diff --git a/Changelog b/Changelog index 99cfa12a3a..ff11803c9c 100644 --- a/Changelog +++ b/Changelog @@ -1,8 +1,651 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : -- YUY2 Lossless Codec decoder +version 3.1.11: +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/shorten: Move buffer allocation and offset init to end of read_header() +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. +- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/rtpdec_h264: Fix heap-buffer-overflow +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- avfilter/vf_ssim: fix temp size calculation + + +version 3.1.10: +- avcodec/diracdec: Check weight_log2denom +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avcodec/takdec: Fix integer overflow in decode_subframe() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() +- avcodec/dnxhddec: Move mb height check out of non hr branch +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- avcodec/ylc: Fix shift overflow +- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() +- avcodec/aacdec_fixed: fix: left shift of negative value -1 +- doc/filters: typo in frei0r +- avcodec/cfhd: Fix decoding regression due to height check +- avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later +- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() +- avcodec/magicyuv: Check that vlc len is not too large +- avcodec/mjpegdec: Clip DC also on the negative side. +- avcodec/aacps (fixed point): Fix multiple signed integer overflows +- avcodec/ylc: Fix vlc of 31 bits +- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() +- avcodec/wavpack: Fix invalid shift +- avcodec/h264_slice: Fix signed integer overflow +- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets +- avcodec/cfhd: Fix invalid left shift of negative value +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/tiff: Update pointer only when the result is used + + +version 3.1.9: +- avcodec/cfhd: Check bpc before setting bpc in context +- avcodec/cfhd: Fix undefined shift +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) +- avcodec/wavpack: Fix undefined integer negation +- avcodec/aacdec_fixed: Check s for being too small +- avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code +- avcodec/h264: Fix mix of lossless and lossy MBs decoding +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/truemotion2: Move skip computation after checks +- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. +- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() +- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible +- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/cfhd: Check band parameters before storing them +- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/qdrw: Fix null pointer dereference +- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/dxv: Check remaining bytes in dxv_decompress_raw() +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avformat/options: log filename on open +- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro +- avcodec/webp: Fixes null pointer dereference +- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ylc: Check count in build_vlc() +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/sheervideo: Check input buffer size before allocating and decoding +- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- doc/filters: Clarify scale2ref example +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avformat/mux: Fix copy an paste typo +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' +- avcodec/mpeg4videodec: Check for multiple VOL headers +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/aacdec_template: Fix fixed point scale in decode_cce() +- avcodec/nvenc: remove unnecessary alignment + + +version 3.1.8: +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' +- avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message +- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects +- avcodec/aac_adtstoasc: fix ASC passthrough on small frames +- avformat/utils: free AVStream.codec properly in free_stream() +- avcodec/options: do a more thorough clean up in avcodec_copy_context() +- avcodec/options: factorize avcodec_copy_context() cleanup code +- avformat/concatdec: fix the h264 annexb extradata check +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/rscc: Check pixel_size for overflow +- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' +- avcodec/g723_1dec: Fix LCG type +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' +- avcodec/mpeg12dec: Fixes runtime error: division by zero +- avcodec/webp: Always set pix_fmt +- avfilter/vf_uspp: Fix currently unused input frame dimensions +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/y41pdec: Fix width in input buffer size check +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 +- avcodec/indeo2: Check for invalid VLCs +- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour +- avcodec/htmlsubtitles: Check for string truncation and return error +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/cdxl: Check format parameter +- avutil/softfloat: Fix overflow in av_div_sf() +- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/g723_1: Fix multiple runtime error: left shift of negative value +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/g722: Fix multiple runtime error: left shift of negative value -1 +- avcodec/dss_sp: Fix multiple left shift of negative value -466 +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/pngdec: Use ff_set_dimensions() +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow +- avcodec/dcadsp: Fix runtime error: signed integer overflow +- avcodec/svq3: Reject dx/dy beyond 16bit +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- doc/developer: Add terse documentation of assumed C implementation defined behavior +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avformat/oggparseogm: Check ff_alloc_extradata() for failure +- avformat/oggparseogm: Check available data before reading global header +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avformat/oggparsedaala: Do not leave an invalid value in gpshift +- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE +- avfilter/af_sofalizer: Fix bad shift +- avcodec: fix uninitialized variable read +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- omx: Fix OOM check +- avcodec/vdpau_hevc: Fix potential out-of-bounds write +- avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int' +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/htmlsubtitles: Fix reading one byte beyond the array +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/rv34: Simplify and factor get_slice_offset() code +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' +- avcodec/pngdec: Check bit depth for validity +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in http_connect() +- lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}() +- lavf/mov.c: Avoid OOB in mov_read_udta_string() +- avformat/apng: fix setting frame delay when max_fps is set to no limit +- swresample/resample: free existing ResampleContext on reinit +- swresample/resample: move resample_free() higher in the file +- lavfi/buffersrc: fix directly setting channel layout +- lavf/mpeg: Initialize a stack variable used by memcmp(). +- lavc/avpacket: Initialize a variable in error path. + + +version 3.1.7: +- avcodec/h264_slice: Clear ref_counts on redundant slices +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- ffserver_config: Setup codecpar in add_codec() +- avcodec/movtextdec: Fix decode_styl() cleanup +- lavf/matroskadec: fix is_keyframe for early Blocks +- configure: bump year +- avcodec/pngdec: Check trns more completely +- avcodec/interplayvideo: Move parameter change check up +- avcodec/dca_lbr: Fix off by 1 error in freq check +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. +- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avcodec/omx: Do not pass negative value into av_malloc() +- avformat/avidec: skip odml master index chunks in avi_sync +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precision clock() +- avutil/random_seed: Improve get_generic_seed() with higher precision clock() +- avformat/mp3dec: fix msan warning when verifying mpa header +- avformat/utils: Print verbose error message if stream count exceeds max_streams +- avformat/options_table: Set the default maximum number of streams to 1000 +- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error +- avutil: Add av_image_check_size2() +- avformat: Add max_streams option +- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated +- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice +- avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option +- configure: check for strtoull on msvc + +version 3.1.6: +- configure: check for strtoull on msvc +- http: move chunk handling from http_read_stream() to http_buf_read(). +- http: make length/offset-related variables unsigned. +- ffserver: Check chunk size +- Avoid using the term "file" and prefer "url" in some docs and comments +- avformat/rtmppkt: Check for packet size mismatches +- zmqsend: Initialize ret to 0 +- avcodec/rawdec: check for side data before checking its size +- avcodec/flacdec: Fix undefined shift in decode_subframe() +- avcodec/get_bits: Fix get_sbits_long(0) +- avformat/ffmdec: Check media type for chunks +- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() +- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c +- avformat/oggparsespeex: Check frames_per_packet and packet_size +- avformat/utils: Check start/end before computing duration in update_stream_timings() +- avcodec/flac_parser: Update nb_headers_buffered +- avformat/idroqdec: Check chunk_size for being too large +- avformat/utils: Fix type mismatch +- avformat/mpeg: Adjust vid probe threshold to correct mis-detection +- avcodec/rv40: Test remaining space in loop of get_dimension() +- avcodec/ituh263dec: Avoid spending a long time in slice sync +- avcodec/movtextdec: Add error message for tsmb_size check +- avcodec/movtextdec: Fix tsmb_size check==0 check +- avcodec/movtextdec: Fix potential integer overflow +- avcodec/sunrast: Fix input buffer pointer check +- avcodec/tscc: Check side data size before use +- avcodec/rawdec: Check side data size before use +- avcodec/msvideo1: Check side data size before use +- avcodec/qpeg: Check side data size before use +- avcodec/qtrle: Check side data size before use +- avcodec/msrle: Check side data size before use +- avcodec/kmvc: Check side data size before use +- avcodec/idcinvideo: Check side data size before use +- avcodec/cinepak: Check side data size before use +- avcodec/8bps: Check side data size before use +- avformat/flvdec: Fix regression losing streams +- avcodec/dvdsubdec: Fix off by 1 error +- avformat/isom: Fix old API regression with exporting max bitrate +- avcodec/dvdsubdec: Fix buf_size check +- vp9: change order of operations in adapt_prob(). +- avcodec/interplayvideo: Check side data size before use +- mss2: only use error correction for matching block counts +- softfloat: decrease MIN_EXP to cover full float range +- libopusdec: default to stereo for invalid number of channels +- flvdec: require need_context_update when changing codec id +- pgssubdec: only set w/h/linesize when allocating data +- sbgdec: prevent NULL pointer access +- rmdec: validate block alignment +- smacker: limit recursion depth of smacker_decode_bigtree +- mxfdec: fix NULL pointer dereference in mxf_read_packet_old +- ffmdec: validate codec parameters +- exr: reindent after previous commit +- exr: fix out-of-bounds read +- libschroedingerdec: fix leaking of framewithpts +- libschroedingerdec: don't produce empty frames +- softfloat: handle -INT_MAX correctly +- filmstripdec: correctly check image dimensions +- pnmdec: make sure v is capped by maxval +- smvjpegdec: make sure cur_frame is not negative +- icodec: correctly check avio_read return value +- dvbsubdec: fix division by zero in compute_default_clut +- proresdec_lgpl: explicitly check coff[3] against slice_data_size +- escape124: reject codebook size 0 +- icodec: add ico_read_close to fix leaking ico->images +- icodec: fix leaking pkt on error +- mpegts: prevent division by zero +- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header +- mpegaudio_parser: don't return AVERROR_PATCHWELCOME +- mxfdec: fix NULL pointer dereference +- lzf: update pointer p after realloc +- diracdec: check return code of get_buffer_with_edge +- ppc: pixblockdsp: do unaligned block accesses correctly again +- interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE +- interplayacm: validate number of channels +- interplayacm: check for too large b +- mpeg12dec: unref discarded picture from extradata +- cavsdec: unref frame before referencing again +- dcstr: fix division by zero +- aiff: check block_align in aiff_read_packet +- rsd: limit number of channels +- avformat: prevent triggering request_probe assert in ff_read_packet +- westwood_aud: prevent division by zero +- astdec: fix division by zero +- aiffdec: fix division by zero +- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data() + +version 3.1.5: +- avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() +- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() +- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() +- doc/examples/demuxing_decoding: Drop AVFrame->pts use +- libopenjpegenc: fix out-of-bounds reads when filling the edges +- libopenjpegenc: stop reusing image data buffer for openjpeg 2 +- configure: fix detection of libopenjpeg +- doc: fix various typos and grammar errors +- avformat/utils: Update codec_id before using it in the parser init +- cmdutils: fix typos +- lavfi: fix typos +- lavc: fix typos +- tools: fix grammar error +- ffmpeg: remove unused and errorneous AVFrame timestamp check +- Support for MIPS cpu P6600 +- avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r6 + +version 3.1.4: +- avformat/avidec: Check nb_streams in read_gab2_sub() +- avformat/avidec: Remove ancient assert +- avfilter/vf_colorspace: fix range for output colorspace option +- lavc/mediacodecdec_h264: fix SODB escaping +- avcodec/nvenc: fix const options for hevc gpu setting +- avformat/avidec: Fix memleak with dv in avi +- lavc/movtextdec.c: Avoid infinite loop on invalid data. +- avcodec/ansi: Check dimensions +- avcodec/cavsdsp: use av_clip_uint8() for idct +- avformat/movenc: Check packet in mov_write_single_packet() too +- avformat/movenc: Factor check_pkt() out +- avformat/utils: fix timebase error in avformat_seek_file() +- avcodec/g726: Add missing ADDB output mask +- avcodec/avpacket: clear side_data_elems +- avformat/movenc: Check first DTS similar to dts difference +- avcodec/ccaption_dec: Use simple array instead of AVBuffer +- avcodec/svq3: Reintroduce slice_type +- avformat/mov: Fix potential integer overflow in mov_read_keys +- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices +- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices +- avformat/avidec: Fix infinite loop in avi_read_nikon() +- lavf/utils: Avoid an overflow for huge negative durations. +- avformat/hls: Fix handling of EXT-X-BYTERANGE streams over 2GB +- lavc/avpacket: Fix undefined behaviour, do not pass a null pointer to memcpy(). +- lavc/mjpegdec: Do not skip reading quantization tables. +- cmdutils: fix implicit declaration of SetDllDirectory function + +version 3.1.3: +- examples/demuxing_decoding: convert to codecpar +- avcodec/exr: Check tile positions +- avcodec/aacenc: Tighter input checks +- avformat/wtvdec: Check pointer before use +- libavcodec/wmalosslessdec: Check the remaining bits +- avcodec/adpcm: Fix adpcm_ima_wav padding +- avcodec/svq3: fix slice size check +- avcodec/diracdec: Check numx/y +- avcodec/h2645_parse: fix nal size +- avcodec/h2645_parse: Use get_nalsize() in ff_h2645_packet_split() +- h2645_parse: only read avc length code at the correct position +- h2645_parse: don't overread AnnexB NALs within an avc stream +- avcodec/h264_parser: Factor get_avc_nalsize() out +- avcodec/cfhd: Increase minimum band dimension to 3 +- avcodec/indeo2: check ctab +- avformat/swfdec: Fix inflate() error code check +- avcodec/rawdec: Fix bits_per_coded_sample checks +- vcodec/h2645_parse: Clear buffer padding +- avcodec/h2645: Fix NAL unit padding +- avfilter/drawutils: Fix single plane with alpha +- cmdutils: check for SetDllDirectory() availability + +version 3.1.2: +- cmdutils: remove the current working directory from the DLL search path on win32 +- avcodec/rawdec: Fix palette handling with changing palettes +- avcodec/raw: Fix decoding of ilacetest.mov +- avformat/mov: Enable mp3 parsing if a packet needs it +- avformat/hls: Use an array instead of stream offset for stream mapping +- avformat/hls: Sync starting segment across variants on live streams +- avformat/hls: Fix regression with ranged media segments +- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample +- avfilter/af_hdcd: small fix in af_hdcd.c where gain was not being adjusted for "attenuate slowly" +- avformat/oggdec: Fix integer overflow with invalid pts +- ffplay: Fix invalid array index +- avcodec/alacenc: allocate bigger packets (cherry picked from commit 82b84c71b009884c8d041361027718b19922c76d) +- libavcodec/dnxhd: Enable 12-bit DNxHR support. +- lavc/vaapi_encode_h26x: Fix a crash if "." is not the decimal separator. +- jni: Return ENOSYS on unsupported platforms +- lavu/hwcontext_vaapi: Fix compilation if VA_FOURCC_ABGR is not defined. +- avcodec/vp9_parser: Check the input frame sizes for being consistent +- avformat/flvdec: parse keyframe before a\v stream was created add_keyframes_index() when stream created or keyframe parsed +- avformat/flvdec: splitting add_keyframes_index() out from parse_keyframes_index() +- libavformat/rtpdec_asf: zero initialize the AVIOContext struct +- libavutil/opt: Small bugfix in example. +- libx264: Increase x264 opts character limit to 4096 +- avcodec/h264_parser: Set sps/pps_ref +- librtmp: Avoid an infiniloop setting connection arguments +- avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame +- lavc/Makefile: Fix standalone compilation of the svq3 decoder. +- lavf/vplayerdec: Improve auto-detection. +- lavc/mediacodecdec_h264: properly convert extradata to annex-b +- Revert "configure: Enable GCC vectorization on ≥4.9 on x86" + +version 3.1.1: +- doc/APIchanges: document the lavu/lavf field moves +- avformat/avformat: Move new field to the end of AVStream +- avformat/utils: update deprecated AVStream->codec when the context is updated +- avutil/frame: Move new field to the end of AVFrame +- libavcodec/exr : fix decoding piz float file. +- avformat/mov: Check sample size +- lavfi: Move new field to the end of AVFilterContext +- lavfi: Move new field to the end of AVFilterLink +- ffplay: Fix usage of private lavfi API +- lavc/mediacodecdec_h264: add missing NAL headers to SPS/PPS buffers +- lavc/pnm_parser: disable parsing for text based PNMs version 3.1: @@ -48,6 +691,8 @@ version 3.1: - CUDA CUVID H264/HEVC decoder - 10-bit depth support in native utvideo decoder - libutvideo wrapper removed +- YUY2 Lossless Codec decoder +- VideoToolbox H.264 encoder version 3.0: diff --git a/RELEASE b/RELEASE index b889d20d71..efd03d130b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.git +3.1.11 diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..afa25ae4ee --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 3.1 "Laplace" │ + └────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 3.1 "Laplace", about 4 + months after the release of FFmpeg 3.0. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. diff --git a/cmdutils.c b/cmdutils.c index 03a4836207..476c85894c 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -61,6 +61,9 @@ #include #include #endif +#if HAVE_SETDLLDIRECTORY +#include +#endif static int init_report(const char *env); @@ -107,6 +110,15 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v } } +void init_dynload(void) +{ +#if HAVE_SETDLLDIRECTORY + /* Calling SetDllDirectory with the empty string (but not NULL) removes the + * current working directory from the DLL search path as a security pre-caution. */ + SetDllDirectory(""); +#endif +} + static void (*program_exit)(int ret); void register_exit(void (*cb)(int ret)) @@ -2099,7 +2111,7 @@ static int print_device_sources(AVInputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_INPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sources for %s:\n", fmt->name); + printf("Auto-detected sources for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sources. Not implemented.\n"); @@ -2129,7 +2141,7 @@ static int print_device_sinks(AVOutputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_OUTPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sinks for %s:\n", fmt->name); + printf("Auto-detected sinks for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sinks. Not implemented.\n"); diff --git a/cmdutils.h b/cmdutils.h index 83ea4ad39e..1b96aa48d1 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -61,6 +61,11 @@ void register_exit(void (*cb)(int ret)); */ void exit_program(int ret) av_noreturn; +/** + * Initialize dynamic library loading + */ +void init_dynload(void); + /** * Initialize the cmdutils option system, in particular * allocate the *_opts contexts. @@ -445,13 +450,13 @@ int show_devices(void *optctx, const char *opt, const char *arg); #if CONFIG_AVDEVICE /** - * Print a listing containing audodetected sinks of the output device. + * Print a listing containing autodetected sinks of the output device. * Device name with options may be passed as an argument to limit results. */ int show_sinks(void *optctx, const char *opt, const char *arg); /** - * Print a listing containing audodetected sources of the input device. + * Print a listing containing autodetected sources of the input device. * Device name with options may be passed as an argument to limit results. */ int show_sources(void *optctx, const char *opt, const char *arg); diff --git a/configure b/configure index 6aadf9c7c8..592df195ac 100755 --- a/configure +++ b/configure @@ -1935,6 +1935,7 @@ SYSTEM_FUNCS=" sched_getaffinity SetConsoleTextAttribute SetConsoleCtrlHandler + SetDllDirectory setmode setrlimit Sleep @@ -4335,7 +4336,7 @@ elif enabled mips; then enable mips32r2 disable msa ;; - p5600|i6400) + p5600|i6400|p6600) disable mipsdsp disable mipsdspr2 ;; @@ -4400,6 +4401,10 @@ elif enabled mips; then enable mips64r6 check_cflags "-mtune=i6400 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" ;; + p6600) + enable mips64r6 + check_cflags "-mtune=p6600 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" + ;; esac else # We do not disable anything. Is up to the user to disable the unwanted features. @@ -4529,7 +4534,7 @@ fi add_cppflags -D_ISOC99_SOURCE add_cxxflags -D__STDC_CONSTANT_MACROS -add_cxxflags -std=c++11 +add_cxxflags -std=c++98 check_cflags -std=c99 check_cc -D_FILE_OFFSET_BITS=64 < @@ -5475,6 +5480,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h PeekNamedPipe check_func_headers windows.h SetConsoleTextAttribute check_func_headers windows.h SetConsoleCtrlHandler +check_func_headers windows.h SetDllDirectory check_func_headers windows.h Sleep check_func_headers windows.h VirtualAlloc check_struct windows.h "CONDITION_VARIABLE" Ptr @@ -5669,10 +5675,11 @@ enabled libopencv && { check_header opencv2/core/core_c.h && require opencv opencv2/core/core_c.h cvCreateImageHeader -lopencv_core -lopencv_imgproc; } || require_pkg_config opencv opencv/cxcore.h cvCreateImageHeader; } enabled libopenh264 && require_pkg_config openh264 wels/codec_api.h WelsGetCodecVersion -enabled libopenjpeg && { check_lib openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || - check_lib openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || +enabled libopenjpeg && { { check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 || + { check_lib2 openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || die "ERROR: libopenjpeg not found"; } enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse pulse/pulseaudio.h pa_context_new @@ -6125,11 +6132,7 @@ elif enabled ccc; then add_cflags -msg_disable nonstandcast add_cflags -msg_disable unsupieee elif enabled gcc; then - case $gcc_basever in - 4.9*) enabled x86 || check_optflags -fno-tree-vectorize ;; - 4.*) check_optflags -fno-tree-vectorize ;; - *) enabled x86 || check_optflags -fno-tree-vectorize ;; - esac + check_optflags -fno-tree-vectorize check_cflags -Werror=format-security check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes @@ -6194,6 +6197,7 @@ __declspec($_restrict) void* foo(int); EOF fi check_func strtoll || add_cflags -Dstrtoll=_strtoi64 + check_func strtoull || add_cflags -Dstrtoull=_strtoui64 fi for pfx in "" host_; do @@ -6620,7 +6624,7 @@ cat > $TMPH <=6.42.100 will not be + compatible with lavfi>=6.47.100. Potentially also affects other users of + libavfilter if they are using one of the affected fields. -------- 8< --------- FFmpeg 3.1 was cut here -------- 8< --------- +2016-06-26 - 481f320 / 1c9e861 - lavu 55.27.100 / 55.13.0 - hwcontext.h + Add av_hwdevice_ctx_create(). + +2016-06-26 - b95534b / e47b8bb - lavc 57.48.101 / 57.19.1 - avcodec.h + Adjust values for JPEG 2000 profiles. + 2016-06-23 - 5d75e46 / db7968b - lavf 57.40.100 / 57.7.0 - avio.h Add AVIODataMarkerType, write_data_type, ignore_boundary_point and avio_write_marker. diff --git a/doc/Doxyfile b/doc/Doxyfile index 0c1604e007..2d5bc2c67b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 3.1.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/doc/codecs.texi b/doc/codecs.texi index 48fc3bfece..3b197a7245 100644 --- a/doc/codecs.texi +++ b/doc/codecs.texi @@ -1173,7 +1173,7 @@ Set to 1 to disable processing alpha (transparency). This works like the instead of alpha. Default is 0. @item codec_whitelist @var{list} (@emph{input}) -"," separated List of allowed decoders. By default all are allowed. +"," separated list of allowed decoders. By default all are allowed. @item dump_separator @var{string} (@emph{input}) Separator used to separate the fields printed on the command line about the diff --git a/doc/demuxers.texi b/doc/demuxers.texi index e34f8b3fe6..d75dc9497e 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -72,7 +72,7 @@ Do not try to resynchronize by looking for a certain optional start code. Virtual concatenation script demuxer. This demuxer reads a list of files and other directives from a text file and -demuxes them one after the other, as if all their packet had been muxed +demuxes them one after the other, as if all their packets had been muxed together. The timestamps in the files are adjusted so that the first file starts at 0 @@ -107,7 +107,7 @@ Identify the script type and version. It also sets the @option{safe} option to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must -appears exactly as is (no extra space or byte-order-mark) on the very first +appear exactly as is (no extra space or byte-order-mark) on the very first line of the script. @item @code{duration @var{dur}} @@ -306,6 +306,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/doc/developer.texi b/doc/developer.texi index 4d3a7aef94..acb9dc83a2 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};}); @item compound literals (@samp{x = (struct s) @{ 17, 23 @};}). + +@item +Implementation defined behavior for signed integers is assumed to match the +expected behavior for two's complement. Non representable values in integer +casts are binary truncated. Shift right of signed values uses sign extension. @end itemize These features are supported by all compilers we care about, so we will not diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index 59e0ccc986..b1a216abb4 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -93,10 +93,9 @@ static int decode_packet(int *got_frame, int cached) return -1; } - printf("video_frame%s n:%d coded_n:%d pts:%s\n", + printf("video_frame%s n:%d coded_n:%d\n", cached ? "(cached)" : "", - video_frame_count++, frame->coded_picture_number, - av_ts2timestr(frame->pts, &video_dec_ctx->time_base)); + video_frame_count++, frame->coded_picture_number); /* copy decoded frame to destination buffer: * this is required since rawvideo expects non aligned data */ @@ -148,11 +147,10 @@ static int decode_packet(int *got_frame, int cached) } static int open_codec_context(int *stream_idx, - AVFormatContext *fmt_ctx, enum AVMediaType type) + AVCodecContext **dec_ctx, AVFormatContext *fmt_ctx, enum AVMediaType type) { int ret, stream_index; AVStream *st; - AVCodecContext *dec_ctx = NULL; AVCodec *dec = NULL; AVDictionary *opts = NULL; @@ -166,17 +164,31 @@ static int open_codec_context(int *stream_idx, st = fmt_ctx->streams[stream_index]; /* find decoder for the stream */ - dec_ctx = st->codec; - dec = avcodec_find_decoder(dec_ctx->codec_id); + dec = avcodec_find_decoder(st->codecpar->codec_id); if (!dec) { fprintf(stderr, "Failed to find %s codec\n", av_get_media_type_string(type)); return AVERROR(EINVAL); } + /* Allocate a codec context for the decoder */ + *dec_ctx = avcodec_alloc_context3(dec); + if (!*dec_ctx) { + fprintf(stderr, "Failed to allocate the %s codec context\n", + av_get_media_type_string(type)); + return AVERROR(ENOMEM); + } + + /* Copy codec parameters from input stream to output codec context */ + if ((ret = avcodec_parameters_to_context(*dec_ctx, st->codecpar)) < 0) { + fprintf(stderr, "Failed to copy %s codec parameters to decoder context\n", + av_get_media_type_string(type)); + return ret; + } + /* Init the decoders, with or without reference counting */ av_dict_set(&opts, "refcounted_frames", refcount ? "1" : "0", 0); - if ((ret = avcodec_open2(dec_ctx, dec, &opts)) < 0) { + if ((ret = avcodec_open2(*dec_ctx, dec, &opts)) < 0) { fprintf(stderr, "Failed to open %s codec\n", av_get_media_type_string(type)); return ret; @@ -255,9 +267,8 @@ int main (int argc, char **argv) exit(1); } - if (open_codec_context(&video_stream_idx, fmt_ctx, AVMEDIA_TYPE_VIDEO) >= 0) { + if (open_codec_context(&video_stream_idx, &video_dec_ctx, fmt_ctx, AVMEDIA_TYPE_VIDEO) >= 0) { video_stream = fmt_ctx->streams[video_stream_idx]; - video_dec_ctx = video_stream->codec; video_dst_file = fopen(video_dst_filename, "wb"); if (!video_dst_file) { @@ -279,9 +290,8 @@ int main (int argc, char **argv) video_dst_bufsize = ret; } - if (open_codec_context(&audio_stream_idx, fmt_ctx, AVMEDIA_TYPE_AUDIO) >= 0) { + if (open_codec_context(&audio_stream_idx, &audio_dec_ctx, fmt_ctx, AVMEDIA_TYPE_AUDIO) >= 0) { audio_stream = fmt_ctx->streams[audio_stream_idx]; - audio_dec_ctx = audio_stream->codec; audio_dst_file = fopen(audio_dst_filename, "wb"); if (!audio_dst_file) { fprintf(stderr, "Could not open destination file %s\n", audio_dst_filename); @@ -369,8 +379,8 @@ int main (int argc, char **argv) } end: - avcodec_close(video_dec_ctx); - avcodec_close(audio_dec_ctx); + avcodec_free_context(&video_dec_ctx); + avcodec_free_context(&audio_dec_ctx); avformat_close_input(&fmt_ctx); if (video_dst_file) fclose(video_dst_file); diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 7368cdbbbd..40eda6e6d2 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ... +ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ... @chapter Description @c man begin DESCRIPTION @@ -24,10 +24,10 @@ rates and resize video on the fly with a high quality polyphase filter. @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular files, pipes, network streams, grabbing devices, etc.), specified by the @code{-i} option, and writes to an arbitrary number of output "files", which are -specified by a plain output filename. Anything found on the command line which -cannot be interpreted as an option is considered to be an output filename. +specified by a plain output url. Anything found on the command line which +cannot be interpreted as an option is considered to be an output url. -Each input or output file can, in principle, contain any number of streams of +Each input or output url can, in principle, contain any number of streams of different types (video/audio/subtitle/attachment/data). The allowed number and/or types of streams may be limited by the container format. Selecting which streams from which inputs will go into which output is either done automatically @@ -243,8 +243,8 @@ Force input or output file format. The format is normally auto detected for inpu files and guessed from the file extension for output files, so this option is not needed in most cases. -@item -i @var{filename} (@emph{input}) -input file name +@item -i @var{url} (@emph{input}) +input file url @item -y (@emph{global}) Overwrite output files without asking. @@ -281,7 +281,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis. When used as an input option (before @code{-i}), limit the @var{duration} of data read from the input file. -When used as an output option (before an output filename), stop writing the +When used as an output option (before an output url), stop writing the output after its duration reaches @var{duration}. @var{duration} must be a time duration specification, @@ -310,7 +310,7 @@ extra segment between the seek point and @var{position} will be decoded and discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it will be preserved. -When used as an output option (before an output filename), decodes but discards +When used as an output option (before an output url), decodes but discards input until the timestamps reach @var{position}. @var{position} must be a time duration specification, @@ -1008,7 +1008,7 @@ Dump each input packet to stderr. @item -hex (@emph{global}) When dumping packets, also dump the payload. @item -re (@emph{input}) -Read input at native frame rate. Mainly used to simulate a grab device. +Read input at native frame rate. Mainly used to simulate a grab device, or live input stream (e.g. when reading from a file). Should not be used with actual grab devices or live input streams (where it can cause packet loss). @@ -1129,7 +1129,7 @@ may be reassigned to a different value. For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for an output mpegts file: @example -ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts +ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts @end example @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream}) diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 4bc3ced39a..073b457256 100644 --- a/doc/ffplay.texi +++ b/doc/ffplay.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffplay [@var{options}] [@file{input_file}] +ffplay [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -106,8 +106,8 @@ the input audio. Use the option "-filters" to show all the available filters (including sources and sinks). -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @section Advanced options diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index 2024eed4e5..26530a9962 100644 --- a/doc/ffprobe.texi +++ b/doc/ffprobe.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffprobe [@var{options}] [@file{input_file}] +ffprobe [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -24,8 +24,8 @@ For example it can be used to check the format of the container used by a multimedia stream and the format and type of each media stream contained in it. -If a filename is specified in input, ffprobe will try to open and -probe the file content. If the file cannot be opened or recognized as +If a url is specified in input, ffprobe will try to open and +probe the url content. If the url cannot be opened or recognized as a multimedia file, a positive exit code is returned. ffprobe may be employed both as a standalone application or in @@ -332,8 +332,8 @@ with name "PIXEL_FORMAT". Force bitexact output, useful to produce output which is not dependent on the specific build. -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @c man end diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 509c8bca7c..a8e485f43a 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -176,10 +176,10 @@ loglevel will be used. If multiple loglevel parameters are given, using Show nothing at all; be silent. @item panic, 0 Only show fatal errors which could lead the process to crash, such as -and assert failure. This is not currently used for anything. +an assertion failure. This is not currently used for anything. @item fatal, 8 Only show fatal errors. These are errors after which the process absolutely -cannot continue after. +cannot continue. @item error, 16 Show all errors, including ones which can be recovered from. @item warning, 24 @@ -195,13 +195,13 @@ Show everything, including debugging information. @item trace, 56 @end table -By default the program logs to stderr, if coloring is supported by the +By default the program logs to stderr. If coloring is supported by the terminal, colors are used to mark errors and warnings. Log coloring can be disabled setting the environment variable @env{AV_LOG_FORCE_NOCOLOR} or @env{NO_COLOR}, or can be forced setting the environment variable @env{AV_LOG_FORCE_COLOR}. The use of the environment variable @env{NO_COLOR} is deprecated and -will be dropped in a following FFmpeg version. +will be dropped in a future FFmpeg version. @item -report Dump full command line and console output to a file named diff --git a/doc/filters.texi b/doc/filters.texi index 3cf3d7ce89..e92227c964 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -845,14 +845,14 @@ A gate is mainly used to reduce lower parts of a signal. This kind of signal processing reduces disturbing noise between useful signals. Gating is done by detecting the volume below a chosen level @var{threshold} -and divide it by the factor set with @var{ratio}. The bottom of the noise +and dividing it by the factor set with @var{ratio}. The bottom of the noise floor is set via @var{range}. Because an exact manipulation of the signal would cause distortion of the waveform the reduction can be levelled over time. This is done by setting @var{attack} and @var{release}. @var{attack} determines how long the signal has to fall below the threshold before any reduction will occur and @var{release} sets the time the signal -has to raise above the threshold to reduce the reduction again. +has to rise above the threshold to reduce the reduction again. Shorter signals than the chosen attack time will be left untouched. @table @option @@ -869,7 +869,7 @@ If a signal rises above this level the gain reduction is released. Default is 0.125. Allowed range is from 0 to 1. @item ratio -Set a ratio about which the signal is reduced. +Set a ratio by which the signal is reduced. Default is 2. Allowed range is from 1 to 9000. @item attack @@ -892,19 +892,19 @@ Default is 2.828427125. Allowed range is from 1 to 8. @item detection Choose if exact signal should be taken for detection or an RMS like one. -Default is rms. Can be peak or rms. +Default is @code{rms}. Can be @code{peak} or @code{rms}. @item link Choose if the average level between all channels or the louder channel affects the reduction. -Default is average. Can be average or maximum. +Default is @code{average}. Can be @code{average} or @code{maximum}. @end table @section alimiter -The limiter prevents input signal from raising over a desired threshold. +The limiter prevents an input signal from rising over a desired threshold. This limiter uses lookahead technology to prevent your signal from distorting. -It means that there is a small delay after signal is processed. Keep in mind +It means that there is a small delay after the signal is processed. Keep in mind that the delay it produces is the attack time you set. The filter accepts the following options: @@ -1353,7 +1353,7 @@ Set the number of samples per each output audio frame. The last output packet may contain a different number of samples, as the filter will flush all the remaining samples when the input audio -signal its end. +signals its end. The filter accepts the following options: @@ -2445,7 +2445,7 @@ filtering with large delay. Default is disabled. Enable multichannels evaluation on gain. Default is disabled. @item zero_phase -Enable zero phase mode by substracting timestamp to compensate delay. +Enable zero phase mode by subtracting timestamp to compensate delay. Default is disabled. @end table @@ -3216,7 +3216,7 @@ Can be specified in dB (in case "dB" is appended to the specified value) or amplitude ratio. Default value is @code{0}. @item leave_silence -This indicate that @var{stop_duration} length of audio should be left intact +This indicates that @var{stop_duration} length of audio should be left intact at the beginning of each period of silence. For example, if you want to remove long pauses between words but do not want to remove the pauses completely. Default value is @code{0}. @@ -6622,10 +6622,10 @@ This option does not exist, please see the timeline system @item alpha Draw the text applying alpha blending. The value can -be either a number between 0.0 and 1.0 -The expression accepts the same variables @var{x, y} do. +be a number between 0.0 and 1.0. +The expression accepts the same variables @var{x, y} as well. The default value is 1. -Please see fontcolor_expr +Please see @var{fontcolor_expr}. @item fontsize The font size to be used for drawing text. @@ -6808,7 +6808,7 @@ the following expansion mechanism is used. The backslash character @samp{\}, followed by any character, always expands to the second character. -Sequence of the form @code{%@{...@}} are expanded. The text between the +Sequences of the form @code{%@{...@}} are expanded. The text between the braces is a function name, possibly followed by arguments separated by ':'. If the arguments contain special characters or delimiters (':' or '@}'), they should be escaped. @@ -8094,7 +8094,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. @@ -8714,8 +8714,8 @@ value. Detect video interlacing type. -This filter tries to detect if the input frames as interlaced, progressive, -top or bottom field first. It will also try and detect fields that are +This filter tries to detect if the input frames are interlaced, progressive, +top or bottom field first. It will also try to detect fields that are repeated between adjacent frames (a sign of telecine). Single frame detection considers only immediately adjacent frames when classifying each frame. @@ -8782,7 +8782,7 @@ Set progressive threshold. Threshold for repeated field detection. @item half_life Number of frames after which a given frame's contribution to the -statistics is halved (i.e., it contributes only 0.5 to it's +statistics is halved (i.e., it contributes only 0.5 to its classification). The default of 0 means that all frames seen are given full weight of 1.0 forever. @item analyze_interlaced_flag @@ -11514,7 +11514,7 @@ uses the reference video instead of the main input as basis. @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example @@ -14281,7 +14281,7 @@ syntax is deprecated: Create a pattern generated by an elementary cellular automaton. The initial state of the cellular automaton can be defined through the -@option{filename}, and @option{pattern} options. If such options are +@option{filename} and @option{pattern} options. If such options are not specified an initial state is created randomly. At each new frame a new row in the video is filled with the result of @@ -15324,7 +15324,7 @@ Temporally interleave frames from several inputs. These filters read frames from several inputs and send the oldest queued frame to the output. -Input streams must have a well defined, monotonically increasing frame +Input streams must have well defined, monotonically increasing frame timestamp values. In order to submit one frame to output, these filters need to enqueue @@ -15332,9 +15332,9 @@ at least one frame for each input, so they cannot work in case one input is not yet terminated and will not receive incoming frames. For example consider the case when one input is a @code{select} filter -which always drop input frames. The @code{interleave} filter will keep +which always drops input frames. The @code{interleave} filter will keep reading from that input, but it will never be able to send new frames -to output until the input will send an end-of-stream signal. +to output until the input sends an end-of-stream signal. Also, depending on inputs synchronization, the filters will drop frames in case one input receives more frames than the other ones, and diff --git a/doc/formats.texi b/doc/formats.texi index f79ebe28ac..a2d72e6572 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -195,7 +195,7 @@ delayed bt the time duration specified in @var{offset}. Default value is @code{0} (meaning that no offset is applied). @item format_whitelist @var{list} (@emph{input}) -"," separated List of allowed demuxers. By default all are allowed. +"," separated list of allowed demuxers. By default all are allowed. @item dump_separator @var{string} (@emph{input}) Separator used to separate the fields printed on the command line about the @@ -205,6 +205,10 @@ For example to separate the fields with newlines and indention: ffprobe -dump_separator " " -i ~/videos/matrixbench_mpeg2.mpg @end example + +@item max_streams @var{integer} (@emph{input}) +Specifies the maximum number of streams. This can be used to reject files that +would require too many resources due to a large number of streams. @end table @c man end FORMAT OPTIONS diff --git a/doc/indevs.texi b/doc/indevs.texi index 3fb852b1f8..6cbdf88725 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -656,7 +656,7 @@ is an exact value. For HDV, it is not frame exact, since HDV does not have a fixed frame size. @item dvguid -Select the capture device by specifying it's GUID. Capturing will only +Select the capture device by specifying its GUID. Capturing will only be performed from the specified device and fails if no device with the given GUID is found. This is useful to select the input if multiple devices are connected at the same time. @@ -1319,7 +1319,7 @@ ffmpeg -f x11grab -framerate 25 -video_size cif -i :0.0+10,20 out.mpg @table @option @item draw_mouse -Specify whether to draw the mouse pointer. A value of @code{0} specify +Specify whether to draw the mouse pointer. A value of @code{0} specifies not to draw the pointer. Default value is @code{1}. @item follow_mouse diff --git a/doc/muxers.texi b/doc/muxers.texi index c2ca0ba92d..3e77a4beb6 100644 --- a/doc/muxers.texi +++ b/doc/muxers.texi @@ -274,14 +274,14 @@ the loops: ffmpeg -i INPUT -loop 10 -final_delay 500 out.gif @end example -Note 1: if you wish to extract the frames in separate GIF files, you need to +Note 1: if you wish to extract the frames into separate GIF files, you need to force the @ref{image2} muxer: @example ffmpeg -i INPUT -c:v gif -f image2 "out%d.gif" @end example -Note 2: the GIF format has a very small time base: the delay between two frames -can not be smaller than one centi second. +Note 2: the GIF format has a very large time base: the delay between two frames +can therefore not be smaller than one centi second. @anchor{hash} @section hash diff --git a/doc/platform.texi b/doc/platform.texi index 21b135f55d..9ec6ff4733 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -173,7 +173,7 @@ earlier, place @code{c99wrap.exe} and @code{c99conv.exe} somewhere in your Next, make sure any other headers and libs you want to use, such as zlib, are located in a spot that the compiler can see. Do so by modifying the @code{LIB} and @code{INCLUDE} environment variables to include the @strong{Windows-style} -paths to these directories. Alternatively, you can try and use the +paths to these directories. Alternatively, you can try to use the @code{--extra-cflags}/@code{--extra-ldflags} configure options. If using MSVC 2012 or earlier, place @code{inttypes.h} somewhere the compiler can see too. diff --git a/doc/protocols.texi b/doc/protocols.texi index 72b39145ec..0165ff7434 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -355,7 +355,7 @@ autodetection in the future. If set to 1 enables experimental HTTP server. This can be used to send data when used as an output option, or read data from a client with HTTP POST when used as an input option. -If set to 2 enables experimental mutli-client HTTP server. This is not yet implemented +If set to 2 enables experimental multi-client HTTP server. This is not yet implemented in ffmpeg.c or ffserver.c and thus must not be used as a command line option. @example # Server side (sending): diff --git a/ffmpeg.c b/ffmpeg.c index 9ffd833a91..cdded8673f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2026,12 +2026,7 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) } } - /* if the decoder provides a pts, use it instead of the last packet pts. - the decoder could be delaying output by a packet or more. */ - if (decoded_frame->pts != AV_NOPTS_VALUE) { - ist->dts = ist->next_dts = ist->pts = ist->next_pts = av_rescale_q(decoded_frame->pts, avctx->time_base, AV_TIME_BASE_Q); - decoded_frame_tb = avctx->time_base; - } else if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { + if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { decoded_frame->pts = decoded_frame->pkt_pts; decoded_frame_tb = ist->st->time_base; } else if (pkt->pts != AV_NOPTS_VALUE) { @@ -4303,6 +4298,8 @@ int main(int argc, char **argv) int ret; int64_t ti; + init_dynload(); + register_exit(ffmpeg_cleanup); setvbuf(stderr,NULL,_IONBF,0); /* win32 runtime needs this */ diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 7785a304cb..7f3ff1ad11 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -3009,8 +3009,8 @@ enum OptGroup { }; static const OptionGroupDef groups[] = { - [GROUP_OUTFILE] = { "output file", NULL, OPT_OUTPUT }, - [GROUP_INFILE] = { "input file", "i", OPT_INPUT }, + [GROUP_OUTFILE] = { "output url", NULL, OPT_OUTPUT }, + [GROUP_INFILE] = { "input url", "i", OPT_INPUT }, }; static int open_files(OptionGroupList *l, const char *inout, diff --git a/ffplay.c b/ffplay.c index f28e0877cd..adbe9cb4e1 100644 --- a/ffplay.c +++ b/ffplay.c @@ -2725,7 +2725,7 @@ static int stream_component_open(VideoState *is, int stream_index) goto fail; link = is->out_audio_filter->inputs[0]; sample_rate = link->sample_rate; - nb_channels = link->channels; + nb_channels = avfilter_link_get_channels(link); channel_layout = link->channel_layout; } #else @@ -2936,7 +2936,7 @@ static int read_thread(void *arg) AVStream *st = ic->streams[i]; enum AVMediaType type = st->codecpar->codec_type; st->discard = AVDISCARD_ALL; - if (wanted_stream_spec[type] && st_index[type] == -1) + if (type >= 0 && wanted_stream_spec[type] && st_index[type] == -1) if (avformat_match_stream_specifier(ic, st, wanted_stream_spec[type]) > 0) st_index[type] = i; } @@ -3776,6 +3776,8 @@ int main(int argc, char **argv) char dummy_videodriver[] = "SDL_VIDEODRIVER=dummy"; char alsa_bufsize[] = "SDL_AUDIO_ALSA_SET_BUFFER_SIZE=1"; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); parse_loglevel(argc, argv, options); diff --git a/ffprobe.c b/ffprobe.c index b9c3760384..25678040f8 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1789,6 +1789,56 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2243,29 +2293,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); - if (par->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(par->color_range)); - else - print_str_opt("color_range", "N/A"); - s = av_get_colorspace_name(par->color_space); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (par->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(par->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); - - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); - - if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(par->chroma_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); + print_color_range(w, par->color_range, "N/A"); + print_color_space(w, par->color_space); + print_color_trc(w, par->color_trc); + print_primaries(w, par->color_primaries); + print_chroma_location(w, par->chroma_location); #if FF_API_PRIVATE_OPT if (dec_ctx && dec_ctx->timecode_frame_start >= 0) { @@ -3241,6 +3274,8 @@ int main(int argc, char **argv) char *w_name = NULL, *w_args = NULL; int ret, i; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); diff --git a/ffserver.c b/ffserver.c index 1a27583677..aec808e78c 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) @@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; @@ -3980,6 +3983,7 @@ int main(int argc, char **argv) int cfg_parsed; int ret = EXIT_FAILURE; + init_dynload(); config.filename = av_strdup("/etc/ffserver.conf"); diff --git a/ffserver_config.c b/ffserver_config.c index 0ec93b5fda..e0fc6876e0 100644 --- a/ffserver_config.c +++ b/ffserver_config.c @@ -323,6 +323,8 @@ done: av_dict_free(&recommended); av_stream_set_recommended_encoder_configuration(st, enc_config); st->codec = av; + st->codecpar = avcodec_parameters_alloc(); + avcodec_parameters_from_context(st->codecpar, av); stream->streams[stream->nb_streams++] = st; } diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 46344e0e43..503ad76c0a 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -119,12 +119,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (avctx->bits_per_coded_sample <= 8) { + int size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { + &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy (frame->data[1], c->pal, AVPALETTE_SIZE); diff --git a/libavcodec/Makefile b/libavcodec/Makefile index fd0d1f0afc..bb28aea1e2 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -528,7 +528,8 @@ OBJS-$(CONFIG_SUNRAST_ENCODER) += sunrastenc.o OBJS-$(CONFIG_SVQ1_DECODER) += svq1dec.o svq1.o svq13.o h263data.o OBJS-$(CONFIG_SVQ1_ENCODER) += svq1enc.o svq1.o h263data.o \ h263.o ituh263enc.o -OBJS-$(CONFIG_SVQ3_DECODER) += svq3.o svq13.o mpegutils.o h264_parse.o h264data.o +OBJS-$(CONFIG_SVQ3_DECODER) += svq3.o svq13.o mpegutils.o \ + h264_parse.o h264data.o h264_ps.o h2645_parse.o OBJS-$(CONFIG_TEXT_DECODER) += textdec.o ass.o OBJS-$(CONFIG_TEXT_ENCODER) += srtenc.o ass_split.o OBJS-$(CONFIG_TAK_DECODER) += takdec.o tak.o takdsp.o diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index 48889fc48e..d47fa230ab 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c @@ -49,14 +49,14 @@ static int aac_adtstoasc_filter(AVBSFContext *bsfc, AVPacket *out) if (ret < 0) return ret; + if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff) + goto finish; + if (in->size < AAC_ADTS_HEADER_SIZE) goto packet_too_small; init_get_bits(&gb, in->data, AAC_ADTS_HEADER_SIZE * 8); - if (bsfc->par_in->extradata && show_bits(&gb, 12) != 0xfff) - goto finish; - if (avpriv_aac_parse_header(&gb, &hdr) < 0) { av_log(bsfc, AV_LOG_ERROR, "Error parsing ADTS frame header!\n"); ret = AVERROR_INVALIDDATA; diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index c12dc2fab7..438d78a7aa 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -35,6 +35,7 @@ #define AAC_RENAME(x) x ## _fixed #define AAC_RENAME_32(x) x ## _fixed_32 typedef int INTFLOAT; +typedef unsigned UINTFLOAT; ///< Equivalent to INTFLOAT, Used as temporal cast to avoid undefined sign overflow operations. typedef int64_t INT64FLOAT; typedef int16_t SHORTFLOAT; typedef SoftFloat AAC_FLOAT; @@ -45,7 +46,7 @@ typedef int AAC_SIGNE; #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30) @@ -72,7 +73,7 @@ typedef int AAC_SIGNE; #define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x40000000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else @@ -83,6 +84,7 @@ typedef int AAC_SIGNE; #define AAC_RENAME(x) x #define AAC_RENAME_32(x) x typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float INT64FLOAT; typedef float SHORTFLOAT; typedef float AAC_FLOAT; diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index ee9b4eb45f..ffb0f22ec0 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index acb8178337..e7c2d2d299 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx) static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } @@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign) { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } @@ -171,20 +171,25 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); dst[i] = ((int)(out+round) >> s) * ssign; } - } - else { + } else if (s > -32) { s = s + 32; round = 1 << (s-1); for (i=0; i> s); - dst[i] = out * ssign; + dst[i] = out * (unsigned)ssign; } + } else { + av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n"); } } @@ -203,8 +208,12 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) c /= band_energy; s = 21 + nlz - (s >> 2); - if (s > 0) { - round = 1 << (s-1); + if (s > 31) { + for (i=0; i= 0) { + round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; @@ -296,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (pv.mant + (1 << (shift - 1))) >> shift; + } else + *coef += pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); @@ -362,7 +375,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac, shift = (gain-1024) >> 3; } - if (shift < 0) { + if (shift < -31) { + // Nothing to do + } else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); @@ -379,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp << shift; + dest[group * 128 + k] += tmp * (1 << shift); } } } @@ -419,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp << shift; + dest[i] += tmp * (1 << shift); } } } diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 883ed527f7..7819d710bf 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** @@ -2155,7 +2160,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1); sign = get_bits(gb, 1); - scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)]; +#if USE_FIXED + scale = get_bits(gb, 2); +#else + scale = cce_scale[get_bits(gb, 2)]; +#endif if ((ret = decode_ics(ac, sce, gb, 0, 0))) return ret; @@ -2169,6 +2178,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb); gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0; gain_cache = GET_GAIN(scale, gain); +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } if (coup->coupling_point == AFTER_IMDCT) { coup->gain[c][0] = gain_cache; @@ -2186,6 +2199,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) t >>= 1; } gain_cache = GET_GAIN(scale, t) * s; +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } } coup->gain[c][idx] = gain_cache; @@ -2359,7 +2376,7 @@ static int decode_extension_payload(AACContext *ac, GetBitContext *gb, int cnt, * @param decode 1 if tool is used normally, 0 if tool is used in LTP. * @param coef spectral coefficients */ -static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, +static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, IndividualChannelStream *ics, int decode) { const int mmm = FFMIN(ics->tns_max_bands, ics->max_sfb); @@ -2367,6 +2384,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, int bottom, top, order, start, end, size, inc; INTFLOAT lpc[TNS_MAX_ORDER]; INTFLOAT tmp[TNS_MAX_ORDER+1]; + UINTFLOAT *coef = coef_param; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; @@ -2396,7 +2414,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, // ar filter for (m = 0; m < size; m++, start += inc) for (i = 1; i <= FFMIN(m, order); i++) - coef[start] -= AAC_MUL26(coef[start - i * inc], lpc[i - 1]); + coef[start] -= AAC_MUL26((INTFLOAT)coef[start - i * inc], lpc[i - 1]); } else { // ma filter for (m = 0; m < size; m++, start += inc) { diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 2653cefaaa..4b80d38c29 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -622,8 +622,8 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } for (k = 0; k < 1024; k++) { - if (!isfinite(cpe->ch[ch].coeffs[k])) { - av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n"); + if (!(fabs(cpe->ch[ch].coeffs[k]) < 1E16)) { // Ensure headroom for energy calculation + av_log(avctx, AV_LOG_ERROR, "Input contains (near) NaN/+-Inf\n"); return AVERROR(EINVAL); } } diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index ccc79ffc1d..aa0220b147 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full) static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC]) { #if USE_FIXED - par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \ + par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \ + par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \ 0x40000000) >> 31); - par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \ + par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \ + par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \ 0x40000000) >> 31); #else par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f; @@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT for (i = 0; i < NR_PAR_BANDS[is34]; i++) { for (n = n0; n < nL; n++) { int decayed_peak; - int denom; - decayed_peak = (int)(((int64_t)peak_decay_factor * \ peak_decay_nrg[i] + 0x40000000) >> 31); peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]); - power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2; - peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \ - peak_decay_diff_smooth[i] + 2) >> 2; - denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1); - if (denom > power_smooth[i]) { - int p = power_smooth[i]; - while (denom < 0x40000000) { - denom <<= 1; - p <<= 1; - } - transient_gain[i][n] = p / (denom >> 16); - } - else { - transient_gain[i][n] = 1 << 16; - } + power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2; + peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \ + peak_decay_diff_smooth[i]) >> 2; + + if (peak_decay_diff_smooth[i]) { + transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16); + } else + transient_gain[i][n] = 1 << 16; } } #else @@ -942,7 +933,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED - width <<= 1; + width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; @@ -975,7 +966,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width); } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..1f5ff410d1 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; @@ -567,20 +575,33 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + int shift2; + shift = 22 - in[m ].exp; + shift2= 22 - in[m+1].exp; + if (shift < 1 || shift2 < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); + return; + } + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + if (shift2 < 32) { + round = 1 << (shift2-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift2; + } } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); + return; + } else if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } } } indexnoise = (indexnoise + m_max) & 0x1ff; diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 511054276a..f69c2d612b 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -623,24 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -688,14 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -710,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index fac189b6b6..00f59275d1 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -744,30 +744,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -894,7 +895,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { @@ -1028,7 +1030,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { @@ -1328,7 +1331,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index c2b867e32c..5330a5156a 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -128,6 +128,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -144,6 +145,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 6416da436e..56b62548ec 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,11 +65,11 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; ibits_per_coded_sample != 4) { int samples_per_block = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; int block_size = ff_adpcm_ima_block_sizes[avctx->bits_per_coded_sample - 2]; - uint8_t temp[20] = { 0 }; + uint8_t temp[20 + AV_INPUT_BUFFER_PADDING_SIZE] = { 0 }; GetBitContext g; for (n = 0; n < (nb_samples - 1) / samples_per_block; n++) { diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 32cc0f005a..178ea99dcf 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index 9ac35f1a14..9095611289 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -623,7 +623,7 @@ static int alac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, else max_frame_size = s->max_coded_frame_size; - if ((ret = ff_alloc_packet2(avctx, avpkt, 2 * max_frame_size, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, avpkt, 4 * max_frame_size, 0)) < 0) return ret; /* use verbatim mode for compression_level 0 */ diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 7d0c135c5e..57aed874cc 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -262,7 +262,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; @@ -292,7 +292,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -302,7 +302,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 4808ea7fff..8032aebe5e 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; @@ -94,7 +90,15 @@ static av_cold int decode_init(AVCodecContext *avctx) int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); if (ret < 0) return ret; + } else if (avctx->width % FONT_WIDTH || avctx->height % s->font_height) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); + return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index b99598b4ee..072e3b42cf 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); diff --git a/libavcodec/asvenc.c b/libavcodec/asvenc.c index ec98a0ce35..c4eca2a13d 100644 --- a/libavcodec/asvenc.c +++ b/libavcodec/asvenc.c @@ -61,7 +61,7 @@ static inline void asv2_put_level(ASV1Context *a, PutBitContext *pb, int level) } else { put_bits(pb, ff_asv2_level_tab[31][1], ff_asv2_level_tab[31][0]); if (level < -128 || level > 127) { - av_log(a->avctx, AV_LOG_WARNING, "Cliping level %d, increase qscale\n", level); + av_log(a->avctx, AV_LOG_WARNING, "Clipping level %d, increase qscale\n", level); level = av_clip_int8(level); } asv2_put_bits(pb, 8, level & 0xFF); diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 39713ed76b..1be52e7a12 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1515,7 +1515,17 @@ enum AVPacketSideDataType { * should be associated with a video stream and containts data in the form * of the AVMasteringDisplayMetadata struct. */ - AV_PKT_DATA_MASTERING_DISPLAY_METADATA + AV_PKT_DATA_MASTERING_DISPLAY_METADATA, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 9218689239..8ffae4bcb2 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -139,7 +139,8 @@ int av_grow_packet(AVPacket *pkt, int grow_by) pkt->buf = av_buffer_alloc(new_size); if (!pkt->buf) return AVERROR(ENOMEM); - memcpy(pkt->buf->data, pkt->data, pkt->size); + if (pkt->size > 0) + memcpy(pkt->buf->data, pkt->data, pkt->size); pkt->data = pkt->buf->data; } pkt->size += grow_by; @@ -198,6 +199,7 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) { pkt->data = NULL; pkt->side_data = NULL; + pkt->side_data_elems = 0; if (pkt->buf) { AVBufferRef *ref = av_buffer_ref(src->buf); if (!ref) @@ -207,9 +209,11 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) } else { DUP_DATA(pkt->data, src->data, pkt->size, 1, ALLOC_BUF); } - if (pkt->side_data_elems && dup) + if (src->side_data_elems && dup) { pkt->side_data = src->side_data; - if (pkt->side_data_elems && !dup) { + pkt->side_data_elems = src->side_data_elems; + } + if (src->side_data_elems && !dup) { return av_copy_packet_side_data(pkt, src); } return 0; @@ -291,16 +295,17 @@ FF_ENABLE_DEPRECATION_WARNINGS int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, uint8_t *data, size_t size) { + AVPacketSideData *tmp; int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); - pkt->side_data = av_realloc(pkt->side_data, - (elems + 1) * sizeof(*pkt->side_data)); - if (!pkt->side_data) + tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); + if (!tmp) return AVERROR(ENOMEM); + pkt->side_data = tmp; pkt->side_data[elems].data = data; pkt->side_data[elems].size = size; pkt->side_data[elems].type = type; @@ -343,6 +348,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type, return pkt->side_data[i].data; } } + if (size) + *size = 0; return NULL; } @@ -426,6 +433,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); diff --git a/libavcodec/bitstream_filters.c b/libavcodec/bitstream_filters.c index 840bb43e4d..462cacf02c 100644 --- a/libavcodec/bitstream_filters.c +++ b/libavcodec/bitstream_filters.c @@ -58,6 +58,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name) { int i; + if (!name) + return NULL; + for (i = 0; bitstream_filters[i]; i++) { const AVBitStreamFilter *f = bitstream_filters[i]; if (!strcmp(f->name, name)) diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 97f850dbae..cf7f0a0501 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 10e118e55b..c1b280b344 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } @@ -613,8 +612,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 70ac6f8a42..cd4eec9caf 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; @@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; @@ -1217,6 +1221,8 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (*got_frame) + av_frame_unref(data); *got_frame = 0; if (!h->got_keyframe) break; diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 91f6d7350b..df9490ad8f 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -188,7 +188,6 @@ static void cavs_filter_ch_c(uint8_t *d, int stride, int alpha, int beta, int tc static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { int i; int16_t (*src)[8] = (int16_t(*)[8])block; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; src[0][0] += 8; @@ -243,14 +242,14 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { const int b2 = a5 - a7; const int b3 = a4 - a6; - dst[i + 0*stride] = cm[ dst[i + 0*stride] + ((b0 + b4) >> 7)]; - dst[i + 1*stride] = cm[ dst[i + 1*stride] + ((b1 + b5) >> 7)]; - dst[i + 2*stride] = cm[ dst[i + 2*stride] + ((b2 + b6) >> 7)]; - dst[i + 3*stride] = cm[ dst[i + 3*stride] + ((b3 + b7) >> 7)]; - dst[i + 4*stride] = cm[ dst[i + 4*stride] + ((b3 - b7) >> 7)]; - dst[i + 5*stride] = cm[ dst[i + 5*stride] + ((b2 - b6) >> 7)]; - dst[i + 6*stride] = cm[ dst[i + 6*stride] + ((b1 - b5) >> 7)]; - dst[i + 7*stride] = cm[ dst[i + 7*stride] + ((b0 - b4) >> 7)]; + dst[i + 0*stride] = av_clip_uint8( dst[i + 0*stride] + ((b0 + b4) >> 7)); + dst[i + 1*stride] = av_clip_uint8( dst[i + 1*stride] + ((b1 + b5) >> 7)); + dst[i + 2*stride] = av_clip_uint8( dst[i + 2*stride] + ((b2 + b6) >> 7)); + dst[i + 3*stride] = av_clip_uint8( dst[i + 3*stride] + ((b3 + b7) >> 7)); + dst[i + 4*stride] = av_clip_uint8( dst[i + 4*stride] + ((b3 - b7) >> 7)); + dst[i + 5*stride] = av_clip_uint8( dst[i + 5*stride] + ((b2 - b6) >> 7)); + dst[i + 6*stride] = av_clip_uint8( dst[i + 6*stride] + ((b1 - b5) >> 7)); + dst[i + 7*stride] = av_clip_uint8( dst[i + 7*stride] + ((b0 - b4) >> 7)); } } diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c index 3b15149d79..360c6872e1 100644 --- a/libavcodec/ccaption_dec.c +++ b/libavcodec/ccaption_dec.c @@ -247,7 +247,8 @@ typedef struct CCaptionSubContext { int64_t last_real_time; char prev_cmd[2]; /* buffer to store pkt data */ - AVBufferRef *pktbuf; + uint8_t *pktbuf; + int pktbuf_size; int readorder; } CCaptionSubContext; @@ -273,11 +274,7 @@ static av_cold int init_decoder(AVCodecContext *avctx) if (ret < 0) { return ret; } - /* allocate pkt buffer */ - ctx->pktbuf = av_buffer_alloc(128); - if (!ctx->pktbuf) { - ret = AVERROR(ENOMEM); - } + return ret; } @@ -285,7 +282,8 @@ static av_cold int close_decoder(AVCodecContext *avctx) { CCaptionSubContext *ctx = avctx->priv_data; av_bprint_finalize(&ctx->buffer, NULL); - av_buffer_unref(&ctx->pktbuf); + av_freep(&ctx->pktbuf); + ctx->pktbuf_size = 0; return 0; } @@ -729,16 +727,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp int ret = 0; int i; - if (ctx->pktbuf->size < len) { - ret = av_buffer_realloc(&ctx->pktbuf, len); - if (ret < 0) { - av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size); - len = ctx->pktbuf->size; - ret = 0; - } + av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len); + if (!ctx->pktbuf) { + av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size); + return AVERROR(ENOMEM); } - memcpy(ctx->pktbuf->data, avpkt->data, len); - bptr = ctx->pktbuf->data; + memcpy(ctx->pktbuf, avpkt->data, len); + bptr = ctx->pktbuf; for (i = 0; i < len; i += 3) { uint8_t cc_type = *(bptr + i) & 3; diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index c8d66b5845..78f5d50102 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -275,11 +275,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, else aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 74facd462d..e11ebf9ee2 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -258,6 +258,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->coded_height = data; } else if (tag == 101) { av_log(avctx, AV_LOG_DEBUG, "Bits per component: %"PRIu16"\n", data); + if (data < 1 || data > 31) { + av_log(avctx, AV_LOG_ERROR, "Bits per component %d is invalid\n", data); + ret = AVERROR(EINVAL); + break; + } s->bpc = data; } else if (tag == 12) { av_log(avctx, AV_LOG_DEBUG, "Channel Count: %"PRIu16"\n", data); @@ -317,22 +322,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { - s->plane[s->channel_num].band[0][0].width = data; - s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].a_width) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].width = data; + s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { - s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { @@ -363,39 +368,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", s->codebook); @@ -404,12 +409,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Other codebook? %i\n", s->codebook); } else if (tag == 70) { av_log(avctx, AV_LOG_DEBUG, "Subsampling or bit-depth flag? %i\n", data); - s->bpc = data; - if (!(s->bpc == 10 || s->bpc == 12)) { + if (!(data == 10 || data == 12)) { av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n"); ret = AVERROR(EINVAL); break; } + s->bpc = data; } else if (tag == 84) { av_log(avctx, AV_LOG_DEBUG, "Sample format? %i\n", data); if (data == 1) @@ -657,7 +662,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } @@ -710,7 +715,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index a2190d7598..4b12fcbca6 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,14 +436,20 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; if (s->palette_video) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 1c6902afd4..97d3ae40ea 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; @@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 342603c7d4..56c5f40982 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -310,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) break; // End of subframe freq += diff - 2; - if (freq >> (5 - group) > s->nsubbands * 4 - 5) { + if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); return -1; } diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index 1cd2e4eddf..4cb7fab9ac 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] -= mul15(src[i], coeff); + dst[i] -= (unsigned)mul15(src[i], coeff); } static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 763371a3aa..ddb6b1b2c9 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -39,7 +39,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, @@ -688,7 +688,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); frame->palette_has_changed = 1; diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f45d019a79..8067ac94e5 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); @@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); @@ -249,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 4d338651fa..755d5e5d2d 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,7 +99,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((b0 + b2 + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) @@ -111,22 +111,22 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (b0[i] + b2[i] + 2) >> 2; + b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c473e8778f..4f6de7af3d 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -231,7 +231,7 @@ enum dirac_subband { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) @@ -462,7 +462,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \ SubBand *b, type *buf, int x, int y) \ { \ - int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + unsigned coeff; \ const int mstride = -(b->stride >> (1+b->pshift)); \ if (b->parent) { \ const type *pbuf = (type *)b->parent->ibuf; \ @@ -593,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> @@ -1081,6 +1082,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } @@ -1099,6 +1104,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) if (get_bits1(gb)) { s->weight_log2denom = get_interleaved_ue_golomb(gb); + if (s->weight_log2denom < 1 || s->weight_log2denom > 8) { + av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n"); + s->weight_log2denom = 1; + return AVERROR_INVALIDDATA; + } s->weight[0] = dirac_get_se_golomb(gb); if (s->num_refs == 2) s->weight[1] = dirac_get_se_golomb(gb); @@ -1153,6 +1163,11 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb); + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); + s->num_x = s->num_y = 0; + return AVERROR_INVALIDDATA; + } if (s->ld_picture) { s->lowdelay.bytes.num = get_interleaved_ue_golomb(gb); s->lowdelay.bytes.den = get_interleaved_ue_golomb(gb); @@ -1328,7 +1343,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } @@ -1895,7 +1910,9 @@ static int dirac_decode_picture_header(DiracContext *s) for (j = 0; j < MAX_FRAMES; j++) if (!s->all_frames[j].avframe->data[0]) { s->ref_pics[i] = &s->all_frames[j]; - get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + ret = get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + if (ret < 0) + return ret; break; } @@ -1959,9 +1976,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 18080803fa..862e964b51 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -118,11 +118,6 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) av_log(ctx->avctx, AV_LOG_ERROR, "bit depth mismatches %d %d\n", ff_dnxhd_cid_table[index].bit_depth, bitdepth); return AVERROR_INVALIDDATA; } - if (bitdepth > 10) { - avpriv_request_sample(ctx->avctx, "DNXHR 12-bit"); - if (ctx->avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) - return AVERROR_PATCHWELCOME; - } ctx->cid_table = &ff_dnxhd_cid_table[index]; av_log(ctx->avctx, AV_LOG_VERBOSE, "Profile cid %d.\n", cid); @@ -133,7 +128,7 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth + 4, + init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, ctx->cid_table->dc_codes, 1, 1, 0); init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, @@ -278,14 +273,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, if (header_prefix == DNXHD_HEADER_HR2) { ctx->data_offset = 0x170 + (ctx->mb_height << 2); } else { - if (ctx->mb_height > 68 || - (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + if (ctx->mb_height > 68) { av_log(ctx->avctx, AV_LOG_ERROR, "mb height too big: %d\n", ctx->mb_height); return AVERROR_INVALIDDATA; } ctx->data_offset = 0x280; } + if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + av_log(ctx->avctx, AV_LOG_ERROR, + "mb height too big: %d\n", ctx->mb_height); + return AVERROR_INVALIDDATA; + } if (buf_size < ctx->data_offset) { av_log(ctx->avctx, AV_LOG_ERROR, diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index ddea48304f..14025fcdde 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size) vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) @@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index e9f4765b15..9525cb7885 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -810,7 +811,7 @@ static void compute_default_clut(AVSubtitleRect *rect, int w, int h) list_inv[ i ] = bestv; } - count = i - 1; + count = FFMAX(i - 1, 1); for (i--; i>=0; i--) { int v = i*255/count; AV_WN32(rect->data[1] + 4*list_inv[i], RGBA(v/2,v,v/2,v)); @@ -1217,9 +1218,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); @@ -1242,6 +1243,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; @@ -1270,6 +1272,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 19f25f0e60..917adc3dfe 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } @@ -185,16 +185,16 @@ static void guess_palette(DVDSubContext* ctx, for(i = 0; i < 4; i++) { if (alpha[i] != 0) { if (!color_used[colormap[i]]) { - level = level_map[nb_opaque_colors][j]; + level = level_map[nb_opaque_colors - 1][j]; r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } @@ -548,7 +548,8 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { + av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf)); + if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); ctx->buf_size = 0; diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 05a9aadd24..f194b134b5 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -331,6 +331,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; GetByteContext *gbc = &ctx->gbc; + if (bytestream2_get_bytes_left(gbc) < ctx->tex_size) + return AVERROR_INVALIDDATA; + bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size); return 0; } diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 47e5aa6587..939c06d4df 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,16 +271,16 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index bb0f0053ff..c28fd11d42 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 8fd5cdb17f..92b23d009c 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame, static void tqi_calculate_qtable(TqiContext *t, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11; diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 9a51bdaa9c..71e22779f6 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -250,6 +250,10 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This codebook can be cut off at places other than // powers of 2, leaving some of the entries undefined. cb_size = get_bits_long(&gb, 20); + if (!cb_size) { + av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n"); + return AVERROR_INVALIDDATA; + } cb_depth = av_log2(cb_size - 1) + 1; } else { cb_depth = get_bits(&gb, 4); diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c87187c05c..0a7475fcb3 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -216,9 +216,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway @@ -749,6 +749,9 @@ static int piz_uncompress(EXRContext *s, const uint8_t *src, int ssize, uint16_t *tmp = (uint16_t *)td->tmp; uint8_t *out; int ret, i, j; + int pixel_half_size;/* 1 for half, 2 for float and uint32 */ + EXRChannel *channel; + int tmp_offset; if (!td->bitmap) td->bitmap = av_malloc(BITMAP_SIZE); @@ -781,24 +784,38 @@ static int piz_uncompress(EXRContext *s, const uint8_t *src, int ssize, ptr = tmp; for (i = 0; i < s->nb_channels; i++) { - EXRChannel *channel = &s->channels[i]; - int size = channel->pixel_type; + channel = &s->channels[i]; - for (j = 0; j < size; j++) - wav_decode(ptr + j, td->xsize, size, td->ysize, - td->xsize * size, maxval); - ptr += td->xsize * td->ysize * size; + if (channel->pixel_type == EXR_HALF) + pixel_half_size = 1; + else + pixel_half_size = 2; + + for (j = 0; j < pixel_half_size; j++) + wav_decode(ptr + j, td->xsize, pixel_half_size, td->ysize, + td->xsize * pixel_half_size, maxval); + ptr += td->xsize * td->ysize * pixel_half_size; } apply_lut(td->lut, tmp, dsize / sizeof(uint16_t)); out = td->uncompressed_data; - for (i = 0; i < td->ysize; i++) + for (i = 0; i < td->ysize; i++) { + tmp_offset = 0; for (j = 0; j < s->nb_channels; j++) { - uint16_t *in = tmp + j * td->xsize * td->ysize + i * td->xsize; - memcpy(out, in, td->xsize * 2); - out += td->xsize * 2; + uint16_t *in; + EXRChannel *channel = &s->channels[j]; + if (channel->pixel_type == EXR_HALF) + pixel_half_size = 1; + else + pixel_half_size = 2; + + in = tmp + tmp_offset * td->xsize * td->ysize + i * td->xsize * pixel_half_size; + tmp_offset += pixel_half_size; + memcpy(out, in, td->xsize * 2 * pixel_half_size); + out += td->xsize * 2 * pixel_half_size; } + } return 0; } @@ -1010,8 +1027,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, uint64_t line_offset, uncompressed_size; uint16_t *ptr_x; uint8_t *ptr; - uint32_t data_size, line, col = 0; - uint32_t tileX, tileY, tileLevelX, tileLevelY; + uint32_t data_size; + uint64_t line, col = 0; + uint64_t tileX, tileY, tileLevelX, tileLevelY; const uint8_t *src; int axmax = (avctx->width - (s->xmax + 1)) * 2 * s->desc->nb_components; /* nb pixel to add at the right of the datawindow */ int bxmin = s->xmin * 2 * s->desc->nb_components; /* nb pixel to add at the left of the datawindow */ @@ -1042,9 +1060,18 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_PATCHWELCOME; } + if (s->xmin || s->ymin) { + avpriv_report_missing_feature(s->avctx, "Tiles with xmin/ymin"); + return AVERROR_PATCHWELCOME; + } + line = s->tile_attr.ySize * tileY; col = s->tile_attr.xSize * tileX; + if (line < s->ymin || line > s->ymax || + col < s->xmin || col > s->xmax) + return AVERROR_INVALIDDATA; + td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tileY * s->tile_attr.ySize); td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tileX * s->tile_attr.xSize); @@ -1390,17 +1417,15 @@ static int decode_header(EXRContext *s) return AVERROR_PATCHWELCOME; } - if (s->channel_offsets[channel_index] == -1){/* channel have not been previously assign */ - if (channel_index >= 0) { - if (s->pixel_type != EXR_UNKNOWN && - s->pixel_type != current_pixel_type) { - av_log(s->avctx, AV_LOG_ERROR, - "RGB channels not of the same depth.\n"); - return AVERROR_INVALIDDATA; - } - s->pixel_type = current_pixel_type; - s->channel_offsets[channel_index] = s->current_channel_offset; + if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ + if (s->pixel_type != EXR_UNKNOWN && + s->pixel_type != current_pixel_type) { + av_log(s->avctx, AV_LOG_ERROR, + "RGB channels not of the same depth.\n"); + return AVERROR_INVALIDDATA; } + s->pixel_type = current_pixel_type; + s->channel_offsets[channel_index] = s->current_channel_offset; } s->channels = av_realloc(s->channels, diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 6a932b2934..c532eb227c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; @@ -482,7 +483,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i || !len) return AVERROR_INVALIDDATA; @@ -1003,7 +1004,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int pixshift = desc->comp[j].depth > 8; int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; @@ -1011,6 +1012,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 948a230419..fec3e928cb 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -781,14 +781,12 @@ FF_ENABLE_DEPRECATION_WARNINGS s->colorspace = 1; s->transparency = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_0RGB32: s->colorspace = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_GBRP9: if (!avctx->bits_per_raw_sample) @@ -1225,7 +1223,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; @@ -1281,6 +1278,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, if (f->version > 3) maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4; + if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) { + av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n"); + maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32; + } + if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0) return ret; @@ -1314,11 +1316,17 @@ FF_ENABLE_DEPRECATION_WARNINGS } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); diff --git a/libavcodec/fic.c b/libavcodec/fic.c index d3952a4c01..f66c05b94b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -84,26 +84,26 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t *block) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index f5cc35a4f2..e69f1d72e9 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -586,10 +586,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, temp = curr->next; av_freep(&curr->link_penalty); av_free(curr); + fpc->nb_headers_buffered--; } fpc->headers = fpc->best_header->next; av_freep(&fpc->best_header->link_penalty); av_freep(&fpc->best_header); + fpc->nb_headers_buffered--; } /* Find and score new headers. */ diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index b7237e18f0..c372c1b91d 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); @@ -268,7 +268,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, int pred_order, int bps) { const int blocksize = s->blocksize; - int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i; + unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d); + int i; int ret; /* warm up samples */ @@ -447,7 +448,7 @@ static inline int decode_subframe(FLACContext *s, int channel) if (wasted) { int i; for (i = 0; i < s->blocksize; i++) - decoded[i] <<= wasted; + decoded[i] = (unsigned)decoded[i] << wasted; } return 0; diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 62c0a15ff6..776c78da71 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in, for (j = 0; j < len; j++) for (i = 0; i < channels; i++) - S(samples, i, j) = in[i][j] << shift; + S(samples, i, j) = (int)((unsigned)in[i][j] << shift); } static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index c9c6c24e55..157f0c31a7 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -272,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -324,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; @@ -522,6 +531,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ @@ -558,9 +569,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; diff --git a/libavcodec/g722.c b/libavcodec/g722.c index ee3b85f845..ef7ca6d446 100644 --- a/libavcodec/g722.c +++ b/libavcodec/g722.c @@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band) ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff) band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index a11fec8a9e..78ce922266 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) bits= FFMAX(bits, 0); for (i = 0; i < length; i++) - dst[i] = vector[i] << bits >> 3; + dst[i] = (vector[i] * (1 << bits)) >> 3; return bits - 3; } @@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) for (j = 0; j < LPC_ORDER; j++) { int index = (lpc[j] >> 7) & 0x1FF; int offset = lpc[j] & 0x7f; - int temp1 = cos_tab[index] << 16; + int temp1 = cos_tab[index] * (1 << 16); int temp2 = (cos_tab[index + 1] - cos_tab[index]) * - ((offset << 8) + 0x80) << 1; + (((offset << 8) + 0x80) << 1); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); } @@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) */ /* Initialize with values in Q28 */ f1[0] = 1 << 28; - f1[1] = (lpc[0] << 14) + (lpc[2] << 14); + f1[1] = (lpc[0] + lpc[2]) * (1 << 14); f1[2] = lpc[0] * lpc[2] + (2 << 28); f2[0] = 1 << 28; - f2[1] = (lpc[1] << 14) + (lpc[3] << 14); + f2[1] = (lpc[1] + lpc[3]) * (1 << 14); f2[2] = lpc[1] * lpc[3] + (2 << 28); /* @@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) f1[0] >>= 1; f2[0] >>= 1; - f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; - f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; + f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1; + f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1; } /* Convert polynomial coefficients to LPC coefficients */ @@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff2 = f2[i + 1] - f2[i]; - lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; - lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + + lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16; + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) + (1 << 15)) >> 16; } } diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h index 40d6e700b1..f833af01c6 100644 --- a/libavcodec/g723_1.h +++ b/libavcodec/g723_1.h @@ -55,7 +55,7 @@ * @param b 16 bit multiplier */ #define MULL2(a, b) \ - ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) + ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15)) /** * G723.1 frame types diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 6f283b449f..de70957387 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -487,7 +487,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (FRAME_LEN - lag) * sizeof(*out)); } else { /* Unvoiced */ for (i = 0; i < FRAME_LEN; i++) { - *rseed = *rseed * 521 + 259; + *rseed = (int16_t)(*rseed * 521 + 259); out[i] = gain * *rseed >> 15; } memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf)); @@ -516,7 +516,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ }\ \ - (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ + (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\ (1 << 15)) >> res_shift;\ }\ } @@ -663,7 +663,7 @@ static int estimate_sid_gain(G723_1_Context *p) t = p->sid_gain << shift; else t = p->sid_gain >> -shift; - x = t * cng_filt[0] >> 16; + x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); if (x >= cng_bseg[2]) return 0x3F; @@ -694,13 +694,13 @@ static int estimate_sid_gain(G723_1_Context *p) if (y <= 0) { t = seg * 32 + (val + 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val++; } else { t = seg * 32 + (val - 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val--; } @@ -732,7 +732,7 @@ static void generate_noise(G723_1_Context *p) off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN; t >>= 2; for (j = 0; j < 11; j++) { - signs[i * 11 + j] = (t & 1) * 2 - 1 << 14; + signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14); t >>= 1; } } @@ -776,7 +776,7 @@ static void generate_noise(G723_1_Context *p) sum = 0; if (shift < 0) { for (j = 0; j < SUBFRAME_LEN * 2; j++) { - t = vector_ptr[j] << -shift; + t = vector_ptr[j] * (1 << -shift); sum += t * t; tmp[j] = t; } @@ -814,7 +814,7 @@ static void generate_noise(G723_1_Context *p) if (shift < 0) x >>= -shift; else - x <<= shift; + x *= 1 << shift; x = av_clip(x, -10000, 10000); for (j = 0; j < 11; j++) { @@ -903,7 +903,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, &p->subframe[i], p->cur_rate); /* Get the total excitation */ for (j = 0; j < SUBFRAME_LEN; j++) { - int v = av_clip_int16(vector_ptr[j] << 1); + int v = av_clip_int16(vector_ptr[j] * 2); vector_ptr[j] = av_clip_int16(v + acb_vector[j]); } vector_ptr += SUBFRAME_LEN; diff --git a/libavcodec/g726.c b/libavcodec/g726.c index c7d138e4b5..6922b40f87 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -206,7 +206,7 @@ static int16_t g726_decode(G726Context* c, int I) if (I_sig) /* get the sign */ dq = -dq; - re_signal = c->se + dq; + re_signal = (int16_t)(c->se + dq); /* Update second order predictor coefficient A2 and A1 */ pk0 = (c->sez + dq) ? sgn(c->sez + dq) : 0; @@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0f183e0358..e8888419b5 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -369,6 +369,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n) */ static inline int get_sbits_long(GetBitContext *s, int n) { + // sign_extend(x, 0) is undefined + if (!n) + return 0; + return sign_extend(get_bits_long(s, n), n); } diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a61379cc9f..40c4ea1efe 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -898,7 +898,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, - h->nal_length_size, avctx->codec_id); + h->nal_length_size, avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); @@ -1023,7 +1023,8 @@ again: #endif } else context_count++; - } + } else + sl->ref_count[0] = sl->ref_count[1] = 0; break; case NAL_DPA: case NAL_DPB: diff --git a/libavcodec/h264.h b/libavcodec/h264.h index efe3555132..309f91df68 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -57,8 +57,6 @@ #define MAX_DELAYED_PIC_COUNT 16 -#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes - /* Compiling in interlaced support reduces the speed * of progressive decoding by about 2%. */ #define ALLOW_INTERLACE diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 9979b63c3b..c3961a5e90 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -30,10 +30,11 @@ #include "h2645_parse.h" int ff_h2645_extract_rbsp(const uint8_t *src, int length, - H2645NAL *nal) + H2645NAL *nal, int small_padding) { int i, si, di; uint8_t *dst; + int64_t padding = small_padding ? 0 : MAX_MBPAIR_SIZE; nal->skipped_bytes = 0; #define STARTCODE_TEST \ @@ -81,16 +82,17 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, } #endif /* HAVE_FAST_UNALIGNED */ - if (i >= length - 1) { // no escaped 0 + if (i >= length - 1 && small_padding) { // no escaped 0 nal->data = nal->raw_data = src; nal->size = nal->raw_size = length; return length; - } + } else if (i > length) + i = length; - av_fast_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, - length + AV_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, + length + padding); if (!nal->rbsp_buffer) return AVERROR(ENOMEM); @@ -247,7 +249,7 @@ static int h264_parse_nal_header(H2645NAL *nal, void *logctx) int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, void *logctx, int is_nalff, int nal_length_size, - enum AVCodecID codec_id) + enum AVCodecID codec_id, int small_padding) { int consumed, ret = 0; const uint8_t *next_avc = is_nalff ? buf : buf + length; @@ -258,19 +260,21 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, int extract_length = 0; int skip_trailing_zeros = 1; - if (buf >= next_avc) { - int i; - for (i = 0; i < nal_length_size; i++) - extract_length = (extract_length << 8) | buf[i]; + if (buf == next_avc) { + int i = 0; + extract_length = get_nalsize(nal_length_size, + buf, length, &i, logctx); + if (extract_length < 0) + return extract_length; + buf += nal_length_size; length -= nal_length_size; - if (extract_length > length) { - av_log(logctx, AV_LOG_ERROR, "Invalid NAL unit size.\n"); - return AVERROR_INVALIDDATA; - } next_avc = buf + extract_length; } else { + if (buf > next_avc) + av_log(logctx, AV_LOG_WARNING, "Exceeded next NALFF position, re-syncing.\n"); + /* search start code */ while (buf[0] != 0 || buf[1] != 0 || buf[2] != 1) { ++buf; @@ -290,7 +294,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, buf += 3; length -= 3; - extract_length = length; + extract_length = FFMIN(length, next_avc - buf); if (buf >= next_avc) { /* skip to the start of the next NAL */ @@ -322,7 +326,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, } nal = &pkt->nals[pkt->nb_nals]; - consumed = ff_h2645_extract_rbsp(buf, extract_length, nal); + consumed = ff_h2645_extract_rbsp(buf, extract_length, nal, small_padding); if (consumed < 0) return consumed; diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index a3c7e1f814..3a60f3fb9b 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -26,6 +26,8 @@ #include "avcodec.h" #include "get_bits.h" +#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes + typedef struct H2645NAL { uint8_t *rbsp_buffer; int rbsp_buffer_size; @@ -74,18 +76,38 @@ typedef struct H2645Packet { * Extract the raw (unescaped) bitstream. */ int ff_h2645_extract_rbsp(const uint8_t *src, int length, - H2645NAL *nal); + H2645NAL *nal, int small_padding); /** * Split an input packet into NAL units. */ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, void *logctx, int is_nalff, int nal_length_size, - enum AVCodecID codec_id); + enum AVCodecID codec_id, int small_padding); /** * Free all the allocated memory in the packet. */ void ff_h2645_packet_uninit(H2645Packet *pkt); +static inline int get_nalsize(int nal_length_size, const uint8_t *buf, + int buf_size, int *buf_index, void *logctx) +{ + int i, nalsize = 0; + + if (*buf_index >= buf_size - nal_length_size) { + // the end of the buffer is reached, refill it + return AVERROR(EAGAIN); + } + + for (i = 0; i < nal_length_size; i++) + nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; + if (nalsize <= 0 || nalsize > buf_size - *buf_index) { + av_log(logctx, AV_LOG_ERROR, + "Invalid nal size %d\n", nalsize); + return AVERROR_INVALIDDATA; + } + return nalsize; +} + #endif /* AVCODEC_H2645_PARSE_H */ diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 68d7282717..111d7917b8 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1744,7 +1744,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ @@ -2348,21 +2348,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = sl->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->sei.unregistered.x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(sl->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(sl->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (sl->top_type && !IS_8x8DCT(sl->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; @@ -2371,14 +2390,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const uint32_t *qmul; - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - // decode_cabac_mb_dqp if(get_cabac_noinline( &sl->cabac, &sl->cabac_state[60 + (sl->last_qscale_diff != 0)])){ int val = 1; @@ -2409,6 +2420,14 @@ decode_intra_mb: }else sl->last_qscale_diff=0; + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 0); if (CHROMA444(h)) { decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 1); diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 3293c66816..4d743e1324 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1102,17 +1102,9 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const int max_qp = 51 + 6 * (h->ps.sps->bit_depth_luma - 8); - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - dquant= get_se_golomb(&sl->gb); - sl->qscale += dquant; + sl->qscale += (unsigned)dquant; if (((unsigned)sl->qscale) > max_qp){ if (sl->qscale < 0) sl->qscale += max_qp + 1; @@ -1126,6 +1118,14 @@ decode_intra_mb: sl->chroma_qp[0] = get_chroma_qp(h, 0, sl->qscale); sl->chroma_qp[1] = get_chroma_qp(h, 1, sl->qscale); + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + if ((ret = decode_luma_residual(h, sl, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 0)) < 0 ) { return -1; } diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index e137ff9227..e9570b8eb2 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -613,7 +613,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index e33a59e4ca..4ae56ae8c2 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -636,7 +636,7 @@ static av_always_inline void hl_decode_mb_predict_luma(const H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = sl->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->ps.sps->profile_idc == 244 && dir <= 1) { - if (h->sei.unregistered.x264_build != -1) { + if (h->sei.unregistered.x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index be02e5af9b..cb7faa68f9 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon } if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) { // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK. - SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); + SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); } } #undef SET_DIAG_MV @@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index a63530de58..f50f01b5b7 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -327,7 +327,7 @@ static int decode_extradata_ps(const uint8_t *data, int size, H264ParamSets *ps, H2645Packet pkt = { 0 }; int i, ret = 0; - ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264); + ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264, 1); if (ret < 0) { ret = 0; goto fail; diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index ce4bab225e..abe596146d 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -226,26 +226,6 @@ static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, return 0; } -static inline int get_avc_nalsize(H264ParseContext *p, const uint8_t *buf, - int buf_size, int *buf_index, void *logctx) -{ - int i, nalsize = 0; - - if (*buf_index >= buf_size - p->nal_length_size) { - // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); - } - - for (i = 0; i < p->nal_length_size; i++) - nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; - if (nalsize <= 0 || nalsize > buf_size - *buf_index) { - av_log(logctx, AV_LOG_ERROR, - "AVC: nal size %d\n", nalsize); - return AVERROR_INVALIDDATA; - } - return nalsize; -} - /** * Parse NAL units of found picture and decode some basic information. * @@ -286,7 +266,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, int src_length, consumed, nalsize = 0; if (buf_index >= next_avc) { - nalsize = get_avc_nalsize(p, buf, buf_size, &buf_index, avctx); + nalsize = get_nalsize(p->nal_length_size, buf, buf_size, &buf_index, avctx); if (nalsize < 0) break; next_avc = buf_index + nalsize; @@ -316,7 +296,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, } break; } - consumed = ff_h2645_extract_rbsp(buf + buf_index, src_length, &nal); + consumed = ff_h2645_extract_rbsp(buf + buf_index, src_length, &nal, 1); if (consumed < 0) break; @@ -367,13 +347,26 @@ static inline int parse_nal_units(AVCodecParserContext *s, "non-existing PPS %u referenced\n", pps_id); goto fail; } - p->ps.pps = (const PPS*)p->ps.pps_list[pps_id]->data; + + av_buffer_unref(&p->ps.pps_ref); + av_buffer_unref(&p->ps.sps_ref); + p->ps.pps = NULL; + p->ps.sps = NULL; + p->ps.pps_ref = av_buffer_ref(p->ps.pps_list[pps_id]); + if (!p->ps.pps_ref) + goto fail; + p->ps.pps = (const PPS*)p->ps.pps_ref->data; + if (!p->ps.sps_list[p->ps.pps->sps_id]) { av_log(avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", p->ps.pps->sps_id); goto fail; } - p->ps.sps = (SPS*)p->ps.sps_list[p->ps.pps->sps_id]->data; + + p->ps.sps_ref = av_buffer_ref(p->ps.sps_list[p->ps.pps->sps_id]); + if (!p->ps.sps_ref) + goto fail; + p->ps.sps = (SPS*)p->ps.sps_ref->data; sps = p->ps.sps; diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 943d953645..1aa5532e15 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -803,8 +803,8 @@ int ff_h264_decode_picture_parameter_set(GetBitContext *gb, AVCodecContext *avct pps->weighted_pred = get_bits1(gb); pps->weighted_bipred_idc = get_bits(gb, 2); - pps->init_qp = get_se_golomb(gb) + 26 + qp_bd_offset; - pps->init_qs = get_se_golomb(gb) + 26 + qp_bd_offset; + pps->init_qp = get_se_golomb(gb) + 26U + qp_bd_offset; + pps->init_qs = get_se_golomb(gb) + 26U + qp_bd_offset; pps->chroma_qp_index_offset[0] = get_se_golomb(gb); pps->deblocking_filter_parameters_present = get_bits1(gb); pps->constrained_intra_pred = get_bits1(gb); diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 474400ba2f..cdd56af1f7 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1667,7 +1667,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) } sl->last_qscale_diff = 0; - tmp = pps->init_qp + get_se_golomb(&sl->gb); + tmp = pps->init_qp + (unsigned)get_se_golomb(&sl->gb); if (tmp > 51 + 6 * (sps->bit_depth_luma - 8)) { av_log(h->avctx, AV_LOG_ERROR, "QP %u out of range\n", tmp); return AVERROR_INVALIDDATA; @@ -1697,17 +1697,19 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index b478065db2..de734310dc 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -246,6 +246,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; @@ -269,12 +271,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } @@ -2786,6 +2792,10 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) } if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } ret = hevc_frame_start(s); if (ret < 0) return ret; @@ -2867,7 +2877,7 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) /* split the input packet into NAL units, so we know the upper bound on the * number of slices in the frame */ ret = ff_h2645_packet_split(&s->pkt, buf, length, s->avctx, s->is_nalff, - s->nal_length_size, s->avctx->codec_id); + s->nal_length_size, s->avctx->codec_id, 1); if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index be91010378..162ca0e582 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -539,8 +539,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 1f33b0cdfe..9fbcd1d8b8 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -471,7 +471,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index b5633f16ef..d93586ba7d 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c @@ -90,7 +90,7 @@ static int parse_nal_units(AVCodecParserContext *s, const uint8_t *buf, int ret, i; ret = ff_h2645_packet_split(&ctx->pkt, buf, buf_size, avctx, 0, 0, - AV_CODEC_ID_HEVC); + AV_CODEC_ID_HEVC, 1); if (ret < 0) return ret; @@ -243,7 +243,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, const uint8_t *buf, src_length = 20; } - consumed = ff_h2645_extract_rbsp(buf, src_length, nal); + consumed = ff_h2645_extract_rbsp(buf, src_length, nal, 1); if (consumed < 0) return consumed; diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 83f2ec2bac..c1b69a0199 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -169,6 +169,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) @@ -218,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -225,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); @@ -738,7 +756,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } @@ -996,10 +1014,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } @@ -1407,6 +1425,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, HEVCSPS *sps = NULL; int i, ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); @@ -1566,20 +1585,22 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, pps->deblocking_filter_override_enabled_flag = get_bits1(gb); pps->disable_dbf = get_bits1(gb); if (!pps->disable_dbf) { - pps->beta_offset = get_se_golomb(gb) * 2; - pps->tc_offset = get_se_golomb(gb) * 2; - if (pps->beta_offset/2 < -6 || pps->beta_offset/2 > 6) { + int beta_offset_div2 = get_se_golomb(gb); + int tc_offset_div2 = get_se_golomb(gb) ; + if (beta_offset_div2 < -6 || beta_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_beta_offset_div2 out of range: %d\n", - pps->beta_offset/2); + beta_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->tc_offset/2 < -6 || pps->tc_offset/2 > 6) { + if (tc_offset_div2 < -6 || tc_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_tc_offset_div2 out of range: %d\n", - pps->tc_offset/2); + tc_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } + pps->beta_offset = 2 * beta_offset_div2; + pps->tc_offset = 2 * tc_offset_div2; } } @@ -1591,13 +1612,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 611ad458de..df52e401ad 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -438,7 +438,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 148f246df1..971350e0af 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s) return 0; } -static int decode_pic_timing(HEVCContext *s) +static int decode_pic_timing(HEVCContext *s, int size) { GetBitContext *gb = &s->HEVClc->gb; HEVCSPS *sps; @@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s) } get_bits(gb, 2); // source_scan_type get_bits(gb, 1); // duplicate_flag + skip_bits1(gb); + size--; } - return 1; + skip_bits_long(gb, 8 * size); + + return 0; } static int decode_registered_user_data_closed_caption(HEVCContext *s, int size) @@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size) return decode_nal_sei_display_orientation(s); case SEI_TYPE_PICTURE_TIMING: { - int ret = decode_pic_timing(s); + int ret = decode_pic_timing(s, size); av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type); - skip_bits(gb, 8 * size); return ret; } case SEI_TYPE_MASTERING_DISPLAY_INFO: diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index b840d179c3..5bca02342d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6ae87cca13..6fe33546b1 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 8825f3d8b7..14bd38f5c0 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -67,11 +67,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { @@ -82,7 +82,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], pos += ff_hq_ac_skips[val]; if (pos >= 64) break; - block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12; + block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12; pos++; } diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index feff9c0b68..7f8044e463 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index a2cd40fad3..70311c66d5 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -46,15 +46,17 @@ typedef struct SrtStack { static void rstrip_spaces_buf(AVBPrint *buf) { - while (buf->len > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; SrtStack stack[16]; + int closing_brace_missing = 0; stack[0].tag[0] = 0; strcpy(stack[0].param[PARAM_SIZE], "{\\fs}"); @@ -82,11 +84,20 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) and all microdvd like styles such as {Y:xxx} */ len = 0; an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - if ((an != 1 && (len = 0, sscanf(in, "{\\%*[^}]}%n", &len) >= 0 && len > 0)) || - (len = 0, sscanf(in, "{%*1[CcFfoPSsYy]:%*[^}]}%n", &len) >= 0 && len > 0)) { - in += len - 1; - } else - av_bprint_chars(dst, *in, 1); + + if (!closing_brace_missing) { + if ( (an != 1 && in[1] == '\\') + || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { + char *bracep = strchr(in+2, '}'); + if (bracep) { + in = bracep; + break; + } else + closing_brace_missing = 1; + } + } + + av_bprint_chars(dst, *in, 1); break; case '<': tag_close = in[1] == '/'; @@ -146,7 +157,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) if (stack[sptr].param[i][0]) av_bprintf(dst, "%s", stack[sptr].param[i]); } - } else if (!tagname[1] && strspn(tagname, "bisu") == 1) { + } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) { av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close); } else { unknown = 1; @@ -171,8 +182,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h index e10cdda241..f3a8ef5d8b 100644 --- a/libavcodec/htmlsubtitles.h +++ b/libavcodec/htmlsubtitles.h @@ -23,6 +23,6 @@ #include "libavutil/bprint.h" -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); #endif /* AVCODEC_HTMLSUBTITLES_H */ diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index 0870172794..cff9ad31ac 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -214,7 +214,8 @@ static int idcin_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; IdcinContext *s = avctx->priv_data; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); AVFrame *frame = data; int ret; @@ -227,9 +228,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, if (idcin_decode_vlcs(s, frame)) return AVERROR_INVALIDDATA; - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } /* make the palette available on the way out */ memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 17f236761d..d99ad18f0e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -68,6 +68,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -76,6 +78,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { int c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -87,7 +91,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -115,12 +122,16 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; @@ -171,6 +182,12 @@ static int ir2_decode_frame(AVCodecContext *avctx, ltab = buf[0x22] & 3; ctab = buf[0x22] >> 2; + + if (ctab > 3) { + av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); + return AVERROR_INVALIDDATA; + } + if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 69f78c90b2..53bb5a239c 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -237,6 +237,8 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); + if (get_bits_left(&ctx->gb) < 10) + return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index a676bcb931..8b340093df 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -61,6 +61,11 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 14) return AVERROR_INVALIDDATA; + if (avctx->channels <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels: %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + s->level = AV_RL16(avctx->extradata + 12) & 0xf; s->rows = AV_RL16(avctx->extradata + 12) >> 4; s->cols = 1 << s->level; @@ -71,7 +76,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->block = av_calloc(s->block_len, sizeof(int)); s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); s->ampbuf = av_calloc(0x10000, sizeof(int)); - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); + s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream)); if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream) return AVERROR(ENOMEM); @@ -325,6 +330,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 3) + (x3 * 9) */ b = get_bits(gb, 5); + if (b > 26) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x3[b] & 0x0F) - 1; n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; @@ -350,6 +359,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 5) + (x3 * 25) */ b = get_bits(gb, 7); + if (b > 124) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x5[b] & 0x0F) - 2; n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; @@ -374,6 +387,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 11) */ b = get_bits(gb, 7); + if (b > 120) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_2x11[b] & 0x0F) - 5; n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 88c610d651..2b78c69200 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -988,6 +988,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { + av_frame_unref(s->last_frame); + av_frame_unref(s->second_last_frame); + } + if (buf_size < 2) return AVERROR_INVALIDDATA; @@ -999,10 +1004,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, if (buf_size < s->decoding_map_size + 2) return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { - av_frame_unref(s->last_frame); - av_frame_unref(s->second_last_frame); - } s->decoding_map = buf + 2; bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, @@ -1012,10 +1013,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return ret; if (!s->is_16bpp) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index a26244f393..228f6ace49 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -167,6 +167,7 @@ static int h263_decode_gob_header(MpegEncContext *s) /* We have a GBSC probably with GSTUFF */ skip_bits(&s->gb, 16); /* Drop the zeros */ left= get_bits_left(&s->gb); + left = FFMIN(left, 32); //MN: we must check the bits left or we might end in an infinite loop (or segfault) for(;left>13; left--){ if(get_bits1(&s->gb)) break; /* Seek the '1' bit */ @@ -523,7 +524,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index bc9de1a72f..a57d09e0fb 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } @@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); diff --git a/libavcodec/jni.c b/libavcodec/jni.c index 32456f59fb..85dcf2abaf 100644 --- a/libavcodec/jni.c +++ b/libavcodec/jni.c @@ -20,19 +20,18 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "config.h" + #include -#include "config.h" +#include "libavutil/error.h" #include "jni.h" #if CONFIG_JNI - -#include #include #include #include "libavutil/log.h" -#include "libavutil/error.h" #include "ffjni.h" void *java_vm; @@ -69,7 +68,7 @@ void *av_jni_get_java_vm(void *log_ctx) int av_jni_set_java_vm(void *vm, void *log_ctx) { - return 0; + return AVERROR(ENOSYS); } void *av_jni_get_java_vm(void *log_ctx) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index ed3b421ad8..8a022ad918 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -215,12 +215,12 @@ typedef struct Jpeg2000Component { /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { - return -(((int64_t)(-a)) >> b); + return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51af3..f1abc9a5ef 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); @@ -298,6 +299,16 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { @@ -349,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { @@ -946,9 +960,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index d183cbb87d..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 188cc261a4..e4aa2e4a3d 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] <<= I_PRESHIFT; + data[i] *= 1LL << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 68151cbbd8..20b40445fd 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -385,6 +385,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 7acaba7d21..ffe6a142e9 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int i, ret; int header; int blocksize; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); bytestream2_init(&ctx->g, avpkt->data, avpkt->size); @@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, } } - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(ctx->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } if (ctx->setpal) { diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 93d13448c9..2ad6c61c59 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index e5f7c4ebdc..2857b9453f 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c @@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index 65167e6aee..b4ce834778 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c @@ -24,8 +24,6 @@ * JPEG 2000 decoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 14435515bc..1b7e1684af 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -24,8 +24,6 @@ * JPEG 2000 encoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" @@ -54,7 +52,9 @@ typedef struct LibOpenJPEGContext { AVClass *avclass; +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_t *image; +#endif // OPENJPEG_MAJOR_VERSION == 1 opj_cparameters_t enc_params; #if OPENJPEG_MAJOR_VERSION == 1 opj_event_mgr_t event_mgr; @@ -371,18 +371,22 @@ static av_cold int libopenjpeg_encode_init(AVCodecContext *avctx) cinema_parameters(&ctx->enc_params); } +#if OPENJPEG_MAJOR_VERSION == 1 ctx->image = mj2_create_image(avctx, &ctx->enc_params); if (!ctx->image) { av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); err = AVERROR(EINVAL); goto fail; } +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; fail: +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return err; } @@ -417,7 +421,7 @@ static int libopenjpeg_copy_packed8(AVCodecContext *avctx, const AVFrame *frame, for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -457,7 +461,7 @@ static int libopenjpeg_copy_packed12(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -497,7 +501,7 @@ static int libopenjpeg_copy_packed16(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -524,8 +528,8 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; frame_index = y * frame->linesize[compno]; @@ -538,7 +542,7 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -566,8 +570,8 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; frame_ptr = (uint16_t *)frame->data[compno]; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; @@ -581,7 +585,7 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -593,19 +597,25 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet) { LibOpenJPEGContext *ctx = avctx->priv_data; - opj_image_t *image = ctx->image; + int ret; + AVFrame *gbrframe; + int cpyresult = 0; #if OPENJPEG_MAJOR_VERSION == 1 + opj_image_t *image = ctx->image; opj_cinfo_t *compress = NULL; opj_cio_t *stream = NULL; int len; #else // OPENJPEG_MAJOR_VERSION == 2 + PacketWriter writer = { 0 }; opj_codec_t *compress = NULL; opj_stream_t *stream = NULL; - PacketWriter writer = { 0 }; + opj_image_t *image = mj2_create_image(avctx, &ctx->enc_params); + if (!image) { + av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); + ret = AVERROR(EINVAL); + goto done; + } #endif // OPENJPEG_MAJOR_VERSION == 1 - int cpyresult = 0; - int ret; - AVFrame *gbrframe; switch (avctx->pix_fmt) { case AV_PIX_FMT_RGB24: @@ -628,8 +638,10 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_GBRP14: case AV_PIX_FMT_GBRP16: gbrframe = av_frame_clone(frame); - if (!gbrframe) - return AVERROR(ENOMEM); + if (!gbrframe) { + ret = AVERROR(ENOMEM); + goto done; + } gbrframe->data[0] = frame->data[2]; // swap to be rgb gbrframe->data[1] = frame->data[0]; gbrframe->data[2] = frame->data[1]; @@ -686,19 +698,21 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, av_log(avctx, AV_LOG_ERROR, "The frame's pixel format '%s' is not supported\n", av_get_pix_fmt_name(avctx->pix_fmt)); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto done; break; } if (!cpyresult) { av_log(avctx, AV_LOG_ERROR, "Could not copy the frame data to the internal image buffer\n"); - return -1; + ret = -1; + goto done; } #if OPENJPEG_MAJOR_VERSION == 2 if ((ret = ff_alloc_packet2(avctx, pkt, 1024, 0)) < 0) { - return ret; + goto done; } #endif // OPENJPEG_MAJOR_VERSION == 2 @@ -765,7 +779,7 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, #error Missing call to opj_stream_set_user_data #endif - if (!opj_start_compress(compress, ctx->image, stream) || + if (!opj_start_compress(compress, image, stream) || !opj_encode(compress, stream) || !opj_end_compress(compress, stream)) { av_log(avctx, AV_LOG_ERROR, "Error during the opj encode\n"); @@ -784,6 +798,7 @@ done: #if OPENJPEG_MAJOR_VERSION == 2 opj_stream_destroy(stream); opj_destroy_codec(compress); + opj_image_destroy(image); #else opj_cio_close(stream); opj_destroy_compress(compress); @@ -793,10 +808,12 @@ done: static av_cold int libopenjpeg_encode_close(AVCodecContext *avctx) { +#if OPENJPEG_MAJOR_VERSION == 1 LibOpenJPEGContext *ctx = avctx->priv_data; opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; } diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index acc62f14d8..e6ca61a78f 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -47,6 +47,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled; uint8_t mapping_arr[8] = { 0, 1 }, *mapping; + avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_WARNING, + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); + avc->channels = 2; + } + avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 3f3e80d4a0..c1dcd0456a 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -362,7 +362,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -371,7 +370,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index 152cbe7d47..471077b2fe 100644 --- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -218,6 +218,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, int outer = 1; SchroParseUnitContext parse_ctx; LibSchroFrameContext *framewithpts = NULL; + int ret; *got_frame = 0; @@ -307,11 +308,10 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, /* Grab next frame to be returned from the top of the queue. */ framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); - if (framewithpts && framewithpts->frame) { - int ret; + if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) - return ret; + goto end; memcpy(avframe->data[0], framewithpts->frame->components[0].data, @@ -332,15 +332,17 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, avframe->linesize[2] = framewithpts->frame->components[2].stride; *got_frame = 1; - - /* Now free the frame resources. */ - libschroedinger_decode_frame_free(framewithpts->frame); - av_free(framewithpts); } else { data = NULL; *got_frame = 0; } - return buf_size; + ret = buf_size; +end: + /* Now free the frame resources. */ + if (framewithpts && framewithpts->frame) + libschroedinger_decode_frame_free(framewithpts->frame); + av_freep(&framewithpts); + return ret; } diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 4ea932d779..542add4ceb 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -805,7 +805,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index c8f2380d8e..b730c91ef2 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -777,8 +777,8 @@ FF_ENABLE_DEPRECATION_WARNINGS if(x4->x264opts){ const char *p= x4->x264opts; while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + char param[4096]={0}, val[4096]={0}; + if(sscanf(p, "%4095[^:=]=%4095[^:]", param, val) == 1){ OPT_STR(param, "1"); }else OPT_STR(param, val); diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index edb1a6bc7d..704ffa9d4b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -117,11 +117,14 @@ void ff_lpc_end(LPCContext *s); #if USE_FIXED typedef int LPC_TYPE; +typedef unsigned LPC_TYPE_U; #else #ifdef LPC_USE_DOUBLE typedef double LPC_TYPE; +typedef double LPC_TYPE_U; #else typedef float LPC_TYPE; +typedef float LPC_TYPE_U; #endif #endif // USE_FIXED @@ -192,8 +195,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j < (i+1)>>1; j++) { LPC_TYPE f = lpc_last[ j]; LPC_TYPE b = lpc_last[i-1-j]; - lpc[ j] = f + AAC_MUL26(r, b); - lpc[i-1-j] = b + AAC_MUL26(r, f); + lpc[ j] = f + (LPC_TYPE_U)AAC_MUL26(r, b); + lpc[i-1-j] = b + (LPC_TYPE_U)AAC_MUL26(r, f); } if (fail && err < 0) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 409a7ffdd3..5b7526ef18 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } bytestream2_get_buffer(gb, p, s); @@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } av_memcpy_backptr(p, off, l); diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 3bb4c5a8b4..fdd427920c 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -90,6 +90,8 @@ static int build_huff(VLC *vlc, uint8_t *len) for (i = 0; i < 256; i++) { he[i].sym = 255 - i; he[i].len = len[i]; + if (len[i] == 0 || len[i] > 32) + return AVERROR_INVALIDDATA; } AV_QSORT(he, 256, HuffEntry, ff_magy_huff_cmp_len); diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 1cc4ca4742..8e28aa04f0 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (diff >= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; @@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index dc76b07ba2..4234000487 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/mediacodecdec_h264.c b/libavcodec/mediacodecdec_h264.c index eb63ab5327..f663267996 100644 --- a/libavcodec/mediacodecdec_h264.c +++ b/libavcodec/mediacodecdec_h264.c @@ -65,6 +65,58 @@ static av_cold int mediacodec_decode_close(AVCodecContext *avctx) return 0; } +static int h264_ps_to_nalu(const uint8_t *src, int src_size, uint8_t **out, int *out_size) +{ + int i; + int ret = 0; + uint8_t *p = NULL; + static const uint8_t nalu_header[] = { 0x00, 0x00, 0x00, 0x01 }; + + if (!out || !out_size) { + return AVERROR(EINVAL); + } + + p = av_malloc(sizeof(nalu_header) + src_size); + if (!p) { + return AVERROR(ENOMEM); + } + + *out = p; + *out_size = sizeof(nalu_header) + src_size; + + memcpy(p, nalu_header, sizeof(nalu_header)); + memcpy(p + sizeof(nalu_header), src, src_size); + + /* Escape 0x00, 0x00, 0x0{0-3} pattern */ + for (i = 4; i < *out_size; i++) { + if (i < *out_size - 3 && + p[i + 0] == 0 && + p[i + 1] == 0 && + p[i + 2] <= 3) { + uint8_t *new; + + *out_size += 1; + new = av_realloc(*out, *out_size); + if (!new) { + ret = AVERROR(ENOMEM); + goto done; + } + *out = p = new; + + i = i + 2; + memmove(p + i + 1, p + i, *out_size - (i + 1)); + p[i] = 0x03; + } + } +done: + if (ret < 0) { + av_freep(out); + *out_size = 0; + } + + return ret; +} + static av_cold int mediacodec_decode_init(AVCodecContext *avctx) { int i; @@ -112,8 +164,20 @@ static av_cold int mediacodec_decode_init(AVCodecContext *avctx) } if (pps && sps) { - ff_AMediaFormat_setBuffer(format, "csd-0", (void*)sps->data, sps->data_size); - ff_AMediaFormat_setBuffer(format, "csd-1", (void*)pps->data, pps->data_size); + uint8_t *data = NULL; + size_t data_size = 0; + + if ((ret = h264_ps_to_nalu(sps->data, sps->data_size, &data, &data_size)) < 0) { + goto done; + } + ff_AMediaFormat_setBuffer(format, "csd-0", (void*)data, data_size); + av_freep(&data); + + if ((ret = h264_ps_to_nalu(pps->data, pps->data_size, &data, &data_size)) < 0) { + goto done; + } + ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, data_size); + av_freep(&data); } else { av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from extradata"); ret = AVERROR_INVALIDDATA; diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 06fb393b92..b77171a822 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i); diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 633a8f02c0..714c51013d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -693,7 +693,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, return AVERROR_INVALIDDATA; } val = val * quant_matrix[0] + s->last_dc[component]; - val = FFMIN(val, 32767); + val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; /* AC coefs */ @@ -734,7 +734,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { @@ -753,7 +753,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; @@ -1082,6 +1083,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; @@ -1133,7 +1138,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ @@ -1153,7 +1158,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; @@ -1192,13 +1197,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { @@ -1393,6 +1398,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) @@ -1466,6 +1475,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); @@ -2119,6 +2137,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ret = mjpeg_decode_com(s); if (ret < 0) return ret; + } else if (start_code == DQT) { + ff_mjpeg_decode_dqt(s); } ret = -1; @@ -2151,9 +2171,6 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->restart_count = 0; /* nothing to do on SOI */ break; - case DQT: - ff_mjpeg_decode_dqt(s); - break; case DHT: if ((ret = ff_mjpeg_decode_dht(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "huffman table decode error\n"); @@ -2384,7 +2401,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format)); diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c93b058dd7..f60f14cc71 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } @@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; @@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } @@ -729,7 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -742,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) @@ -769,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ @@ -999,8 +1004,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } @@ -1162,6 +1167,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index abf8711a9c..81fd1d6deb 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -116,6 +116,8 @@ static void mov_text_cleanup(MovTextContext *m) av_freep(&m->s[i]); } av_freep(&m->s); + m->count_s = 0; + m->style_entries = 0; } } @@ -279,12 +281,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; - m->style_entries = AV_RB16(tsmb); + int style_entries = AV_RB16(tsmb); tsmb += 2; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) + if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + m->style_entries = style_entries; + m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { m->s_temp = av_malloc(sizeof(*m->s_temp)); @@ -481,7 +485,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box - if (m->tracksize + tsmb_size > avpkt->size) + if (tsmb_size == 0) { + av_log(avctx, AV_LOG_ERROR, "tsmb_size is 0\n"); + return AVERROR_INVALIDDATA; + } + + if (tsmb_size > avpkt->size - m->tracksize) break; for (size_t i = 0; i < box_count; i++) { diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 204a57891e..50360c8132 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -497,7 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); ff_tlog(s->avctx, "dc=%d\n", block[0]); mismatch = block[0] ^ 1; i = 0; @@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } @@ -948,8 +948,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; @@ -994,7 +994,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } @@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { @@ -2389,7 +2390,7 @@ FF_ENABLE_DEPRECATION_WARNINGS #endif s->closed_gop = get_bits1(&s->gb); - /* broken_link indicate that after editing the + /* broken_link indicates that after editing the * reference frames of the first B-Frames after GOP I-Frame * are missing (open gop) */ broken_link = get_bits1(&s->gb); @@ -2784,6 +2785,7 @@ static int mpeg_decode_frame(AVCodecContext *avctx, void *data, avctx->extradata, avctx->extradata_size); if (*got_output) { av_log(avctx, AV_LOG_ERROR, "picture in extradata\n"); + av_frame_unref(picture); *got_output = 0; } s->extradata_decoded = 1; diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 3adf28d2f8..d04286bc3d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -171,13 +171,14 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -242,25 +243,25 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = s->sprite_delta[1][0] = 0; @@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = @@ -283,26 +284,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); @@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; @@ -367,17 +360,61 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } + } + + for (i = 0; i < 2; i++) { + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; + s->sprite_delta[0][i] *= 1 << shift_y; + s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + } + for (i = 0; i < 2; i++) { + int64_t sd[2] = { + s->sprite_delta[i][0] - a * (1LL<<16), + s->sprite_delta[i][1] - a * (1LL<<16) + }; + + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + ) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + goto overflow; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { @@ -504,7 +541,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; @@ -2246,6 +2283,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { @@ -2298,7 +2336,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; - s->time = s->time_base * s->avctx->framerate.num + time_increment; + s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2310,7 +2348,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { - s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; + s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || @@ -2413,16 +2451,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { @@ -2520,6 +2562,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; + int vol = 0; /* search next start code */ align_get_bits(gb); @@ -2608,6 +2651,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } if (startcode >= 0x120 && startcode <= 0x12F) { + if (vol) { + av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); + return AVERROR_INVALIDDATA; + } + vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 873f941237..8c39825792 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -98,7 +98,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); - return AVERROR_PATCHWELCOME; + return 0; /* parsers must not return error codes */ } break; diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 1114428f33..37b1af9bd9 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -253,7 +253,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } @@ -1665,7 +1665,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header); if (ret < 0) { diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 87d795478a..30d2e2cfde 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2911,6 +2911,8 @@ int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t s return AVERROR(ENOMEM); } + emms_c(); + av_fast_padded_malloc(&new_buffer, &new_buffer_size, s->avctx->internal->byte_buffer_size + size_increase); if (!new_buffer) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index c29810f598..ef32757780 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; @@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 2f908770e3..27703163e0 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; @@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index c2f624283d..adb55b1302 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx, return ret; if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available */ memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE); diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index d255dd4337..fdc07168c7 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -422,7 +422,13 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, ff_vc1_decode_blocks(v); - ff_er_frame_end(&s->er); + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { + ff_er_frame_end(&s->er); + } else { + av_log(v->s.avctx, AV_LOG_WARNING, + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); + } ff_mpv_frame_end(s); diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 01941967a5..8344bfe8a7 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add17d..4965ac514d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c @@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 1d141723f6..29700f54b6 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -301,15 +301,24 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; if (s->mode_8bit) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { memcpy(s->pal, pal, AVPALETTE_SIZE); s->frame->palette_has_changed = 1; + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 0740c75a0f..d6d5b7a910 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1<width + 31) & ~31; - allocSurf.height = (avctx->height + 31) & ~31; + allocSurf.width = avctx->width; + allocSurf.height = avctx->height; allocSurf.memoryHeap = NV_ENC_MEMORY_HEAP_SYSMEM_CACHED; allocSurf.bufferFmt = ctx->surfaces[idx].format; @@ -1609,8 +1609,8 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pic_params.inputBuffer = inSurf->input_surface; pic_params.bufferFmt = inSurf->format; - pic_params.inputWidth = avctx->width; - pic_params.inputHeight = avctx->height; + pic_params.inputWidth = inSurf->width; + pic_params.inputHeight = inSurf->height; pic_params.outputBitstream = inSurf->output_surface; if (avctx->flags & AV_CODEC_FLAG_INTERLACED_DCT) { diff --git a/libavcodec/nvenc_hevc.c b/libavcodec/nvenc_hevc.c index 1ce7c89a4b..17a0c2d13d 100644 --- a/libavcodec/nvenc_hevc.c +++ b/libavcodec/nvenc_hevc.c @@ -76,7 +76,7 @@ static const AVOption options[] = { { "surfaces", "Number of concurrent surfaces", OFFSET(nb_surfaces), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, INT_MAX, VE }, { "cbr", "Use cbr encoding mode", OFFSET(cbr), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VE }, { "2pass", "Use 2pass encoding mode", OFFSET(twopass), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, VE }, - { "gpu", "Selects which NVENC capable GPU to use. First GPU is 0, second is 1, and so on.", OFFSET(device), AV_OPT_TYPE_INT, { .i64 = ANY_DEVICE }, -2, INT_MAX, VE }, + { "gpu", "Selects which NVENC capable GPU to use. First GPU is 0, second is 1, and so on.", OFFSET(device), AV_OPT_TYPE_INT, { .i64 = ANY_DEVICE }, -2, INT_MAX, VE, "device" }, { "any", "Pick the first device available", 0, AV_OPT_TYPE_CONST, { .i64 = ANY_DEVICE }, 0, 0, VE, "device" }, { "list", "List the available devices", 0, AV_OPT_TYPE_CONST, { .i64 = LIST_DEVICES }, 0, 0, VE, "device" }, { "delay", "Delay frame output by the given amount of frames", OFFSET(async_depth), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, VE }, diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 1b2ae0d997..1dabbbbf3f 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -352,12 +352,12 @@ static av_cold int find_component(OMXContext *omx_context, void *logctx, av_log(logctx, AV_LOG_WARNING, "No component for role %s found\n", role); return AVERROR_ENCODER_NOT_FOUND; } - components = av_mallocz(sizeof(char*) * num); + components = av_mallocz_array(num, sizeof(*components)); if (!components) return AVERROR(ENOMEM); for (i = 0; i < num; i++) { components[i] = av_mallocz(OMX_MAX_STRINGNAME_SIZE); - if (!components) { + if (!components[i]) { ret = AVERROR(ENOMEM); goto end; } @@ -761,7 +761,10 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { // If not, we need to allocate a new buffer with the right // size and copy the input frame into it. - uint8_t *buf = av_malloc(av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1)); + uint8_t *buf = NULL; + int image_buffer_size = av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1); + if (image_buffer_size >= 0) + buf = av_malloc(image_buffer_size); if (!buf) { // Return the buffer to the queue so it's not lost append_buffer(&s->input_mutex, &s->input_cond, &s->num_free_in_buffers, s->free_in_buffers, buffer); diff --git a/libavcodec/options.c b/libavcodec/options.c index d8e3dbfa33..e124fb442e 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -187,6 +187,30 @@ void avcodec_free_context(AVCodecContext **pavctx) } #if FF_API_COPY_CONTEXT +static void copy_context_reset(AVCodecContext *avctx) +{ + int i; + + av_opt_free(avctx); +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_free(&avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + av_buffer_unref(&avctx->hw_frames_ctx); + for (i = 0; i < avctx->nb_coded_side_data; i++) + av_freep(&avctx->coded_side_data[i].data); + av_freep(&avctx->coded_side_data); + avctx->subtitle_header_size = 0; + avctx->nb_coded_side_data = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; @@ -199,12 +223,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -229,11 +248,13 @@ FF_ENABLE_DEPRECATION_WARNINGS /* reallocate values that should be allocated separately */ dest->extradata = NULL; + dest->coded_side_data = NULL; dest->intra_matrix = NULL; dest->inter_matrix = NULL; dest->rc_override = NULL; dest->subtitle_header = NULL; dest->hw_frames_ctx = NULL; + dest->nb_coded_side_data = 0; #define alloc_and_copy_or_fail(obj, size, pad) \ if (src->obj && size > 0) { \ @@ -263,15 +284,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: - av_freep(&dest->subtitle_header); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_buffer_unref(&dest->hw_frames_ctx); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } #endif diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 9c30b122dc..1274a144cf 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..91bfe16376 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4 || (code & 0xF) == 3) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index cef477d8c2..b897d72aab 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx, av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len); - if (!object->rle) + if (!object->rle) { + object->rle_data_len = 0; + object->rle_remaining_len = 0; return AVERROR(ENOMEM); + } memcpy(object->rle, buf, buf_size); object->rle_data_len = buf_size; @@ -556,12 +559,13 @@ static int display_end_segment(AVCodecContext *avctx, void *data, sub->rects[i]->x = ctx->presentation.objects[i].x; sub->rects[i]->y = ctx->presentation.objects[i].y; - sub->rects[i]->w = object->w; - sub->rects[i]->h = object->h; - - sub->rects[i]->linesize[0] = object->w; if (object->rle) { + sub->rects[i]->w = object->w; + sub->rects[i]->h = object->h; + + sub->rects[i]->linesize[0] = object->w; + if (object->rle_remaining_len) { av_log(avctx, AV_LOG_ERROR, "RLE data length %u is %u bytes shorter than expected\n", object->rle_data_len, object->rle_remaining_len); diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index ff6eb7f4fc..a09ee379c0 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; + if (*plane >= s->nb_planes) + return; value <<= bits_per_plane; mask <<= bits_per_plane; - if (*plane >= s->nb_planes) - break; } } } @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; @@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index f0883d3d08..6152fe40c3 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 79ed86c3a6..b14514de7e 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 36275ae43f..7f0d416683 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; @@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) @@ -602,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } if (!(s->state & PNG_IDAT)) { /* init image info */ - avctx->width = s->width; - avctx->height = s->height; + ret = ff_set_dimensions(avctx, s->width, s->height); + if (ret < 0) + return ret; s->channels = ff_png_get_nb_channels(s->color_type); s->bits_per_pixel = s->bit_depth * s->channels; @@ -772,17 +782,28 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); + return AVERROR_INVALIDDATA; + } + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); + return AVERROR_INVALIDDATA; + } + if (s->color_type == PNG_COLOR_TYPE_PALETTE) { if (length > 256 || !(s->state & PNG_PLTE)) return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { - v = bytestream2_get_byte(&s->gb); + unsigned v = bytestream2_get_byte(&s->gb); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) || - (s->color_type == PNG_COLOR_TYPE_RGB && length != 6)) + (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) || + s->bit_depth == 1) return AVERROR_INVALIDDATA; for (i = 0; i < length / 2; i++) { @@ -1241,6 +1262,8 @@ exit_loop: size_t raw_bpp = s->bpp - byte_depth; unsigned x, y; + av_assert0(s->bit_depth > 1); + for (y = 0; y < s->height; ++y) { uint8_t *row = &s->image_buf[s->image_linesize * y]; @@ -1335,7 +1358,7 @@ static int decode_frame_png(AVCodecContext *avctx, } if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 1675959fbf..8b4a4ac292 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -153,8 +156,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index a7d70b9931..43dbfc7f27 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -66,6 +66,8 @@ retry: } #endif next = END_NOT_FOUND; + } else if (pnmctx.type < 4) { + next = END_NOT_FOUND; } else { next = pnmctx.bytestream - pnmctx.bytestream_start + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index d4261a4530..4e2045d2b3 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -43,7 +43,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, int buf_size = avpkt->size; PNMContext * const s = avctx->priv_data; AVFrame * const p = data; - int i, j, n, linesize, h, upgrade = 0, is_mono = 0; + int i, j, k, n, linesize, h, upgrade = 0, is_mono = 0; unsigned char *ptr; int components, sample_len, ret; @@ -143,10 +143,14 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, v = (*s->bytestream++)&1; } else { /* read a sequence of digits */ - do { + for (k = 0; k < 5 && c <= 9; k += 1) { v = 10*v + c; c = (*s->bytestream++) - '0'; - } while (c <= 9); + } + if (v > s->maxval) { + av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval); + return AVERROR_INVALIDDATA; + } } if (sample_len == 16) { ((uint16_t*)ptr)[j] = (((1<maxval>>1))/s->maxval; diff --git a/libavcodec/ppc/pixblockdsp.c b/libavcodec/ppc/pixblockdsp.c index 84aa562bb6..f3a5050469 100644 --- a/libavcodec/ppc/pixblockdsp.c +++ b/libavcodec/ppc/pixblockdsp.c @@ -67,10 +67,10 @@ static void get_pixels_altivec(int16_t *restrict block, const uint8_t *pixels, ptrdiff_t line_size) { int i; - vec_u8 perm = vec_lvsl(0, pixels); const vec_u8 zero = (const vec_u8)vec_splat_u8(0); for (i = 0; i < 8; i++) { + vec_u8 perm = vec_lvsl(0, pixels); /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ @@ -157,8 +157,7 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, const uint8_t *s2, int stride) { int i; - vec_u8 perm1 = vec_lvsl(0, s1); - vec_u8 perm2 = vec_lvsl(0, s2); + vec_u8 perm; const vec_u8 zero = (const vec_u8)vec_splat_u8(0); vec_s16 shorts1, shorts2; @@ -166,17 +165,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); vec_u8 pixl = vec_ld(0, s1); vec_u8 pixr = vec_ld(15, s1); - vec_u8 bytes = vec_perm(pixl, pixr, perm1); + vec_u8 bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); @@ -197,17 +198,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); pixl = vec_ld(0, s1); pixr = vec_ld(15, s1); - bytes = vec_perm(pixl, pixr, perm1); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index a3a1ebdecb..3ed9478211 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > MIN_CACHE_BITS) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ @@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c index 467a423f23..bc5bdb5a4d 100644 --- a/libavcodec/proresdec_lgpl.c +++ b/libavcodec/proresdec_lgpl.c @@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) /* if V or alpha component size is negative that means that previous component sizes are too large */ - if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) { + if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) { av_log(avctx, AV_LOG_ERROR, "invalid data size\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 828cfea3fd..2cf18869e1 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -55,6 +55,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc, bytestream2_skip(gbc, 6); continue; } + if (avctx->pix_fmt != AV_PIX_FMT_PAL8) + return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); @@ -227,7 +229,9 @@ static int decode_frame(AVCodecContext *avctx, if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + if (ret < 0) + return ret; p->palette_has_changed = 1; /* jump to image data */ diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 9eaf9b8054..9bfecc3a31 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -260,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * const ref = a->ref; uint8_t* outdata; int delta, ret; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); if (avpkt->size < 0x86) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); @@ -287,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx, } /* make the palette available on the way out */ - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { p->palette_has_changed = 1; memcpy(a->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } memcpy(p->data[1], a->pal, AVPALETTE_SIZE); diff --git a/libavcodec/qsvenc_hevc.c b/libavcodec/qsvenc_hevc.c index 1d1e801cc6..b775ef1ee6 100644 --- a/libavcodec/qsvenc_hevc.c +++ b/libavcodec/qsvenc_hevc.c @@ -69,7 +69,7 @@ static int generate_fake_vps(QSVEncContext *q, AVCodecContext *avctx) } /* parse the SPS */ - ret = ff_h2645_extract_rbsp(avctx->extradata + 4, avctx->extradata_size - 4, &sps_nal); + ret = ff_h2645_extract_rbsp(avctx->extradata + 4, avctx->extradata_size - 4, &sps_nal, 1); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error unescaping the SPS buffer\n"); return ret; diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index d9d27f0506..1b0d2016b5 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -506,11 +506,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx, } if(has_palette) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available on the way out */ diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index ceec32d79d..c077b7b327 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) @@ -1598,10 +1598,10 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 3eed17c0da..c716c32e67 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; diff --git a/libavcodec/raw.c b/libavcodec/raw.c index bfa2537b5a..d36b68bfae 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -31,6 +31,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { AV_PIX_FMT_YUV420P, MKTAG('I', '4', '2', '0') }, /* Planar formats */ { AV_PIX_FMT_YUV420P, MKTAG('I', 'Y', 'U', 'V') }, + { AV_PIX_FMT_YUV420P, MKTAG('y', 'v', '1', '2') }, { AV_PIX_FMT_YUV420P, MKTAG('Y', 'V', '1', '2') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'U', 'V', '9') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'V', 'U', '9') }, diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 765e567d1f..ca0927ca1b 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -204,8 +204,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 - || avctx->bits_per_coded_sample <= 2) && + if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 || + avctx->bits_per_coded_sample == 2 || avctx->bits_per_coded_sample == 1 || + (avctx->bits_per_coded_sample == 0 && (context->is_nut_pal8 || context->is_mono)) ) && (context->is_mono || context->is_pal8) && (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' ') || context->is_nut_mono || context->is_nut_pal8)) { @@ -363,22 +364,38 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { - av_buffer_unref(&context->palette); + &pal_size); + int ret; + + if (pal && pal_size != AVPALETTE_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); + pal = NULL; + } + + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); - if (!context->palette) { - av_buffer_unref(&frame->buf[0]); - return AVERROR(ENOMEM); - } + if (!context->palette) { + av_buffer_unref(&frame->buf[0]); + return AVERROR(ENOMEM); + } + ret = av_buffer_make_writable(&context->palette); + if (ret < 0) { + av_buffer_unref(&frame->buf[0]); + return ret; + } + + if (pal) { memcpy(context->palette->data, pal, AVPALETTE_SIZE); frame->palette_has_changed = 1; } else if (context->is_nut_pal8) { int vid_size = avctx->width * avctx->height; - if (avpkt->size - vid_size) { + int pal_size = avpkt->size - vid_size; + + if (avpkt->size > vid_size && pal_size <= AVPALETTE_SIZE) { pal = avpkt->data + vid_size; - memcpy(context->palette->data, pal, avpkt->size - vid_size); + memcpy(context->palette->data, pal, pal_size); frame->palette_has_changed = 1; } } diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index fe0df2eec1..618002f6da 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -209,6 +209,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ctx->tiles[i].y = bytestream2_get_le16(gbc); ctx->tiles[i].h = bytestream2_get_le16(gbc); + if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size; ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i, diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index aca8382f20..c9cedfe8b2 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte return ff_mpeg_update_thread_context(dst, src); } -static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) +static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size) { - if(avctx->slice_count) return avctx->slice_offset[n]; - else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + if (n < slice_count) { + if(avctx->slice_count) return avctx->slice_offset[n]; + else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + } else + return buf_size; } static int finish_frame(AVCodecContext *avctx, AVFrame *pict) @@ -1627,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } @@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, const uint8_t *slices_hdr = NULL; int last = 0; int faulty_b = 0; + int offset; /* no supplementary picture */ if (buf_size == 0) { @@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else slice_count = avctx->slice_count; + offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size); //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) < 0 || - get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); + init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; @@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ - int offset = get_slice_offset(avctx, slices_hdr, i); + int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); + int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size); int size; - if(i+1 == slice_count) - size = buf_size - offset; - else - size = get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size){ + if(offset < 0 || offset > offset1 || offset1 > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } + size = offset1 - offset; r->si.end = s->mb_width * s->mb_height; s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(i+1 < slice_count){ - if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || - get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size); + if (offset2 < offset1 || offset2 > buf_size) { av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); + init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ - if(i+2 < slice_count) - size = get_slice_offset(avctx, slices_hdr, i+2) - offset; - else - size = buf_size - offset; + size = offset2 - offset; }else r->si.end = si.start; } - if (size < 0 || size > buf_size - offset) { - av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); - break; - } + av_assert0 (size >= 0 && size <= buf_size - offset); last = rv34_decode_slice(r, r->si.end, buf + offset, size); if(last) break; diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 465011a079..dfeebda838 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim) val = dim[get_bits1(gb) - val]; if(!val){ do{ + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; t = get_bits(gb, 8); val += t << 2; }while(t == 0xFF); @@ -187,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e93696..95ba0a9259 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index ccfb5913a0..a68ac79f2c 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); @@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 1aa002b6a5..065bf7aca1 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); @@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } @@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2], static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { - int m, r; + int m; int64_t accu; for (m = 0; m < m_max; m++) { - r = 1 << (22-g_filt[m].exp); + int64_t r = 1LL << (22-g_filt[m].exp); accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); @@ -242,7 +242,7 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, @@ -253,14 +253,17 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int m; for (m = 0; m < m_max; m++) { - int y0 = Y[m][0]; - int y1 = Y[m][1]; + unsigned y0 = Y[m][0]; + unsigned y1 = Y[m][1]; noise = (noise + 1) & 0x1ff; if (s_m[m].mant) { int shift, round; shift = 22 - s_m[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +273,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int64_t accu; shift = 22 - q_filt[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; @@ -286,6 +292,7 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], Y[m][1] = y1; phi_sign1 = -phi_sign1; } + return 0; } #include "sbrdsp_template.c" diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index b649dfd7ee..897a3bbffb 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c @@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO { int i; for (i = 0; i < 64; i++) { - v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); - v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED + v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; + v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else + v[ i] = src0[i] - src1[63 - i]; + v[127 - i] = src0[i] + src1[63 - i]; +#endif } } diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c index 2f08b7bff0..5b03ce4431 100644 --- a/libavcodec/sheervideo.c +++ b/libavcodec/sheervideo.c @@ -3098,6 +3098,11 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (avpkt->size < 20 + avctx->width * avctx->height / 16) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + if (s->format != format) { if (ret < 0) return ret; diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index e4cef61811..b56d205932 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,8 +155,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } @@ -433,6 +436,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); @@ -446,12 +453,6 @@ static int read_header(ShortenContext *s) } s->nwrap = FFMAX(NWRAP, maxnlpc); - if ((ret = allocate_buffers(s)) < 0) - return ret; - - if ((ret = init_offset(s)) < 0) - return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -487,6 +488,13 @@ static int read_header(ShortenContext *s) } end: + + if ((ret = allocate_buffers(s)) < 0) + return ret; + + if ((ret = init_offset(s)) < 0) + return ret; + s->cur_chan = 0; s->bitshift = 0; diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index f4fc16c42c..9085a8a427 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -129,8 +129,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref /** * Decode header tree */ -static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx) +static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length) { + if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion. + av_log(NULL, AV_LOG_ERROR, "length too long\n"); + return AVERROR_INVALIDDATA; + } if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; @@ -159,12 +163,12 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx int r = 0, r_new, t; t = hc->current++; - r = smacker_decode_bigtree(gb, hc, ctx); + r = smacker_decode_bigtree(gb, hc, ctx, length + 1); if(r < 0) return r; hc->values[t] = SMK_NODE | r; r++; - r_new = smacker_decode_bigtree(gb, hc, ctx); + r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1); if (r_new < 0) return r_new; return r + r_new; @@ -275,7 +279,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int goto error; } - if (smacker_decode_bigtree(gb, &huff, &ctx) < 0) + if (smacker_decode_bigtree(gb, &huff, &ctx, 0) < 0) err = -1; skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 69d78ad1d1..bb5f808da2 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 9057e86161..e319e5781b 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz cur_frame = avpkt->pts % s->frames_per_jpeg; + /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */ + if (cur_frame < 0) + cur_frame += s->frames_per_jpeg; + /* Are we at the start of a block? */ if (!cur_frame) { av_frame_unref(mjpeg_data); diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 59c710b5f9..f7ed1f82e7 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -540,7 +540,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 042aecbbeb..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; @@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ @@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } s->qlog += get_symbol(&s->c, s->header_state, 1); @@ -395,6 +399,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } @@ -577,7 +586,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; x> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride @@ -249,7 +250,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } @@ -267,16 +268,16 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const int rr = (dc + 0x80000u); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); @@ -510,8 +511,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * s->frame_num_offset / @@ -537,7 +538,7 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, dy = get_interleaved_se_golomb(&s->gb_slice); dx = get_interleaved_se_golomb(&s->gb_slice); - if (dx == INVALID_VLC || dy == INVALID_VLC) { + if (dx != (int16_t)dx || dy != (int16_t)dy) { av_log(s->avctx, AV_LOG_ERROR, "invalid MV vlc\n"); return -1; } @@ -548,8 +549,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -557,8 +558,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -566,8 +567,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); @@ -1027,7 +1028,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; - if (slice_bytes > get_bits_left(&s->gb)) { + if (8LL*slice_bytes > get_bits_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); return -1; } @@ -1057,7 +1058,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) return -1; } - s->pict_type = ff_h264_golomb_to_pict_type[slice_id]; + s->slice_type = ff_h264_golomb_to_pict_type[slice_id]; if ((header & 0x9F) == 2) { i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1)); @@ -1426,6 +1427,8 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + s->pict_type = s->slice_type; + if (s->pict_type != AV_PICTURE_TYPE_B) FFSWAP(H264Picture*, s->next_pic, s->last_pic); @@ -1539,6 +1542,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; } + if (s->slice_type != s->pict_type) { + avpriv_request_sample(avctx, "non constant slice type\n"); + } /* TODO: support s->mb_skip_run */ } diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 023bc878e8..b422dd1b07 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -204,7 +204,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } @@ -265,11 +265,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { @@ -431,19 +431,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -455,7 +455,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -481,15 +481,15 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } @@ -860,7 +860,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -887,7 +887,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: @@ -902,7 +902,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1U << 8; } break; } diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 21b3d35d67..443d48a92f 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 5012245a26..90b1eb4f11 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -35,7 +35,7 @@ #define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \ ((uint8_t)(g) << 8) | \ ((uint8_t)(b) << 16) | \ - ((uint8_t)(a) << 24)) + ((unsigned)(uint8_t)(a) << 24)) static av_always_inline void extract_color(uint32_t colors[4], uint16_t color0, @@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride, for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); @@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride, } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index df12ee3809..f86ae2aac1 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 4be587d569..fcfa32dc8b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) @@ -904,6 +904,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else @@ -915,6 +920,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; @@ -1008,6 +1018,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } @@ -1035,6 +1046,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); @@ -1042,7 +1057,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } @@ -1080,6 +1096,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { @@ -1106,6 +1124,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); @@ -1268,6 +1288,8 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { + if (i) + dst += s->rps * stride; if (s->stripsizesoff) ssize = ff_tget(&stripsizes, s->sstype, le); else @@ -1288,7 +1310,6 @@ static int decode_frame(AVCodecContext *avctx, return ret; break; } - dst += s->rps * stride; } if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index da843c4440..28dccaae47 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 245a32a8d7..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { @@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index bd5fe035cf..cb86b584c1 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c @@ -98,11 +98,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* make the palette available on the way out */ if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy(frame->data[1], c->pal, AVPALETTE_SIZE); } diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f7adb525f8..c4af9cbb17 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -376,6 +376,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: @@ -385,7 +389,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } - if (s->codec_id == AV_CODEC_ID_JV) { + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } @@ -991,6 +996,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -1003,6 +1009,7 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -1533,7 +1540,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { @@ -2712,7 +2719,7 @@ void avsubtitle_free(AVSubtitle *sub) static int do_decode(AVCodecContext *avctx, AVPacket *pkt) { - int got_frame; + int got_frame = 0; int ret; av_assert0(!avctx->internal->buffer_frame->buf[0]); diff --git a/libavcodec/vaapi_encode_h264.c b/libavcodec/vaapi_encode_h264.c index 39e2ec09cd..ece6314d13 100644 --- a/libavcodec/vaapi_encode_h264.c +++ b/libavcodec/vaapi_encode_h264.c @@ -967,10 +967,10 @@ static const AVCodecDefault vaapi_encode_h264_defaults[] = { { "b", "0" }, { "bf", "2" }, { "g", "120" }, - { "i_qfactor", "1.0" }, - { "i_qoffset", "0.0" }, - { "b_qfactor", "1.2" }, - { "b_qoffset", "0.0" }, + { "i_qfactor", "1" }, + { "i_qoffset", "0" }, + { "b_qfactor", "6/5" }, + { "b_qoffset", "0" }, { NULL }, }; diff --git a/libavcodec/vaapi_encode_h265.c b/libavcodec/vaapi_encode_h265.c index c42c08efd4..cb376b194d 100644 --- a/libavcodec/vaapi_encode_h265.c +++ b/libavcodec/vaapi_encode_h265.c @@ -1338,10 +1338,10 @@ static const AVCodecDefault vaapi_encode_h265_defaults[] = { { "b", "0" }, { "bf", "2" }, { "g", "120" }, - { "i_qfactor", "1.0" }, - { "i_qoffset", "0.0" }, - { "b_qfactor", "1.2" }, - { "b_qoffset", "0.0" }, + { "i_qfactor", "1" }, + { "i_qoffset", "0" }, + { "b_qfactor", "6/5" }, + { "b_qoffset", "0" }, { NULL }, }; diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 560165adc7..021657f7d8 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index bbbeaa090e..e291047538 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1193,7 +1193,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) /* DWT init */ if (ff_vc2enc_init_transforms(&s->transform_args[i].t, s->plane[i].coef_stride, - s->plane[i].dwt_height)) + s->plane[i].dwt_height, + s->slice_width, s->slice_height)) goto alloc_fail; } diff --git a/libavcodec/vc2enc_dwt.c b/libavcodec/vc2enc_dwt.c index c60b003a31..d22af8a313 100644 --- a/libavcodec/vc2enc_dwt.c +++ b/libavcodec/vc2enc_dwt.c @@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data, dwt_haar(t, data, stride, width, height, 1); } -av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) +av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, + int p_height, int slice_w, int slice_h) { s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR] = vc2_subband_dwt_haar; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift; - s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); + /* Pad by the slice size, only matters for non-Haar wavelets */ + s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); if (!s->buffer) return 1; + s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); + s->buffer += s->padding; + return 0; } av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) { - av_freep(&s->buffer); + av_free(s->buffer - s->padding); + s->buffer = NULL; } diff --git a/libavcodec/vc2enc_dwt.h b/libavcodec/vc2enc_dwt.h index 7fbbfbe0ed..a6932bcdaf 100644 --- a/libavcodec/vc2enc_dwt.h +++ b/libavcodec/vc2enc_dwt.h @@ -41,12 +41,14 @@ enum VC2TransformType { typedef struct VC2TransformContext { dwtcoef *buffer; + int padding; void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, dwtcoef *data, ptrdiff_t stride, int width, int height); } VC2TransformContext; -int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); +int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, + int slice_w, int slice_h); void ff_vc2enc_free_transforms(VC2TransformContext *t); #endif /* AVCODEC_VC2ENC_DWT_H */ diff --git a/libavcodec/vdpau_hevc.c b/libavcodec/vdpau_hevc.c index 03c61dc6cc..ce2610f67f 100644 --- a/libavcodec/vdpau_hevc.c +++ b/libavcodec/vdpau_hevc.c @@ -234,7 +234,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx, const HEVCFrame *frame = &h->DPB[i]; if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF | HEVC_FRAME_FLAG_SHORT_REF))) { - if (j > 16) { + if (j > 15) { av_log(avctx, AV_LOG_WARNING, "VDPAU only supports up to 16 references in the DPB. " "This frame may not be decoded correctly.\n"); diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 49abb776f2..dfabfd394a 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", @@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fa749be0b7..b10cb39f8a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); @@ -2022,8 +2029,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { vp3_decode_end(avctx); ret = theora_decode_tables(avctx, &gb); @@ -2031,8 +2039,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index 814c78e34a..4b6c838b70 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 5bcf9b6217..7100bb455d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); @@ -171,7 +174,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -181,6 +184,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end <= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +254,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 631924828d..bfc3d3bc7c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; @@ -381,20 +400,11 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - s->parse_coeff(s); + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); @@ -453,6 +463,39 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) } } +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + static int vp56_size_changed(VP56Context *s) { AVCodecContext *avctx = s->avctx; @@ -464,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; @@ -529,13 +574,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF); - if (ret < 0) + if (ret < 0) { + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; + } if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) { av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]); if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) { av_frame_unref(p); + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; } } @@ -569,8 +619,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -589,6 +643,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; @@ -653,7 +708,18 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) { + damaged = 1; + if (!s->have_undamaged_frame || !avctx->error_concealment) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; @@ -667,6 +733,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..c049399df8 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; @@ -221,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee72..e70302bf85 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a2bb4578d5..4afd67b3a4 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; @@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -157,15 +162,16 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + goto fail; s->ccp = &s->cc; } } else { @@ -173,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) @@ -380,7 +390,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; @@ -402,7 +412,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { @@ -437,9 +447,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +460,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end <= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +528,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index c1c3eb7072..63e7849284 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -261,6 +261,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -274,13 +275,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) @@ -518,7 +519,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -570,7 +573,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -699,7 +704,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; @@ -2275,7 +2282,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) while(0) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2291,6 +2298,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else @@ -2319,6 +2330,8 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { @@ -2394,18 +2407,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2488,13 +2502,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); + return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); @@ -2531,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 374e1388e2..6218fe0567 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -275,7 +275,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 07bea69c78..fed5c67a90 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } @@ -95,7 +96,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +106,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -116,13 +118,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index cb2a4a2921..9118b05fcd 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -844,7 +844,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; @@ -3705,11 +3708,10 @@ static av_always_inline void adapt_prob(uint8_t *p, unsigned ct0, unsigned ct1, if (!ct) return; + update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count); p1 = *p; - p2 = ((ct0 << 8) + (ct >> 1)) / ct; + p2 = ((((int64_t) ct0) << 8) + (ct >> 1)) / ct; p2 = av_clip(p2, 1, 255); - ct = FFMIN(ct, max_count); - update_factor = FASTDIV(update_factor * ct, max_count); // (p1 * (256 - update_factor) + p2 * update_factor + 128) >> 8 *p = p1 + (((p2 - p1) * update_factor + 128) >> 8); @@ -4129,7 +4131,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index 2e9235e657..9900e7ab1f 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -28,6 +28,7 @@ typedef struct VP9ParseContext { int n_frames; // 1-8 int size[8]; + int marker_size; int64_t pts; } VP9ParseContext; @@ -88,6 +89,21 @@ static int parse(AVCodecParserContext *ctx, return 0; } + if (s->n_frames > 0) { + int i; + int size_sum = 0; + + for (i = 0; i < s->n_frames ;i++) + size_sum += s->size[i]; + size_sum += s->marker_size; + + if (size_sum != size) { + av_log(avctx, AV_LOG_ERROR, "Inconsistent input frame sizes %d %d\n", + size_sum, size); + s->n_frames = 0; + } + } + if (s->n_frames > 0) { *out_data = data; *out_size = s->size[--s->n_frames]; @@ -131,6 +147,7 @@ static int parse(AVCodecParserContext *ctx, data += sz; \ size -= sz; \ } \ + s->marker_size = size; \ parse_frame(ctx, *out_data, *out_size); \ return s->n_frames > 0 ? *out_size : full_size diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b6022f0fa5..0429adcfe1 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -184,7 +184,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } @@ -219,7 +219,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); @@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; @@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { @@ -307,8 +307,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } @@ -548,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; @@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks @@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; @@ -837,9 +837,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; @@ -872,6 +872,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index a1b46d5bd7..c71006112a 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values diff --git a/libavcodec/webp.c b/libavcodec/webp.c index e715c4b164..6aa0e4aed8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -693,7 +693,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; @@ -1042,7 +1042,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); @@ -1098,6 +1098,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) @@ -1122,16 +1137,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -1326,9 +1333,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { @@ -1341,6 +1347,14 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; + + if (!*got_frame) + return AVERROR_INVALIDDATA; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 6b4edfc6fd..7eb7b4cd30 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1271,6 +1271,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, } } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /* save the rest of the data so that it can be decoded diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0da..7b59d10a43 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 9ff99b2f98..915e9c7dc9 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c index c8943fa2f7..c53a1328f2 100644 --- a/libavcodec/x86/vc1dsp_init.c +++ b/libavcodec/x86/vc1dsp_init.c @@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); - if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags)) + if (HAVE_6REGS && INLINE_MMX(cpu_flags)) + if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); - if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags)) + if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags)) + if (EXTERNAL_MMXEXT(cpu_flags)) ff_vc1dsp_init_mmxext(dsp); #define ASSIGN_LF(EXT) \ diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 64cd8418a2..8b0845fc01 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c index 1b177d4262..85a39e4ae2 100644 --- a/libavcodec/y41pdec.c +++ b/libavcodec/y41pdec.c @@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data, uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index 95a5e05baa..346960a6cc 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c @@ -68,7 +68,7 @@ static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat, s = nodes[node].sym; if (s != -1) { - bits[*pos] = (~pfx) & ((1 << FFMAX(pl, 1)) - 1); + bits[*pos] = (~pfx) & ((1ULL << FFMAX(pl, 1)) - 1); lens[*pos] = FFMAX(pl, 1); xlat[*pos] = s + (pl == 0); (*pos)++; @@ -108,7 +108,7 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) int new_node = j; int first_node = cur_node; int second_node = cur_node; - int nd, st; + unsigned nd, st; nodes[cur_node].count = -1; @@ -132,6 +132,10 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) st = nodes[first_node].count; nodes[second_node].count = 0; nodes[first_node].count = 0; + if (nd >= UINT32_MAX - st) { + av_log(avctx, AV_LOG_ERROR, "count overflow\n"); + return AVERROR_INVALIDDATA; + } nodes[cur_node].count = nd + st; nodes[cur_node].sym = -1; nodes[cur_node].n0 = cur_node; diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index c45ae9ae5c..382b989fb1 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -118,14 +118,16 @@ static int iec61883_callback(unsigned char *data, int length, goto exit; } - packet->buf = av_malloc(length); + packet->buf = av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE); if (!packet->buf) { + av_free(packet); ret = -1; goto exit; } packet->len = length; memcpy(packet->buf, data, length); + memset(packet->buf + length, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (dv->queue_first) { dv->queue_last->next = packet; @@ -199,13 +201,21 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt) size = avpriv_dv_produce_packet(dv->dv_demux, pkt, packet->buf, packet->len, -1); dv->queue_first = packet->next; + if (size < 0) + av_free(packet->buf); av_free(packet); dv->packets--; - if (size > 0) - return size; + if (size < 0) + return -1; - return -1; + if (av_packet_from_data(pkt, pkt->data, pkt->size) < 0) { + av_freep(&pkt->data); + av_packet_unref(pkt); + return -1; + } + + return size; } static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt) @@ -453,6 +463,7 @@ static int iec61883_close(AVFormatContext *context) } else { iec61883_dv_fb_stop(dv->iec61883_dv); iec61883_dv_fb_close(dv->iec61883_dv); + av_freep(&dv->dv_demux); } while (dv->queue_first) { DVPacket *packet = dv->queue_first; diff --git a/libavfilter/af_hdcd.c b/libavfilter/af_hdcd.c index 16bdcb01ea..92f3c9ea89 100644 --- a/libavfilter/af_hdcd.c +++ b/libavfilter/af_hdcd.c @@ -949,6 +949,7 @@ static int hdcd_envelope(int32_t *samples, int count, int stride, int gain, int int len = FFMIN(count, target_gain - gain); /* attenuate slowly */ for (i = 0; i < len; i++) { + ++gain; APPLY_GAIN(*samples, gain); samples += stride; } diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 1eb102c10a..7c02f6720d 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -109,7 +109,7 @@ static av_cold int init(AVFilterContext *ctx) if (!pan->args) { av_log(ctx, AV_LOG_ERROR, "pan filter needs a channel layout and a set " - "of channels definitions as parameter\n"); + "of channel definitions as parameter\n"); return AVERROR(EINVAL); } if (!args) @@ -276,7 +276,7 @@ static int config_props(AVFilterLink *link) if (link->channels > MAX_CHANNELS || pan->nb_output_channels > MAX_CHANNELS) { av_log(ctx, AV_LOG_ERROR, - "af_pan support a maximum of %d channels. " + "af_pan supports a maximum of %d channels. " "Feel free to ask for a higher limit.\n", MAX_CHANNELS); return AVERROR_PATCHWELCOME; } diff --git a/libavfilter/af_silenceremove.c b/libavfilter/af_silenceremove.c index f156d1883d..3d3651a76f 100644 --- a/libavfilter/af_silenceremove.c +++ b/libavfilter/af_silenceremove.c @@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * diff --git a/libavfilter/af_sofalizer.c b/libavfilter/af_sofalizer.c index 7558f57eb9..f41972508a 100644 --- a/libavfilter/af_sofalizer.c +++ b/libavfilter/af_sofalizer.c @@ -448,7 +448,7 @@ static int get_speaker_pos(AVFilterContext *ctx, /* set speaker positions according to input channel configuration: */ for (m = 0, ch = 0; ch < n_conv && m < 64; m++) { - uint64_t mask = channels_layout & (1 << m); + uint64_t mask = channels_layout & (1ULL << m); switch (mask) { case AV_CH_FRONT_LEFT: azim[ch] = 30; break; diff --git a/libavfilter/avfilter.h b/libavfilter/avfilter.h index 79227a7ea0..757b81a610 100644 --- a/libavfilter/avfilter.h +++ b/libavfilter/avfilter.h @@ -344,6 +344,13 @@ struct AVFilterContext { */ AVFilterInternal *internal; + struct AVFilterCommand *command_queue; + + char *enable_str; ///< enable expression string + void *enable; ///< parsed expression (AVExpr*) + double *var_values; ///< variable values for the enable expression + int is_disabled; ///< the enabled state from the last expression evaluation + /** * For filters which will create hardware frames, sets the device the * filter should create them in. All other filters will ignore this field: @@ -352,13 +359,6 @@ struct AVFilterContext { * hardware context information. */ AVBufferRef *hw_device_ctx; - - struct AVFilterCommand *command_queue; - - char *enable_str; ///< enable expression string - void *enable; ///< parsed expression (AVExpr*) - double *var_values; ///< variable values for the enable expression - int is_disabled; ///< the enabled state from the last expression evaluation }; /** @@ -473,12 +473,6 @@ struct AVFilterLink { */ AVRational frame_rate; - /** - * For hwaccel pixel formats, this should be a reference to the - * AVHWFramesContext describing the frames. - */ - AVBufferRef *hw_frames_ctx; - /** * Buffer partially filled with samples to achieve a fixed/minimum size. */ @@ -550,6 +544,12 @@ struct AVFilterLink { * cleared when a frame is filtered. */ int frame_wanted_out; + + /** + * For hwaccel pixel formats, this should be a reference to the + * AVHWFramesContext describing the frames. + */ + AVBufferRef *hw_frames_ctx; }; /** diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 42751132af..64e12524eb 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -863,6 +863,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter) for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index 9294811d36..ba87211272 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -316,14 +316,16 @@ static av_cold int init_audio(AVFilterContext *ctx) return AVERROR(EINVAL); } - if (s->channel_layout_str) { + if (s->channel_layout_str || s->channel_layout) { int n; - s->channel_layout = av_get_channel_layout(s->channel_layout_str); if (!s->channel_layout) { - av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", - s->channel_layout_str); - return AVERROR(EINVAL); + s->channel_layout = av_get_channel_layout(s->channel_layout_str); + if (!s->channel_layout) { + av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", + s->channel_layout_str); + return AVERROR(EINVAL); + } } n = av_get_channel_layout_nb_channels(s->channel_layout); if (s->channels) { diff --git a/libavfilter/drawutils.c b/libavfilter/drawutils.c index e533040204..8153fdebb7 100644 --- a/libavfilter/drawutils.c +++ b/libavfilter/drawutils.c @@ -450,6 +450,7 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color, alpha = 0x101 * color->rgba[3] + 0x2; } nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA); + nb_planes += !nb_planes; for (plane = 0; plane < nb_planes; plane++) { nb_comp = draw->pixelstep[plane]; p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0); @@ -627,6 +628,7 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color, alpha = (0x101 * color->rgba[3] + 0x2) >> 8; } nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA); + nb_planes += !nb_planes; for (plane = 0; plane < nb_planes; plane++) { nb_comp = draw->pixelstep[plane]; p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0); diff --git a/libavfilter/version.h b/libavfilter/version.h index 1924cfeffa..6d56dadfa0 100644 --- a/libavfilter/version.h +++ b/libavfilter/version.h @@ -30,8 +30,8 @@ #include "libavutil/version.h" #define LIBAVFILTER_VERSION_MAJOR 6 -#define LIBAVFILTER_VERSION_MINOR 46 -#define LIBAVFILTER_VERSION_MICRO 102 +#define LIBAVFILTER_VERSION_MINOR 47 +#define LIBAVFILTER_VERSION_MICRO 100 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \ LIBAVFILTER_VERSION_MINOR, \ diff --git a/libavfilter/vf_blackframe.c b/libavfilter/vf_blackframe.c index ad6d488b3a..9fe2a42942 100644 --- a/libavfilter/vf_blackframe.c +++ b/libavfilter/vf_blackframe.c @@ -104,8 +104,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) #define OFFSET(x) offsetof(BlackFrameContext, x) #define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM static const AVOption blackframe_options[] = { - { "amount", "Percentage of the pixels that have to be below the threshold " - "for the frame to be considered black.", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, + { "amount", "percentage of the pixels that have to be below the threshold " + "for the frame to be considered black", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, { "threshold", "threshold below which a pixel value is considered black", OFFSET(bthresh), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, 255, FLAGS }, { "thresh", "threshold below which a pixel value is considered black", diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index 3d39f13d1e..a54369054f 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -1008,7 +1008,7 @@ static const AVOption colorspace_options[] = { { "space", "Output colorspace", OFFSET(user_csp), AV_OPT_TYPE_INT, { .i64 = AVCOL_SPC_UNSPECIFIED }, - AVCOL_PRI_RESERVED0, AVCOL_PRI_NB - 1, FLAGS, "csp" }, + AVCOL_SPC_RGB, AVCOL_SPC_NB - 1, FLAGS, "csp"}, ENUM("bt709", AVCOL_SPC_BT709, "csp"), ENUM("fcc", AVCOL_SPC_FCC, "csp"), ENUM("bt470bg", AVCOL_SPC_BT470BG, "csp"), diff --git a/libavfilter/vf_hwupload_cuda.c b/libavfilter/vf_hwupload_cuda.c index c22221c699..0a6d031e00 100644 --- a/libavfilter/vf_hwupload_cuda.c +++ b/libavfilter/vf_hwupload_cuda.c @@ -191,7 +191,7 @@ fail: #define OFFSET(x) offsetof(CudaUploadContext, x) #define FLAGS (AV_OPT_FLAG_FILTERING_PARAM | AV_OPT_FLAG_VIDEO_PARAM) static const AVOption cudaupload_options[] = { - { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, .flags = FLAGS }, + { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, FLAGS }, { NULL }, }; diff --git a/libavfilter/vf_ssim.c b/libavfilter/vf_ssim.c index dd8f264812..6fc80995a9 100644 --- a/libavfilter/vf_ssim.c +++ b/libavfilter/vf_ssim.c @@ -147,6 +147,8 @@ static float ssim_endn(const int (*sum0)[4], const int (*sum1)[4], int width) return ssim; } +#define SUM_LEN(w) (((w) >> 2) + 3) + static float ssim_plane(SSIMDSPContext *dsp, uint8_t *main, int main_stride, uint8_t *ref, int ref_stride, @@ -155,7 +157,7 @@ static float ssim_plane(SSIMDSPContext *dsp, int z = 0, y; float ssim = 0.0; int (*sum0)[4] = temp; - int (*sum1)[4] = sum0 + (width >> 2) + 3; + int (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -297,7 +299,7 @@ static int config_input_ref(AVFilterLink *inlink) for (i = 0; i < s->nb_components; i++) s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum; - s->temp = av_malloc((2 * inlink->w + 12) * sizeof(*s->temp)); + s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), sizeof(int[4])); if (!s->temp) return AVERROR(ENOMEM); diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index f963254e11..41f72161d9 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -227,8 +227,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3], p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index d191bc4c04..f4c13642ff 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -367,6 +367,11 @@ static int aiff_read_packet(AVFormatContext *s, if (max_size <= 0) return AVERROR_EOF; + if (!st->codecpar->block_align) { + av_log(s, AV_LOG_ERROR, "block_align not set\n"); + return AVERROR_INVALIDDATA; + } + /* Now for that packet */ switch (st->codecpar->codec_id) { case AV_CODEC_ID_ADPCM_IMA_QT: @@ -376,7 +381,7 @@ static int aiff_read_packet(AVFormatContext *s, size = st->codecpar->block_align; break; default: - size = (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align; + size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index bb17896ee5..7a284e32c2 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -269,7 +269,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket /* default is hundredths of seconds */ if (!delay_den) delay_den = 100; - if (!delay_num || delay_den / delay_num > ctx->max_fps) { + if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) { delay_num = 1; delay_den = ctx->default_fps; } diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2c81b138f2..2e9883b17e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; @@ -1608,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); diff --git a/libavformat/astdec.c b/libavformat/astdec.c index f3ca721ccf..7a53d0bb70 100644 --- a/libavformat/astdec.c +++ b/libavformat/astdec.c @@ -90,7 +90,7 @@ static int ast_read_packet(AVFormatContext *s, AVPacket *pkt) pos = avio_tell(s->pb); type = avio_rl32(s->pb); size = avio_rb32(s->pb); - if (size > INT_MAX / s->streams[0]->codecpar->channels) + if (!s->streams[0]->codecpar->channels || size > INT_MAX / s->streams[0]->codecpar->channels) return AVERROR_INVALIDDATA; size *= s->streams[0]->codecpar->channels; diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 876f1e3ee4..4e7c615d33 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -985,17 +985,6 @@ typedef struct AVStream { int event_flags; #define AVSTREAM_EVENT_FLAG_METADATA_UPDATED 0x0001 ///< The call resulted in updated metadata. - /* - * Codec parameters associated with this stream. Allocated and freed by - * libavformat in avformat_new_stream() and avformat_free_context() - * respectively. - * - * - demuxing: filled by libavformat on stream creation or in - * avformat_find_stream_info() - * - muxing: filled by the caller before avformat_write_header() - */ - AVCodecParameters *codecpar; - /***************************************************************** * All fields below this line are not part of the public API. They * may not be used outside of libavformat and can be changed and @@ -1217,6 +1206,17 @@ typedef struct AVStream { * Must not be accessed in any way by callers. */ AVStreamInternal *internal; + + /* + * Codec parameters associated with this stream. Allocated and freed by + * libavformat in avformat_new_stream() and avformat_free_context() + * respectively. + * + * - demuxing: filled by libavformat on stream creation or in + * avformat_find_stream_info() + * - muxing: filled by the caller before avformat_write_header() + */ + AVCodecParameters *codecpar; } AVStream; AVRational av_stream_get_r_frame_rate(const AVStream *s); @@ -1884,6 +1884,13 @@ typedef struct AVFormatContext { * - decoding: set by user through AVOptions (NO direct access) */ char *protocol_blacklist; + + /** + * The maximum number of streams. + * - encoding: unused + * - decoding: set by user through AVOptions (NO direct access) + */ + int max_streams; } AVFormatContext; int av_format_get_probe_score(const AVFormatContext *s); diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 38ea86dbb3..65193289c4 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -344,14 +344,14 @@ static void avi_metadata_creation_time(AVDictionary **metadata, char *date) static void avi_read_nikon(AVFormatContext *s, uint64_t end) { - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !avio_feof(s->pb)) { uint32_t tag = avio_rl32(s->pb); uint32_t size = avio_rl32(s->pb); switch (tag) { case MKTAG('n', 'c', 't', 'g'): /* Nikon Tags */ { uint64_t tag_end = avio_tell(s->pb) + size; - while (avio_tell(s->pb) < tag_end) { + while (avio_tell(s->pb) < tag_end && !avio_feof(s->pb)) { uint16_t tag = avio_rl16(s->pb); uint16_t size = avio_rl16(s->pb); const char *name = NULL; @@ -605,9 +605,13 @@ static int avi_read_header(AVFormatContext *s) ast = s->streams[0]->priv_data; av_freep(&s->streams[0]->codecpar->extradata); av_freep(&s->streams[0]->codecpar); + av_freep(&s->streams[0]->codec); if (s->streams[0]->info) av_freep(&s->streams[0]->info->duration_error); av_freep(&s->streams[0]->info); + if (s->streams[0]->internal) + av_freep(&s->streams[0]->internal->avctx); + av_freep(&s->streams[0]->internal); av_freep(&s->streams[0]); s->nb_streams = 0; if (CONFIG_DV_DEMUXER) { @@ -1084,6 +1088,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; @@ -1093,6 +1100,8 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) goto error; if (!avformat_open_input(&ast->sub_ctx, "", sub_demuxer, NULL)) { + if (ast->sub_ctx->nb_streams != 1) + goto error; ff_read_packet(ast->sub_ctx, &ast->sub_pkt); avcodec_parameters_copy(st->codecpar, ast->sub_ctx->streams[0]->codecpar); time_base = ast->sub_ctx->streams[0]->time_base; @@ -1187,7 +1196,8 @@ start_sync: if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) || // parse JUNK (d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') || - (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) { + (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') || + (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) { avio_skip(pb, size); goto start_sync; } @@ -1849,7 +1859,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, continue; // av_assert1(st2->codecpar->block_align); - av_assert0(fabs(av_q2d(st2->time_base) - ast2->scale / (double)ast2->rate) < av_q2d(st2->time_base) * 0.00000001); index = av_index_search_timestamp(st2, av_rescale_q(timestamp, st->time_base, diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 95793c92cd..2c56adb307 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 0efedda1a3..545c97ad43 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b3a430e5a0..9bb7556d9d 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -199,8 +199,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx) AVBitStreamFilterContext *bsf; int ret; - if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264 && - (st->codecpar->extradata_size < 4 || AV_RB32(st->codecpar->extradata) != 1)) { + if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264) { + if (!st->codecpar->extradata_size || + (st->codecpar->extradata_size >= 3 && AV_RB24(st->codecpar->extradata) == 1) || + (st->codecpar->extradata_size >= 4 && AV_RB32(st->codecpar->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 69fae417e8..6035dd4334 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p) static int dcstr_read_header(AVFormatContext *s) { unsigned codec, align; + int mult; AVStream *st; st = avformat_new_stream(s, NULL); @@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s) align = avio_rl32(s->pb); avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); - st->codecpar->channels *= avio_rl32(s->pb); + mult = avio_rl32(s->pb); + if (st->codecpar->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codecpar->channels) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codecpar->channels, mult); + return AVERROR_INVALIDDATA; + } + st->codecpar->channels *= mult; if (!align || align > INT_MAX / st->codecpar->channels) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 16ba8ecf58..08f1fbe9b7 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -21,6 +21,7 @@ #include +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "libavutil/intfloat.h" @@ -28,6 +29,7 @@ #include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/pixdesc.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "internal.h" #include "ffm.h" @@ -277,6 +279,14 @@ static int ffm_append_recommended_configuration(AVStream *st, char **conf) return 0; } +#define VALIDATE_PARAMETER(parameter, name, check) { \ + if (check) { \ + av_log(codec, AV_LOG_ERROR, "Invalid " name " %d\n", codec->parameter); \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ +} + static int ffm2_read_header(AVFormatContext *s) { FFMContext *ffm = s->priv_data; @@ -342,6 +352,7 @@ static int ffm2_read_header(AVFormatContext *s) if (!codec_desc) { av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); codec->codec_id = AV_CODEC_ID_NONE; + ret = AVERROR_INVALIDDATA; goto fail; } codec->codec_type = avio_r8(pb); @@ -350,14 +361,25 @@ static int ffm2_read_header(AVFormatContext *s) codec_desc->type, codec->codec_type); codec->codec_id = AV_CODEC_ID_NONE; codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + ret = AVERROR_INVALIDDATA; goto fail; } codec->bit_rate = avio_rb32(pb); + if (codec->bit_rate < 0) { + av_log(codec, AV_LOG_ERROR, "Invalid bit rate %"PRId64"\n", codec->bit_rate); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); codec->debug = avio_rb32(pb); if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { int size = avio_rb32(pb); + if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) { + av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec->extradata) return AVERROR(ENOMEM); @@ -366,7 +388,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', 'T', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -380,6 +402,9 @@ static int ffm2_read_header(AVFormatContext *s) } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); + ret = av_image_check_size(codec->width, codec->height, 0, s); + if (ret < 0) + goto fail; codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); if (!av_pix_fmt_desc_get(codec->pix_fmt)) { @@ -427,13 +452,16 @@ static int ffm2_read_header(AVFormatContext *s) codec->refs = avio_rb32(pb); break; case MKBETAG('S', 'T', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } codec->sample_rate = avio_rb32(pb); + VALIDATE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0) codec->channels = avio_rl16(pb); + VALIDATE_PARAMETER(channels, "number of channels", codec->channels < 0) codec->frame_size = avio_rl16(pb); + VALIDATE_PARAMETER(frame_size, "frame size", codec->frame_size < 0) break; case MKBETAG('C', 'P', 'R', 'V'): if (f_cprv++) { @@ -453,7 +481,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++ || !size) { + if (f_stvi++ || !size || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -468,7 +496,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++ || !size) { + if (f_stau++ || !size || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } @@ -513,7 +541,7 @@ static int ffm_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVCodecContext *codec; const AVCodecDescriptor *codec_desc; - int i, nb_streams; + int i, nb_streams, ret; uint32_t tag; /* header */ @@ -565,6 +593,10 @@ static int ffm_read_header(AVFormatContext *s) goto fail; } codec->bit_rate = avio_rb32(pb); + if (codec->bit_rate < 0) { + av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate); + goto fail; + } codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); codec->debug = avio_rb32(pb); @@ -580,6 +612,8 @@ static int ffm_read_header(AVFormatContext *s) } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); + if (av_image_check_size(codec->width, codec->height, 0, s) < 0) + goto fail; codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); if (!av_pix_fmt_desc_get(codec->pix_fmt)) { @@ -628,14 +662,21 @@ static int ffm_read_header(AVFormatContext *s) break; case AVMEDIA_TYPE_AUDIO: codec->sample_rate = avio_rb32(pb); + VALIDATE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0) codec->channels = avio_rl16(pb); + VALIDATE_PARAMETER(channels, "number of channels", codec->channels < 0) codec->frame_size = avio_rl16(pb); + VALIDATE_PARAMETER(frame_size, "frame size", codec->frame_size < 0) break; default: goto fail; } if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { int size = avio_rb32(pb); + if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) { + av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size); + goto fail; + } codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec->extradata) return AVERROR(ENOMEM); diff --git a/libavformat/filmstripdec.c b/libavformat/filmstripdec.c index 414e276bfe..0aeb5947b0 100644 --- a/libavformat/filmstripdec.c +++ b/libavformat/filmstripdec.c @@ -25,6 +25,7 @@ */ #include "libavutil/intreadwrite.h" +#include "libavutil/imgutils.h" #include "avformat.h" #include "internal.h" @@ -68,10 +69,8 @@ static int read_header(AVFormatContext *s) st->codecpar->height = avio_rb16(pb); film->leading = avio_rb16(pb); - if (st->codecpar->width * 4LL * st->codecpar->height >= INT_MAX) { - av_log(s, AV_LOG_ERROR, "dimensions too large\n"); - return AVERROR_PATCHWELCOME; - } + if (av_image_check_size(st->codecpar->width, st->codecpar->height, 0, s) < 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 64, 1, avio_rb16(pb)); diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 3060dc45fd..66baba5922 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -65,7 +65,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 2bf1e059e1..b5f0b82461 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -61,6 +61,12 @@ typedef struct FLVContext { int broken_sizes; int sum_flv_tag_size; + + int last_keyframe_stream_index; + int keyframe_count; + int64_t *keyframe_times; + int64_t *keyframe_filepositions; + int missing_streams; } FLVContext; static int probe(AVProbeData *p, int live) @@ -92,8 +98,38 @@ static int live_flv_probe(AVProbeData *p) return probe(p, 1); } +static void add_keyframes_index(AVFormatContext *s) +{ + FLVContext *flv = s->priv_data; + AVStream *stream = NULL; + unsigned int i = 0; + + if (flv->last_keyframe_stream_index < 0) { + av_log(s, AV_LOG_DEBUG, "keyframe stream hasn't been created\n"); + return; + } + + av_assert0(flv->last_keyframe_stream_index <= s->nb_streams); + stream = s->streams[flv->last_keyframe_stream_index]; + + if (stream->nb_index_entries == 0) { + for (i = 0; i < flv->keyframe_count; i++) { + av_add_index_entry(stream, flv->keyframe_filepositions[i], + flv->keyframe_times[i] * 1000, 0, 0, AVINDEX_KEYFRAME); + } + } else + av_log(s, AV_LOG_WARNING, "Skipping duplicate index\n"); + + if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + av_freep(&flv->keyframe_times); + av_freep(&flv->keyframe_filepositions); + flv->keyframe_count = 0; + } +} + static AVStream *create_stream(AVFormatContext *s, int codec_type) { + FLVContext *flv = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); if (!st) return NULL; @@ -102,8 +138,15 @@ static AVStream *create_stream(AVFormatContext *s, int codec_type) && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE && s->streams[1]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE)) s->ctx_flags &= ~AVFMTCTX_NOHEADER; + if (codec_type == AVMEDIA_TYPE_AUDIO) + flv->missing_streams &= ~FLV_HEADER_FLAG_HASAUDIO; + if (codec_type == AVMEDIA_TYPE_VIDEO) + flv->missing_streams &= ~FLV_HEADER_FLAG_HASVIDEO; + avpriv_set_pts_info(st, 32, 1, 1000); /* 32 bit pts in ms */ + flv->last_keyframe_stream_index = s->nb_streams - 1; + add_keyframes_index(s); return st; } @@ -246,7 +289,9 @@ static int flv_same_video_codec(AVCodecParameters *vpar, int flags) static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid, int read) { + int ret = 0; AVCodecParameters *par = vstream->codecpar; + enum AVCodecID old_codec_id = vstream->codecpar->codec_id; switch (flv_codecid) { case FLV_CODECID_H263: par->codec_id = AV_CODEC_ID_FLV1; @@ -274,20 +319,28 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, else avio_skip(s->pb, 1); } - return 1; // 1 byte body size adjustment for flv_read_packet() + ret = 1; // 1 byte body size adjustment for flv_read_packet() + break; case FLV_CODECID_H264: par->codec_id = AV_CODEC_ID_H264; vstream->need_parsing = AVSTREAM_PARSE_HEADERS; - return 3; // not 4, reading packet type will consume one byte + ret = 3; // not 4, reading packet type will consume one byte + break; case FLV_CODECID_MPEG4: par->codec_id = AV_CODEC_ID_MPEG4; - return 3; + ret = 3; + break; default: avpriv_request_sample(s, "Video codec (%x)", flv_codecid); par->codec_tag = flv_codecid; } - return 0; + if (!vstream->internal->need_context_update && par->codec_id != old_codec_id) { + avpriv_request_sample(s, "Changing the codec id midstream"); + return AVERROR_PATCHWELCOME; + } + + return ret; } static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) @@ -305,8 +358,7 @@ static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) return length; } -static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, - AVStream *vstream, int64_t max_pos) +static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t max_pos) { FLVContext *flv = s->priv_data; unsigned int timeslen = 0, fileposlen = 0, i; @@ -316,10 +368,12 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int ret = AVERROR(ENOSYS); int64_t initial_pos = avio_tell(ioc); - if (vstream->nb_index_entries>0) { - av_log(s, AV_LOG_WARNING, "Skipping duplicate index\n"); + if (flv->keyframe_count > 0) { + av_log(s, AV_LOG_DEBUG, "keyframes have been paresed\n"); return 0; } + av_assert0(!flv->keyframe_times); + av_assert0(!flv->keyframe_filepositions); if (s->flags & AVFMT_FLAG_IGNIDX) return 0; @@ -368,15 +422,16 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, } if (timeslen == fileposlen && fileposlen>1 && max_pos <= filepositions[0]) { - for (i = 0; i < fileposlen; i++) { - av_add_index_entry(vstream, filepositions[i], times[i] * 1000, - 0, 0, AVINDEX_KEYFRAME); - if (i < 2) { - flv->validate_index[i].pos = filepositions[i]; - flv->validate_index[i].dts = times[i] * 1000; - flv->validate_count = i + 1; - } + for (i = 0; i < FFMIN(2,fileposlen); i++) { + flv->validate_index[i].pos = filepositions[i]; + flv->validate_index[i].dts = times[i] * 1000; + flv->validate_count = i + 1; } + flv->keyframe_times = times; + flv->keyframe_filepositions = filepositions; + flv->keyframe_count = timeslen; + times = NULL; + filepositions = NULL; } else { invalid: av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n"); @@ -418,13 +473,14 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, } break; case AMF_DATA_TYPE_OBJECT: - if ((vstream || astream) && key && + if (key && ioc->seekable && !strcmp(KEYFRAMES_TAG, key) && depth == 1) - if (parse_keyframes_index(s, ioc, vstream ? vstream : astream, + if (parse_keyframes_index(s, ioc, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); - + else + add_keyframes_index(s); while (avio_tell(ioc) < max_pos - 2 && amf_get_string(ioc, str_val, sizeof(str_val)) > 0) if (amf_parse_object(s, astream, vstream, str_val, max_pos, @@ -499,7 +555,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, st->codecpar->codec_id = AV_CODEC_ID_TEXT; } else if (flv->trust_metadata) { if (!strcmp(key, "videocodecid") && vpar) { - flv_set_video_codec(s, vstream, num_val, 0); + int ret = flv_set_video_codec(s, vstream, num_val, 0); + if (ret < 0) + return ret; } else if (!strcmp(key, "audiocodecid") && apar) { int id = ((int)num_val) << FLV_AUDIO_CODECID_OFFSET; flv_set_audio_codec(s, astream, apar, id); @@ -574,6 +632,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { + FLVContext *flv = s->priv_data; AMFDataType type; AVStream *stream, *astream, *vstream; AVStream av_unused *dstream; @@ -612,10 +671,14 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) // the lookup every time it is called. for (i = 0; i < s->nb_streams; i++) { stream = s->streams[i]; - if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { vstream = stream; - else if (stream->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) + flv->last_keyframe_stream_index = i; + } else if (stream->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { astream = stream; + if (flv->last_keyframe_stream_index == -1) + flv->last_keyframe_stream_index = i; + } else if (stream->codecpar->codec_type == AVMEDIA_TYPE_SUBTITLE) dstream = stream; } @@ -629,11 +692,14 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) static int flv_read_header(AVFormatContext *s) { + int flags; FLVContext *flv = s->priv_data; int offset; avio_skip(s->pb, 4); - avio_r8(s->pb); // flags + flags = avio_r8(s->pb); + + flv->missing_streams = flags & (FLV_HEADER_FLAG_HASVIDEO | FLV_HEADER_FLAG_HASAUDIO); s->ctx_flags |= AVFMTCTX_NOHEADER; @@ -643,6 +709,7 @@ static int flv_read_header(AVFormatContext *s) s->start_time = 0; flv->sum_flv_tag_size = 0; + flv->last_keyframe_stream_index = -1; return 0; } @@ -653,6 +720,8 @@ static int flv_read_close(AVFormatContext *s) FLVContext *flv = s->priv_data; for (i=0; inew_extradata[i]); + av_freep(&flv->keyframe_times); + av_freep(&flv->keyframe_filepositions); return 0; } @@ -1039,7 +1108,10 @@ retry_duration: avcodec_parameters_free(&par); } } else if (stream_type == FLV_STREAM_TYPE_VIDEO) { - size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1); + int ret = flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1); + if (ret < 0) + return ret; + size -= ret; } else if (stream_type == FLV_STREAM_TYPE_DATA) { st->codecpar->codec_id = AV_CODEC_ID_TEXT; } @@ -1167,6 +1239,7 @@ static int flv_read_seek(AVFormatContext *s, int stream_index, #define VD AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption options[] = { { "flv_metadata", "Allocate streams according to the onMetaData array", OFFSET(trust_metadata), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VD }, + { "missing_streams", "", OFFSET(missing_streams), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 0xFF, VD | AV_OPT_FLAG_EXPORT | AV_OPT_FLAG_READONLY }, { NULL } }; diff --git a/libavformat/hls.c b/libavformat/hls.c index b962d67abc..087885a121 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -98,7 +98,11 @@ struct playlist { int index; AVFormatContext *ctx; AVPacket pkt; - int stream_offset; + + /* main demuxer streams associated with this playlist + * indexed by the subdemuxer stream indexes */ + AVStream **main_streams; + int n_main_streams; int finished; enum PlaylistType type; @@ -199,6 +203,8 @@ typedef struct HLSContext { char *http_proxy; ///< holds the address of the HTTP proxy server AVDictionary *avio_opts; int strict_std_compliance; + char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -239,6 +245,7 @@ static void free_playlist_list(HLSContext *c) struct playlist *pls = c->playlists[i]; free_segment_list(pls); free_init_section_list(pls); + av_freep(&pls->main_streams); av_freep(&pls->renditions); av_freep(&pls->id3_buf); av_dict_free(&pls->id3_initial); @@ -411,10 +418,10 @@ static struct segment *new_init_section(struct playlist *pls, } if (info->byterange[0]) { - sec->size = atoi(info->byterange); + sec->size = strtoll(info->byterange, NULL, 10); ptr = strchr(info->byterange, '@'); if (ptr) - sec->url_offset = atoi(ptr+1); + sec->url_offset = strtoll(ptr+1, NULL, 10); } else { /* the entire file is the init section */ sec->size = -1; @@ -590,7 +597,7 @@ static void update_options(char **dest, const char *name, void *src) } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2) + AVDictionary *opts, AVDictionary *opts2, int *is_http) { HLSContext *c = s->priv_data; AVDictionary *tmp = NULL; @@ -612,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; // only http(s) & file are allowed - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(s, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':') @@ -631,6 +649,9 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_dict_free(&tmp); + if (is_http) + *is_http = av_strstart(proto_name, "http", NULL); + return ret; } @@ -723,7 +744,7 @@ static int parse_playlist(HLSContext *c, const char *url, ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = atoi(ptr) * AV_TIME_BASE; + pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) @@ -752,10 +773,10 @@ static int parse_playlist(HLSContext *c, const char *url, is_segment = 1; duration = atof(ptr) * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-BYTERANGE:", &ptr)) { - seg_size = atoi(ptr); + seg_size = strtoll(ptr, NULL, 10); ptr = strchr(ptr, '@'); if (ptr) - seg_offset = atoi(ptr+1); + seg_offset = strtoll(ptr+1, NULL, 10); } else if (av_strstart(line, "#", NULL)) { continue; } else if (line[0]) { @@ -1072,6 +1093,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) { AVDictionary *opts = NULL; int ret; + int is_http = 0; // broker prior HTTP options that should be consistent across requests av_dict_set(&opts, "user-agent", c->user_agent, 0); @@ -1091,13 +1113,13 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - ret = open_url(pls->parent, &pls->input, seg->url, c->avio_opts, opts); + ret = open_url(pls->parent, &pls->input, seg->url, c->avio_opts, opts, &is_http); } else if (seg->key_type == KEY_AES_128) { AVDictionary *opts2 = NULL; char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { AVIOContext *pb; - if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts) == 0) { + if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts, NULL) == 0) { ret = avio_read(pb, pls->key, sizeof(pls->key)); if (ret != sizeof(pls->key)) { av_log(NULL, AV_LOG_ERROR, "Unable to read key file %s\n", @@ -1122,7 +1144,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) av_dict_set(&opts2, "key", key, 0); av_dict_set(&opts2, "iv", iv, 0); - ret = open_url(pls->parent, &pls->input, url, opts2, opts); + ret = open_url(pls->parent, &pls->input, url, opts2, opts, &is_http); av_dict_free(&opts2); @@ -1140,8 +1162,15 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) /* Seek to the requested position. If this was a HTTP request, the offset * should already be where want it to, but this allows e.g. local testing - * without a HTTP server. */ - if (ret == 0 && seg->key_type == KEY_NONE && seg->url_offset) { + * without a HTTP server. + * + * This is not done for HTTP at all as avio_seek() does internal bookkeeping + * of file offset which is out-of-sync with the actual offset when "offset" + * AVOption is used with http protocol, causing the seek to not be a no-op + * as would be expected. Wrong offset received from the server will not be + * noticed without the call, though. + */ + if (ret == 0 && !is_http && seg->key_type == KEY_NONE && seg->url_offset) { int64_t seekret = avio_seek(pls->input, seg->url_offset, SEEK_SET); if (seekret < 0) { av_log(pls->parent, AV_LOG_ERROR, "Unable to seek to offset %"PRId64" of HLS segment '%s'\n", seg->url_offset, seg->url); @@ -1226,6 +1255,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1237,13 +1267,13 @@ restart: /* Check that the playlist is still needed before opening a new * segment. */ - if (v->ctx && v->ctx->nb_streams && - v->parent->nb_streams >= v->stream_offset + v->ctx->nb_streams) { + if (v->ctx && v->ctx->nb_streams) { v->needed = 0; - for (i = v->stream_offset; i < v->stream_offset + v->ctx->nb_streams; - i++) { - if (v->parent->streams[i]->discard < AVDISCARD_ALL) + for (i = 0; i < v->n_main_streams; i++) { + if (v->main_streams[i]->discard < AVDISCARD_ALL) { v->needed = 1; + break; + } } } if (!v->needed) { @@ -1257,6 +1287,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -1381,8 +1414,8 @@ static void add_metadata_from_renditions(AVFormatContext *s, struct playlist *pl int rend_idx = 0; int i; - for (i = 0; i < pls->ctx->nb_streams; i++) { - AVStream *st = s->streams[pls->stream_offset + i]; + for (i = 0; i < pls->n_main_streams; i++) { + AVStream *st = pls->main_streams[i]; if (st->codecpar->codec_type != type) continue; @@ -1508,7 +1541,8 @@ static int hls_read_header(AVFormatContext *s) { void *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb; HLSContext *c = s->priv_data; - int ret = 0, i, j, stream_offset = 0; + int ret = 0, i, j; + int highest_cur_seq_no = 0; c->ctx = s; c->interrupt_callback = &s->interrupt_callback; @@ -1583,6 +1617,17 @@ static int hls_read_header(AVFormatContext *s) add_renditions_to_variant(c, var, AVMEDIA_TYPE_SUBTITLE, var->subtitles_group); } + /* Select the starting segments */ + for (i = 0; i < c->n_playlists; i++) { + struct playlist *pls = c->playlists[i]; + + if (pls->n_segments == 0) + continue; + + pls->cur_seq_no = select_cur_seq_no(c, pls); + highest_cur_seq_no = FFMAX(highest_cur_seq_no, pls->cur_seq_no); + } + /* Open the demuxer for each playlist */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; @@ -1599,7 +1644,18 @@ static int hls_read_header(AVFormatContext *s) pls->index = i; pls->needed = 1; pls->parent = s; - pls->cur_seq_no = select_cur_seq_no(c, pls); + + /* + * If this is a live stream and this playlist looks like it is one segment + * behind, try to sync it up so that every substream starts at the same + * time position (so e.g. avformat_find_stream_info() will see packets from + * all active streams within the first few seconds). This is not very generic, + * though, as the sequence numbers are technically independent. + */ + if (!pls->finished && pls->cur_seq_no == highest_cur_seq_no - 1 && + highest_cur_seq_no < pls->start_seq_no + pls->n_segments) { + pls->cur_seq_no = highest_cur_seq_no; + } pls->read_buffer = av_malloc(INITIAL_BUFFER_SIZE); if (!pls->read_buffer){ @@ -1625,7 +1681,6 @@ static int hls_read_header(AVFormatContext *s) } pls->ctx->pb = &pls->pb; pls->ctx->io_open = nested_io_open; - pls->stream_offset = stream_offset; if ((ret = ff_copy_whiteblacklists(pls->ctx, s)) < 0) goto fail; @@ -1665,13 +1720,13 @@ static int hls_read_header(AVFormatContext *s) avpriv_set_pts_info(st, 33, 1, MPEG_TIME_BASE); else avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den); + + dynarray_add(&pls->main_streams, &pls->n_main_streams, st); } add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_AUDIO); add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_VIDEO); add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_SUBTITLE); - - stream_offset += pls->ctx->nb_streams; } /* Create a program for each variant */ @@ -1689,10 +1744,10 @@ static int hls_read_header(AVFormatContext *s) int is_shared = playlist_in_multiple_variants(c, pls); int k; - for (k = 0; k < pls->ctx->nb_streams; k++) { - struct AVStream *st = s->streams[pls->stream_offset + k]; + for (k = 0; k < pls->n_main_streams; k++) { + struct AVStream *st = pls->main_streams[k]; - av_program_add_stream_index(s, i, pls->stream_offset + k); + av_program_add_stream_index(s, i, st->index); /* Set variant_bitrate for streams unique to this variant */ if (!is_shared && v->bandwidth) @@ -1871,8 +1926,17 @@ static int hls_read_packet(AVFormatContext *s, AVPacket *pkt) /* If we got a packet, return it */ if (minplaylist >= 0) { struct playlist *pls = c->playlists[minplaylist]; + + if (pls->pkt.stream_index >= pls->n_main_streams) { + av_log(s, AV_LOG_ERROR, "stream index inconsistency: index %d, %d main streams, %d subdemuxer streams\n", + pls->pkt.stream_index, pls->n_main_streams, pls->ctx->nb_streams); + av_packet_unref(&pls->pkt); + reset_packet(&pls->pkt); + return AVERROR_BUG; + } + *pkt = pls->pkt; - pkt->stream_index += pls->stream_offset; + pkt->stream_index = pls->main_streams[pls->pkt.stream_index]->index; reset_packet(&c->playlists[minplaylist]->pkt); if (pkt->dts != AV_NOPTS_VALUE) @@ -1904,6 +1968,8 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, HLSContext *c = s->priv_data; struct playlist *seek_pls = NULL; int i, seq_no; + int j; + int stream_subdemuxer_index; int64_t first_timestamp, seek_timestamp, duration; if ((flags & AVSEEK_FLAG_BYTE) || @@ -1927,10 +1993,12 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, /* find the playlist with the specified stream */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; - if (stream_index >= pls->stream_offset && - stream_index - pls->stream_offset < pls->ctx->nb_streams) { - seek_pls = pls; - break; + for (j = 0; j < pls->n_main_streams; j++) { + if (pls->main_streams[j] == s->streams[stream_index]) { + seek_pls = pls; + stream_subdemuxer_index = j; + break; + } } } /* check if the timestamp is valid for the playlist with the @@ -1940,7 +2008,7 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, /* set segment now so we do not need to search again below */ seek_pls->cur_seq_no = seq_no; - seek_pls->seek_stream_index = stream_index - seek_pls->stream_offset; + seek_pls->seek_stream_index = stream_subdemuxer_index; for (i = 0; i < c->n_playlists; i++) { /* Reset reading */ @@ -1995,6 +2063,12 @@ static int hls_probe(AVProbeData *p) static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; diff --git a/libavformat/http.c b/libavformat/http.c index 51275d9960..c5d94038e3 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -62,8 +62,8 @@ typedef struct HTTPContext { int line_count; int http_code; /* Used if "Transfer-Encoding: chunked" otherwise -1. */ - int64_t chunksize; - int64_t off, end_off, filesize; + uint64_t chunksize; + uint64_t off, end_off, filesize; char *location; HTTPAuthState auth_state; HTTPAuthState proxy_auth_state; @@ -92,9 +92,9 @@ typedef struct HTTPContext { AVDictionary *cookie_dict; int icy; /* how much data was read since the last ICY metadata packet */ - int icy_data_read; + uint64_t icy_data_read; /* after how many bytes of read data a new metadata packet will be found */ - int icy_metaint; + uint64_t icy_metaint; char *icy_metadata_headers; char *icy_metadata_packet; AVDictionary *metadata; @@ -480,7 +480,7 @@ static int http_open(URLContext *h, const char *uri, int flags, else h->is_streamed = 1; - s->filesize = -1; + s->filesize = UINT64_MAX; s->location = av_strdup(uri); if (!s->location) return AVERROR(ENOMEM); @@ -607,9 +607,9 @@ static void parse_content_range(URLContext *h, const char *p) if (!strncmp(p, "bytes ", 6)) { p += 6; - s->off = strtoll(p, NULL, 10); + s->off = strtoull(p, NULL, 10); if ((slash = strchr(p, '/')) && strlen(slash) > 0) - s->filesize = strtoll(slash + 1, NULL, 10); + s->filesize = strtoull(slash + 1, NULL, 10); } if (s->seekable == -1 && (!s->is_akamai || s->filesize != 2147483647)) h->is_streamed = 0; /* we _can_ in fact seek */ @@ -799,8 +799,9 @@ static int process_line(URLContext *h, char *line, int line_count, if ((ret = parse_location(s, p)) < 0) return ret; *new_location = 1; - } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) { - s->filesize = strtoll(p, NULL, 10); + } else if (!av_strcasecmp(tag, "Content-Length") && + s->filesize == UINT64_MAX) { + s->filesize = strtoull(p, NULL, 10); } else if (!av_strcasecmp(tag, "Content-Range")) { parse_content_range(h, p); } else if (!av_strcasecmp(tag, "Accept-Ranges") && @@ -809,7 +810,7 @@ static int process_line(URLContext *h, char *line, int line_count, h->is_streamed = 0; } else if (!av_strcasecmp(tag, "Transfer-Encoding") && !av_strncasecmp(p, "chunked", 7)) { - s->filesize = -1; + s->filesize = UINT64_MAX; s->chunksize = 0; } else if (!av_strcasecmp(tag, "WWW-Authenticate")) { ff_http_auth_handle_header(&s->auth_state, tag, p); @@ -833,7 +834,7 @@ static int process_line(URLContext *h, char *line, int line_count, if (parse_cookie(s, p, &s->cookie_dict)) av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p); } else if (!av_strcasecmp(tag, "Icy-MetaInt")) { - s->icy_metaint = strtoll(p, NULL, 10); + s->icy_metaint = strtoull(p, NULL, 10); } else if (!av_strncasecmp(tag, "Icy-", 4)) { if ((ret = parse_icy(s, tag, p)) < 0) return ret; @@ -963,7 +964,7 @@ static int http_read_header(URLContext *h, int *new_location) char line[MAX_URL_SIZE]; int err = 0; - s->chunksize = -1; + s->chunksize = UINT64_MAX; for (;;) { if ((err = http_get_line(s, line, sizeof(line))) < 0) @@ -997,10 +998,11 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int post, err; char headers[HTTP_HEADERS_SIZE] = ""; char *authstr = NULL, *proxyauthstr = NULL; - int64_t off = s->off; + uint64_t off = s->off; int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -1045,7 +1047,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, // server supports seeking by analysing the reply headers. if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 || s->end_off || s->seekable == -1)) { len += av_strlcatf(headers + len, sizeof(headers) - len, - "Range: bytes=%"PRId64"-", s->off); + "Range: bytes=%"PRIu64"-", s->off); if (s->end_off) len += av_strlcatf(headers + len, sizeof(headers) - len, "%"PRId64, s->end_off - 1); @@ -1091,7 +1093,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -1107,6 +1109,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; @@ -1120,7 +1130,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, s->line_count = 0; s->off = 0; s->icy_data_read = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; s->willclose = 0; s->end_chunked_post = 0; s->end_header = 0; @@ -1152,6 +1162,34 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) { HTTPContext *s = h->priv_data; int len; + + if (s->chunksize != UINT64_MAX) { + if (!s->chunksize) { + char line[32]; + int err; + + do { + if ((err = http_get_line(s, line, sizeof(line))) < 0) + return err; + } while (!*line); /* skip CR LF from last chunk */ + + s->chunksize = strtoull(line, NULL, 16); + + av_log(h, AV_LOG_TRACE, + "Chunked encoding data size: %"PRIu64"'\n", + s->chunksize); + + if (!s->chunksize) + return 0; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR(EINVAL); + } + } + size = FFMIN(size, s->chunksize); + } + /* read bytes from input buffer first */ len = s->buf_end - s->buf_ptr; if (len > 0) { @@ -1160,15 +1198,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) memcpy(buf, s->buf_ptr, len); s->buf_ptr += len; } else { - int64_t target_end = s->end_off ? s->end_off : s->filesize; - if ((!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off >= target_end) + uint64_t target_end = s->end_off ? s->end_off : s->filesize; + if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end) return AVERROR_EOF; len = ffurl_read(s->hd, buf, size); - if (!len && (!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off < target_end) { + if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) { av_log(h, AV_LOG_ERROR, - "Stream ends prematurely at %"PRId64", should be %"PRId64"\n", + "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n", s->off, target_end ); return AVERROR(EIO); @@ -1176,8 +1212,10 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) } if (len > 0) { s->off += len; - if (s->chunksize > 0) + if (s->chunksize > 0) { + av_assert0(s->chunksize >= len); s->chunksize -= len; + } } return len; } @@ -1232,25 +1270,6 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize >= 0) { - if (!s->chunksize) { - char line[32]; - - do { - if ((err = http_get_line(s, line, sizeof(line))) < 0) - return err; - } while (!*line); /* skip CR LF from last chunk */ - - s->chunksize = strtoll(line, NULL, 16); - - av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", - s->chunksize); - - if (!s->chunksize) - return 0; - } - size = FFMIN(size, s->chunksize); - } #if CONFIG_ZLIB if (s->compressed) return http_buf_read_compressed(h, buf, size); @@ -1258,17 +1277,17 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) read_ret = http_buf_read(h, buf, size); if ( (read_ret < 0 && s->reconnect && (!h->is_streamed || s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize) || (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed || s->reconnect_streamed))) { - int64_t target = h->is_streamed ? 0 : s->off; + uint64_t target = h->is_streamed ? 0 : s->off; if (s->reconnect_delay > s->reconnect_delay_max) return AVERROR(EIO); - av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret)); + av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret)); av_usleep(1000U*1000*s->reconnect_delay); s->reconnect_delay = 1 + 2*s->reconnect_delay; seek_ret = http_seek_internal(h, target, SEEK_SET, 1); if (seek_ret != target) { - av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target); + av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target); return read_ret; } @@ -1323,10 +1342,11 @@ static int store_icy(URLContext *h, int size) { HTTPContext *s = h->priv_data; /* until next metadata packet */ - int remaining = s->icy_metaint - s->icy_data_read; + uint64_t remaining; - if (remaining < 0) + if (s->icy_metaint < s->icy_data_read) return AVERROR_INVALIDDATA; + remaining = s->icy_metaint - s->icy_data_read; if (!remaining) { /* The metadata packet is variable sized. It has a 1 byte header @@ -1440,7 +1460,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo { HTTPContext *s = h->priv_data; URLContext *old_hd = s->hd; - int64_t old_off = s->off; + uint64_t old_off = s->off; uint8_t old_buf[BUFFER_SIZE]; int old_buf_size, ret; AVDictionary *options = NULL; @@ -1451,7 +1471,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo ((whence == SEEK_CUR && off == 0) || (whence == SEEK_SET && off == s->off))) return s->off; - else if ((s->filesize == -1 && whence == SEEK_END)) + else if ((s->filesize == UINT64_MAX && whence == SEEK_END)) return AVERROR(ENOSYS); if (whence == SEEK_CUR) @@ -1606,7 +1626,7 @@ redo: s->buf_ptr = s->buffer; s->buf_end = s->buffer; s->line_count = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; cur_auth_type = s->proxy_auth_state.auth_type; /* Note: This uses buffering, potentially reading more than the diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 8019a35f44..f33fa1195b 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -109,6 +109,10 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 5); ico->images[i].size = avio_rl32(pb); + if (ico->images[i].size <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + return AVERROR_INVALIDDATA; + } ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) @@ -174,8 +178,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) - return ret; + if ((ret = avio_read(pb, buf, image->size)) != image->size) { + av_packet_unref(pkt); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14); @@ -197,6 +203,13 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) return 0; } +static int ico_read_close(AVFormatContext * s) +{ + IcoDemuxContext *ico = s->priv_data; + av_freep(&ico->images); + return 0; +} + AVInputFormat ff_ico_demuxer = { .name = "ico", .long_name = NULL_IF_CONFIG_SMALL("Microsoft Windows ICO"), @@ -204,5 +217,6 @@ AVInputFormat ff_ico_demuxer = { .read_probe = probe, .read_header = read_header, .read_packet = read_packet, + .read_close = ico_read_close, .flags = AVFMT_NOTIMESTAMPS, }; diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index b66427968f..83701b59c5 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s, chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; + if (chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; + /* rewind */ avio_seek(pb, codebook_offset, SEEK_SET); diff --git a/libavformat/isom.c b/libavformat/isom.c index d412f06259..f6f000be61 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -487,9 +487,14 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext avio_rb24(pb); /* buffer size db */ v = avio_rb32(pb); - // TODO: fix this - //if (v < INT32_MAX) - // st->codecpar->rc_max_rate = v; + + // TODO: fix this with codecpar +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + if (v < INT32_MAX) + st->codec->rc_max_rate = v; +FF_ENABLE_DEPRECATION_WARNINGS +#endif st->codecpar->bit_rate = avio_rb32(pb); /* avg bitrate */ diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index 0fea675b38..146df660ac 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -193,6 +193,8 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) if (sep) p = sep + 1; + else + break; } } if (ctx->playpath) { diff --git a/libavformat/libssh.c b/libavformat/libssh.c index 49e92e7516..9e3d4da45e 100644 --- a/libavformat/libssh.c +++ b/libavformat/libssh.c @@ -103,7 +103,7 @@ static av_cold int libssh_authentication(LIBSSHContext *libssh, const char *user } } - if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { + if (!authorized && password && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { if (ssh_userauth_password(libssh->session, NULL, password) == SSH_AUTH_SUCCESS) { av_log(libssh, AV_LOG_DEBUG, "Authentication successful with password.\n"); authorized = 1; diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f3d701fe4d..8a392c7b9a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -88,6 +88,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -659,7 +660,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; @@ -675,7 +676,7 @@ static const EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } @@ -1048,6 +1049,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -3267,7 +3271,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) @@ -3305,7 +3309,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, @@ -3749,6 +3753,11 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } + if (!s->nb_streams) { + matroska_read_close(s); + av_log(s, AV_LOG_ERROR, "No streams found\n"); + return AVERROR_INVALIDDATA; + } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); diff --git a/libavformat/mov.c b/libavformat/mov.c index c7caf80b11..a4474b43b3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -43,6 +43,7 @@ #include "libavutil/sha.h" #include "libavutil/timecode.h" #include "libavcodec/ac3tab.h" +#include "libavcodec/mpegaudiodecheader.h" #include "avformat.h" #include "internal.h" #include "avio_internal.h" @@ -382,11 +383,11 @@ retry: return ret; } else if (!key && c->found_hdlr_mdta && c->meta_keys) { uint32_t index = AV_RB32(&atom.type); - if (index < c->meta_keys_count) { + if (index < c->meta_keys_count && index > 0) { key = c->meta_keys[index]; } else { av_log(c->fc, AV_LOG_WARNING, - "The index of 'data' is out of range: %d >= %d.\n", + "The index of 'data' is out of range: %d < 1 or >= %d.\n", index, c->meta_keys_count); } } @@ -717,6 +718,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); @@ -2843,7 +2846,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st) sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { - AVIndexEntry *e = &st->index_entries[st->nb_index_entries++]; + AVIndexEntry *e; + if (sample_size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size); + return; + } + e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; e->size = sample_size; @@ -2968,6 +2976,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total); return; } + if (size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size); + return; + } e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; @@ -3233,7 +3245,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; @@ -3957,7 +3969,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); @@ -4120,8 +4132,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); /* entries */ - if (atom.size < 8) { - av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too small\n", atom.size); + if (atom.size < 8 || atom.size > FFMIN(INT_MAX, SIZE_MAX)) { + av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" invalid\n", atom.size); return AVERROR_INVALIDDATA; } @@ -4189,6 +4201,11 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } + if (atom.size > FFMIN(INT_MAX, SIZE_MAX)) { + av_log(c->fc, AV_LOG_ERROR, "saiz atom auxiliary_info_sizes size %"PRId64" invalid\n", atom.size); + return AVERROR_INVALIDDATA; + } + /* save the auxiliary info sizes as is */ data_size = atom.size - atom_header_size; @@ -4398,7 +4415,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; @@ -4845,6 +4862,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); @@ -5213,6 +5237,10 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } #endif + if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { + if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) + st->need_parsing = AVSTREAM_PARSE_FULL; + } } pkt->stream_index = sc->ffindex; diff --git a/libavformat/movenc.c b/libavformat/movenc.c index d614933dff..a283231791 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4592,15 +4592,10 @@ static int mov_auto_flush_fragment(AVFormatContext *s, int force) return ret; } -int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +static int check_pkt(AVFormatContext *s, AVPacket *pkt) { MOVMuxContext *mov = s->priv_data; - AVIOContext *pb = s->pb; MOVTrack *trk = &mov->tracks[pkt->stream_index]; - AVCodecParameters *par = trk->par; - unsigned int samples_in_chunk = 0; - int size = pkt->size, ret = 0; - uint8_t *reformatted_data = NULL; if (trk->entry) { int64_t duration = pkt->dts - trk->cluster[trk->entry - 1].dts; @@ -4612,11 +4607,35 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) pkt->dts = trk->cluster[trk->entry - 1].dts + 1; pkt->pts = AV_NOPTS_VALUE; } + } else if (pkt->dts <= INT_MIN || pkt->dts >= INT_MAX) { + av_log(s, AV_LOG_ERROR, "Application provided initial timestamp: %"PRId64" is out of range for mov/mp4 format\n", + pkt->dts + ); + + pkt->dts = 0; + pkt->pts = AV_NOPTS_VALUE; } if (pkt->duration < 0 || pkt->duration > INT_MAX) { av_log(s, AV_LOG_ERROR, "Application provided duration: %"PRId64" is invalid\n", pkt->duration); return AVERROR(EINVAL); } + return 0; +} + +int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +{ + MOVMuxContext *mov = s->priv_data; + AVIOContext *pb = s->pb; + MOVTrack *trk = &mov->tracks[pkt->stream_index]; + AVCodecParameters *par = trk->par; + unsigned int samples_in_chunk = 0; + int size = pkt->size, ret = 0; + uint8_t *reformatted_data = NULL; + + ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { @@ -4882,6 +4901,10 @@ static int mov_write_single_packet(AVFormatContext *s, AVPacket *pkt) int64_t frag_duration = 0; int size = pkt->size; + int ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAG_DISCONT) { int i; for (i = 0; i < s->nb_streams; i++) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 56c7f8caee..099ca57d24 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -457,7 +457,8 @@ static int check(AVIOContext *pb, int64_t pos, uint32_t *ret_header) return CHECK_SEEK_FAILED; ret = avio_read(pb, &header_buf[0], 4); - if (ret < 0) + /* We should always find four bytes for a valid mpa header. */ + if (ret < 4) return CHECK_SEEK_FAILED; header = AV_RB32(&header_buf[0]); diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 1c441c54d8..a651cb3eb6 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -112,7 +112,7 @@ static int mpegps_probe(AVProbeData *p) : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg if ((!!vid ^ !!audio) && (audio > 4 || vid > 1) && !sys && !pspack && p->buf_size > 2048 && vid + audio > invalid) /* PES stream */ - return (audio > 12 || vid > 3 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 + return (audio > 12 || vid > 6 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 02-Penguin.flac has sys:0 priv1:0 pspack:0 vid:0 audio:1 @@ -138,7 +138,7 @@ typedef struct MpegDemuxContext { static int mpegps_read_header(AVFormatContext *s) { MpegDemuxContext *m = s->priv_data; - char buffer[7]; + char buffer[7] = { 0 }; int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index b31d233642..6767b65ec8 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2635,8 +2635,17 @@ static int mpegts_read_header(AVFormatContext *s) packet_count[nb_pcrs] = nb_packets; pcrs[nb_pcrs] = pcr_h * 300 + pcr_l; nb_pcrs++; - if (nb_pcrs >= 2) - break; + if (nb_pcrs >= 2) { + if (pcrs[1] - pcrs[0] > 0) { + /* the difference needs to be positive to make sense for bitrate computation */ + break; + } else { + av_log(ts->stream, AV_LOG_WARNING, "invalid pcr pair %"PRId64" >= %"PRId64"\n", pcrs[0], pcrs[1]); + pcrs[0] = pcrs[1]; + packet_count[0] = packet_count[1]; + nb_pcrs--; + } + } } else { finished_reading_packet(s, ts->raw_packet_size); } diff --git a/libavformat/mux.c b/libavformat/mux.c index a447645198..221ec7ffdc 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -697,7 +697,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", - av_ts2str(pkt->dts), + av_ts2str(pkt->pts), pkt->stream_index ); } diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 80ef4b1569..e9e9fab503 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 0affca97a2..cbabd4b239 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -383,7 +383,7 @@ static int mxf_get_stream_index(AVFormatContext *s, KLVPacket *klv) for (i = 0; i < s->nb_streams; i++) { MXFTrack *track = s->streams[i]->priv_data; /* SMPTE 379M 7.3 */ - if (!memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number))) + if (track && !memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number))) return i; } /* return 0 if only one stream, for OP Atom files with 0 as track number */ @@ -492,7 +492,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } @@ -827,7 +827,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i int ret; size_t buf_size; - if (size < 0) + if (size < 0 || size > INT_MAX/2) return AVERROR(EINVAL); buf_size = size + size / 2 + 1; @@ -888,6 +888,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -898,6 +900,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg } for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); @@ -3016,7 +3020,7 @@ static int mxf_read_packet_old(AVFormatContext *s, AVPacket *pkt) if (mxf->nb_index_tables >= 1 && mxf->current_edit_unit < t->nb_ptses) { pkt->dts = mxf->current_edit_unit + t->first_dts; pkt->pts = t->ptses[mxf->current_edit_unit]; - } else if (track->intra_only) { + } else if (track && track->intra_only) { /* intra-only -> PTS = EditUnit. * let utils.c figure out DTS since it can be < PTS if low_delay = 0 (Sony IMX30) */ pkt->pts = mxf->current_edit_unit; diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 507fb396a5..16d2fa59e2 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 47a0cbae05..e1ef21337c 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -643,6 +643,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index d7af1cfabd..4a2b6ddee8 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -162,6 +162,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts) if (dts) *dts = pts; } + if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) { + // The return type is unsigned, we thus cannot return negative pts + av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts); + pts = AV_NOPTS_VALUE; + } return pts; } diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 6d567f988a..9c438a096a 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c @@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codecpar->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codecpar->extradata + 0, overlap); AV_WL32(st->codecpar->extradata + 4, version); return 1; diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index 89bda58994..a373b41b4c 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -126,6 +126,7 @@ static int daala_header(AVFormatContext *s, int idx) if (hdr->gpshift >= 32) { av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n", hdr->gpshift); + hdr->gpshift = 0; return AVERROR_INVALIDDATA; } hdr->gpmask = (1U << hdr->gpshift) - 1; @@ -232,7 +233,7 @@ static int daala_packet(AVFormatContext *s, int idx) os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index f8e656dcb1..e7a501b5a7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -108,7 +108,10 @@ ogm_header(AVFormatContext *s, int idx) if (size > 52) { av_assert0(AV_INPUT_BUFFER_PADDING_SIZE <= 52); size -= 52; - ff_alloc_extradata(st->codecpar, size); + if (bytestream2_get_bytes_left(&p) < size) + return AVERROR_INVALIDDATA; + if (ff_alloc_extradata(st->codecpar, size) < 0) + return AVERROR(ENOMEM); bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size); } } diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index 434b0fdab1..2ea58774c8 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -78,6 +78,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index d57419e9f0..6716dd2f45 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -82,7 +82,11 @@ static uint64_t vp8_gptopts(AVFormatContext *s, int idx, struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; - uint64_t pts = (granule >> 32); + int invcnt = !((granule >> 30) & 3); + // If page granule is that of an invisible vp8 frame, its pts will be + // that of the end of the next visible frame. We substract 1 for those + // to prevent messing up pts calculations. + uint64_t pts = (granule >> 32) - invcnt; uint32_t dist = (granule >> 3) & 0x07ffffff; if (!dist) diff --git a/libavformat/options.c b/libavformat/options.c index 04d9c454d3..8fbc0d445e 100644 --- a/libavformat/options.c +++ b/libavformat/options.c @@ -102,6 +102,18 @@ static const AVClass av_format_context_class = { static int io_open_default(AVFormatContext *s, AVIOContext **pb, const char *url, int flags, AVDictionary **options) { + int loglevel; + + if (!strcmp(url, s->filename) || + s->iformat && !strcmp(s->iformat->name, "image2") || + s->oformat && !strcmp(s->oformat->name, "image2") + ) { + loglevel = AV_LOG_DEBUG; + } else + loglevel = AV_LOG_INFO; + + av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading"); + #if FF_API_OLD_OPEN_CALLBACKS FF_DISABLE_DEPRECATION_WARNINGS if (s->open_cb) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 3b74d1b2fd..416a0dae1c 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -103,6 +103,7 @@ static const AVOption avformat_options[] = { {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D }, {NULL}, }; diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;isub_packet_cnt = 0; rm->audio_stream_num = st->index; + if (st->codecpar->block_align <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid block alignment %d\n", st->codecpar->block_align); + return AVERROR_INVALIDDATA; + } rm->audio_pkt_cnt = h * w / st->codecpar->block_align; } else if ((ast->deint_id == DEINT_ID_VBRF) || (ast->deint_id == DEINT_ID_VBRS)) { @@ -1231,8 +1235,11 @@ static int ivr_read_header(AVFormatContext *s) av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); } else if (type == 4) { av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { nb_streams = value = avio_rb32(pb); diff --git a/libavformat/rsd.c b/libavformat/rsd.c index ee6fdfbeb1..5a56e72bb3 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -84,8 +84,10 @@ static int rsd_read_header(AVFormatContext *s) } par->channels = avio_rl32(pb); - if (!par->channels) + if (par->channels <= 0 || par->channels > INT_MAX / 36) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", par->channels); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // Bit depth par->sample_rate = avio_rl32(pb); diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 0d693c27f7..ca7838868e 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; + if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) { + av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", + size, + prev_pkt[channel_id].size); + ff_rtmp_packet_destroy(&prev_pkt[channel_id]); + prev_pkt[channel_id].read = 0; + } + if (!prev_pkt[channel_id].read) { if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) < 0) @@ -425,97 +433,142 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; + case AMF_DATA_TYPE_DATE: + bytestream2_skip(gb, 10); + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; } } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 8459a513fb..2c09fda10b 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -101,7 +101,7 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p) { int ret = 0; if (av_strstart(p, "pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,", &p)) { - AVIOContext pb; + AVIOContext pb = { 0 }; RTSPState *rt = s->priv_data; AVDictionary *opts = NULL; int len = strlen(p) * 6 / 8; diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 8dd56a549e..6f8148ab6d 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c @@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s, parse_profile_level_id(s, h264_data, value); } else if (!strcmp(attr, "sprop-parameter-sets")) { int ret; - if (value[strlen(value) - 1] == ',') { + if (*value == 0 || value[strlen(value) - 1] == ',') { av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n"); return 0; } diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index bb020d7f9a..cbedd120fb 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -927,7 +927,7 @@ static void expand_timestamps(void *log, struct sbg_script *s) } } if (s->start_ts == AV_NOPTS_VALUE) - s->start_ts = s->opt_start_at_first ? s->tseq[0].ts.t : now; + s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now; s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration : AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index fa2435e0a0..c6f5fe669e 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -119,10 +119,10 @@ retry: z->avail_out = buf_size; ret = inflate(z, Z_NO_FLUSH); - if (ret < 0) - return AVERROR(EINVAL); if (ret == Z_STREAM_END) return AVERROR_EOF; + if (ret != Z_OK) + return AVERROR(EINVAL); if (buf_size - z->avail_out == 0) goto retry; diff --git a/libavformat/utils.c b/libavformat/utils.c index 6f343f228c..5a35953d24 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -307,7 +307,7 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, int score; AVInputFormat *fmt = av_probe_input_format3(pd, 1, &score); - if (fmt && st->request_probe <= score) { + if (fmt) { int i; av_log(s, AV_LOG_DEBUG, "Probe with size=%d, packets=%d detected %s with score=%d\n", @@ -318,6 +318,9 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, if (fmt_id_type[i].type != AVMEDIA_TYPE_AUDIO && st->codecpar->sample_rate) continue; + if (st->request_probe > score && + st->codecpar->codec_id != fmt_id_type[i].id) + continue; st->codecpar->codec_id = fmt_id_type[i].id; st->codecpar->codec_type = fmt_id_type[i].type; st->internal->need_context_update = 1; @@ -494,6 +497,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); if ((ret = init_input(s, filename, &tmp)) < 0) goto fail; s->probe_score = ret; @@ -531,7 +535,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* Allocate private data. */ if (s->iformat->priv_data_size > 0) { @@ -767,7 +770,7 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; for (i = 0; i < s->nb_streams; i++) { st = s->streams[i]; - if (st->probe_packets) + if (st->probe_packets || st->request_probe > 0) if ((err = probe_codec(s, st, NULL)) < 0) return err; av_assert0(st->request_probe <= 0); @@ -1483,6 +1486,15 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + /* update deprecated public codec context */ + ret = avcodec_parameters_to_context(st->codec, st->codecpar); + if (ret < 0) + return ret; +FF_ENABLE_DEPRECATION_WARNINGS +#endif + st->internal->need_context_update = 0; } @@ -2402,6 +2414,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, max_ts = av_rescale_rnd(max_ts, time_base.den, time_base.num * (int64_t)AV_TIME_BASE, AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + stream_index = 0; } ret = s->iformat->read_seek2(s, stream_index, min_ts, @@ -2491,7 +2504,7 @@ static void update_stream_timings(AVFormatContext *ic) end_time1 = av_rescale_q_rnd(st->duration, st->time_base, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); - if (end_time1 != AV_NOPTS_VALUE && start_time1 <= INT64_MAX - end_time1) { + if (end_time1 != AV_NOPTS_VALUE && (end_time1 > 0 ? start_time1 <= INT64_MAX - end_time1 : start_time1 >= INT64_MIN - end_time1)) { end_time1 += start_time1; end_time = FFMAX(end_time, end_time1); } @@ -2519,11 +2532,14 @@ static void update_stream_timings(AVFormatContext *ic) if (ic->nb_programs) { for (i = 0; i < ic->nb_programs; i++) { p = ic->programs[i]; - if (p->start_time != AV_NOPTS_VALUE && p->end_time > p->start_time) + if (p->start_time != AV_NOPTS_VALUE && + p->end_time > p->start_time && + p->end_time - (uint64_t)p->start_time <= INT64_MAX) duration = FFMAX(duration, p->end_time - p->start_time); } - } else + } else if (end_time >= start_time && end_time - (uint64_t)start_time <= INT64_MAX) { duration = FFMAX(duration, end_time - start_time); + } } } if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { @@ -3281,6 +3297,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int64_t max_subtitle_analyze_duration; int64_t probesize = ic->probesize; int eof_reached = 0; + int *missing_streams = av_opt_ptr(ic->iformat->priv_class, ic->priv_data, "missing_streams"); flush_codecs = probesize > 0; @@ -3315,6 +3332,17 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) if (!avctx->time_base.num) avctx->time_base = st->time_base; } + + /* check if the caller has overridden the codec id */ +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + if (st->codec->codec_id != st->internal->orig_codec_id) { + st->codecpar->codec_id = st->codec->codec_id; + st->codecpar->codec_type = st->codec->codec_type; + st->internal->orig_codec_id = st->codec->codec_id; + } +FF_ENABLE_DEPRECATION_WARNINGS +#endif // only for the split stuff if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codecpar->codec_id); @@ -3331,16 +3359,6 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } } - /* check if the caller has overridden the codec id */ -#if FF_API_LAVF_AVCTX -FF_DISABLE_DEPRECATION_WARNINGS - if (st->codec->codec_id != st->internal->orig_codec_id) { - st->codecpar->codec_id = st->codec->codec_id; - st->codecpar->codec_type = st->codec->codec_type; - st->internal->orig_codec_id = st->codec->codec_id; - } -FF_ENABLE_DEPRECATION_WARNINGS -#endif if (st->codecpar->codec_id != st->internal->orig_codec_id) st->internal->orig_codec_id = st->codecpar->codec_id; @@ -3433,6 +3451,7 @@ FF_ENABLE_DEPRECATION_WARNINGS break; } analyzed_all_streams = 0; + if (!missing_streams || !*missing_streams) if (i == ic->nb_streams) { analyzed_all_streams = 1; /* NOTE: If the format has no header, then we need to read some @@ -3975,9 +3994,7 @@ static void free_stream(AVStream **pst) av_freep(&st->index_entries); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - av_freep(&st->codec->extradata); - av_freep(&st->codec->subtitle_header); - av_freep(&st->codec); + avcodec_free_context(&st->codec); FF_ENABLE_DEPRECATION_WARNINGS #endif av_freep(&st->priv_data); @@ -4029,8 +4046,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } @@ -4068,8 +4085,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= INT_MAX/sizeof(*streams)) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) { + if (s->max_streams < INT_MAX/sizeof(*streams)) + av_log(s, AV_LOG_ERROR, "Number of streams exceeds max_streams parameter (%d), see the documentation if you wish to increase it\n", s->max_streams); return NULL; + } streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) return NULL; diff --git a/libavformat/version.h b/libavformat/version.h index 544d4363eb..47a8afbb26 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -32,8 +32,8 @@ // Major bumping may affect Ticket5467, 5421, 5451(compatibility with Chromium) // Also please add any ticket numbers that you belive might be affected here #define LIBAVFORMAT_VERSION_MAJOR 57 -#define LIBAVFORMAT_VERSION_MINOR 40 -#define LIBAVFORMAT_VERSION_MICRO 101 +#define LIBAVFORMAT_VERSION_MINOR 41 +#define LIBAVFORMAT_VERSION_MICRO 100 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ LIBAVFORMAT_VERSION_MINOR, \ diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index 897c4083b6..49943d0d0e 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -36,8 +36,8 @@ static int vplayer_probe(AVProbeData *p) char c; const unsigned char *ptr = p->buf; - if ((sscanf(ptr, "%*d:%*d:%*d.%*d%c", &c) == 1 || - sscanf(ptr, "%*d:%*d:%*d%c", &c) == 1) && strchr(": =", c)) + if ((sscanf(ptr, "%*3d:%*2d:%*2d.%*2d%c", &c) == 1 || + sscanf(ptr, "%*3d:%*2d:%*2d%c", &c) == 1) && strchr(": =", c)) return AVPROBE_SCORE_MAX; return 0; } diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 7176cd6f2d..8bbb301afc 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -829,6 +829,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index d4b3146790..9dc9b36d31 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { @@ -458,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s) if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; diff --git a/libavformat/westwood_aud.c b/libavformat/westwood_aud.c index 4750167f13..9c2d35cb8a 100644 --- a/libavformat/westwood_aud.c +++ b/libavformat/westwood_aud.c @@ -164,6 +164,12 @@ static int wsaud_read_packet(AVFormatContext *s, if (ret != chunk_size) return AVERROR(EIO); + if (st->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", + st->codecpar->channels); + return AVERROR_INVALIDDATA; + } + /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ pkt->duration = (chunk_size * 2) / st->codecpar->channels; } diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index bd32d70dcf..3ac4501306 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -1031,7 +1031,7 @@ static int read_header(AVFormatContext *s) while (1) { uint64_t frame_nb = avio_rl64(pb); uint64_t position = avio_rl64(pb); - while (frame_nb > e->size && e <= e_end) { + while (e <= e_end && frame_nb > e->size) { e->pos = last_position; e++; } diff --git a/libavutil/frame.h b/libavutil/frame.h index 44adec4602..2b5c3320c3 100644 --- a/libavutil/frame.h +++ b/libavutil/frame.h @@ -427,12 +427,6 @@ typedef struct AVFrame { enum AVChromaLocation chroma_location; - /** - * For hwaccel-format frames, this should be a reference to the - * AVHWFramesContext describing the frame. - */ - AVBufferRef *hw_frames_ctx; - /** * frame timestamp estimated using various heuristics, in stream time base * Code outside libavutil should access this field using: @@ -524,6 +518,11 @@ typedef struct AVFrame { */ AVBufferRef *qp_table_buf; #endif + /** + * For hwaccel-format frames, this should be a reference to the + * AVHWFramesContext describing the frame. + */ + AVBufferRef *hw_frames_ctx; } AVFrame; /** diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index e79254bb34..cf926e89f0 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -101,6 +101,13 @@ static void dxva2_frames_uninit(AVHWFramesContext *ctx) } } +static void dxva2_pool_release_dummy(void *opaque, uint8_t *data) +{ + // important not to free anything here--data is a surface object + // associated with the call to CreateSurface(), and these surfaces are + // released in dxva2_frames_uninit() +} + static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) { AVHWFramesContext *ctx = (AVHWFramesContext*)opaque; @@ -110,7 +117,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), NULL, 0, 0); + sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; diff --git a/libavutil/hwcontext_vaapi.c b/libavutil/hwcontext_vaapi.c index 3c1493be9a..92fa23538b 100644 --- a/libavutil/hwcontext_vaapi.c +++ b/libavutil/hwcontext_vaapi.c @@ -115,8 +115,10 @@ static struct { MAP(BGRX, RGB32, BGR0), MAP(RGBA, RGB32, RGBA), MAP(RGBX, RGB32, RGB0), +#ifdef VA_FOURCC_ABGR MAP(ABGR, RGB32, ABGR), MAP(XBGR, RGB32, 0BGR), +#endif MAP(ARGB, RGB32, ARGB), MAP(XRGB, RGB32, 0RGB), }; diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 37808e53d0..cc410abad1 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -248,19 +248,38 @@ static const AVClass imgutils_class = { .parent_log_context_offset = offsetof(ImgUtils, log_ctx), }; -int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx) { ImgUtils imgutils = { .class = &imgutils_class, .log_offset = log_offset, .log_ctx = log_ctx, }; + int64_t stride = av_image_get_linesize(pix_fmt, w, 0); + if (stride <= 0) + stride = 8LL*w; + stride += 128*8; - if ((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/8) - return 0; + if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); + return AVERROR(EINVAL); + } - av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); - return AVERROR(EINVAL); + if (max_pixels < INT64_MAX) { + if (w*(int64_t)h > max_pixels) { + av_log(&imgutils, AV_LOG_ERROR, + "Picture size %ux%u exceeds specified max pixel count %"PRId64", see the documentation if you wish to increase it\n", + w, h, max_pixels); + return AVERROR(EINVAL); + } + } + + return 0; +} + +int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +{ + return av_image_check_size2(w, h, INT64_MAX, AV_PIX_FMT_NONE, log_offset, log_ctx); } int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) diff --git a/libavutil/imgutils.h b/libavutil/imgutils.h index 23282a38fa..19f34deced 100644 --- a/libavutil/imgutils.h +++ b/libavutil/imgutils.h @@ -191,6 +191,20 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, */ int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx); +/** + * Check if the given dimension of an image is valid, meaning that all + * bytes of the image can be addressed with a signed int. + * + * @param w the width of the picture + * @param h the height of the picture + * @param max_pixels the maximum number of pixels the user wants to accept + * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown. + * @param log_offset the offset to sum to the log level for logging with log_ctx + * @param log_ctx the parent logging context, it may be NULL + * @return >= 0 if valid, a negative error code otherwise + */ +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx); + /** * Check if the given sample aspect ratio of an image is valid. * diff --git a/libavutil/internal.h b/libavutil/internal.h index 61784b5128..e4da21b1b5 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,9 @@ # define NDEBUG #endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED + #include #include #include @@ -258,6 +261,16 @@ void avpriv_request_sample(void *avc, # define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0) #endif +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * Clip and convert a double value into the long long amin-amax range. * This function is needed because conversion of floating point to integers when diff --git a/libavutil/mem.h b/libavutil/mem.h index d25b3229b7..376fd2e07c 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -183,7 +183,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * The situation is undefined according to POSIX and may crash with * some libc implementations. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Free a memory block which has been allocated with av_malloc(z)() or diff --git a/libavutil/mips/generic_macros_msa.h b/libavutil/mips/generic_macros_msa.h index b1d18dd9d3..0a59619e7b 100644 --- a/libavutil/mips/generic_macros_msa.h +++ b/libavutil/mips/generic_macros_msa.h @@ -85,12 +85,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m); \ - val1_m = LW(psrc_m + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ @@ -172,12 +172,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m1 = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m1); \ - val1_m = LW(psrc_m1 + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ diff --git a/libavutil/opt.h b/libavutil/opt.h index 9a76a47f75..9430b989e9 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -58,7 +58,7 @@ * The following example illustrates an AVOptions-enabled struct: * @code * typedef struct test_struct { - * AVClass *class; + * const AVClass *class; * int int_opt; * char *str_opt; * uint8_t *bin_opt; @@ -96,7 +96,7 @@ * @code * test_struct *alloc_test_struct(void) * { - * test_struct *ret = av_malloc(sizeof(*ret)); + * test_struct *ret = av_mallocz(sizeof(*ret)); * ret->class = &test_class; * av_opt_set_defaults(ret); * return ret; diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index d1ded7b509..0cabd1c351 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; @@ -86,11 +87,12 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; } diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a3b2238585..c50aaf5285 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -27,7 +27,7 @@ #include "avassert.h" #include "softfloat_tables.h" -#define MIN_EXP -126 +#define MIN_EXP -149 #define MAX_EXP 126 #define ONE_BITS 29 @@ -114,8 +114,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; @@ -170,12 +177,14 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; - if(v == INT_MIN){ + if(v <= INT_MIN + 1){ exp_offset = 1; v>>=1; } @@ -235,12 +244,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; diff --git a/libavutil/version.h b/libavutil/version.h index aa10622840..07618fc0bc 100644 --- a/libavutil/version.h +++ b/libavutil/version.h @@ -64,7 +64,7 @@ */ #define LIBAVUTIL_VERSION_MAJOR 55 -#define LIBAVUTIL_VERSION_MINOR 27 +#define LIBAVUTIL_VERSION_MINOR 28 #define LIBAVUTIL_VERSION_MICRO 100 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ diff --git a/libswresample/resample.c b/libswresample/resample.c index b834248167..e7c9e730fb 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -298,6 +298,14 @@ fail: return 0; } +static void resample_free(ResampleContext **cc){ + ResampleContext *c = *cc; + if(!c) + return; + av_freep(&c->filter_bank); + av_freep(cc); +} + static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear, double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, double kaiser_beta, double precision, int cheby, int exact_rational) @@ -320,6 +328,7 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r if (!c || c->phase_count != phase_count || c->linear!=linear || c->factor != factor || c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format || c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) { + resample_free(&c); c = av_mallocz(sizeof(*c)); if (!c) return NULL; @@ -389,13 +398,6 @@ error: return NULL; } -static void resample_free(ResampleContext **c){ - if(!*c) - return; - av_freep(&(*c)->filter_bank); - av_freep(c); -} - static int rebuild_filter_bank_with_compensation(ResampleContext *c) { uint8_t *new_filter_bank; diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index b231abe7e1..1f99462103 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -352,6 +352,7 @@ static int packed_16bpc_bswap(SwsContext *c, const uint8_t *src[], int min_stride = FFMIN(FFABS(srcstr), FFABS(dststr)); if(!dstPtr || !srcPtr) continue; + dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr; for (i = 0; i < (srcSliceH >> c->chrDstVSubSample); i++) { for (j = 0; j < min_stride; j++) { dstPtr[j] = av_bswap16(srcPtr[j]); @@ -557,6 +558,8 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], int bpc = dst_format->comp[0].depth; int alpha = src_format->flags & AV_PIX_FMT_FLAG_ALPHA; int swap = 0; + int i; + if ( HAVE_BIGENDIAN && !(src_format->flags & AV_PIX_FMT_FLAG_BE) || !HAVE_BIGENDIAN && src_format->flags & AV_PIX_FMT_FLAG_BE) swap++; @@ -570,6 +573,12 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], src_format->name, dst_format->name); return srcSliceH; } + + for(i=0; i<4; i++) { + dst2013[i] += stride2013[i] * srcSliceY / 2; + dst1023[i] += stride1023[i] * srcSliceY / 2; + } + switch (c->srcFormat) { case AV_PIX_FMT_RGB48LE: case AV_PIX_FMT_RGB48BE: diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index 58c211453a..8291ce8359 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -308,10 +308,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c index e4ca116b06..5191f83431 100644 --- a/tests/checkasm/checkasm.c +++ b/tests/checkasm/checkasm.c @@ -89,7 +89,7 @@ static const struct { #if CONFIG_JPEG2000_DECODER { "jpeg2000dsp", checkasm_check_jpeg2000dsp }, #endif - #if CONFIG_PIXBLOCKDSP + #if CONFIG_PIXBLOCKDSP && !(ARCH_PPC64 && HAVE_BIGENDIAN) { "pixblockdsp", checkasm_check_pixblockdsp }, #endif #if CONFIG_V210_ENCODER diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2116fb9b81..2469a3ec21 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0xbf73f1b7 diff --git a/tools/ismindex.c b/tools/ismindex.c index 5917d42f44..c16e2f2670 100644 --- a/tools/ismindex.c +++ b/tools/ismindex.c @@ -375,7 +375,7 @@ static int read_tfra(struct Tracks *tracks, int start_index, AVIOContext *f) track->duration - track->offsets[track->chunks - 1].time; } - // Now try and read the actual durations from the trun sample data. + // Now try to read the actual durations from the trun sample data. for (i = 0; i < track->chunks; i++) { int64_t duration = read_moof_duration(f, track->offsets[i].offset); if (duration > 0 && llabs(duration - track->offsets[i].duration) > 3) { diff --git a/tools/zmqsend.c b/tools/zmqsend.c index d47bf216b4..6148bd623c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { AVBPrint src; char c, *src_buf, *recv_buf; - int recv_buf_size, ret; + int recv_buf_size, ret = 0; void *zmq_ctx, *socket; const char *bind_address = "tcp://localhost:5555"; const char *infilename = NULL;