf_tonemap_opencl: Dereference after NULL check + avfilter/af_surround: Check output format + avfilter/vf_xfade_opencl: Check ff_inlink_consume_frame() for failure + avformat/lmlm4: Eliminate some AVERROR(EIO) + tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content + avformat/wtvdec: Check length of read mpeg2_descriptor + avformat/wtvdec: clear sectors + avcodec/parser: ensure input padding is zeroed + avformat/jpegxl_anim_dec: ensure input padding is zeroed + avformat/img2dec: Clear padding data after EOF + avformat/wavdec: Check if there are 16 bytes before testing them + avformat/mov: (v4) fix get_eia608_packet + configure: Improve the check for the rsync --contimeout option + rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open + lavc/aarch64: Fix ff_pred16x16_plane_neon_10 + lavc/aarch64: Fix ff_pred8x8_plane_neon_10 + vp9: recon: Use emulated edge to prevent buffer overflows + arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + avfilter/f_loop: fix aloop activate logic + avfilter/f_loop: fix length of aloop leftover buffer + avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol + avcodec/jpegxl_parser: check 
entropy_decoder_read_symbol return value + fftools/ffplay: fix crash when vk renderer is null + avutil/wchar_filename: re-introduce explicit cast of void* to char* + avcodec/libx265: unbreak build for X265_BUILD >= 213 + avutil/iamf: fix doxygen + avformat/mov_chan: add extra checks to channel description count + lavc/hevcdec: set per-CTB filter parameters for WPP + lavc/hevc: check framerate num/den to be strictly positive + lavc/libx265: unbreak build for X265_BUILD >= 210 + avformat/libzmq: fix check for zmq protocol prefix + configure: improve check for POSIX ioctl + configure: restore autodetection of v4l2 and fbdev + avformat/iamf_parse: Fix return of uninitialized value + avformat/iamf_parse: use get_bits_long() to read the remaining AAC extradata bits + avformat/iamf_parse: fix parsing AAC DecoderConfigDescriptor + avformat/isom: make parameters used for loging a pointer to void + avformat/iamf_parse: clear padding + avformat/hlsenc: correctly reset subtitle stream counter per-varstream + libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 + avformat/iamf_parse: ignore Audio Elements with an unsupported type + lavc/vaapi_av1: Avoid sending the same slice buffer multiple times + lavc/vaapi_decode: Make it possible to send multiple slice params buffers + avformat/mov: fix track handling when mixing IAMF and video tracks + version 7.0.2: avcodec/snow: Fix off by 1 error in run_buffer avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow diff --git a/RELEASE b/RELEASE index a8907c025d..a50da181e9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -7.0.2 +7.0.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index da0bb267c9..c3d1ed38c0 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 7.0.2 +PROJECT_NUMBER = 7.0.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 3c3d252449527321a8706952eea369623d9181ae Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 10 Dec 2024 14:07:09 -0300 Subject: [PATCH 545/562] avformat/iamfdec: don't set individual streams as dependent Signed-off-by: James Almer (cherry picked from commit 2d33f66f9ac85b3b58280e27793a2b7aa47dc054) --- libavformat/iamfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c index 2e6608b868..ad47c5e5f7 100644 --- a/libavformat/iamfdec.c +++ b/libavformat/iamfdec.c @@ -109,7 +109,7 @@ static int iamf_read_header(AVFormatContext *s) if (!i && !j && audio_element->nb_layers && audio_element->layers[0].substream_count == 1) st->disposition |= AV_DISPOSITION_DEFAULT; - else + else if (audio_element->nb_layers > 1 || audio_element->layers[0].substream_count > 1) st->disposition |= AV_DISPOSITION_DEPENDENT; st->id = substream->audio_substream_id; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 5a8055a58ac7db8bd8837b44ab8e5c02adfb623c Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 11 Dec 2024 23:27:00 -0300 Subject: [PATCH 546/562] avformat/iamf_parse: add checks to parameter definition durations Section 3.6.1 of the IAMF spec states "When constant_subblock_duration is equal to 0, the summation of all subblock_duration in this parameter block SHALL be equal to duration.". Signed-off-by: James Almer (cherry picked from commit d38fc25519cf12a9212dadcba1258fc176ffbade) --- libavformat/iamf_parse.c | 14 ++++++++++++-- libavformat/iamf_reader.c | 15 +++++++++++++-- 2 files changed, 25 insertions(+), 4 deletions(-) 
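Review bot: The new `else if` in iamf_read_header() evaluates `audio_element->layers[0].substream_count` whenever `nb_layers > 1` is false, including when `nb_layers == 0`, whereas the `if` above guards the same access with `audio_element->nb_layers &&`; unless the parser guarantees at least one layer (not visible here), this reads past an empty layers array. Mirroring the guard keeps it safe: `else if (audio_element->nb_layers > 1 || (audio_element->nb_layers && audio_element->layers[0].substream_count > 1))`. iamf_read_header() continues outside the hunk.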
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 5f2ad9fb5b..8d952cf203 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -498,6 +498,7 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, AVIAMFParamDefinition *param; unsigned int parameter_id, parameter_rate, mode; unsigned int duration = 0, constant_subblock_duration = 0, nb_subblocks = 0; + unsigned int total_duration = 0; size_t param_size; parameter_id = ffio_read_leb(pb); @@ -518,8 +519,10 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, constant_subblock_duration = ffio_read_leb(pb); if (constant_subblock_duration == 0) nb_subblocks = ffio_read_leb(pb); - else + else { nb_subblocks = duration / constant_subblock_duration; + total_duration = duration; + } } param = av_iamf_param_definition_alloc(type, nb_subblocks, ¶m_size); @@ -530,8 +533,10 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, void *subblock = av_iamf_param_definition_get_subblock(param, i); unsigned int subblock_duration = constant_subblock_duration; - if (constant_subblock_duration == 0) + if (constant_subblock_duration == 0) { subblock_duration = ffio_read_leb(pb); + total_duration += subblock_duration; + } switch (type) { case AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN: { @@ -559,6 +564,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, } } + if (!mode && !constant_subblock_duration && total_duration != duration) { + av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id); + return AVERROR_INVALIDDATA; + } + param->parameter_id = parameter_id; param->parameter_rate = parameter_rate; param->duration = duration; diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c index fa825cf287..b43ed76df4 100644 --- a/libavformat/iamf_reader.c +++ b/libavformat/iamf_reader.c 
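Review bot: `total_duration` in param_parse() is an `unsigned int` accumulated from LEB-encoded `subblock_duration` values, so a sequence of large subblocks can wrap the sum back to exactly `duration` and slip past the new `total_duration != duration` check; the same pattern is added to parameter_block_obu() in the iamf_reader.c hunks that follow. Checking before adding closes the gap and rejects the first overshooting subblock instead of parsing the whole block: `if (subblock_duration > duration - total_duration) return AVERROR_INVALIDDATA; total_duration += subblock_duration;` (in the reader, set `ret` and `goto fail` as the surrounding code does). param_parse() and parameter_block_obu() both continue outside their hunks.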
@@ -108,6 +108,7 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 AVIOContext *pb;
 uint8_t *buf;
 unsigned int duration, constant_subblock_duration;
+ unsigned int total_duration = 0;
 unsigned int nb_subblocks;
 unsigned int parameter_id;
 size_t out_param_size;
@@ -146,8 +147,10 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 constant_subblock_duration = ffio_read_leb(pb);
 if (constant_subblock_duration == 0)
 nb_subblocks = ffio_read_leb(pb);
- else
+ else {
 nb_subblocks = duration / constant_subblock_duration;
+ total_duration = duration;
+ }
 } else {
 duration = param->duration;
 constant_subblock_duration = param->constant_subblock_duration;
@@ -171,8 +174,10 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 void *subblock = av_iamf_param_definition_get_subblock(out_param, i);
 unsigned int subblock_duration = constant_subblock_duration;
- if (!param_definition->mode && !constant_subblock_duration)
+ if (!param_definition->mode && !constant_subblock_duration) {
 subblock_duration = ffio_read_leb(pb);
+ total_duration += subblock_duration;
+ }
 switch (param->type) {
 case AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN: {
@@ -234,6 +239,12 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 av_log(s, level, "Underread in parameter_block_obu. %d bytes left at the end\n", len);
 }
+ if (!param_definition->mode && !constant_subblock_duration && total_duration != duration) {
+ av_log(s, AV_LOG_ERROR, "Invalid duration in parameter block\n");
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
 switch (param->type) {
 case AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN:
 av_free(c->mix);
From 70ae846c71f4daaf8f89927ba24845773edcce1f Mon Sep 17 00:00:00 2001
From: James Almer Date: Wed, 11 Dec 2024 23:34:32 -0300 Subject: [PATCH 547/562] avformat/iamf_parse: fix setting duration for the last subblock in a parameter definition When subblock durations are constant, the last block may be smaller and the value needs to be calculated. Signed-off-by: James Almer (cherry picked from commit fb5e8ea9719c8afcd0d9e3a51e370c06c361d9ba) --- libavformat/iamf_parse.c | 3 ++- libavformat/iamf_reader.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 8d952cf203..2497061d7a 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -536,7 +536,8 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
 if (constant_subblock_duration == 0) {
 subblock_duration = ffio_read_leb(pb);
 total_duration += subblock_duration;
- }
+ } else if (i == nb_subblocks - 1)
+ subblock_duration = duration - i * constant_subblock_duration;
 switch (type) {
 case AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN: {
diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
index b43ed76df4..02e8b694d7 100644
--- a/libavformat/iamf_reader.c
+++ b/libavformat/iamf_reader.c
@@ -177,7 +177,8 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 if (!param_definition->mode && !constant_subblock_duration) {
 subblock_duration = ffio_read_leb(pb);
 total_duration += subblock_duration;
- }
+ } else if (i == nb_subblocks - 1)
+ subblock_duration = duration - i * constant_subblock_duration;
 switch (param->type) {
 case AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN: {
From d88741836ee3a04a9c5645a51ebf1134ab94995e Mon Sep 17 00:00:00 2001
From: James Almer Date: Wed, 11 Dec 2024 13:30:23 -0300 Subject: [PATCH 548/562] avformat/iamf_writer: fix setting num_samples_per_frame for OPUS As per section 3.11.1 of the IAMF spec, the sample rate used in Codec Config for Opus shall be 48kHz, regardless of the original sample rate used during encoding.
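Review bot: Because `nb_subblocks = duration / constant_subblock_duration` (set in the earlier `@@ -518` / `@@ -146` hunks, outside this one) truncates, the new `duration - i * constant_subblock_duration` makes the final subblock larger than the constant duration whenever `duration` is not a multiple of it, not smaller as the commit message describes. If the specification defines the count as the ceiling of that division (as I believe section 3.6.1 does), `nb_subblocks` would need to be `duration / constant_subblock_duration + (duration % constant_subblock_duration != 0)` for a trailing short block to exist at all; the allocation takes nb_subblocks so it would follow automatically. On style, the `} else if (i == nb_subblocks - 1)` body is unbraced while its sibling `if` is braced; bracing both keeps the shape uniform. The same applies to the iamf_reader.c hunk below (`@@ -177`); param_parse and parameter_block_obu both continue outside these hunks.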
Signed-off-by: James Almer (cherry picked from commit 76049d1c4564a6a03c467b1f9b0bc853bc971769) --- libavformat/iamf_writer.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c
index 5e8d8f768b..b4874806e4 100644
--- a/libavformat/iamf_writer.c
+++ b/libavformat/iamf_writer.c
@@ -112,9 +112,17 @@ static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg,
 int j, ret = 0;
 codec_config->codec_id = st->codecpar->codec_id;
- codec_config->sample_rate = st->codecpar->sample_rate;
 codec_config->codec_tag = st->codecpar->codec_tag;
- codec_config->nb_samples = st->codecpar->frame_size;
+ switch (codec_config->codec_id) {
+ case AV_CODEC_ID_OPUS:
+ codec_config->sample_rate = 48000;
+ codec_config->nb_samples = av_rescale(st->codecpar->frame_size, 48000, st->codecpar->sample_rate);
+ break;
+ default:
+ codec_config->sample_rate = st->codecpar->sample_rate;
+ codec_config->nb_samples = st->codecpar->frame_size;
+ break;
+ }
 populate_audio_roll_distance(codec_config);
 if (st->codecpar->extradata_size) {
 codec_config->extradata = av_memdup(st->codecpar->extradata, st->codecpar->extradata_size);
@@ -183,9 +191,9 @@ static int add_param_definition(IAMFContext *iamf, AVIAMFParamDefinition *param,
 }
 if (codec_config) {
 if (!param->duration)
- param->duration = codec_config->nb_samples;
+ param->duration = av_rescale(codec_config->nb_samples, param->parameter_rate, codec_config->sample_rate);
 if (!param->constant_subblock_duration)
- param->constant_subblock_duration = codec_config->nb_samples;
+ param->constant_subblock_duration = av_rescale(codec_config->nb_samples, param->parameter_rate, codec_config->sample_rate);
 }
 param_definition = av_mallocz(sizeof(*param_definition));
From c10f15c0e871e1f21f1b4affac1b08ac568785d8 Mon Sep 17 00:00:00 2001
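Review bot: All three new `av_rescale` calls divide by a sample rate taken from the stream (`st->codecpar->sample_rate` in fill_codec_config, `codec_config->sample_rate` in add_param_definition), and as far as I recall `av_rescale` returns `INT64_MIN` rather than failing when its divisor is not positive, so an unset (zero) sample rate would silently store a truncated garbage value in `codec_config->nb_samples`, `param->duration` and `param->constant_subblock_duration`, all of which are narrower than int64_t. Unless the sample rate is validated before these functions run (not visible here), a guard ahead of the switch such as `if (st->codecpar->sample_rate <= 0) return AVERROR(EINVAL);` fails fast with a clear error, and the add_param_definition hunk can then rely on the already-filled codec_config. Both functions continue outside these hunks.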
From: James Almer Date: Fri, 27 Dec 2024 16:17:51 -0300 Subject: [PATCH 549/562] avformat/iamf_writer: ensure the stream groups are not empty Signed-off-by: James Almer (cherry picked from commit cedd9151f863e3db9c325aff2f9375c39adbbec2) --- libavformat/iamf_writer.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c
index b4874806e4..7dfe658bf9 100644
--- a/libavformat/iamf_writer.c
+++ b/libavformat/iamf_writer.c
@@ -217,6 +217,10 @@ int ff_iamf_add_audio_element(IAMFContext *iamf, const AVStreamGroup *stg, void
 if (stg->type != AV_STREAM_GROUP_PARAMS_IAMF_AUDIO_ELEMENT)
 return AVERROR(EINVAL);
+ if (!stg->nb_streams) {
+ av_log(log_ctx, AV_LOG_ERROR, "Audio Element id %"PRId64" has no streams\n", stg->id);
+ return AVERROR(EINVAL);
+ }
 iamf_audio_element = stg->params.iamf_audio_element;
 if (iamf_audio_element->audio_element_type == AV_IAMF_AUDIO_ELEMENT_TYPE_SCENE) {
@@ -381,6 +385,10 @@ int ff_iamf_add_mix_presentation(IAMFContext *iamf, const AVStreamGroup *stg, vo
 if (stg->type != AV_STREAM_GROUP_PARAMS_IAMF_MIX_PRESENTATION)
 return AVERROR(EINVAL);
+ if (!stg->nb_streams) {
+ av_log(log_ctx, AV_LOG_ERROR, "Mix Presentation id %"PRId64" has no streams\n", stg->id);
+ return AVERROR(EINVAL);
+ }
 for (int i = 0; i < iamf->nb_mix_presentations; i++) {
 if (stg->id == iamf->mix_presentations[i]->mix_presentation_id) {
From d6270e6b5cbfac87c8e6bcaffd9017eadc21ce36 Mon Sep 17 00:00:00 2001
From: James Almer Date: Mon, 13 Jan 2025 17:28:02 -0300 Subject: [PATCH 550/562] avformat/iamf_parse: add missing av_free() call on failure path Fixes ticket #11416 Signed-off-by: James Almer (cherry picked from commit d5873be583ada9e1fb887e2fe8dcfd4b12e0efcd) --- libavformat/iamf_parse.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 2497061d7a..5c7004664e 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -567,6 +567,7 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
 if (!mode && !constant_subblock_duration && total_duration != duration) {
 av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id);
+ av_free(param);
 return AVERROR_INVALIDDATA;
 }
From 695dcf29c21911db19cc41722af94ece131303d8 Mon Sep 17 00:00:00 2001
From: James Almer Date: Mon, 17 Feb 2025 11:41:24 -0300 Subject: [PATCH 551/562] avformat/iamf_parse: add missing constrains for num_parameters in audio_element_oub() Fixes ticket #11475. Signed-off-by: James Almer (cherry picked from commit 0526535cd58444dd264e810b2f3348b4d96cff3b) --- libavformat/iamf_parse.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 5c7004664e..b97a3fb3fe 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -733,6 +733,12 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 }
 num_parameters = ffio_read_leb(pbc);
+ if (num_parameters > 2 && audio_element_type == 0) {
+ av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid" " for Channel representations\n", num_parameters);
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 if (num_parameters && audio_element_type != 0) {
 av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid" " for Scene representations\n", num_parameters);
From e0e7c95a06c22b60a5924e1a268df1c2ccc472d2 Mon Sep 17 00:00:00 2001
From: James Almer Date: Mon, 17 Feb 2025 11:41:25 -0300 Subject: [PATCH 552/562] avformat/iamf_parse: ensure there's at most one of each parameter types in audio elements Should prevent potential memory leaks on invalid files. Signed-off-by: James Almer (cherry picked from commit 5470d024e18968b3bdef2b745966f7617f1eb9f2) --- libavformat/iamf_parse.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index b97a3fb3fe..c1e9cbebaa 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -752,11 +752,19 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
 type = ffio_read_leb(pbc);
 if (type == AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN)
 ret = AVERROR_INVALIDDATA;
- else if (type == AV_IAMF_PARAMETER_DEFINITION_DEMIXING)
+ else if (type == AV_IAMF_PARAMETER_DEFINITION_DEMIXING) {
+ if (element->demixing_info) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 ret = param_parse(s, c, pbc, type, audio_element, &element->demixing_info);
- else if (type == AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN)
+ } else if (type == AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN) {
+ if (element->recon_gain_info) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 ret = param_parse(s, c, pbc, type, audio_element, &element->recon_gain_info);
- else {
+ } else {
 unsigned param_definition_size = ffio_read_leb(pbc);
 avio_skip(pbc, param_definition_size);
 }
From f1e8e74477c3736597f700d8986b1bd4967cbd79 Mon Sep 17 00:00:00 2001
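Review bot: The two duplicate-definition rejections jump to `fail` without an `av_log`, unlike the other `AVERROR_INVALIDDATA` paths in audio_element_obu such as the num_parameters checks from the preceding commit, so a file rejected here gives no indication why; a line like `av_log(s, AV_LOG_ERROR, "Duplicate demixing parameter definition in Audio Element\n");` (and its recon-gain counterpart) before each `goto fail` keeps diagnostics consistent. The MIX_GAIN branch just above only sets `ret` and presumably relies on a check after the if/else chain, while the new branches `goto fail` directly; using one shape for all three error cases would make the control flow easier to follow. audio_element_obu continues outside the hunk.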
From: Patrice Dumas Date: Fri, 1 Nov 2024 15:57:07 +0100 Subject: [PATCH 553/562] doc/t2h: Support texinfo 7.1 and 7.2 pretest Here is a proposed patch for portability of doc/t2h.pm for GNU Texinfo 7.1 and 7.1.90 (7.2 pretest). I tested against 7.1 and 7.1.90 (7.2 pretest). There is a difference in the headings compared to the website version, maybe related to FA_ICONS not being set the same, but the result seems correct. I also renamed $element to $output_unit in ffmpeg_heading_command as in new equivalent makeinfo/texi2any code the $element variable is the $command variable in ffmpeg_heading_command, which is very confusing. I left as is the $command variable to have a patch easier to read, but it could make sense to rename $command as $element later on. The patch could also have effects with Texinfo 7.0, since some of the changes are for that version, but that probably never show up because it is for situations that may not exist in ffmpeg manuals (for example @node without sectioning command), or because the code is robust to some missing information (case of $heading_level in ffmpeg_heading_command that was not set, as far as I can tell). Signed-off-by: James Almer (cherry picked from commit 4d9cdf82ee36a7da4f065821c86165fe565aeac2) --- doc/t2h.pm | 169 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 129 insertions(+), 40 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index b7485e1f1e..4875d66305 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -54,12 +54,24 @@ sub get_formatting_function($$) { } # determine texinfo version -my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $package_version = ff_get_conf('PACKAGE_VERSION'); +$package_version =~ s/\+dev$//; +my $program_version_num = version->declare($package_version)->numify; my $program_version_6_8 = $program_version_num >= 6.008000; # no navigation elements ff_set_from_init_file('HEADERS', 0); +my %sectioning_commands = %Texinfo::Common::sectioning_commands; +if (scalar(keys(%sectioning_commands)) == 0) { + %sectioning_commands = %Texinfo::Commands::sectioning_heading_commands; +} + +my %root_commands = %Texinfo::Common::root_commands; +if (scalar(keys(%root_commands)) == 0) { + %root_commands = %Texinfo::Commands::root_commands; +} + sub ffmpeg_heading_command($$$$$) { my $self = shift; @@ -77,6 +89,9 @@ sub ffmpeg_heading_command($$$$$) return $result; } + # no need to set it as the $element_id is output unconditionally + my $heading_id; + my $element_id = $self->command_id($command); $result .= "\n" if (defined($element_id) and $element_id ne ''); 
@@ -84,24 +99,40 @@ sub ffmpeg_heading_command($$$$$) print STDERR "Process $command " .Texinfo::Structuring::_print_root_command_texi($command)."\n" if ($self->get_conf('DEBUG')); - my $element; - if ($Texinfo::Common::root_commands{$command->{'cmdname'}} - and $command->{'parent'} - and $command->{'parent'}->{'type'} - and $command->{'parent'}->{'type'} eq 'element') { - $element = $command->{'parent'}; + my $output_unit; + if ($root_commands{$command->{'cmdname'}}) { + if ($command->{'associated_unit'}) { + $output_unit = $command->{'associated_unit'}; + } elsif ($command->{'structure'} + and $command->{'structure'}->{'associated_unit'}) { + $output_unit = $command->{'structure'}->{'associated_unit'}; + } elsif ($command->{'parent'} + and $command->{'parent'}->{'type'} + and $command->{'parent'}->{'type'} eq 'element') { + $output_unit = $command->{'parent'}; + } } - if ($element) { + + if ($output_unit) { $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, - $command, $element); + $command, $output_unit); } my $heading_level; # node is used as heading if there is nothing else. if ($cmdname eq 'node') { - if (!$element or (!$element->{'extra'}->{'section'} - and $element->{'extra'}->{'node'} - and $element->{'extra'}->{'node'} eq $command + if (!$output_unit or + (((!$output_unit->{'extra'}->{'section'} + and $output_unit->{'extra'}->{'node'} + and $output_unit->{'extra'}->{'node'} eq $command) + or + ((($output_unit->{'extra'}->{'unit_command'} + and $output_unit->{'extra'}->{'unit_command'} eq $command) + or + ($output_unit->{'unit_command'} + and $output_unit->{'unit_command'} eq $command)) + and $command->{'extra'} + and not $command->{'extra'}->{'associated_section'})) # bogus node may not have been normalized and defined($command->{'extra'}->{'normalized'}))) { if ($command->{'extra'}->{'normalized'} eq 'Top') { 
@@ -111,7 +142,15 @@ sub ffmpeg_heading_command($$$$$) } } } else { - $heading_level = $command->{'level'}; + if (defined($command->{'extra'}) + and defined($command->{'extra'}->{'section_level'})) { + $heading_level = $command->{'extra'}->{'section_level'}; + } elsif ($command->{'structure'} + and defined($command->{'structure'}->{'section_level'})) { + $heading_level = $command->{'structure'}->{'section_level'}; + } else { + $heading_level = $command->{'level'}; + } } my $heading = $self->command_text($command); @@ -119,8 +158,8 @@ sub ffmpeg_heading_command($$$$$) # if there is an error in the node. if (defined($heading) and $heading ne '' and defined($heading_level)) { - if ($Texinfo::Common::root_commands{$cmdname} - and $Texinfo::Common::sectioning_commands{$cmdname}) { + if ($root_commands{$cmdname} + and $sectioning_commands{$cmdname}) { my $content_href = $self->command_contents_href($command, 'contents', $self->{'current_filename'}); if ($content_href) { @@ -140,7 +179,13 @@ sub ffmpeg_heading_command($$$$$) } } - if ($self->in_preformatted()) { + my $in_preformatted; + if ($program_version_num >= 7.001090) { + $in_preformatted = $self->in_preformatted_context(); + } else { + $in_preformatted = $self->in_preformatted(); + } + if ($in_preformatted) { $result .= $heading."\n"; } else { # if the level was changed, set the command name right 
@@ -149,21 +194,25 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - # format_heading_text expects an array of headings for texinfo >= 7.0 if ($program_version_num >= 7.000000) { - $heading = [$heading]; - } - $result .= &{get_formatting_function($self,'format_heading_text')}( + $result .= &{get_formatting_function($self,'format_heading_text')}($self, + $cmdname, [$cmdname], $heading, + $heading_level +$self->get_conf('CHAPTER_HEADER_LEVEL') -1, + $heading_id, $command); + + } else { + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); + } } } $result .= $content if (defined($content)); return $result; } -foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { +foreach my $command (keys(%sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } 
@@ -188,28 +237,56 @@ sub ffmpeg_begin_file($$$) my $filename = shift; my $element = shift; - my $command; - if ($element and $self->get_conf('SPLIT')) { - $command = $self->element_command($element); + my ($element_command, $node_command, $command_for_title); + if ($element) { + if ($element->{'unit_command'}) { + $element_command = $element->{'unit_command'}; + } elsif ($self->can('tree_unit_element_command')) { + $element_command = $self->tree_unit_element_command($element); + } elsif ($self->can('tree_unit_element_command')) { + $element_command = $self->element_command($element); + } + + $node_command = $element_command; + if ($element_command and $element_command->{'cmdname'} + and $element_command->{'cmdname'} ne 'node' + and $element_command->{'extra'} + and $element_command->{'extra'}->{'associated_node'}) { + $node_command = $element_command->{'extra'}->{'associated_node'}; + } + + $command_for_title = $element_command if ($self->get_conf('SPLIT')); } - my ($title, $description, $encoding, $date, $css_lines, - $doctype, $bodytext, $copying_comment, $after_body_open, - $extra_head, $program_and_version, $program_homepage, + my ($title, $description, $keywords, $encoding, $date, $css_lines, $doctype, + $root_html_element_attributes, $body_attributes, $copying_comment, + $after_body_open, $extra_head, $program_and_version, $program_homepage, $program, $generator); - if ($program_version_num >= 7.000000) { - ($title, $description, $encoding, $date, $css_lines, - $doctype, $bodytext, $copying_comment, $after_body_open, + if ($program_version_num >= 7.001090) { + ($title, $description, $keywords, $encoding, $date, $css_lines, $doctype, + $root_html_element_attributes, $body_attributes, $copying_comment, + $after_body_open, $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command_for_title, + $filename); + } elsif ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, 
$css_lines, $doctype, + $root_html_element_attributes, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_information($command); + $program, $generator) = $self->_file_header_information($command_for_title, + $filename); } else { ($title, $description, $encoding, $date, $css_lines, - $doctype, $bodytext, $copying_comment, $after_body_open, - $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $doctype, $root_html_element_attributes, $copying_comment, + $after_body_open, $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command_for_title); } - my $links = $self->_get_links ($filename, $element); + my $links; + if ($program_version_num >= 7.000000) { + $links = $self->_get_links($filename, $element, $node_command); + } else { + $links = $self->_get_links ($filename, $element); + } my $head1 = $ENV{"FFMPEG_HEADER1"} || < 
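Review bot: The second `elsif ($self->can('tree_unit_element_command'))` tests the same method as the first, so the branch that calls `$self->element_command($element)` can never execute and Texinfo versions that only provide `element_command` leave `$element_command` undefined; the condition was presumably meant to read `} elsif ($self->can('element_command')) {`. Since `$node_command` and `$command_for_title` are derived from `$element_command`, the page title and navigation links silently regress on those versions. ffmpeg_begin_file continues outside the hunk, which spans this chunk and the previous one.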
@@ -252,13 +329,25 @@ sub ffmpeg_program_string($) if (defined($self->get_conf('PROGRAM')) and $self->get_conf('PROGRAM') ne '' and defined($self->get_conf('PACKAGE_URL'))) { - return $self->convert_tree( + if ($program_version_num >= 7.001090) { + return $self->convert_tree( + $self->cdt('This document was generated using @uref{{program_homepage}, @emph{{program}}}.', + { 'program_homepage' => {'text' => $self->get_conf('PACKAGE_URL')}, + 'program' => {'text' => $self->get_conf('PROGRAM') }})); + } else { + return $self->convert_tree( $self->gdt('This document was generated using @uref{{program_homepage}, @emph{{program}}}.', - { 'program_homepage' => $self->get_conf('PACKAGE_URL'), - 'program' => $self->get_conf('PROGRAM') })); + { 'program_homepage' => {'text' => $self->get_conf('PACKAGE_URL')}, + 'program' => {'text' => $self->get_conf('PROGRAM') }})); + } } else { - return $self->convert_tree( - $self->gdt('This document was generated automatically.')); + if ($program_version_num >= 7.001090) { + return $self->convert_tree( + $self->cdt('This document was generated automatically.')); + } else { + return $self->convert_tree( + $self->gdt('This document was generated automatically.')); + } } } if ($program_version_6_8) { From cacdb41ef22b0fe38348dfc0846a14f1eb7ca6fb Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 28 Feb 2025 16:15:56 -0300 Subject: [PATCH 554/562] Changelog: update Signed-off-by: James Almer --- Changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog b/Changelog index 2fd8477a18..f88d35aafe 100644 --- a/Changelog +++ b/Changelog 
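Review bot: The four `convert_tree` calls differ only in whether `cdt` or `gdt` is invoked, so each translatable string is now duplicated and the two copies will drift the next time one is edited; picking the method name once, e.g. `my $translate = $program_version_num >= 7.001090 ? 'cdt' : 'gdt';` and then `$self->$translate(...)`, keeps a single copy of each string and one version test. Separately, the pre-7.1.90 `gdt` call now receives `{'text' => ...}` hash values where it previously received plain strings; whether `gdt` in the older Texinfo versions this file still supports accepts that form is not visible here and is worth confirming.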
@@ -2,6 +2,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 7.0.3: + doc/t2h: Support texinfo 7.1 and 7.2 pretest + avformat/iamf_parse: ensure there's at most one of each parameter types in audio elements + avformat/iamf_parse: add missing constrains for num_parameters in audio_element_oub() + avformat/iamf_parse: add missing av_free() call on failure path + avformat/iamf_writer: ensure the stream groups are not empty + avformat/iamf_writer: fix setting num_samples_per_frame for OPUS + avformat/iamf_parse: fix setting duration for the last subblock in a parameter definition + avformat/iamf_parse: add checks to parameter definition durations + avformat/iamfdec: don't set individual streams as dependent avformat/iff: Check that we have a stream in read_dst_frame() avformat/mlvdec: fix size checks avformat/wavdec: Fix overflow of intermediate in block_align check From 70fe76385da3b59387ca2d5d262cc05697ba5107 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Fri, 18 Aug 2023 15:32:39 -0400 Subject: [PATCH 555/562] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang Add a check for the existence of the vec_xl() function. Clang provides the function even with VSX not enabled. (cherry picked from commit 30a8641465f7b7923e92d8724ef6a595fccb9e58) Signed-off-by: Brad Smith --- configure | 8 ++++++++ libswscale/ppc/yuv2rgb_altivec.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 323476cdd7..7ed9188478 100755 --- a/configure +++ b/configure @@ -2212,6 +2212,7 @@ ARCH_EXT_LIST_PPC=" ldbrx power8 ppc4xx + vec_xl vsx " @@ -2749,6 +2750,7 @@ altivec_deps="ppc" dcbzl_deps="ppc" ldbrx_deps="ppc" ppc4xx_deps="ppc" +vec_xl_deps="altivec" vsx_deps="altivec" power8_deps="vsx" 
@@ -6353,6 +6355,11 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi + if enabled altivec && disabled vsx; then + check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; + vector unsigned char y0 = vec_xl(0, y1i);" + fi + elif enabled riscv; then enabled rv && check_inline_asm rv '".option arch, +zbb\nrev8 t0, t1"' @@ -7899,6 +7906,7 @@ if enabled ppc; then echo "POWER8 enabled ${power8-no}" echo "PPC 4xx optimizations ${ppc4xx-no}" echo "dcbzl available ${dcbzl-no}" + echo "vec_xl available ${vec_xl-no}" fi if enabled loongarch; then echo "LSX enabled ${lsx-no}" diff --git a/libswscale/ppc/yuv2rgb_altivec.c b/libswscale/ppc/yuv2rgb_altivec.c index 5e1033a973..8b0a93796f 100644 --- a/libswscale/ppc/yuv2rgb_altivec.c +++ b/libswscale/ppc/yuv2rgb_altivec.c @@ -284,7 +284,7 @@ static inline void cvtyuvtoRGB(SwsContext *c, vector signed short Y, * ------------------------------------------------------------------------------ */ -#if !HAVE_VSX +#if !HAVE_VEC_XL static inline vector unsigned char vec_xl(signed long long offset, const ubyte *addr) { const vector unsigned char *v_addr = (const vector unsigned char *) (addr + offset); @@ -292,7 +292,7 @@ static inline vector unsigned char vec_xl(signed long long offset, const ubyte * return (vector unsigned char) vec_perm(v_addr[0], v_addr[1], align_perm); } -#endif /* !HAVE_VSX */ +#endif /* !HAVE_VEC_XL */ #define DEFCSP420_CVT(name, out_pixels) \ static int altivec_ ## name(SwsContext *c, const unsigned char **in, \ From 94e94becb133cc0ca89705c98587757b96b3a232 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Tue, 11 Mar 2025 00:31:47 -0400 Subject: [PATCH 556/562] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang v2 v2: test for function if AltiVec is enabled instead of with AltiVec and without VSX (cherry picked from commit 49c8f33262d7c113c71cee9cd30b990a92afa0a1) 
Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 7ed9188478..819e1ae1e9 100755 --- a/configure +++ b/configure @@ -6355,7 +6355,7 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi - if enabled altivec && disabled vsx; then + if enabled altivec; then check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; vector unsigned char y0 = vec_xl(0, y1i);" fi From 5c61d2bdddc450c294576cce6a344c7fcc9ec12d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 25 Sep 2024 15:13:34 +0300 Subject: [PATCH 557/562] configure: Silence Xcode warnings about duplicate libraries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since Xcode 15, macOS developer tools use a new linker. The new linker by default warns for duplicate -l options. As this is a known and expected thing, not to be considered an issue, ask for the warning to be silenced. This silences linker warnings like this: ld: warning: ignoring duplicate libraries: '-lc++', '-lcrypto', '-lm', '-logg', '-lpthread', '-lssl', '-lvorbis', '-lvpx', '-lz' The linker can also warn about duplicate -rpath options, and there's currently no option to silence those warnings. Signed-off-by: Martin Storsjö (cherry picked from commit bd22d7e601933ef8a0975fc9252cee2d44632f61) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 819e1ae1e9..28b530e8a6 100755 --- a/configure +++ b/configure @@ -6448,6 +6448,7 @@ check_cc intrinsics_neon arm_neon.h "int16x8_t test = vdupq_n_s16(0)" check_ldflags -Wl,--as-needed check_ldflags -Wl,-z,noexecstack +check_ldflags -Wl,-no_warn_duplicate_libraries if ! disabled network; then check_func getaddrinfo $network_extralibs From eaa3fb32d9c8a7816b4abc5f18b72e4de9688ca0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 14 Oct 2024 23:43:11 +0300 Subject: [PATCH 558/562] configure: Only try to use the -no_warn_duplicate_libraries flag on Darwin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While we only add the flag if the linker seems to support it, it turns out that ld.bfd had a bug where the flag is accidentally accepted, and the flag produces an output file named "_warn_duplicate_libraries". The ld.bfd bug was fixed in binutils 2.36, in https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3991c7acb29aa8d7d52150695eb3efa03a08dd50. Signed-off-by: Martin Storsjö (cherry picked from commit 38d08f5c451a312d9064b81472fa05ff53b2e780) --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 28b530e8a6..59e06c8d57 100755 --- a/configure +++ b/configure @@ -6448,7 +6448,9 @@ check_cc intrinsics_neon arm_neon.h "int16x8_t test = vdupq_n_s16(0)" check_ldflags -Wl,--as-needed check_ldflags -Wl,-z,noexecstack -check_ldflags -Wl,-no_warn_duplicate_libraries +if [ $target_os = "darwin" ]; then + check_ldflags -Wl,-no_warn_duplicate_libraries +fi if ! disabled network; then check_func getaddrinfo $network_extralibs From 20d711e4df4aef0d4dcc777ee035903fee764c8e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 29 Apr 2025 10:42:48 +0300 Subject: [PATCH 559/562] configure: Enable -fno-common for Darwin targets, avoid linker warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since GCC 10 and llvm.org Clang 11, -fno-common is the default. However Apple's Xcode Clang hasn't followed suit yet, and still defaults to -fcommon. Compiling with -fcommon causes uninitialized global variables to be treated as "common" (which allows multiple object files to have similar definitions). Common variables seem to have the issue that their intended alignment isn't signaled, so the linker assumes that they may need alignment according to their full size. With large global tables, this can lead to linker warnings like this, with Xcode 16.3: ld: warning: reducing alignment of section __DATA,__common from 0x8000 to 0x4000 because it exceeds segment maximum alignment This can be reproduced with a small snippet like this: char table[16385]; int main(int argc, char* argv[]) { return 0; } Compiling with -fno-common avoids this issue and warning, and matches the default behaviour of other compilers. (Compiling with -fno-common also avoids the risk of accidentally accepting duplicate definitions of global variables, as long as they are uninitialized.) Signed-off-by: Martin Storsjö (cherry picked from commit f4e72eb5a3dbd25ed3ab6c9f89c42adcfc0b5e3d) --- configure | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configure b/configure index 59e06c8d57..aa29aa9eba 100755 --- a/configure +++ b/configure 
@@ -5765,6 +5765,13 @@ case $target_os in clang_version=$($cc -dumpversion) test ${clang_version%%.*} -eq 11 && add_cflags -fno-stack-check fi + + # Xcode Clang doesn't default to -fno-common while upstream llvm.org + # Clang (and GCC) do. This avoids linker warnings on Xcode 16.3 about + # "reducing alignment of section __DATA,__common from 0x8000 to 0x4000 + # because it exceeds segment maximum alignment". + check_cflags -fno-common + ;; msys*) die "Native MSYS builds are discouraged, please use the MINGW environment." From 01e42959a5c0d9a64c85245101b65afc9775fd6a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 22 May 2025 21:21:24 +0000 Subject: [PATCH 560/562] avfilter/avfiltergraph: fix regression in picking channel layout Signed-off-by: James Almer (cherry picked from commit 1b3f4842c18409dba5a345ef9e7b3de7a4fa3657) --- libavfilter/avfiltergraph.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 8e091d95e0..f0a4e6fb66 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -1014,8 +1014,8 @@ static void swap_channel_layouts_on_filter(AVFilterContext *filter) } /* no penalty for LFE channel mismatch */ - if (av_channel_layout_channel_from_index(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && - av_channel_layout_channel_from_index(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) + if (av_channel_layout_index_from_channel(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && + av_channel_layout_index_from_channel(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) score += 10; av_channel_layout_from_mask(&in_chlayout, av_channel_layout_subset(&in_chlayout, ~AV_CH_LOW_FREQUENCY)); av_channel_layout_from_mask(&out_chlayout, av_channel_layout_subset(&out_chlayout, ~AV_CH_LOW_FREQUENCY)); From 67ce9aeb5c8f8c0f6d20bad2142b19ad6b4508b8 Mon Sep 17 00:00:00 2001 
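Review bot: The new comment above `check_cflags -fno-common` explains the alignment warning but not the consequence stated in the commit message: with -fno-common, two uninitialized definitions of the same global become a link error instead of being silently merged, which is the reason to keep the flag even after Xcode changes its default. Suggest extending the comment with `# It also turns duplicate uninitialized global definitions into link errors instead of silently merging them.` The `case $target_os in` and the branch label this block belongs to (presumably the darwin one, per the subject line) start outside the hunk.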
From: Coia Prant Date: Fri, 23 May 2025 17:32:00 +0800 Subject: [PATCH 561/562] configure: Use MSYSTEM_CARCH for default arch on msys2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On msys2, `uname -m` returns the architecture of the base msys2 layer. On Windows on arm64, the base msys2 layer itself is still x86_64 only, even if running with e.g. the clangarm64 where the windows native applications are built as aarch64. If MSYSTEM_CARCH is set, use this instead of `uname -m` for the default architecture. This gives the correct behaviour for the clangarm64 environments. It also gives the correct default for the 32 bit x86 environments such as `mingw32`. (On `mingw32`, the fact that `uname -m` returned `x86_64` hasn't been an issue, as both that and `i686` gets normalized into `x86` internally in ffmpeg's configure.) Signed-off-by: Coia Prant Signed-off-by: Martin Storsjö (cherry picked from commit df967d095ae6a42a46cd4c46b96d61cc1c319b23) --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index aa29aa9eba..1aca2f7864 100755 --- a/configure +++ b/configure @@ -4065,6 +4065,8 @@ if test "$target_os_default" = aix; then arch_default=$(uname -p) strip_default="strip -X32_64" nm_default="nm -g -X32_64" +elif test "$MSYSTEM_CARCH" != ""; then + arch_default="$MSYSTEM_CARCH" else arch_default=$(uname -m) fi From 2e503a9b94e2f499791a6fa9172018f61ba3d44a Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 8 Jul 2025 15:00:29 -0300 Subject: [PATCH 562/562] fftools/ffmpeg_demux: don't flag timestamps as unreliable if they are generated Regardless of the source being an AVFMT_NOTIMESTAMPS format, if the timestamps are generated like when using the use_wallclock_as_timestamps demuxer option, then they are reliable. Fixes ticket #11268 
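Review bot: The new `elif test "$MSYSTEM_CARCH" != ""; then` honours the variable on any host where it happens to be exported, not only under msys2 as the subject says, so a stale value inherited from an unrelated shell silently replaces `uname -m` as the default architecture (the user can still pass `--arch`, and the later arch normalisation presumably rejects unknown values, but the gate is cheap). msys2 exports `MSYSTEM` alongside `MSYSTEM_CARCH`, so `elif test -n "$MSYSTEM" && test -n "$MSYSTEM_CARCH"; then` would limit the branch to the intended environments. A short comment, e.g. `# msys2: uname -m reports the base layer's arch, MSYSTEM_CARCH the active environment's`, would carry the commit message's rationale into configure. The `if test "$target_os_default" = aix` that opens this chain is the line just before the hunk.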
Signed-off-by: James Almer (cherry picked from commit 1787fade209b1ecbd4b911c9d77a52bcdec13fa6) --- fftools/ffmpeg_demux.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fftools/ffmpeg_demux.c b/fftools/ffmpeg_demux.c index 47312c9fe1..c6b8af8909 100644 --- a/fftools/ffmpeg_demux.c +++ b/fftools/ffmpeg_demux.c @@ -907,9 +907,18 @@ static int ist_use(InputStream *ist, int decoding_needed) if (decoding_needed && ds->sch_idx_dec < 0) { int is_audio = ist->st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO; + int is_unreliable = !!(d->f.ctx->iformat->flags & AVFMT_NOTIMESTAMPS); + int64_t use_wallclock_as_timestamps; + + ret = av_opt_get_int(d->f.ctx, "use_wallclock_as_timestamps", 0, &use_wallclock_as_timestamps); + if (ret < 0) + return ret; + + if (use_wallclock_as_timestamps) + is_unreliable = 0; ds->dec_opts.flags = (!!ist->fix_sub_duration * DECODER_FLAG_FIX_SUB_DURATION) | - (!!(d->f.ctx->iformat->flags & AVFMT_NOTIMESTAMPS) * DECODER_FLAG_TS_UNRELIABLE) | + (!!is_unreliable * DECODER_FLAG_TS_UNRELIABLE) | (!!(d->loop && is_audio) * DECODER_FLAG_SEND_END_TS) #if FFMPEG_OPT_TOP | ((ist->top_field_first >= 0) * DECODER_FLAG_TOP_FIELD_FIRST)
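Review bot: `ret = av_opt_get_int(d->f.ctx, "use_wallclock_as_timestamps", 0, &use_wallclock_as_timestamps);` followed by `if (ret < 0) return ret;` adds a new failure path to ist_use() for what is only a heuristic flag; since that option is an AVFormatContext option the lookup should only fail on a programming error, and that intent deserves a comment so a later reader does not quietly soften it (if a hard failure is not wanted, `use_wallclock_as_timestamps = 0;` in place of `return ret;` is the alternative). On the rewritten flags line, `!!is_unreliable` is redundant: `is_unreliable` is already 0 or 1 after the `!!(...)` initialiser and the `= 0` assignment. A one-line comment above the new block, e.g. `/* timestamps generated from the wall clock are trustworthy even for AVFMT_NOTIMESTAMPS demuxers */`, would carry the commit message's reasoning into the code. `ret` is declared, and ist_use() continues, outside the hunk.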