From e5d434b840404d84585456e51755e052a0fe0731 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2016 03:43:52 +0200 Subject: [PATCH 001/658] tests/checkasm/checkasm: Disable checkasm_check_pixblockdsp for ppc64be See: Ticket5508 Suggested-by: Carl Signed-off-by: Michael Niedermayer --- tests/checkasm/checkasm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c index e4ca116b06..5191f83431 100644 --- a/tests/checkasm/checkasm.c +++ b/tests/checkasm/checkasm.c @@ -89,7 +89,7 @@ static const struct { #if CONFIG_JPEG2000_DECODER { "jpeg2000dsp", checkasm_check_jpeg2000dsp }, #endif - #if CONFIG_PIXBLOCKDSP + #if CONFIG_PIXBLOCKDSP && !(ARCH_PPC64 && HAVE_BIGENDIAN) { "pixblockdsp", checkasm_check_pixblockdsp }, #endif #if CONFIG_V210_ENCODER From 182cfe4832d8a88d1d213efa6792c23489992fdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2016 03:57:55 +0200 Subject: [PATCH 002/658] release notes (based on release/3.0) Better release notes are welcome write better ones or do not complain later! Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..afa25ae4ee --- /dev/null +++ b/RELEASE_NOTES 
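Review bot: The new condition `#if CONFIG_PIXBLOCKDSP && !(ARCH_PPC64 && HAVE_BIGENDIAN)` silently drops checkasm coverage for pixblockdsp on big-endian ppc64 with no in-code explanation, so a later reader cannot tell whether the DSP routine or the test harness is at fault. Because a disabled self-test hides a real mismatch between the C and assembly implementations, the exclusion deserves a comment beside the condition, e.g. `/* pixblockdsp checkasm fails on ppc64be, see Ticket5508; only the test is disabled */`. The ticket is named in the commit message only; carrying it in the code makes the exclusion easy to revisit once the root cause is fixed. The test table this entry belongs to starts outside the hunk.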
@@ -0,0 +1,15 @@ + + ┌────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 3.1 "Laplace" │ + └────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 3.1 "Laplace", about 4 + months after the release of FFmpeg 3.0. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From b2a74dd629c1ab3318ba0123f8814797a4fea3a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2016 11:35:22 +0200 Subject: [PATCH 003/658] Set version to 3.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index b889d20d71..8c50098d8a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.git +3.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0c1604e007..53f9b25fe4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 3.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 970f2ad966c2701919b208d3c628434906e807bd Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 26 Jun 2016 14:45:54 -0300 Subject: [PATCH 004/658] Update FFmpeg 3.1 cut marker Signed-off-by: James Almer (cherry picked from commit 069fd69662a13eb6a2b3d0497232b841e8f1caf8) --- Changelog | 2 +- doc/APIchanges | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Changelog b/Changelog index 99cfa12a3a..5e48c205da 100644 --- a/Changelog 
+++ b/Changelog @@ -2,10 +2,10 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version : -- YUY2 Lossless Codec decoder version 3.1: +- YUY2 Lossless Codec decoder - DXVA2-accelerated HEVC Main10 decoding - fieldhint filter - loop video filter and aloop audio filter diff --git a/doc/APIchanges b/doc/APIchanges index e3b7875593..6dd5ad7b0e 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -15,14 +15,14 @@ libavutil: 2015-08-28 API changes, most recent first: -2016-06-26 - xxxxxxx / 1c9e861 - lavu 55.27.100 / 55.13.0 - hwcontext.h +-------- 8< --------- FFmpeg 3.1 was cut here -------- 8< --------- + +2016-06-26 - 481f320 / 1c9e861 - lavu 55.27.100 / 55.13.0 - hwcontext.h Add av_hwdevice_ctx_create(). -2016-06-26 - xxxxxxx / e47b8bb - lavc 57.48.101 / 57.19.1 - avcodec.h +2016-06-26 - b95534b / e47b8bb - lavc 57.48.101 / 57.19.1 - avcodec.h Adjust values for JPEG 2000 profiles. --------- 8< --------- FFmpeg 3.1 was cut here -------- 8< --------- - 2016-06-23 - 5d75e46 / db7968b - lavf 57.40.100 / 57.7.0 - avio.h Add AVIODataMarkerType, write_data_type, ignore_boundary_point and avio_write_marker. From cf09348b9e03502c7051f7d771f22ffd25611e23 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 26 Jun 2016 15:27:47 -0300 Subject: [PATCH 005/658] changelog: fix entry order Signed-off-by: James Almer (cherry picked from commit c6f2d1a21f80ec4f2184c23fe399c2a222d34e24) --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 5e48c205da..4a85925b01 100644 --- a/Changelog +++ b/Changelog @@ -5,7 +5,6 @@ version : version 3.1: -- YUY2 Lossless Codec decoder - DXVA2-accelerated HEVC Main10 decoding - fieldhint filter - loop video filter and aloop audio filter @@ -48,6 +47,7 @@ version 3.1: - CUDA CUVID H264/HEVC decoder - 10-bit depth support in native utvideo decoder - libutvideo wrapper removed +- YUY2 Lossless Codec decoder version 3.0: 
From 18ce5a4d1b3f87b3b45651401cdf3352de34cfa1 Mon Sep 17 00:00:00 2001 From: Rick Kern Date: Sun, 26 Jun 2016 16:44:40 -0400 Subject: [PATCH 006/658] configure: use c++98 for c++ files Use c++98 standard instead of c++11. Signed-off-by: Rick Kern Signed-off-by: Michael Niedermayer (cherry picked from commit 729d82abae2f9bae3e5152022d2df0bb5bcde98e) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6aadf9c7c8..3760641385 100755 --- a/configure +++ b/configure @@ -4529,7 +4529,7 @@ fi add_cppflags -D_ISOC99_SOURCE add_cxxflags -D__STDC_CONSTANT_MACROS -add_cxxflags -std=c++11 +add_cxxflags -std=c++98 check_cflags -std=c99 check_cc -D_FILE_OFFSET_BITS=64 < From 36fcb8cc559aa0d8639a01872c82b906f3847572 Mon Sep 17 00:00:00 2001 From: Rick Kern Date: Mon, 27 Jun 2016 11:43:13 -0400 Subject: [PATCH 007/658] Changelog: Add VideoToolbox encoder entry for 3.1 Signed-off-by: Rick Kern (cherry picked from commit d9561718135a6eba8c781fa248679d9280030a0c) --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 4a85925b01..99cdb80e09 100644 --- a/Changelog +++ b/Changelog @@ -48,6 +48,7 @@ version 3.1: - 10-bit depth support in native utvideo decoder - libutvideo wrapper removed - YUY2 Lossless Codec decoder +- VideoToolbox H.264 encoder version 3.0: From 25f0ea9ece79ddd11f333acde38849e8c46543f5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 27 Jun 2016 17:54:22 +0200 Subject: [PATCH 008/658] lavc/pnm_parser: disable parsing for text based PNMs P1, P2, and P3 are respectively the text versions of PBM, PGM and PPM files. We can not obtain the buffer size using av_imgage_get_buffer_size() as every pixel in the picture will occupy a random size between 16 and 32 bits ("4 " and "231 " are such example). Ideally, we could look for the next header (or EOF) in the bytestream, but this commit is meant to fix a decoding regression introduced by 48ac4532d437790e56b8ed5d0d467dc88685f035. Fix Ticket #5670 (cherry picked from commit c5566f0a944e376b39c8f994659060ca036c441d) --- libavcodec/pnm_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index a7d70b9931..43dbfc7f27 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -66,6 +66,8 @@ retry: } #endif next = END_NOT_FOUND; + } else if (pnmctx.type < 4) { + next = END_NOT_FOUND; } else { next = pnmctx.bytestream - pnmctx.bytestream_start + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); From 8fd56690774b7e91ca248e049782db0028c8275e Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Tue, 28 Jun 2016 12:25:27 +0200 Subject: [PATCH 009/658] lavc/mediacodecdec_h264: add missing NAL headers to SPS/PPS buffers Fixes a regression introduced by 0cd5e281df3f69c1ed8f2a72a5bcbf9691e1b5d5. (cherry picked from commit db0af7250a276700a349766c5412eb48ec630f0a) --- libavcodec/mediacodecdec_h264.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/libavcodec/mediacodecdec_h264.c b/libavcodec/mediacodecdec_h264.c index eb63ab5327..0664e4994e 100644 --- a/libavcodec/mediacodecdec_h264.c +++ b/libavcodec/mediacodecdec_h264.c 
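Review bot: The new branch `} else if (pnmctx.type < 4) {` expresses the P1/P2/P3 (text-based PBM/PGM/PPM) distinction through a bare magic number, and nothing in the code says why those types cannot have their frame size computed. A comment carrying the reasoning from the commit message would keep the branch from being folded back into the `else` later: `/* P1-P3 are ASCII PBM/PGM/PPM: pixels have variable textual width, so the frame size cannot be derived from the header */`. The enclosing function begins and ends outside the hunk, so whether `pnmctx.type` can be 0 or negative here is not visible; if it can, `END_NOT_FOUND` is still the conservative result for those values.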
@@ -112,8 +112,25 @@ static av_cold int mediacodec_decode_init(AVCodecContext *avctx) } if (pps && sps) { - ff_AMediaFormat_setBuffer(format, "csd-0", (void*)sps->data, sps->data_size); - ff_AMediaFormat_setBuffer(format, "csd-1", (void*)pps->data, pps->data_size); + static const uint8_t nal_headers[] = { 0x00, 0x00, 0x00, 0x01 }; + + uint8_t *data = NULL; + size_t data_size = sizeof(nal_headers) + FFMAX(sps->data_size, pps->data_size); + + data = av_mallocz(data_size); + if (!data) { + ret = AVERROR(ENOMEM); + goto done; + } + + memcpy(data, nal_headers, sizeof(nal_headers)); + memcpy(data + sizeof(nal_headers), sps->data, sps->data_size); + ff_AMediaFormat_setBuffer(format, "csd-0", (void*)data, sizeof(nal_headers) + sps->data_size); + + memcpy(data + sizeof(nal_headers), pps->data, pps->data_size); + ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, sizeof(nal_headers) + pps->data_size); + + av_freep(&data); } else { av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from extradata"); ret = AVERROR_INVALIDDATA; From cd427a9d07e8b08486a33f174e645f4c3051a985 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 29 Jun 2016 11:15:39 +0200 Subject: [PATCH 010/658] ffplay: Fix usage of private lavfi API Reviewed-by: Michael Niedermayer --- ffplay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffplay.c b/ffplay.c index f28e0877cd..b0702ebeb0 100644 --- a/ffplay.c +++ b/ffplay.c @@ -2725,7 +2725,7 @@ static int stream_component_open(VideoState *is, int stream_index) goto fail; link = is->out_audio_filter->inputs[0]; sample_rate = link->sample_rate; - nb_channels = link->channels; + nb_channels = avfilter_link_get_channels(link); channel_layout = link->channel_layout; } #else From 0a6d7602308e0f3060d9a6e6b44ae7bf5bbd7841 Mon Sep 17 00:00:00 2001 
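Review bot: The single `data` buffer is handed to `ff_AMediaFormat_setBuffer` for `"csd-0"` and then immediately overwritten with the PPS for `"csd-1"`, which is only correct if that call copies its input rather than retaining the pointer; the hunk does not show which it does. If the callee copies, state the assumption so the reuse is not broken by a later change, e.g. `/* setBuffer copies the bytes, so the buffer can be reused for the PPS */`; if it retains the pointer, the SPS entry would end up holding PPS bytes and two separate allocations are needed. A later commit on this page (PATCH 022) replaces this block with one allocation per parameter set, which sidesteps the question. mediacodec_decode_init starts and ends outside the hunk.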
From: Timo Rothenpieler Date: Wed, 29 Jun 2016 11:38:14 +0200 Subject: [PATCH 011/658] lavfi: Move new field to the end of AVFilterLink Even though this is not part of the public API, some external applications access fields after it, thus breaking after updating from ffmpeg 3.0 or earlier. Since it is not public, it can be freely moved to the end to avoid that problem in the future. Reviewed-by: Michael Niedermayer --- libavfilter/avfilter.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavfilter/avfilter.h b/libavfilter/avfilter.h index 79227a7ea0..8a7f7916db 100644 --- a/libavfilter/avfilter.h +++ b/libavfilter/avfilter.h @@ -473,12 +473,6 @@ struct AVFilterLink { */ AVRational frame_rate; - /** - * For hwaccel pixel formats, this should be a reference to the - * AVHWFramesContext describing the frames. - */ - AVBufferRef *hw_frames_ctx; - /** * Buffer partially filled with samples to achieve a fixed/minimum size. */ @@ -550,6 +544,12 @@ struct AVFilterLink { * cleared when a frame is filtered. */ int frame_wanted_out; + + /** + * For hwaccel pixel formats, this should be a reference to the + * AVHWFramesContext describing the frames. + */ + AVBufferRef *hw_frames_ctx; }; /** From 1fdf549462449c98acdedd37ac1582bba218b425 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 29 Jun 2016 11:44:24 +0200 Subject: [PATCH 012/658] lavfi: Move new field to the end of AVFilterContext This fixes an accidental ABI break introduced at 8688d3a. --- doc/APIchanges | 8 ++++++++ libavfilter/avfilter.h | 14 +++++++------- libavfilter/version.h | 4 ++-- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 6dd5ad7b0e..47106c22e7 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
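Review bot: The relocated `hw_frames_ctx` field keeps its original doc comment and nothing at its new position records that it was placed last for ABI-layout reasons, so the next contributor adding a field may insert it ahead of `hw_frames_ctx` or move it back to its "logical" place and reintroduce the breakage. A one-line addition to the comment would prevent that: `/* Kept at the end of the struct so the preceding fields retain their FFmpeg 3.0 offsets; do not reorder */`. The same applies to the `command_queue`/`enable_str`/`enable`/`var_values`/`is_disabled` block moved in AVFilterContext (PATCH 012), to `hw_frames_ctx` in AVFrame (PATCH 015) and to `codecpar` in AVStream (PATCH 017). The struct definitions begin outside these hunks.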
@@ -15,6 +15,14 @@ libavutil: 2015-08-28 API changes, most recent first: +2016-06-29 - xxxxxxx - lavfi 6.47.100 - avfilter.h + Fix accidental ABI breakage in AVFilterContext. + ABI was broken in 8688d3a, lavfi 6.42.100 and released as ffmpeg 3.1. + + Because of this, ffmpeg and ffplay built against lavfi>=6.42.100 will not be + compatible with lavfi>=6.47.100. Potentially also affects other users of + libavfilter if they are using one of the affected fields. + -------- 8< --------- FFmpeg 3.1 was cut here -------- 8< --------- 2016-06-26 - 481f320 / 1c9e861 - lavu 55.27.100 / 55.13.0 - hwcontext.h diff --git a/libavfilter/avfilter.h b/libavfilter/avfilter.h index 8a7f7916db..757b81a610 100644 --- a/libavfilter/avfilter.h +++ b/libavfilter/avfilter.h @@ -344,6 +344,13 @@ struct AVFilterContext { */ AVFilterInternal *internal; + struct AVFilterCommand *command_queue; + + char *enable_str; ///< enable expression string + void *enable; ///< parsed expression (AVExpr*) + double *var_values; ///< variable values for the enable expression + int is_disabled; ///< the enabled state from the last expression evaluation + /** * For filters which will create hardware frames, sets the device the * filter should create them in. All other filters will ignore this field: @@ -352,13 +359,6 @@ struct AVFilterContext { * hardware context information. */ AVBufferRef *hw_device_ctx; - - struct AVFilterCommand *command_queue; - - char *enable_str; ///< enable expression string - void *enable; ///< parsed expression (AVExpr*) - double *var_values; ///< variable values for the enable expression - int is_disabled; ///< the enabled state from the last expression evaluation }; /** diff --git a/libavfilter/version.h b/libavfilter/version.h index 1924cfeffa..6d56dadfa0 100644 --- a/libavfilter/version.h +++ b/libavfilter/version.h 
@@ -30,8 +30,8 @@ #include "libavutil/version.h" #define LIBAVFILTER_VERSION_MAJOR 6 -#define LIBAVFILTER_VERSION_MINOR 46 -#define LIBAVFILTER_VERSION_MICRO 102 +#define LIBAVFILTER_VERSION_MINOR 47 +#define LIBAVFILTER_VERSION_MICRO 100 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \ LIBAVFILTER_VERSION_MINOR, \ From 3e730278f5a8e5ec3f9593700488a940f38dfac1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jun 2016 23:49:36 +0200 Subject: [PATCH 013/658] avformat/mov: Check sample size Fixes integer overflow Fixes: poc.mp4 Found-by: ajax secure Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3221cc67a516dfc1700bdae3566ec52c7ee823) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c7caf80b11..33ee799a7e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2843,7 +2843,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st) sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { - AVIndexEntry *e = &st->index_entries[st->nb_index_entries++]; + AVIndexEntry *e; + if (sample_size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size); + return; + } + e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; e->size = sample_size; @@ -2968,6 +2973,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total); return; } + if (size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size); + return; + } e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; 
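Review bot: The limit `0x3FFFFFFF` appears as a bare literal in both new checks (on `sample_size` in the first hunk and on `size` in the second) with no indication of what it protects; a reader cannot tell whether it derives from the width of `AVIndexEntry.size` or from later arithmetic on the value. Give it one named definition, e.g. `#define MOV_MAX_SAMPLE_SIZE 0x3FFFFFFF /* keeps e->size and sums of sizes inside int range */` (name constructed here), and use it in both places so the two checks cannot drift apart. The `%u` conversions assume `sample_size` and `size` are unsigned; their declarations are outside the hunk, so confirm the types agree or the log call is undefined behaviour. mov_build_index continues outside both hunks.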
From 37c83b53730aed3205dab3055aefffa642763ea4 Mon Sep 17 00:00:00 2001 From: Martin Vignali Date: Tue, 28 Jun 2016 13:23:43 +0200 Subject: [PATCH 014/658] libavcodec/exr : fix decoding piz float file. fix ticket #5674 the size of data to process in piz_uncompress, is now calc using the pixel type of each channel. the data reorganization, alos take care about the size of each channel Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d9e1e08133234dc4501413f0e3211f3a268049bc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c87187c05c..cabe329c7f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -749,6 +749,9 @@ static int piz_uncompress(EXRContext *s, const uint8_t *src, int ssize, uint16_t *tmp = (uint16_t *)td->tmp; uint8_t *out; int ret, i, j; + int pixel_half_size;/* 1 for half, 2 for float and uint32 */ + EXRChannel *channel; + int tmp_offset; if (!td->bitmap) td->bitmap = av_malloc(BITMAP_SIZE); 
@@ -781,24 +784,38 @@ static int piz_uncompress(EXRContext *s, const uint8_t *src, int ssize, ptr = tmp; for (i = 0; i < s->nb_channels; i++) { - EXRChannel *channel = &s->channels[i]; - int size = channel->pixel_type; + channel = &s->channels[i]; - for (j = 0; j < size; j++) - wav_decode(ptr + j, td->xsize, size, td->ysize, - td->xsize * size, maxval); - ptr += td->xsize * td->ysize * size; + if (channel->pixel_type == EXR_HALF) + pixel_half_size = 1; + else + pixel_half_size = 2; + + for (j = 0; j < pixel_half_size; j++) + wav_decode(ptr + j, td->xsize, pixel_half_size, td->ysize, + td->xsize * pixel_half_size, maxval); + ptr += td->xsize * td->ysize * pixel_half_size; } apply_lut(td->lut, tmp, dsize / sizeof(uint16_t)); out = td->uncompressed_data; - for (i = 0; i < td->ysize; i++) + for (i = 0; i < td->ysize; i++) { + tmp_offset = 0; for (j = 0; j < s->nb_channels; j++) { - uint16_t *in = tmp + j * td->xsize * td->ysize + i * td->xsize; - memcpy(out, in, td->xsize * 2); - out += td->xsize * 2; + uint16_t *in; + EXRChannel *channel = &s->channels[j]; + if (channel->pixel_type == EXR_HALF) + pixel_half_size = 1; + else + pixel_half_size = 2; + + in = tmp + tmp_offset * td->xsize * td->ysize + i * td->xsize * pixel_half_size; + tmp_offset += pixel_half_size; + memcpy(out, in, td->xsize * 2 * pixel_half_size); + out += td->xsize * 2 * pixel_half_size; } + } return 0; } From 77473002898f1dce18761c8a9bca48a8fe888d2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jun 2016 14:02:27 +0200 Subject: [PATCH 015/658] avutil/frame: Move new field to the end of AVFrame This fixes part of Ticket5676 This fixes kodi, mpv, chromium and ffplay build against 3.0 and linked to 3.1 This is a similar ABI fix to 1eb43af1a0e542ad83dcbf327197785d815fc42d Approved-by: BBB Approved-by: jamrial Approved-by: BtbN Approved-by: nevcairiel Signed-off-by: Michael Niedermayer (cherry picked from commit 042fb69deb5303d147b21ab1061387fb6e0c7afc) 
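Review bot: The second loop redeclares `EXRChannel *channel = &s->channels[j];` inside the inner block while the earlier hunk of this patch adds a function-scope `EXRChannel *channel;`, so the inner declaration shadows the outer one (`-Wshadow`) and the `pixel_half_size` if/else mapping is duplicated verbatim in both loops. Reuse the outer pointer and write the mapping once, e.g. `channel = &s->channels[j];` followed by `pixel_half_size = channel->pixel_type == EXR_HALF ? 1 : 2;`, with the same expression in the first loop. The offset `tmp_offset * td->xsize * td->ysize` and the `memcpy(out, in, td->xsize * 2 * pixel_half_size)` writes assume `td->tmp` and `td->uncompressed_data` were sized for the wider channels; that sizing is outside the hunk and is worth confirming, since a half-only assumption elsewhere would now be overrun. piz_uncompress starts outside the hunk.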
Signed-off-by: Michael Niedermayer --- libavutil/frame.h | 11 +++++------ libavutil/version.h | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/libavutil/frame.h b/libavutil/frame.h index 44adec4602..2b5c3320c3 100644 --- a/libavutil/frame.h +++ b/libavutil/frame.h @@ -427,12 +427,6 @@ typedef struct AVFrame { enum AVChromaLocation chroma_location; - /** - * For hwaccel-format frames, this should be a reference to the - * AVHWFramesContext describing the frame. - */ - AVBufferRef *hw_frames_ctx; - /** * frame timestamp estimated using various heuristics, in stream time base * Code outside libavutil should access this field using: @@ -524,6 +518,11 @@ typedef struct AVFrame { */ AVBufferRef *qp_table_buf; #endif + /** + * For hwaccel-format frames, this should be a reference to the + * AVHWFramesContext describing the frame. + */ + AVBufferRef *hw_frames_ctx; } AVFrame; /** diff --git a/libavutil/version.h b/libavutil/version.h index aa10622840..07618fc0bc 100644 --- a/libavutil/version.h +++ b/libavutil/version.h @@ -64,7 +64,7 @@ */ #define LIBAVUTIL_VERSION_MAJOR 55 -#define LIBAVUTIL_VERSION_MINOR 27 +#define LIBAVUTIL_VERSION_MINOR 28 #define LIBAVUTIL_VERSION_MICRO 100 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ From 79af094b9304676a2bd83a5172fac97f0d964c1a Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Thu, 30 Jun 2016 14:10:42 +0200 Subject: [PATCH 016/658] avformat/utils: update deprecated AVStream->codec when the context is updated This ensures the AVStream->codec entry is kept in sync when new streams are discovered mid-playback or changes to the context occur from other sources. Fixes trac 5678. Signed-off-by: Michael Niedermayer (cherry picked from commit c2e13d2ecd388bab28e743c34ed146c5ed213fc9) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6f343f228c..d2a709c9a4 100644 
--- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1483,6 +1483,15 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + /* update deprecated public codec context */ + ret = avcodec_parameters_to_context(st->codec, st->codecpar); + if (ret < 0) + return ret; +FF_ENABLE_DEPRECATION_WARNINGS +#endif + st->internal->need_context_update = 0; } From f617b94c233fb070810c03478968c3e036787564 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jun 2016 14:02:26 +0200 Subject: [PATCH 017/658] avformat/avformat: Move new field to the end of AVStream This fixes part of Ticket5676 This fixes kodi, mpv, chromium and ffplay build against 3.0 and linked to 3.1 This is a similar ABI fix to 1eb43af1a0e542ad83dcbf327197785d815fc42d Approved-by: BBB Approved-by: jamrial Approved-by: BtbN Approved-by: nevcairiel Signed-off-by: Michael Niedermayer (cherry picked from commit c1c7e0abb0c513a5f35b29126175b99fc9ca0254) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 22 +++++++++++----------- libavformat/version.h | 4 ++-- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 876f1e3ee4..818184e5a8 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h 
@@ -985,17 +985,6 @@ typedef struct AVStream { int event_flags; #define AVSTREAM_EVENT_FLAG_METADATA_UPDATED 0x0001 ///< The call resulted in updated metadata. - /* - * Codec parameters associated with this stream. Allocated and freed by - * libavformat in avformat_new_stream() and avformat_free_context() - * respectively. - * - * - demuxing: filled by libavformat on stream creation or in - * avformat_find_stream_info() - * - muxing: filled by the caller before avformat_write_header() - */ - AVCodecParameters *codecpar; - /***************************************************************** * All fields below this line are not part of the public API. They * may not be used outside of libavformat and can be changed and @@ -1217,6 +1206,17 @@ typedef struct AVStream { * Must not be accessed in any way by callers. */ AVStreamInternal *internal; + + /* + * Codec parameters associated with this stream. Allocated and freed by + * libavformat in avformat_new_stream() and avformat_free_context() + * respectively. + * + * - demuxing: filled by libavformat on stream creation or in + * avformat_find_stream_info() + * - muxing: filled by the caller before avformat_write_header() + */ + AVCodecParameters *codecpar; } AVStream; AVRational av_stream_get_r_frame_rate(const AVStream *s); diff --git a/libavformat/version.h b/libavformat/version.h index 544d4363eb..47a8afbb26 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -32,8 +32,8 @@ // Major bumping may affect Ticket5467, 5421, 5451(compatibility with Chromium) // Also please add any ticket numbers that you belive might be affected here #define LIBAVFORMAT_VERSION_MAJOR 57 -#define LIBAVFORMAT_VERSION_MINOR 40 -#define LIBAVFORMAT_VERSION_MICRO 101 +#define LIBAVFORMAT_VERSION_MINOR 41 +#define LIBAVFORMAT_VERSION_MICRO 100 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ LIBAVFORMAT_VERSION_MINOR, \ From 5c695ce90386e7871fabba2219d4076e70a78d01 Mon Sep 17 00:00:00 2001 
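Review bot: `codecpar` is documented as a field the caller fills before `avformat_write_header()`, yet its new position is below the banner `All fields below this line are not part of the public API`, so the header now contradicts itself about whether `AVStream.codecpar` may be touched by applications. Extend its comment to carry the exception, e.g. `/* Public despite its position: kept after the private fields so that they retain their FFmpeg 3.0 offsets. */`. Moving the field back above the banner would undo the ABI fix, so the comment is the right place to resolve the contradiction. The AVStream definition begins and ends outside the hunk.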
From: Michael Niedermayer Date: Thu, 30 Jun 2016 18:12:41 +0200 Subject: [PATCH 018/658] doc/APIchanges: document the lavu/lavf field moves Based-on: patch by James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 86fec7a7e861f0ad3c95cb27271267ec143ff754) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/APIchanges b/doc/APIchanges index 47106c22e7..bca899240c 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -15,6 +15,14 @@ libavutil: 2015-08-28 API changes, most recent first: +2016-06-30 - c1c7e0ab - lavf 57.41.100 - avformat.h + Moved codecpar field from AVStream to the end of the struct, so that + the following private fields are in the same location as in FFmpeg 3.0 (lavf 57.25.100). + +2016-06-30 - 042fb69d - lavu 55.28.100 - frame.h + Moved hw_frames_ctx field from AVFrame to the end of the struct, so that + the following private fields are in the same location as in FFmpeg 3.0 (lavu 55.17.103). + 2016-06-29 - xxxxxxx - lavfi 6.47.100 - avfilter.h Fix accidental ABI breakage in AVFilterContext. ABI was broken in 8688d3a, lavfi 6.42.100 and released as ffmpeg 3.1. From fc25481d17bec3c7191d933fcc25e87c0a20a3a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jul 2016 02:13:51 +0200 Subject: [PATCH 019/658] Update for 3.1.1 Signed-off-by: Michael Niedermayer --- Changelog | 14 ++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 99cdb80e09..2a8791620a 100644 --- a/Changelog +++ b/Changelog 
@@ -4,6 +4,20 @@ releases are sorted from youngest to oldest. version : +version 3.1.1: +- doc/APIchanges: document the lavu/lavf field moves +- avformat/avformat: Move new field to the end of AVStream +- avformat/utils: update deprecated AVStream->codec when the context is updated +- avutil/frame: Move new field to the end of AVFrame +- libavcodec/exr : fix decoding piz float file. +- avformat/mov: Check sample size +- lavfi: Move new field to the end of AVFilterContext +- lavfi: Move new field to the end of AVFilterLink +- ffplay: Fix usage of private lavfi API +- lavc/mediacodecdec_h264: add missing NAL headers to SPS/PPS buffers +- lavc/pnm_parser: disable parsing for text based PNMs + + version 3.1: - DXVA2-accelerated HEVC Main10 decoding - fieldhint filter diff --git a/RELEASE b/RELEASE index 8c50098d8a..94ff29cc4d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1 +3.1.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 53f9b25fe4..68c067940e 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1 +PROJECT_NUMBER = 3.1.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From ce36e74e75751c721185fbebaa4ee8714b44c5a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jul 2016 02:42:03 +0200 Subject: [PATCH 020/658] doc/APIchanges: fill in missing git hash Signed-off-by: Michael Niedermayer (cherry picked from commit 2a8dadb38f6b458ffe3ac2037bace7c3892cb282) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index bca899240c..52cd48ca5d 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -23,7 +23,7 @@ API changes, most recent first: Moved hw_frames_ctx field from AVFrame to the end of the struct, so that the following private fields are in the same location as in FFmpeg 3.0 (lavu 55.17.103). -2016-06-29 - xxxxxxx - lavfi 6.47.100 - avfilter.h +2016-06-29 - 1a751455 - lavfi 6.47.100 - avfilter.h Fix accidental ABI breakage in AVFilterContext. ABI was broken in 8688d3a, lavfi 6.42.100 and released as ffmpeg 3.1. From f9a150fc31c5336a8d51bc51a921d1f9885d5876 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 9 Jul 2016 16:00:06 -0300 Subject: [PATCH 021/658] =?UTF-8?q?Revert=20"configure:=20Enable=20GCC=20v?= =?UTF-8?q?ectorization=20on=20=E2=89=A54.9=20on=20x86"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit cb8646af24bd8e9627cc5e1c62b049a00fe0b07b. This change has brough more issues than benefits, between compilation time failures depending on flags used and code miscompilation causing runtime crashes. See the "[PATCH 2/2] configure: Enable GCC vectorization on ≥4.9" thread in the ffmpeg-devel mailing list for the relevant discussion. (cherry picked from commit fd6dbc53855fbfc9a782095d0ffe11dd3a98905f) --- configure | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/configure b/configure index 3760641385..adb4c27e0f 100755 --- a/configure +++ b/configure @@ -6125,11 +6125,7 @@ elif enabled ccc; then add_cflags -msg_disable nonstandcast add_cflags -msg_disable unsupieee elif enabled gcc; then - case $gcc_basever in - 4.9*) enabled x86 || check_optflags -fno-tree-vectorize ;; - 4.*) check_optflags -fno-tree-vectorize ;; - *) enabled x86 || check_optflags -fno-tree-vectorize ;; - esac + check_optflags -fno-tree-vectorize check_cflags -Werror=format-security check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes From 1410732621ddfeec2908bd1add7f15c0240eccdd Mon Sep 17 00:00:00 2001 
From: Matthieu Bouron Date: Sun, 3 Jul 2016 17:34:51 +0200 Subject: [PATCH 022/658] lavc/mediacodecdec_h264: properly convert extradata to annex-b H264ParamSets has its SPS/PPS stored raw (SODB) and needs to be converted to NAL units before sending them to MediaCodec. This patch adds the missing convertion of the SPS/PPS from SOBP to RBSP which makes the resulting NAL units correct. Fixes codec initialization on Nexus 4 and Nexus 7. (cherry picked from commit 88d9c30cf57ec7328f16a241f10c84415e9aef4e) --- libavcodec/mediacodecdec_h264.c | 73 +++++++++++++++++++++++++++------ 1 file changed, 60 insertions(+), 13 deletions(-) diff --git a/libavcodec/mediacodecdec_h264.c b/libavcodec/mediacodecdec_h264.c index 0664e4994e..11fb677d5c 100644 --- a/libavcodec/mediacodecdec_h264.c +++ b/libavcodec/mediacodecdec_h264.c @@ -65,6 +65,58 @@ static av_cold int mediacodec_decode_close(AVCodecContext *avctx) return 0; } +static int h264_ps_to_nalu(const uint8_t *src, int src_size, uint8_t **out, int *out_size) +{ + int i; + int ret = 0; + uint8_t *p = NULL; + static const uint8_t nalu_header[] = { 0x00, 0x00, 0x00, 0x01 }; + + if (!out || !out_size) { + return AVERROR(EINVAL); + } + + p = av_malloc(sizeof(nalu_header) + src_size); + if (!p) { + return AVERROR(ENOMEM); + } + + *out = p; + *out_size = sizeof(nalu_header) + src_size; + + memcpy(p, nalu_header, sizeof(nalu_header)); + memcpy(p + sizeof(nalu_header), src, src_size); + + /* Escape 0x00, 0x00, 0x0{0-3} pattern */ + for (i = 4; i < *out_size; i++) { + if (i < *out_size - 3 && + p[i + 0] == 0 && + p[i + 1] == 0 && + p[i + 2] <= 3) { + uint8_t *new; + + *out_size += 1; + new = av_realloc(*out, *out_size); + if (!new) { + ret = AVERROR(ENOMEM); + goto done; + } + *out = p = new; + + i = i + 3; + memmove(p + i, p + i - 1, *out_size - i); + p[i - 1] = 0x03; + } + } +done: + if (ret < 0) { + av_freep(out); + *out_size = 0; + } + + return ret; +} + static av_cold int mediacodec_decode_init(AVCodecContext *avctx) { int i; 
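Review bot: In `h264_ps_to_nalu` the loop bound `i < *out_size - 3` stops one position early, so a `00 00 0x` run whose third byte is the last byte of the buffer is never escaped and a trailing `00 00 01` would be read as a start code; `i + 2 < *out_size` (equivalently `i <= *out_size - 3`) covers that case, and the existing `memmove` arithmetic already handles the resulting one-byte tail. The function also accepts `int src_size` without rejecting negative values before `av_malloc(sizeof(nalu_header) + src_size)`; an `if (src_size < 0) return AVERROR(EINVAL);` next to the existing NULL checks would close that. Growing the buffer by one byte per escape is quadratic in the worst case, which is acceptable for SPS/PPS sizes but worth a short comment so nobody reuses the helper on slice data.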
@@ -112,24 +164,19 @@ static av_cold int mediacodec_decode_init(AVCodecContext *avctx) } if (pps && sps) { - static const uint8_t nal_headers[] = { 0x00, 0x00, 0x00, 0x01 }; - uint8_t *data = NULL; - size_t data_size = sizeof(nal_headers) + FFMAX(sps->data_size, pps->data_size); + size_t data_size = 0; - data = av_mallocz(data_size); - if (!data) { - ret = AVERROR(ENOMEM); + if ((ret = h264_ps_to_nalu(sps->data, sps->data_size, &data, &data_size)) < 0) { goto done; } + ff_AMediaFormat_setBuffer(format, "csd-0", (void*)data, data_size); + av_freep(&data); - memcpy(data, nal_headers, sizeof(nal_headers)); - memcpy(data + sizeof(nal_headers), sps->data, sps->data_size); - ff_AMediaFormat_setBuffer(format, "csd-0", (void*)data, sizeof(nal_headers) + sps->data_size); - - memcpy(data + sizeof(nal_headers), pps->data, pps->data_size); - ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, sizeof(nal_headers) + pps->data_size); - + if ((ret = h264_ps_to_nalu(pps->data, pps->data_size, &data, &data_size)) < 0) { + goto done; + } + ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, data_size); av_freep(&data); } else { av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from extradata"); From 7da59005bec1ce440355aa384693eaf295f9ca48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 15 Jul 2016 10:29:14 +0200 Subject: [PATCH 023/658] lavf/vplayerdec: Improve auto-detection. Fixes the incorrect detection of 16_selma_OneFrame_QP39.yuv (gray16le rawvideo) as vplayer format. (cherry picked from commit 77726d32a872ad500434fd8799b289cf56215047) --- libavformat/vplayerdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index 897c4083b6..49943d0d0e 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c 
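Review bot: `size_t data_size = 0;` is passed as `&data_size` to `h264_ps_to_nalu`, whose last parameter is `int *out_size` (declared in the previous hunk of this patch), so the call is an incompatible-pointer-type conversion and the callee writes only the low 32 bits of a 64-bit object; it happens to work because the variable is zeroed first and the common targets are little-endian. Declare it as `int data_size = 0;` to match the callee, or change the helper to take `size_t *`, so the value handed to both `ff_AMediaFormat_setBuffer` calls is well defined on every platform. mediacodec_decode_init begins and ends outside the hunk.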
@@ -36,8 +36,8 @@ static int vplayer_probe(AVProbeData *p) char c; const unsigned char *ptr = p->buf; - if ((sscanf(ptr, "%*d:%*d:%*d.%*d%c", &c) == 1 || - sscanf(ptr, "%*d:%*d:%*d%c", &c) == 1) && strchr(": =", c)) + if ((sscanf(ptr, "%*3d:%*2d:%*2d.%*2d%c", &c) == 1 || + sscanf(ptr, "%*3d:%*2d:%*2d%c", &c) == 1) && strchr(": =", c)) return AVPROBE_SCORE_MAX; return 0; } From 2e1be2271506c0589ab68583d6b524a4b5acc9be Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 24 Jul 2016 23:50:33 +0200 Subject: [PATCH 024/658] lavc/Makefile: Fix standalone compilation of the svq3 decoder. Regression since 0bf5fd2e (cherry picked from commit 71167f7f8434341b3f76da68a10923b6525e2e87) --- libavcodec/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index fd0d1f0afc..bb28aea1e2 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -528,7 +528,8 @@ OBJS-$(CONFIG_SUNRAST_ENCODER) += sunrastenc.o OBJS-$(CONFIG_SVQ1_DECODER) += svq1dec.o svq1.o svq13.o h263data.o OBJS-$(CONFIG_SVQ1_ENCODER) += svq1enc.o svq1.o h263data.o \ h263.o ituh263enc.o -OBJS-$(CONFIG_SVQ3_DECODER) += svq3.o svq13.o mpegutils.o h264_parse.o h264data.o +OBJS-$(CONFIG_SVQ3_DECODER) += svq3.o svq13.o mpegutils.o \ + h264_parse.o h264data.o h264_ps.o h2645_parse.o OBJS-$(CONFIG_TEXT_DECODER) += textdec.o ass.o OBJS-$(CONFIG_TEXT_ENCODER) += srtenc.o ass_split.o OBJS-$(CONFIG_TAK_DECODER) += takdec.o tak.o takdsp.o From 7cab4142c541a721db7cf59d9da6b483e9196b90 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 12 Jul 2016 17:05:42 -0300 Subject: [PATCH 025/658] avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame Signed-off-by: James Almer (cherry picked from commit 5adfbd391847fcdaea1e9b105fae2dd90af2a733) --- libavformat/oggparsevp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index d57419e9f0..6716dd2f45 100644 
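Review bot: Width-limited `%*3d` still lets sscanf skip leading whitespace and accept a sign, so a buffer beginning with e.g. ` -1:2:3 ` is still reported as vplayer with AVPROBE_SCORE_MAX; if a strict `hh:mm:ss` prefix is intended, checking the leading characters with av_isdigit before calling sscanf would make the match exact. vplayer_probe also relies on p->buf being NUL-terminated beyond the probed bytes (the padding the caller provides), since sscanf takes no length; a short comment stating that assumption would help readers.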
--- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -82,7 +82,11 @@ static uint64_t vp8_gptopts(AVFormatContext *s, int idx, struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; - uint64_t pts = (granule >> 32); + int invcnt = !((granule >> 30) & 3); + // If page granule is that of an invisible vp8 frame, its pts will be + // that of the end of the next visible frame. We substract 1 for those + // to prevent messing up pts calculations. + uint64_t pts = (granule >> 32) - invcnt; uint32_t dist = (granule >> 3) & 0x07ffffff; if (!dist) From 86f92287404286d01e6d9e65e63242637f1850d0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 Jun 2016 06:36:31 +0200 Subject: [PATCH 026/658] librtmp: Avoid an infiniloop setting connection arguments The exit condition was missing. Signed-off-by: Timothy Gu (cherry picked from commit e85d38c20a8893cb59d7c86f74481f2497882196) Signed-off-by: Timothy Gu --- libavformat/librtmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index 0fea675b38..146df660ac 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -193,6 +193,8 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) if (sep) p = sep + 1; + else + break; } } if (ctx->playpath) { From e4eab67a0aed7c8962f7be2f482399048062e8a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jul 2016 03:06:27 +0200 Subject: [PATCH 027/658] avcodec/h264_parser: Set sps/pps_ref Fixes use of freed memory Should fix valgrind failures of fate-h264-skip-nointra Found-by: logan Signed-off-by: Michael Niedermayer (cherry picked from commit febc862b53c090e530b943ebd873747addf5f913) Conflicts: libavcodec/h264_parser.c --- libavcodec/h264_parser.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index ce4bab225e..52c1d41784 100644 --- a/libavcodec/h264_parser.c 
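Review bot: `(granule >> 32) - invcnt` wraps to UINT64_MAX when the upper 32 bits of the granule are zero and the invisible-frame bits are set, which a damaged or crafted page can produce; pts is unsigned, so the rest of vp8_gptopts (its tail is outside the hunk) sees a huge value rather than a negative one. Guarding the subtraction keeps pts at 0 in that case: `uint64_t pts = granule >> 32;` / `if (invcnt && pts) pts--;`. The new comment has a typo, `substract` → `subtract`.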
+++ b/libavcodec/h264_parser.c @@ -367,13 +367,26 @@ static inline int parse_nal_units(AVCodecParserContext *s, "non-existing PPS %u referenced\n", pps_id); goto fail; } - p->ps.pps = (const PPS*)p->ps.pps_list[pps_id]->data; + + av_buffer_unref(&p->ps.pps_ref); + av_buffer_unref(&p->ps.sps_ref); + p->ps.pps = NULL; + p->ps.sps = NULL; + p->ps.pps_ref = av_buffer_ref(p->ps.pps_list[pps_id]); + if (!p->ps.pps_ref) + goto fail; + p->ps.pps = (const PPS*)p->ps.pps_ref->data; + if (!p->ps.sps_list[p->ps.pps->sps_id]) { av_log(avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", p->ps.pps->sps_id); goto fail; } - p->ps.sps = (SPS*)p->ps.sps_list[p->ps.pps->sps_id]->data; + + p->ps.sps_ref = av_buffer_ref(p->ps.sps_list[p->ps.pps->sps_id]); + if (!p->ps.sps_ref) + goto fail; + p->ps.sps = (SPS*)p->ps.sps_ref->data; sps = p->ps.sps; From 7c01fa962e7fb08754f191a3840af56654fa0841 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Thu, 21 Jul 2016 18:52:41 -0700 Subject: [PATCH 028/658] libx264: Increase x264 opts character limit to 4096 Signed-off-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 282477bf4534439ecb06f14d46446a4f1ab82284) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index c8f2380d8e..b730c91ef2 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -777,8 +777,8 @@ FF_ENABLE_DEPRECATION_WARNINGS if(x4->x264opts){ const char *p= x4->x264opts; while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + char param[4096]={0}, val[4096]={0}; + if(sscanf(p, "%4095[^:=]=%4095[^:]", param, val) == 1){ OPT_STR(param, "1"); }else OPT_STR(param, val); From caf32880fdf9a06c03c65a6abef648d12ba99a1d Mon Sep 17 00:00:00 2001 
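Review bot: The two `av_buffer_ref` failure paths `goto fail` leaving p->ps.pps_ref set (and, on the second, p->ps.pps pointing into it) while p->ps.sps stays NULL; the next call unrefs both before taking new references, so the state is consistent, but a one-line comment at the unref block, `/* drop the previous references before taking new ones; both are reset together */`, would make that invariant explicit. Whether the parser's close callback releases pps_ref/sps_ref cannot be seen from this hunk; if it does not, each parser context now retains the last referenced SPS/PPS buffers until it is freed. `p->ps.pps->sps_id` indexes sps_list directly, which presumes the PPS parser already bounded sps_id — worth confirming.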
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 21:43:06 +0200 Subject: [PATCH 029/658] libavutil/opt: Small bugfix in example. Fix const corectness and zero init the struct. This example code would actually crash when initializing string. Signed-off-by: Michael Niedermayer (cherry picked from commit 69630f4d304a4e35d90957d6a170744af87cbf93) Signed-off-by: Michael Niedermayer --- libavutil/opt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 9a76a47f75..9430b989e9 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -58,7 +58,7 @@ * The following example illustrates an AVOptions-enabled struct: * @code * typedef struct test_struct { - * AVClass *class; + * const AVClass *class; * int int_opt; * char *str_opt; * uint8_t *bin_opt; @@ -96,7 +96,7 @@ * @code * test_struct *alloc_test_struct(void) * { - * test_struct *ret = av_malloc(sizeof(*ret)); + * test_struct *ret = av_mallocz(sizeof(*ret)); * ret->class = &test_class; * av_opt_set_defaults(ret); * return ret; From 87d5146fb7b996a8bb0449ae19339015e02963b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 23:47:39 +0200 Subject: [PATCH 030/658] libavformat/rtpdec_asf: zero initialize the AVIOContext struct This fixes crash in avformat_open_input() when accessing protocol_whitelist field. Signed-off-by: Michael Niedermayer (cherry picked from commit e947b75b1c76ef6793209c2c445b8c224a28717a) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 8459a513fb..2c09fda10b 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c 
@@ -101,7 +101,7 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p) { int ret = 0; if (av_strstart(p, "pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,", &p)) { - AVIOContext pb; + AVIOContext pb = { 0 }; RTSPState *rt = s->priv_data; AVDictionary *opts = NULL; int len = strlen(p) * 6 / 8; From 88e3e6b94305839ca101e8bf2c4dd96700166c2f Mon Sep 17 00:00:00 2001 From: Xinzheng Zhang Date: Wed, 27 Jul 2016 12:21:24 +0800 Subject: [PATCH 031/658] avformat/flvdec: splitting add_keyframes_index() out from parse_keyframes_index() Signed-off-by: Michael Niedermayer (cherry picked from commit cd141e71bd3441ac9b7b720b934b7d4d85a75355) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 76 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 60 insertions(+), 16 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 2bf1e059e1..633cad0f88 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -61,6 +61,11 @@ typedef struct FLVContext { int broken_sizes; int sum_flv_tag_size; + + int last_keyframe_stream_index; + int keyframe_count; + int64_t *keyframe_times; + int64_t *keyframe_filepositions; } FLVContext; static int probe(AVProbeData *p, int live) 
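Review bot: The four new FLVContext fields are undocumented and their ownership is not obvious from the struct alone: keyframe_times and keyframe_filepositions are heap arrays (released in add_keyframes_index once applied to a video stream, and in flv_read_close), and last_keyframe_stream_index uses -1 for "no stream yet". Suggested comments: `/* index into s->streams of the stream the parsed keyframe index applies to, -1 if none yet */` on last_keyframe_stream_index, and `/* keyframe index parsed from metadata; owned by FLVContext, freed once applied to the video stream */` above the two arrays.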
@@ -92,6 +97,35 @@ static int live_flv_probe(AVProbeData *p) return probe(p, 1); } +static void add_keyframes_index(AVFormatContext *s) +{ + FLVContext *flv = s->priv_data; + AVStream *stream = NULL; + unsigned int i = 0; + + if (flv->last_keyframe_stream_index < 0) { + av_log(s, AV_LOG_DEBUG, "keyframe stream hasn't been created\n"); + return; + } + + av_assert0(flv->last_keyframe_stream_index <= s->nb_streams); + stream = s->streams[flv->last_keyframe_stream_index]; + + if (stream->nb_index_entries == 0) { + for (i = 0; i < flv->keyframe_count; i++) { + av_add_index_entry(stream, flv->keyframe_filepositions[i], + flv->keyframe_times[i] * 1000, 0, 0, AVINDEX_KEYFRAME); + } + } else + av_log(s, AV_LOG_WARNING, "Skipping duplicate index\n"); + + if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + av_freep(&flv->keyframe_times); + av_freep(&flv->keyframe_filepositions); + flv->keyframe_count = 0; + } +} + static AVStream *create_stream(AVFormatContext *s, int codec_type) { AVStream *st = avformat_new_stream(s, NULL); @@ -305,8 +339,7 @@ static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) return length; } -static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, - AVStream *vstream, int64_t max_pos) +static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t max_pos) { FLVContext *flv = s->priv_data; unsigned int timeslen = 0, fileposlen = 0, i; @@ -316,10 +349,12 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int ret = AVERROR(ENOSYS); int64_t initial_pos = avio_tell(ioc); - if (vstream->nb_index_entries>0) { - av_log(s, AV_LOG_WARNING, "Skipping duplicate index\n"); + if (flv->keyframe_count > 0) { + av_log(s, AV_LOG_DEBUG, "keyframes have been paresed\n"); return 0; } + av_assert0(!flv->keyframe_times); + av_assert0(!flv->keyframe_filepositions); if (s->flags & AVFMT_FLAG_IGNIDX) return 0; 
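Review bot: `av_assert0(flv->last_keyframe_stream_index <= s->nb_streams)` in add_keyframes_index permits an index equal to nb_streams, and the very next line dereferences `s->streams[flv->last_keyframe_stream_index]`, one past the end; the check should be `<`. In the same function `i` is `unsigned int` while keyframe_count is `int`, so the loop condition compares mixed signedness; giving both the same type avoids the -Wsign-compare noise. The third hunk on this line logs `keyframes have been paresed` — `parsed`.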
@@ -368,15 +403,17 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, } if (timeslen == fileposlen && fileposlen>1 && max_pos <= filepositions[0]) { - for (i = 0; i < fileposlen; i++) { - av_add_index_entry(vstream, filepositions[i], times[i] * 1000, - 0, 0, AVINDEX_KEYFRAME); - if (i < 2) { - flv->validate_index[i].pos = filepositions[i]; - flv->validate_index[i].dts = times[i] * 1000; - flv->validate_count = i + 1; - } + for (i = 0; i < FFMIN(2,fileposlen); i++) { + flv->validate_index[i].pos = filepositions[i]; + flv->validate_index[i].dts = times[i] * 1000; + flv->validate_count = i + 1; } + flv->keyframe_times = times; + flv->keyframe_filepositions = filepositions; + flv->keyframe_count = timeslen; + times = NULL; + filepositions = NULL; + add_keyframes_index(s); } else { invalid: av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n"); @@ -421,10 +458,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, if ((vstream || astream) && key && ioc->seekable && !strcmp(KEYFRAMES_TAG, key) && depth == 1) - if (parse_keyframes_index(s, ioc, vstream ? vstream : astream, + if (parse_keyframes_index(s, ioc, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); - while (avio_tell(ioc) < max_pos - 2 && amf_get_string(ioc, str_val, sizeof(str_val)) > 0) if (amf_parse_object(s, astream, vstream, str_val, max_pos, @@ -574,6 +610,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { + FLVContext *flv = s->priv_data; AMFDataType type; AVStream *stream, *astream, *vstream; AVStream av_unused *dstream; 
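Review bot: Ownership of `times` and `filepositions` silently moves to FLVContext here — the two `= NULL` assignments are what keep the function's cleanup, outside the hunk, from freeing them — but nothing says so; a comment such as `/* hand the arrays over to the context; the cleanup below must not free them */` before `flv->keyframe_times = times;` would make the handover explicit. `flv->keyframe_count = timeslen` is only correct because the enclosing condition requires `timeslen == fileposlen`; a reader has to look back to see that both arrays are the same length.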
@@ -612,10 +649,14 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) // the lookup every time it is called. for (i = 0; i < s->nb_streams; i++) { stream = s->streams[i]; - if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + if (stream->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { vstream = stream; - else if (stream->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) + flv->last_keyframe_stream_index = i; + } else if (stream->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { astream = stream; + if (flv->last_keyframe_stream_index == -1) + flv->last_keyframe_stream_index = i; + } else if (stream->codecpar->codec_type == AVMEDIA_TYPE_SUBTITLE) dstream = stream; } @@ -643,6 +684,7 @@ static int flv_read_header(AVFormatContext *s) s->start_time = 0; flv->sum_flv_tag_size = 0; + flv->last_keyframe_stream_index = -1; return 0; } @@ -653,6 +695,8 @@ static int flv_read_close(AVFormatContext *s) FLVContext *flv = s->priv_data; for (i=0; inew_extradata[i]); + av_freep(&flv->keyframe_times); + av_freep(&flv->keyframe_filepositions); return 0; } From b4922daeadd22fd4fe825747ab2acc9574daf99d Mon Sep 17 00:00:00 2001 From: Xinzheng Zhang Date: Wed, 27 Jul 2016 12:21:25 +0800 Subject: [PATCH 032/658] avformat/flvdec: parse keyframe before a\v stream was created add_keyframes_index() when stream created or keyframe parsed Signed-off-by: Michael Niedermayer (cherry picked from commit ad14aab3b4f88cdb6c2a3f8877c578e5a8042f1d) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 633cad0f88..0afeba58ba 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -128,6 +128,7 @@ static void add_keyframes_index(AVFormatContext *s) static AVStream *create_stream(AVFormatContext *s, int codec_type) { + FLVContext *flv = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); if (!st) return NULL; 
@@ -138,6 +139,8 @@ static AVStream *create_stream(AVFormatContext *s, int codec_type) s->ctx_flags &= ~AVFMTCTX_NOHEADER; avpriv_set_pts_info(st, 32, 1, 1000); /* 32 bit pts in ms */ + flv->last_keyframe_stream_index = s->nb_streams - 1; + add_keyframes_index(s); return st; } @@ -413,7 +416,6 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m flv->keyframe_count = timeslen; times = NULL; filepositions = NULL; - add_keyframes_index(s); } else { invalid: av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n"); @@ -455,12 +457,14 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, } break; case AMF_DATA_TYPE_OBJECT: - if ((vstream || astream) && key && + if (key && ioc->seekable && !strcmp(KEYFRAMES_TAG, key) && depth == 1) if (parse_keyframes_index(s, ioc, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); + else + add_keyframes_index(s); while (avio_tell(ioc) < max_pos - 2 && amf_get_string(ioc, str_val, sizeof(str_val)) > 0) if (amf_parse_object(s, astream, vstream, str_val, max_pos, From 8f6a95a103b4586bf79034c5c9e9764f7eb19b57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Aug 2016 13:50:21 +0200 Subject: [PATCH 033/658] avcodec/vp9_parser: Check the input frame sizes for being consistent Suggested-by: BBB Fixed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 77b0f3f26d33d4f46f274896e0583ad1f5936b7c) Signed-off-by: Michael Niedermayer --- libavcodec/vp9_parser.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index 2e9235e657..9900e7ab1f 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -28,6 +28,7 @@ typedef struct VP9ParseContext { int n_frames; // 1-8 int size[8]; + int marker_size; int64_t pts; } VP9ParseContext; 
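Review bot: `flv->last_keyframe_stream_index = s->nb_streams - 1` in create_stream runs for every stream type, so a data or subtitle stream created before the video stream becomes the target of add_keyframes_index and receives the keyframe entries (they are only released once a video stream has consumed them). Restricting the assignment with `if (codec_type == AVMEDIA_TYPE_VIDEO || codec_type == AVMEDIA_TYPE_AUDIO)` would match the stream selection done in flv_read_metabody. In the amf_parse_object hunk on this line the new `else add_keyframes_index(s);` hangs off an unbraced nested `if`; it binds to the inner parse_keyframes_index test as intended, but braces around the outer body would remove the dangling-else ambiguity for readers.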
@@ -88,6 +89,21 @@ static int parse(AVCodecParserContext *ctx, return 0; } + if (s->n_frames > 0) { + int i; + int size_sum = 0; + + for (i = 0; i < s->n_frames ;i++) + size_sum += s->size[i]; + size_sum += s->marker_size; + + if (size_sum != size) { + av_log(avctx, AV_LOG_ERROR, "Inconsistent input frame sizes %d %d\n", + size_sum, size); + s->n_frames = 0; + } + } + if (s->n_frames > 0) { *out_data = data; *out_size = s->size[--s->n_frames]; @@ -131,6 +147,7 @@ static int parse(AVCodecParserContext *ctx, data += sz; \ size -= sz; \ } \ + s->marker_size = size; \ parse_frame(ctx, *out_data, *out_size); \ return s->n_frames > 0 ? *out_size : full_size From 9a345b235fbd6dd48030b192b2292b1806f8d600 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 2 Aug 2016 17:07:41 +0200 Subject: [PATCH 034/658] lavu/hwcontext_vaapi: Fix compilation if VA_FOURCC_ABGR is not defined. Fixes ticket #5484. (cherry picked from commit 5aede051202150a1904c0f07a5c7901f402395a5) --- libavutil/hwcontext_vaapi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/hwcontext_vaapi.c b/libavutil/hwcontext_vaapi.c index 3c1493be9a..92fa23538b 100644 --- a/libavutil/hwcontext_vaapi.c +++ b/libavutil/hwcontext_vaapi.c @@ -115,8 +115,10 @@ static struct { MAP(BGRX, RGB32, BGR0), MAP(RGBA, RGB32, RGBA), MAP(RGBX, RGB32, RGB0), +#ifdef VA_FOURCC_ABGR MAP(ABGR, RGB32, ABGR), MAP(XBGR, RGB32, 0BGR), +#endif MAP(ARGB, RGB32, ARGB), MAP(XRGB, RGB32, 0RGB), }; From 327033d913f782c25a585115a0135842ef8aa5e0 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 2 Aug 2016 20:47:55 -0700 Subject: [PATCH 035/658] jni: Return ENOSYS on unsupported platforms --- libavcodec/jni.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/jni.c b/libavcodec/jni.c index 32456f59fb..85dcf2abaf 100644 --- a/libavcodec/jni.c +++ b/libavcodec/jni.c 
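Review bot: `size_sum` is an `int` accumulating up to eight `s->size[i]` values plus `marker_size`, all derived from the input superframe index; if the index parser (outside this hunk) admits values near INT_MAX, the addition overflows — undefined behaviour — before the consistency check can reject the frame. Summing into an `int64_t`, or checking `s->size[i] > size - size_sum` on each step, makes the check itself safe. Style: `i < s->n_frames ;i++` has the space on the wrong side of the semicolon.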
@@ -20,19 +20,18 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "config.h" + #include -#include "config.h" +#include "libavutil/error.h" #include "jni.h" #if CONFIG_JNI - -#include #include #include #include "libavutil/log.h" -#include "libavutil/error.h" #include "ffjni.h" void *java_vm; @@ -69,7 +68,7 @@ void *av_jni_get_java_vm(void *log_ctx) int av_jni_set_java_vm(void *vm, void *log_ctx) { - return 0; + return AVERROR(ENOSYS); } void *av_jni_get_java_vm(void *log_ctx) From c70b1ae93023831664588726e32f8fcd7db4250b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 2 Aug 2016 19:02:09 +0200 Subject: [PATCH 036/658] lavc/vaapi_encode_h26x: Fix a crash if "." is not the decimal separator. Fixes Debian bugs #831529, #831909, #832964. Signed-off-by: Mark Thompson (cherry picked from commit 82e53b3cef924f250f928fca6348204e2ace90d8) --- libavcodec/vaapi_encode_h264.c | 8 ++++---- libavcodec/vaapi_encode_h265.c | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vaapi_encode_h264.c b/libavcodec/vaapi_encode_h264.c index 39e2ec09cd..ece6314d13 100644 --- a/libavcodec/vaapi_encode_h264.c +++ b/libavcodec/vaapi_encode_h264.c @@ -967,10 +967,10 @@ static const AVCodecDefault vaapi_encode_h264_defaults[] = { { "b", "0" }, { "bf", "2" }, { "g", "120" }, - { "i_qfactor", "1.0" }, - { "i_qoffset", "0.0" }, - { "b_qfactor", "1.2" }, - { "b_qoffset", "0.0" }, + { "i_qfactor", "1" }, + { "i_qoffset", "0" }, + { "b_qfactor", "6/5" }, + { "b_qoffset", "0" }, { NULL }, }; diff --git a/libavcodec/vaapi_encode_h265.c b/libavcodec/vaapi_encode_h265.c index c42c08efd4..cb376b194d 100644 --- a/libavcodec/vaapi_encode_h265.c +++ b/libavcodec/vaapi_encode_h265.c 
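Review bot: The new default strings (`"6/5"` for b_qfactor, plain integers for the others) are chosen so that parsing does not depend on the locale's decimal separator, but nothing in the table records that; a comment above it, `/* written as integers/rationals: "1.2" fails to parse when "." is not the locale's decimal separator */`, keeps the next editor from tidying them back to decimals. The same applies to the identical table in libavcodec/vaapi_encode_h265.c in this commit.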
@@ -1338,10 +1338,10 @@ static const AVCodecDefault vaapi_encode_h265_defaults[] = { { "b", "0" }, { "bf", "2" }, { "g", "120" }, - { "i_qfactor", "1.0" }, - { "i_qoffset", "0.0" }, - { "b_qfactor", "1.2" }, - { "b_qoffset", "0.0" }, + { "i_qfactor", "1" }, + { "i_qoffset", "0" }, + { "b_qfactor", "6/5" }, + { "b_qoffset", "0" }, { NULL }, }; From 5222f660d7fb52ef447e8b8ee5f92615e9fcf5ec Mon Sep 17 00:00:00 2001 From: Steven Robertson Date: Mon, 1 Aug 2016 23:26:12 -0700 Subject: [PATCH 037/658] libavcodec/dnxhd: Enable 12-bit DNxHR support. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 10- and 12-bit DNxHR use the same DC coefficient decoding process and VLC table, just with a different shift value. From SMPTE 2019-1:2016, 8.2.4 DC Coefficient Decoding: "For 8-bit video sampling, the maximum value of η=11 and for 10-/12-bit video sampling, the maximum value of η=13." A sample file will be uploaded to show that with this patch, things decode correctly: dnxhr_hqx_12bit_1080p_smpte_colorbars_davinci_resolve.mov Signed-off-by: Steven Robertson Signed-off-by: Michael Niedermayer (cherry picked from commit e1be80aa11cca765881d04f21119487db53c4ffa) --- libavcodec/dnxhddec.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 18080803fa..cb1fc798b2 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -118,11 +118,6 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) av_log(ctx->avctx, AV_LOG_ERROR, "bit depth mismatches %d %d\n", ff_dnxhd_cid_table[index].bit_depth, bitdepth); return AVERROR_INVALIDDATA; } - if (bitdepth > 10) { - avpriv_request_sample(ctx->avctx, "DNXHR 12-bit"); - if (ctx->avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) - return AVERROR_PATCHWELCOME; - } ctx->cid_table = &ff_dnxhd_cid_table[index]; av_log(ctx->avctx, AV_LOG_VERBOSE, "Profile cid %d.\n", cid); 
@@ -133,7 +128,7 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth + 4, + init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, ctx->cid_table->dc_codes, 1, 1, 0); init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, From 46732e6a55a4fd25dc599073598b15bde1c2be15 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 29 Jul 2016 15:05:52 +0200 Subject: [PATCH 038/658] avcodec/alacenc: allocate bigger packets (cherry picked from commit 82b84c71b009884c8d041361027718b19922c76d) --- libavcodec/alacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index 9ac35f1a14..9095611289 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -623,7 +623,7 @@ static int alac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, else max_frame_size = s->max_coded_frame_size; - if ((ret = ff_alloc_packet2(avctx, avpkt, 2 * max_frame_size, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, avpkt, 4 * max_frame_size, 0)) < 0) return ret; /* use verbatim mode for compression_level 0 */ From 67f421fd77ec7ff6bbd6acb6adaa29e9ab477995 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Aug 2016 13:15:14 +0200 Subject: [PATCH 039/658] ffplay: Fix invalid array index Found-by: Thomas Guilbert Fixes: clusterfuzz_usan-2016-08-02 Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd9a8b67a95a136ea15bfe3c3bab6cf5e6d1cc9) Signed-off-by: Michael Niedermayer --- ffplay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffplay.c b/ffplay.c index b0702ebeb0..651e0cf4f1 100644 --- a/ffplay.c +++ b/ffplay.c 
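Review bot: `bitdepth > 8 ? 14 : 12` replaces the derived `bitdepth + 4` with two magic numbers; the commit message gives the source (SMPTE 2019-1:2016 8.2.4, η=11 for 8-bit and η=13 for 10/12-bit), and that belongs next to the expression: `/* DC VLC has eta+1 codes: eta=11 for 8-bit, eta=13 for 10/12-bit (SMPTE 2019-1:2016 8.2.4) */`. With the 12-bit rejection removed in the previous hunk, the cid-table mismatch check is the only validation of bitdepth visible here, so it is now what guarantees bitdepth is one of the table's values.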
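Review bot: `4 * max_frame_size` replaces `2 *` with no statement of why four is sufficient, and a bound that is raised empirically tends to be raised again. A comment giving the worst-case expansion the factor covers (or a constant derived from it) would let a reader verify it; whether `4 * max_frame_size` can overflow an int for the largest frame sizes the encoder accepts cannot be judged from this hunk.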
@@ -2936,7 +2936,7 @@ static int read_thread(void *arg) AVStream *st = ic->streams[i]; enum AVMediaType type = st->codecpar->codec_type; st->discard = AVDISCARD_ALL; - if (wanted_stream_spec[type] && st_index[type] == -1) + if (type >= 0 && wanted_stream_spec[type] && st_index[type] == -1) if (avformat_match_stream_specifier(ic, st, wanted_stream_spec[type]) > 0) st_index[type] = i; } From 7c9ee83d2f30b88a274d19529d5da0427bf21a96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Aug 2016 13:34:40 +0200 Subject: [PATCH 040/658] avformat/oggdec: Fix integer overflow with invalid pts If negative pts are possible for some codecs in ogg then the code needs to be changed to use signed values. Found-by: Thomas Guilbert Fixes: clusterfuzz_usan-2016-08-02 Signed-off-by: Michael Niedermayer (cherry picked from commit c5cc3b08e56fc95665977544486bd9f06e4b7a72) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index d7af1cfabd..4a2b6ddee8 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -162,6 +162,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts) if (dts) *dts = pts; } + if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) { + // The return type is unsigned, we thus cannot return negative pts + av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts); + pts = AV_NOPTS_VALUE; + } return pts; } From 43407bde3e47e0539c1cb19a708ffc3b5a03556a Mon Sep 17 00:00:00 2001 From: Burt P Date: Mon, 4 Jul 2016 14:16:54 -0500 Subject: [PATCH 041/658] avfilter/af_hdcd: small fix in af_hdcd.c where gain was not being adjusted for "attenuate slowly" Signed-off-by: Burt P Taken from ba69a81019a2642969b108c39e3bea7d2f8ffbfa Signed-off-by: Michael Niedermayer --- libavfilter/af_hdcd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_hdcd.c b/libavfilter/af_hdcd.c index 16bdcb01ea..92f3c9ea89 100644 --- a/libavfilter/af_hdcd.c 
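Review bot: `type >= 0` guards only the lower bound of the `wanted_stream_spec[type]` and `st_index[type]` indexing; codec_type is an enum value supplied by the demuxer, and if those arrays are sized AVMEDIA_TYPE_NB a value at or above it is still an out-of-bounds read. `if (type >= 0 && type < AVMEDIA_TYPE_NB && wanted_stream_spec[type] && st_index[type] == -1)` closes both ends.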
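Review bot: The new check only does anything if `pts` is an unsigned 64-bit variable, and in that case the log call formats it with PRId64, which mismatches the argument type; PRIu64 is the matching specifier (pts is declared above the hunk, so confirm its type). If pts were int64_t instead, `pts > INT64_MAX` is always false and the guard is dead. A comment on why AV_NOPTS_VALUE is exempted, `/* AV_NOPTS_VALUE (INT64_MIN) compares > INT64_MAX as unsigned; it must pass through */`, would help.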
+++ b/libavfilter/af_hdcd.c @@ -949,6 +949,7 @@ static int hdcd_envelope(int32_t *samples, int count, int stride, int gain, int int len = FFMIN(count, target_gain - gain); /* attenuate slowly */ for (i = 0; i < len; i++) { + ++gain; APPLY_GAIN(*samples, gain); samples += stride; } From 54d48c8e901d849908ff09774d19043106f64157 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Aug 2016 01:53:30 +0200 Subject: [PATCH 042/658] avcodec/ffv1enc: Fix assertion failure with non zero bits per sample Fixes Ticket5736 Signed-off-by: Michael Niedermayer (cherry picked from commit c1bfeda5a34631787e07702f7a3569a41751caeb) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 948a230419..383956bcc9 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -781,14 +781,12 @@ FF_ENABLE_DEPRECATION_WARNINGS s->colorspace = 1; s->transparency = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_0RGB32: s->colorspace = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_GBRP9: if (!avctx->bits_per_raw_sample) From 456cf87de934e9fff6bd5f070c050062384a1d8f Mon Sep 17 00:00:00 2001 
From: Anssi Hannula Date: Tue, 26 Jul 2016 15:18:40 +0300 Subject: [PATCH 043/658] avformat/hls: Fix regression with ranged media segments Commit 81306fd4bdf ("hls: eliminate ffurl_* usage", merged in d0fc5de3a6) changed the hls demuxer to use AVIOContext instead of URLContext for its HTTP requests. HLS demuxer uses the "offset" option of the http demuxer, requesting the initial file offset for the I/O (http URLProtocol uses the "Range:" HTTP header to try to accommodate that). However, the code in libavformat/aviobuf.c seems to be doing its own accounting for the current file offset (AVIOContext.pos), with the assumption that the initial offset is always zero. HLS demuxer does an explicit seek after open_url to account for cases where the "offset" was not effective (due to the URL being a local file or the HTTP server not obeying it), which should be a no-op in case the file offset is already at that position. However, since aviobuf.c code thinks the starting offset is 0, this doesn't work properly. This breaks retrieval of ranged media segments. To fix the regression, just drop the seek call from the HLS demuxer when the HTTP(S) protocol is used. (cherry picked from commit 9cb30f7a880578e995becbd8bf9ffb69788e09a2) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index b962d67abc..66f4550411 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -590,7 +590,7 @@ static void update_options(char **dest, const char *name, void *src) } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2) + AVDictionary *opts, AVDictionary *opts2, int *is_http) { HLSContext *c = s->priv_data; AVDictionary *tmp = NULL; 
@@ -631,6 +631,9 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_dict_free(&tmp); + if (is_http) + *is_http = av_strstart(proto_name, "http", NULL); + return ret; } @@ -1072,6 +1075,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) { AVDictionary *opts = NULL; int ret; + int is_http = 0; // broker prior HTTP options that should be consistent across requests av_dict_set(&opts, "user-agent", c->user_agent, 0); @@ -1091,13 +1095,13 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - ret = open_url(pls->parent, &pls->input, seg->url, c->avio_opts, opts); + ret = open_url(pls->parent, &pls->input, seg->url, c->avio_opts, opts, &is_http); } else if (seg->key_type == KEY_AES_128) { AVDictionary *opts2 = NULL; char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { AVIOContext *pb; - if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts) == 0) { + if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts, NULL) == 0) { ret = avio_read(pb, pls->key, sizeof(pls->key)); if (ret != sizeof(pls->key)) { av_log(NULL, AV_LOG_ERROR, "Unable to read key file %s\n", @@ -1122,7 +1126,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) av_dict_set(&opts2, "key", key, 0); av_dict_set(&opts2, "iv", iv, 0); - ret = open_url(pls->parent, &pls->input, url, opts2, opts); + ret = open_url(pls->parent, &pls->input, url, opts2, opts, &is_http); av_dict_free(&opts2); 
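Review bot: The new `is_http` out-parameter of open_url is optional (the key-file call passes NULL) and is only written on the success path after `av_dict_free(&tmp)`, so callers must initialise it themselves; neither fact is documented at the function. A comment on the signature, `/* is_http: optional; set to non-zero when the resolved protocol name starts with "http", left untouched on early failure */`, would state the contract.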
@@ -1140,8 +1144,15 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) /* Seek to the requested position. If this was a HTTP request, the offset * should already be where want it to, but this allows e.g. local testing - * without a HTTP server. */ - if (ret == 0 && seg->key_type == KEY_NONE && seg->url_offset) { + * without a HTTP server. + * + * This is not done for HTTP at all as avio_seek() does internal bookkeeping + * of file offset which is out-of-sync with the actual offset when "offset" + * AVOption is used with http protocol, causing the seek to not be a no-op + * as would be expected. Wrong offset received from the server will not be + * noticed without the call, though. + */ + if (ret == 0 && !is_http && seg->key_type == KEY_NONE && seg->url_offset) { int64_t seekret = avio_seek(pls->input, seg->url_offset, SEEK_SET); if (seekret < 0) { av_log(pls->parent, AV_LOG_ERROR, "Unable to seek to offset %"PRId64" of HLS segment '%s'\n", seg->url_offset, seg->url); From 3586c68687035225451f57c4e422673cbe6d4377 Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Wed, 27 Jul 2016 22:52:44 +0300 Subject: [PATCH 044/658] avformat/hls: Sync starting segment across variants on live streams This will avoid a large time difference between variants in the most common case. (cherry picked from commit 4d85069e5dff37e4a9904767242b47e14cf62a9c) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 66f4550411..88402c2284 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1520,6 +1520,7 @@ static int hls_read_header(AVFormatContext *s) void *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb; HLSContext *c = s->priv_data; int ret = 0, i, j, stream_offset = 0; + int highest_cur_seq_no = 0; c->ctx = s; c->interrupt_callback = &s->interrupt_callback; 
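Review bot: Skipping the seek for HTTP removes the only check that the requested `seg->url_offset` was honoured, as the new comment itself admits: a server that ignores the Range header now delivers the segment from byte 0 and the demuxer parses the wrong data silently. A follow-up could read back the effective offset from the http protocol after open_url, if it exposes one, and fail with AVERROR_INVALIDDATA on mismatch; at minimum a warning-level log when `is_http && seg->url_offset` would make such misbehaviour diagnosable. The body of open_input continues beyond this hunk.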
@@ -1594,6 +1595,17 @@ static int hls_read_header(AVFormatContext *s) add_renditions_to_variant(c, var, AVMEDIA_TYPE_SUBTITLE, var->subtitles_group); } + /* Select the starting segments */ + for (i = 0; i < c->n_playlists; i++) { + struct playlist *pls = c->playlists[i]; + + if (pls->n_segments == 0) + continue; + + pls->cur_seq_no = select_cur_seq_no(c, pls); + highest_cur_seq_no = FFMAX(highest_cur_seq_no, pls->cur_seq_no); + } + /* Open the demuxer for each playlist */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; @@ -1610,7 +1622,18 @@ static int hls_read_header(AVFormatContext *s) pls->index = i; pls->needed = 1; pls->parent = s; - pls->cur_seq_no = select_cur_seq_no(c, pls); + + /* + * If this is a live stream and this playlist looks like it is one segment + * behind, try to sync it up so that every substream starts at the same + * time position (so e.g. avformat_find_stream_info() will see packets from + * all active streams within the first few seconds). This is not very generic, + * though, as the sequence numbers are technically independent. + */ + if (!pls->finished && pls->cur_seq_no == highest_cur_seq_no - 1 && + highest_cur_seq_no < pls->start_seq_no + pls->n_segments) { + pls->cur_seq_no = highest_cur_seq_no; + } pls->read_buffer = av_malloc(INITIAL_BUFFER_SIZE); if (!pls->read_buffer){ From 309fa24f361f1c9d357f8d152c3b78718d2f870d Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Wed, 27 Jul 2016 23:29:16 +0300 Subject: [PATCH 045/658] avformat/hls: Use an array instead of stream offset for stream mapping This will be useful when the amount of streams per subdemuxer is not known at hls_read_header time in a following commit. (cherry picked from commit 9884f17e343b37aef442fafa05bd0113cdf47087) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 59 ++++++++++++++++++++++++++++++----------------- 1 file changed, 38 insertions(+), 21 deletions(-) 
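Review bot: In the first added loop `select_cur_seq_no(c, pls)` now runs before the second loop assigns `pls->index`, `pls->needed` and `pls->parent`, whereas the removed line called it after those assignments; if select_cur_seq_no() logs through or otherwise reads `pls->parent`, it now sees the not-yet-set value on this first call, which is worth confirming. The sync in the second hunk bridges a gap of exactly one segment (`cur_seq_no == highest_cur_seq_no - 1`), which the comment states, but a short note on the first loop such as `/* compute each playlist's own start first; highest_cur_seq_no is the sync target used below */` would tie the two loops together for the reader. hls_read_header continues past both hunks.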
diff --git a/libavformat/hls.c b/libavformat/hls.c index 88402c2284..59f5e38f9f 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -98,7 +98,11 @@ struct playlist { int index; AVFormatContext *ctx; AVPacket pkt; - int stream_offset; + + /* main demuxer streams associated with this playlist + * indexed by the subdemuxer stream indexes */ + AVStream **main_streams; + int n_main_streams; int finished; enum PlaylistType type; @@ -239,6 +243,7 @@ static void free_playlist_list(HLSContext *c) struct playlist *pls = c->playlists[i]; free_segment_list(pls); free_init_section_list(pls); + av_freep(&pls->main_streams); av_freep(&pls->renditions); av_freep(&pls->id3_buf); av_dict_free(&pls->id3_initial); @@ -1248,13 +1253,13 @@ restart: /* Check that the playlist is still needed before opening a new * segment. */ - if (v->ctx && v->ctx->nb_streams && - v->parent->nb_streams >= v->stream_offset + v->ctx->nb_streams) { + if (v->ctx && v->ctx->nb_streams) { v->needed = 0; - for (i = v->stream_offset; i < v->stream_offset + v->ctx->nb_streams; - i++) { - if (v->parent->streams[i]->discard < AVDISCARD_ALL) + for (i = 0; i < v->n_main_streams; i++) { + if (v->main_streams[i]->discard < AVDISCARD_ALL) { v->needed = 1; + break; + } } } if (!v->needed) { @@ -1392,8 +1397,8 @@ static void add_metadata_from_renditions(AVFormatContext *s, struct playlist *pl int rend_idx = 0; int i; - for (i = 0; i < pls->ctx->nb_streams; i++) { - AVStream *st = s->streams[pls->stream_offset + i]; + for (i = 0; i < pls->n_main_streams; i++) { + AVStream *st = pls->main_streams[i]; if (st->codecpar->codec_type != type) continue; @@ -1519,7 +1524,7 @@ static int hls_read_header(AVFormatContext *s) { void *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb; HLSContext *c = s->priv_data; - int ret = 0, i, j, stream_offset = 0; + int ret = 0, i, j; int highest_cur_seq_no = 0; c->ctx = s; 
@@ -1659,7 +1664,6 @@ static int hls_read_header(AVFormatContext *s) } pls->ctx->pb = &pls->pb; pls->ctx->io_open = nested_io_open; - pls->stream_offset = stream_offset; if ((ret = ff_copy_whiteblacklists(pls->ctx, s)) < 0) goto fail; @@ -1699,13 +1703,13 @@ static int hls_read_header(AVFormatContext *s) avpriv_set_pts_info(st, 33, 1, MPEG_TIME_BASE); else avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den); + + dynarray_add(&pls->main_streams, &pls->n_main_streams, st); } add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_AUDIO); add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_VIDEO); add_metadata_from_renditions(s, pls, AVMEDIA_TYPE_SUBTITLE); - - stream_offset += pls->ctx->nb_streams; } /* Create a program for each variant */ @@ -1723,10 +1727,10 @@ static int hls_read_header(AVFormatContext *s) int is_shared = playlist_in_multiple_variants(c, pls); int k; - for (k = 0; k < pls->ctx->nb_streams; k++) { - struct AVStream *st = s->streams[pls->stream_offset + k]; + for (k = 0; k < pls->n_main_streams; k++) { + struct AVStream *st = pls->main_streams[k]; - av_program_add_stream_index(s, i, pls->stream_offset + k); + av_program_add_stream_index(s, i, st->index); /* Set variant_bitrate for streams unique to this variant */ if (!is_shared && v->bandwidth) 
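Review bot: `dynarray_add(&pls->main_streams, &pls->n_main_streams, st);` in the @@ -1699 hunk has no failure check; if it follows av_dynarray_add()'s documented failure behaviour (array freed, pointer set to NULL, count reset to 0), an allocation failure silently leaves the playlist with zero mapped streams although the AVStreams were already added to the parent context, and the inconsistency only surfaces later as the AVERROR_BUG path added to hls_read_packet. Since `goto fail` with `ret` is already the error idiom in this function, `if (!pls->main_streams) { ret = AVERROR(ENOMEM); goto fail; }` right after the call would report the real cause. hls_read_header continues outside these hunks.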
@@ -1905,8 +1909,17 @@ static int hls_read_packet(AVFormatContext *s, AVPacket *pkt) /* If we got a packet, return it */ if (minplaylist >= 0) { struct playlist *pls = c->playlists[minplaylist]; + + if (pls->pkt.stream_index >= pls->n_main_streams) { + av_log(s, AV_LOG_ERROR, "stream index inconsistency: index %d, %d main streams, %d subdemuxer streams\n", + pls->pkt.stream_index, pls->n_main_streams, pls->ctx->nb_streams); + av_packet_unref(&pls->pkt); + reset_packet(&pls->pkt); + return AVERROR_BUG; + } + *pkt = pls->pkt; - pkt->stream_index += pls->stream_offset; + pkt->stream_index = pls->main_streams[pls->pkt.stream_index]->index; reset_packet(&c->playlists[minplaylist]->pkt); if (pkt->dts != AV_NOPTS_VALUE) @@ -1938,6 +1951,8 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, HLSContext *c = s->priv_data; struct playlist *seek_pls = NULL; int i, seq_no; + int j; + int stream_subdemuxer_index; int64_t first_timestamp, seek_timestamp, duration; if ((flags & AVSEEK_FLAG_BYTE) || @@ -1961,10 +1976,12 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, /* find the playlist with the specified stream */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; - if (stream_index >= pls->stream_offset && - stream_index - pls->stream_offset < pls->ctx->nb_streams) { - seek_pls = pls; - break; + for (j = 0; j < pls->n_main_streams; j++) { + if (pls->main_streams[j] == s->streams[stream_index]) { + seek_pls = pls; + stream_subdemuxer_index = j; + break; + } } } /* check if the timestamp is valid for the playlist with the @@ -1974,7 +1991,7 @@ static int hls_read_seek(AVFormatContext *s, int stream_index, /* set segment now so we do not need to search again below */ seek_pls->cur_seq_no = seq_no; - seek_pls->seek_stream_index = stream_index - seek_pls->stream_offset; + seek_pls->seek_stream_index = stream_subdemuxer_index; for (i = 0; i < c->n_playlists; i++) { /* Reset reading */ 
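Review bot: In the hls_read_seek hunk `stream_subdemuxer_index` is declared without an initialiser and the inner `break` only leaves the `j` loop, so the outer loop keeps scanning every playlist after a match, and if a stream were ever registered in two playlists the last one would silently win, whereas the removed code left the outer loop on the first hit. Initialising it, e.g. `int stream_subdemuxer_index = -1;`, and adding `if (seek_pls) break;` after the inner loop restores the single-match behaviour and avoids a maybe-uninitialised warning on the later `seek_pls->seek_stream_index = stream_subdemuxer_index;`. That later use is presumably protected by a `seek_pls` NULL check in the lines elided between the hunks.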
From a75a7feebd42fb1e8a4ce755de4ea2a307e19762 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jul 2016 23:27:54 +0200 Subject: [PATCH 046/658] avformat/mov: Enable mp3 parsing if a packet needs it Fixes Ticket5689 Signed-off-by: Michael Niedermayer (cherry picked from commit 803c058a6f0c835c3094621d03d6e8c02565f28e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 33ee799a7e..7266fd09b0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -43,6 +43,7 @@ #include "libavutil/sha.h" #include "libavutil/timecode.h" #include "libavcodec/ac3tab.h" +#include "libavcodec/mpegaudiodecheader.h" #include "avformat.h" #include "internal.h" #include "avio_internal.h" @@ -5222,6 +5223,10 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } #endif + if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { + if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) + st->need_parsing = AVSTREAM_PARSE_FULL; + } } pkt->stream_index = sc->ffindex; From e160064d39d5f08a1b206660b6ad8855acb8897d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Aug 2016 16:27:31 +0200 Subject: [PATCH 047/658] avcodec/raw: Fix decoding of ilacetest.mov Signed-off-by: Michael Niedermayer (cherry picked from commit bbec14de3126dbc4e1ec2b32ed714dab173386aa) Signed-off-by: Michael Niedermayer --- libavcodec/raw.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index bfa2537b5a..d36b68bfae 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c 
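Review bot: `pkt->size > 4` is one byte stricter than the `AV_RB32(pkt->data)` read needs, so a packet of exactly 4 bytes skips the header check and is handed to the decoder unparsed; `pkt->size >= 4` matches the read. The block would also benefit from a comment stating what the code actually does, e.g. `/* enable the parser on demand when a packet does not start with a valid MPEG audio frame header */`. mov_read_packet continues outside the hunk.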
@@ -31,6 +31,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { AV_PIX_FMT_YUV420P, MKTAG('I', '4', '2', '0') }, /* Planar formats */ { AV_PIX_FMT_YUV420P, MKTAG('I', 'Y', 'U', 'V') }, + { AV_PIX_FMT_YUV420P, MKTAG('y', 'v', '1', '2') }, { AV_PIX_FMT_YUV420P, MKTAG('Y', 'V', '1', '2') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'U', 'V', '9') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'V', 'U', '9') }, From 19d2921bbfec13c7a843bdbdb5687cf821b02cff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Aug 2016 12:26:41 +0200 Subject: [PATCH 048/658] avcodec/rawdec: Fix palette handling with changing palettes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array access Fixes: poc.swf Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 6aa39080ccea2b60433e920417844c3a3c0da50b) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 765e567d1f..f97a839f5d 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
@@ -365,20 +365,29 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { - av_buffer_unref(&context->palette); + int ret; + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); - if (!context->palette) { - av_buffer_unref(&frame->buf[0]); - return AVERROR(ENOMEM); - } + if (!context->palette) { + av_buffer_unref(&frame->buf[0]); + return AVERROR(ENOMEM); + } + ret = av_buffer_make_writable(&context->palette); + if (ret < 0) { + av_buffer_unref(&frame->buf[0]); + return ret; + } + + if (pal) { memcpy(context->palette->data, pal, AVPALETTE_SIZE); frame->palette_has_changed = 1; } else if (context->is_nut_pal8) { int vid_size = avctx->width * avctx->height; - if (avpkt->size - vid_size) { + int pal_size = avpkt->size - vid_size; + + if (avpkt->size > vid_size && pal_size <= AVPALETTE_SIZE) { pal = avpkt->data + vid_size; - memcpy(context->palette->data, pal, avpkt->size - vid_size); + memcpy(context->palette->data, pal, pal_size); frame->palette_has_changed = 1; } } From 9745c5ebf87311657b7ba42eb36a7b05de57cb07 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 8 Aug 2016 15:27:41 +0200 Subject: [PATCH 049/658] cmdutils: remove the current working directory from the DLL search path on win32 Reviewed-by: Matt Oliver Signed-off-by: Michael Niedermayer (cherry picked from commit 3bf142c77337814458ed8e036796934032d9837f) Signed-off-by: Michael Niedermayer --- cmdutils.c | 9 +++++++++ cmdutils.h | 5 +++++ ffmpeg.c | 2 ++ ffplay.c | 2 ++ ffprobe.c | 2 ++ ffserver.c | 1 + 6 files changed, 21 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index 03a4836207..6960f8c99c 100644 --- a/cmdutils.c +++ b/cmdutils.c 
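Review bot: `context->palette = av_buffer_alloc(AVPALETTE_SIZE)` leaves the buffer uninitialised, and the new `is_nut_pal8` branch may copy only `pal_size` bytes (anything from 1 up to AVPALETTE_SIZE), so on the first such packet the remaining palette entries are whatever the allocator returned and flow into the output frame as uninitialised data; `av_buffer_allocz(AVPALETTE_SIZE)` closes that. When `pal_size < AVPALETTE_SIZE` on later packets the untouched tail keeps the previous palette's entries, which may be the intended "changing palettes" behaviour but deserves a comment such as `/* a short NUT palette only updates its leading entries; the rest persist */`. raw_decode continues outside the hunk.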
@@ -107,6 +107,15 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v } } +void init_dynload(void) +{ +#ifdef _WIN32 + /* Calling SetDllDirectory with the empty string (but not NULL) removes the + * current working directory from the DLL search path as a security pre-caution. */ + SetDllDirectory(""); +#endif +} + static void (*program_exit)(int ret); void register_exit(void (*cb)(int ret)) diff --git a/cmdutils.h b/cmdutils.h index 83ea4ad39e..67bf4848b7 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -61,6 +61,11 @@ void register_exit(void (*cb)(int ret)); */ void exit_program(int ret) av_noreturn; +/** + * Initialize dynamic library loading + */ +void init_dynload(void); + /** * Initialize the cmdutils option system, in particular * allocate the *_opts contexts. diff --git a/ffmpeg.c b/ffmpeg.c index 9ffd833a91..b26995deb0 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4303,6 +4303,8 @@ int main(int argc, char **argv) int ret; int64_t ti; + init_dynload(); + register_exit(ffmpeg_cleanup); setvbuf(stderr,NULL,_IONBF,0); /* win32 runtime needs this */ diff --git a/ffplay.c b/ffplay.c index 651e0cf4f1..adbe9cb4e1 100644 --- a/ffplay.c +++ b/ffplay.c @@ -3776,6 +3776,8 @@ int main(int argc, char **argv) char dummy_videodriver[] = "SDL_VIDEODRIVER=dummy"; char alsa_bufsize[] = "SDL_AUDIO_ALSA_SET_BUFFER_SIZE=1"; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); parse_loglevel(argc, argv, options); diff --git a/ffprobe.c b/ffprobe.c index b9c3760384..aee9ba982c 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -3241,6 +3241,8 @@ int main(int argc, char **argv) char *w_name = NULL, *w_args = NULL; int ret, i; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); diff --git a/ffserver.c b/ffserver.c index 1a27583677..453d790e6c 100644 --- a/ffserver.c +++ b/ffserver.c 
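Review bot: `SetDllDirectory("")` returns a BOOL that init_dynload() ignores, so a failure leaves the working directory in the search path with nothing logged; `if (!SetDllDirectory("")) av_log(NULL, AV_LOG_WARNING, "Failed to remove the current directory from the DLL search path\n");` keeps the hardening observable. The comment should also state the limit of the measure: it only affects libraries loaded dynamically after this call, not the imports the Windows loader has already resolved before main() runs. The header hunk's `Initialize dynamic library loading` could add that the function is a no-op outside Windows.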
@@ -3980,6 +3980,7 @@ int main(int argc, char **argv) int cfg_parsed; int ret = EXIT_FAILURE; + init_dynload(); config.filename = av_strdup("/etc/ffserver.conf"); From 4275b27a230008c41c63397871f173952723e2b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Aug 2016 21:42:18 +0200 Subject: [PATCH 050/658] Update for 3.1.2 Signed-off-by: Michael Niedermayer --- Changelog | 31 +++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 2a8791620a..6100077d2b 100644 --- a/Changelog +++ b/Changelog 
@@ -4,6 +4,37 @@ releases are sorted from youngest to oldest. version : +version 3.1.2: +- cmdutils: remove the current working directory from the DLL search path on win32 +- avcodec/rawdec: Fix palette handling with changing palettes +- avcodec/raw: Fix decoding of ilacetest.mov +- avformat/mov: Enable mp3 parsing if a packet needs it +- avformat/hls: Use an array instead of stream offset for stream mapping +- avformat/hls: Sync starting segment across variants on live streams +- avformat/hls: Fix regression with ranged media segments +- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample +- avfilter/af_hdcd: small fix in af_hdcd.c where gain was not being adjusted for "attenuate slowly" +- avformat/oggdec: Fix integer overflow with invalid pts +- ffplay: Fix invalid array index +- avcodec/alacenc: allocate bigger packets (cherry picked from commit 82b84c71b009884c8d041361027718b19922c76d) +- libavcodec/dnxhd: Enable 12-bit DNxHR support. +- lavc/vaapi_encode_h26x: Fix a crash if "." is not the decimal separator. +- jni: Return ENOSYS on unsupported platforms +- lavu/hwcontext_vaapi: Fix compilation if VA_FOURCC_ABGR is not defined. +- avcodec/vp9_parser: Check the input frame sizes for being consistent +- avformat/flvdec: parse keyframe before a\v stream was created add_keyframes_index() when stream created or keyframe parsed +- avformat/flvdec: splitting add_keyframes_index() out from parse_keyframes_index() +- libavformat/rtpdec_asf: zero initialize the AVIOContext struct +- libavutil/opt: Small bugfix in example. +- libx264: Increase x264 opts character limit to 4096 +- avcodec/h264_parser: Set sps/pps_ref +- librtmp: Avoid an infiniloop setting connection arguments +- avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame +- lavc/Makefile: Fix standalone compilation of the svq3 decoder. +- lavf/vplayerdec: Improve auto-detection. 
+- lavc/mediacodecdec_h264: properly convert extradata to annex-b +- Revert "configure: Enable GCC vectorization on ≥4.9 on x86" + version 3.1.1: - doc/APIchanges: document the lavu/lavf field moves - avformat/avformat: Move new field to the end of AVStream diff --git a/RELEASE b/RELEASE index 94ff29cc4d..ef538c2810 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.1 +3.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 68c067940e..20dcf77812 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.1 +PROJECT_NUMBER = 3.1.2 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From f4b8892ccbf08ea5b38177bb7ad042921d082eac Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 22 Aug 2016 19:25:50 -0300 Subject: [PATCH 051/658] cmdutils: check for SetDllDirectory() availability It's only available on Windows XP or newer. Should fix compilation with mingw32 using the default OS target. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer --- cmdutils.c | 2 +- configure | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 6960f8c99c..a725e77531 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -109,7 +109,7 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v void init_dynload(void) { -#ifdef _WIN32 +#if HAVE_SETDLLDIRECTORY /* Calling SetDllDirectory with the empty string (but not NULL) removes the * current working directory from the DLL search path as a security pre-caution. */ SetDllDirectory(""); diff --git a/configure b/configure index adb4c27e0f..5b069eb099 100755 --- a/configure +++ b/configure 
@@ -1935,6 +1935,7 @@ SYSTEM_FUNCS=" sched_getaffinity SetConsoleTextAttribute SetConsoleCtrlHandler + SetDllDirectory setmode setrlimit Sleep @@ -5475,6 +5476,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h PeekNamedPipe check_func_headers windows.h SetConsoleTextAttribute check_func_headers windows.h SetConsoleCtrlHandler +check_func_headers windows.h SetDllDirectory check_func_headers windows.h Sleep check_func_headers windows.h VirtualAlloc check_struct windows.h "CONDITION_VARIABLE" Ptr From 905372be8f746ded92023fa92b858599368b2597 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2016 12:22:15 +0200 Subject: [PATCH 052/658] avfilter/drawutils: Fix single plane with alpha Fixes Ticket5720 Signed-off-by: Michael Niedermayer (cherry picked from commit 369ed11e3c8acc08db39fb2ed4e980a918cab61e) Signed-off-by: Michael Niedermayer --- libavfilter/drawutils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/drawutils.c b/libavfilter/drawutils.c index e533040204..8153fdebb7 100644 --- a/libavfilter/drawutils.c +++ b/libavfilter/drawutils.c @@ -450,6 +450,7 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color, alpha = 0x101 * color->rgba[3] + 0x2; } nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA); + nb_planes += !nb_planes; for (plane = 0; plane < nb_planes; plane++) { nb_comp = draw->pixelstep[plane]; p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0); @@ -627,6 +628,7 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color, alpha = (0x101 * color->rgba[3] + 0x2) >> 8; } nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA); + nb_planes += !nb_planes; for (plane = 0; plane < nb_planes; plane++) { nb_comp = draw->pixelstep[plane]; p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0); From 055e5c80ee07bb7911016a552df35ad25f7eebdd Mon Sep 17 00:00:00 2001 
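Review bot: `nb_planes += !nb_planes;` in ff_blend_rectangle, and the identical line in the ff_blend_mask hunk, reads as a trick without context; a comment such as `/* a single plane that also carries alpha must still be blended, so never drop to zero planes */` would record the intent from the ticket in the code. Both functions continue outside their hunks.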
From: Michael Niedermayer Date: Thu, 18 Aug 2016 20:41:31 +0200 Subject: [PATCH 053/658] avcodec/h2645: Fix NAL unit padding The parser changes have lost the support for the needed padding, this adds it back Fixes out of array reads Fixes: 03ea21d271abc8acf428d42ace51d8b4/asan_heap-oob_3358eef_5692_16f0cc01ab5225e9ce591659e5c20e35.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- libavcodec/h264.h | 2 -- libavcodec/h2645_parse.c | 11 ++++++----- libavcodec/h2645_parse.h | 6 ++++-- libavcodec/h264_parse.c | 2 +- libavcodec/h264_parser.c | 2 +- libavcodec/hevc.c | 2 +- libavcodec/hevc_parser.c | 4 ++-- libavcodec/qsvenc_hevc.c | 2 +- 9 files changed, 17 insertions(+), 16 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a61379cc9f..a56f900a50 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -898,7 +898,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, - h->nal_length_size, avctx->codec_id); + h->nal_length_size, avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); diff --git a/libavcodec/h264.h b/libavcodec/h264.h index efe3555132..309f91df68 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -57,8 +57,6 @@ #define MAX_DELAYED_PIC_COUNT 16 -#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes - /* Compiling in interlaced support reduces the speed * of progressive decoding by about 2%. */ #define ALLOW_INTERLACE diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 9979b63c3b..d2fa5a09de 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c 
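Review bot: Passing `avctx->flags2 & AV_CODEC_FLAG2_FAST` as `small_padding` means that under the FAST flag the H.264 decoder keeps the AV_INPUT_BUFFER_PADDING_SIZE-only buffer and, per the h2645_parse.c change in this commit, lets the NAL alias the input when no escape bytes are present, so the over-read this commit closes for the default path presumably remains reachable when FAST is requested. If that trade-off is deliberate it deserves a comment at the call, e.g. `/* FAST: skip the MAX_MBPAIR_SIZE padding and allow NALs to alias the input */`, so the flag's safety implication is not lost on the next reader. decode_nal_units continues outside the hunk.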
@@ -30,10 +30,11 @@ #include "h2645_parse.h" int ff_h2645_extract_rbsp(const uint8_t *src, int length, - H2645NAL *nal) + H2645NAL *nal, int small_padding) { int i, si, di; uint8_t *dst; + int64_t padding = small_padding ? AV_INPUT_BUFFER_PADDING_SIZE : MAX_MBPAIR_SIZE; nal->skipped_bytes = 0; #define STARTCODE_TEST \ @@ -81,7 +82,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, } #endif /* HAVE_FAST_UNALIGNED */ - if (i >= length - 1) { // no escaped 0 + if (i >= length - 1 && small_padding) { // no escaped 0 nal->data = nal->raw_data = src; nal->size = @@ -90,7 +91,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, } av_fast_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, - length + AV_INPUT_BUFFER_PADDING_SIZE); + length + padding); if (!nal->rbsp_buffer) return AVERROR(ENOMEM); @@ -247,7 +248,7 @@ static int h264_parse_nal_header(H2645NAL *nal, void *logctx) int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, void *logctx, int is_nalff, int nal_length_size, - enum AVCodecID codec_id) + enum AVCodecID codec_id, int small_padding) { int consumed, ret = 0; const uint8_t *next_avc = is_nalff ? buf : buf + length; @@ -322,7 +323,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, } nal = &pkt->nals[pkt->nb_nals]; - consumed = ff_h2645_extract_rbsp(buf, extract_length, nal); + consumed = ff_h2645_extract_rbsp(buf, extract_length, nal, small_padding); if (consumed < 0) return consumed; diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index a3c7e1f814..630235994e 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -26,6 +26,8 @@ #include "avcodec.h" #include "get_bits.h" +#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes + typedef struct H2645NAL { uint8_t *rbsp_buffer; int rbsp_buffer_size; 
@@ -74,14 +76,14 @@ typedef struct H2645Packet { * Extract the raw (unescaped) bitstream. */ int ff_h2645_extract_rbsp(const uint8_t *src, int length, - H2645NAL *nal); + H2645NAL *nal, int small_padding); /** * Split an input packet into NAL units. */ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, void *logctx, int is_nalff, int nal_length_size, - enum AVCodecID codec_id); + enum AVCodecID codec_id, int small_padding); /** * Free all the allocated memory in the packet. diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index a63530de58..f50f01b5b7 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -327,7 +327,7 @@ static int decode_extradata_ps(const uint8_t *data, int size, H264ParamSets *ps, H2645Packet pkt = { 0 }; int i, ret = 0; - ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264); + ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264, 1); if (ret < 0) { ret = 0; goto fail; diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 52c1d41784..2ae9869195 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -316,7 +316,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, } break; } - consumed = ff_h2645_extract_rbsp(buf + buf_index, src_length, &nal); + consumed = ff_h2645_extract_rbsp(buf + buf_index, src_length, &nal, 1); if (consumed < 0) break; diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index b478065db2..cb1263cb43 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
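Review bot: Both prototypes gain a `small_padding` parameter but the Doxygen comments above them (`Extract the raw (unescaped) bitstream.` and `Split an input packet into NAL units.`) do not describe it, although it changes the buffer contract. Based on the h2645_parse.c hunk, a `@param small_padding` line stating that a nonzero value pads the RBSP buffer by AV_INPUT_BUFFER_PADDING_SIZE only and lets `nal->data` point directly into `src` when no escape bytes are present, whereas zero reserves MAX_MBPAIR_SIZE bytes of padding, would document what callers opt into. The same line belongs on ff_h2645_packet_split(), which only forwards the flag.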
@@ -2867,7 +2867,7 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) /* split the input packet into NAL units, so we know the upper bound on the * number of slices in the frame */ ret = ff_h2645_packet_split(&s->pkt, buf, length, s->avctx, s->is_nalff, - s->nal_length_size, s->avctx->codec_id); + s->nal_length_size, s->avctx->codec_id, 1); if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index b5633f16ef..d93586ba7d 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c @@ -90,7 +90,7 @@ static int parse_nal_units(AVCodecParserContext *s, const uint8_t *buf, int ret, i; ret = ff_h2645_packet_split(&ctx->pkt, buf, buf_size, avctx, 0, 0, - AV_CODEC_ID_HEVC); + AV_CODEC_ID_HEVC, 1); if (ret < 0) return ret; @@ -243,7 +243,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, const uint8_t *buf, src_length = 20; } - consumed = ff_h2645_extract_rbsp(buf, src_length, nal); + consumed = ff_h2645_extract_rbsp(buf, src_length, nal, 1); if (consumed < 0) return consumed; diff --git a/libavcodec/qsvenc_hevc.c b/libavcodec/qsvenc_hevc.c index 1d1e801cc6..b775ef1ee6 100644 --- a/libavcodec/qsvenc_hevc.c +++ b/libavcodec/qsvenc_hevc.c @@ -69,7 +69,7 @@ static int generate_fake_vps(QSVEncContext *q, AVCodecContext *avctx) } /* parse the SPS */ - ret = ff_h2645_extract_rbsp(avctx->extradata + 4, avctx->extradata_size - 4, &sps_nal); + ret = ff_h2645_extract_rbsp(avctx->extradata + 4, avctx->extradata_size - 4, &sps_nal, 1); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error unescaping the SPS buffer\n"); return ret; From 7d42daeea2df35e26dd4d45c3cce693a4d7a788c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 18 Aug 2016 22:23:32 +0200 Subject: [PATCH 054/658] vcodec/h2645_parse: Clear buffer padding Fixes use of uninitialized memory Fixes: 044100cb22845944988a4bd821ff8074/asan_heap-oob_329927a_1366_c3de34ce9217dac820fbb46171031bbb.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 382a68b0088b06b8df20d0133d767d53d8f161ef) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index d2fa5a09de..50837b6742 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -34,7 +34,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, { int i, si, di; uint8_t *dst; - int64_t padding = small_padding ? AV_INPUT_BUFFER_PADDING_SIZE : MAX_MBPAIR_SIZE; + int64_t padding = small_padding ? 0 : MAX_MBPAIR_SIZE; nal->skipped_bytes = 0; #define STARTCODE_TEST \ @@ -90,8 +90,8 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, return length; } - av_fast_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, - length + padding); + av_fast_padded_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, + length + padding); if (!nal->rbsp_buffer) return AVERROR(ENOMEM); From afd57722e1a8b749fc3c753824d26c2d7c0f9106 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 02:07:22 +0200 Subject: [PATCH 055/658] avcodec/rawdec: Fix bits_per_coded_sample checks Fixes assertion failure Fixes: 9eb9cf5b8c26dd0fa7107ed0348dcc1f/signal_sigabrt_7ffff6ae7c37_8926_4609a5c3f071d555d2d557625f9687b1.swf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 237207645b36fb79759d313c0399ee93ba467b9d) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
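Review bot: av_fast_padded_malloc() zeroes only the AV_INPUT_BUFFER_PADDING_SIZE bytes it appends after the requested size, so with `small_padding == 0` the MAX_MBPAIR_SIZE region between the end of the extracted RBSP and that trailer is still uninitialised; if the large padding exists because the decoder can read past the NAL end, those reads are now in bounds but not deterministic. Either say so in a comment on the `padding` line, e.g. `/* only the trailing AV_INPUT_BUFFER_PADDING_SIZE bytes are zeroed; the MAX_MBPAIR_SIZE slack is not */`, or clear the region after the copy, which costs up to 256 KiB of memset per NAL in the non-FAST path and is the trade-off to weigh. ff_h2645_extract_rbsp continues outside the hunk.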
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index f97a839f5d..5a98258191 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -204,8 +204,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 - || avctx->bits_per_coded_sample <= 2) && + if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 || + avctx->bits_per_coded_sample == 2 || avctx->bits_per_coded_sample == 1 || + (avctx->bits_per_coded_sample == 0 && (context->is_nut_pal8 || context->is_mono)) ) && (context->is_mono || context->is_pal8) && (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' ') || context->is_nut_mono || context->is_nut_pal8)) { From 4770eac663da306fc8298ff8b73ebeabdc23489c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 10:28:22 +0200 Subject: [PATCH 056/658] avformat/swfdec: Fix inflate() error code check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes infinite loop Fixes endless.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a453bbb68f3eec202673728988bba3bc76071761) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index fa2435e0a0..c6f5fe669e 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -119,10 +119,10 @@ retry: z->avail_out = buf_size; ret = inflate(z, Z_NO_FLUSH); - if (ret < 0) - return AVERROR(EINVAL); if (ret == Z_STREAM_END) return AVERROR_EOF; + if (ret != Z_OK) + return AVERROR(EINVAL); if (buf_size - z->avail_out == 0) goto retry; From 77f978996bd55f8ee22ced3accb6264cbbc36859 Mon Sep 17 00:00:00 2001 
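Review bot: The reordered check in the swfdec hunk now rejects every non-Z_OK result except Z_STREAM_END, and that is what stops the loop: Z_NEED_DICT is a positive return that yields no output, so the old `ret < 0` test presumably let `buf_size - z->avail_out == 0` send it back to `retry` forever. A one-line comment on the new condition, e.g. `/* Z_NEED_DICT (> 0) yields no output and would spin on retry; treat anything but Z_OK as fatal */`, records why `!= Z_OK` rather than `< 0` is required. Mapping Z_MEM_ERROR to AVERROR(ENOMEM) before the generic EINVAL would be more informative, though not needed for the fix.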
From: Michael Niedermayer Date: Fri, 19 Aug 2016 13:07:14 +0200 Subject: [PATCH 057/658] avcodec/indeo2: check ctab Fixes out of array access Fixes: 6b73fa392ac808f02e95a4e0a5770026/asan_static-oob_1b15f9a_1969_e7778535e5f27225fe0d6ded14721430.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffe44c5c75c485b4cbb12751e228f18da219df3) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 17f236761d..7ad686d50b 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -171,6 +171,12 @@ static int ir2_decode_frame(AVCodecContext *avctx, ltab = buf[0x22] & 3; ctab = buf[0x22] >> 2; + + if (ctab > 3) { + av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); + return AVERROR_INVALIDDATA; + } + if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], From 22a0c0e7642729db3d3e2820be56a6af38c61f2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 21:34:38 +0200 Subject: [PATCH 058/658] avcodec/cfhd: Increase minimum band dimension to 3 The implementation does not currently support len=2 Fixes out of array accesses Fixes: 29d1b3db5ba2205e82b0b3a533e057a3/asan_heap-oob_12b650c_9254_3b8c4e4d931eb2c32841c18ebb297f1d.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b8b36717217c6f45db71c77ad4e7c65521e7d9ff) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 74facd462d..dfc9ace792 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
@@ -320,7 +320,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[0][0].width = data; s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].a_width) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; @@ -328,7 +328,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 28) { s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; @@ -366,7 +366,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[s->level][s->subband_num].width = data; s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; @@ -374,7 +374,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 42) { s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; 
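Review bot: The minimum band dimension 3 is now hard-coded six times in cfhd_decode (this hunk and the ones at -328, -366, -374, -383 and -391), and the commit message says it reflects a limitation of the current transform code rather than a format rule, which makes it exactly the kind of value a later change will forget to update in lockstep. A single named constant used in all six checks would carry that justification into the code: `#define CFHD_MIN_BAND_DIM 3 /* transform code does not handle len=2 */`. cfhd_decode starts and ends outside these hunks.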
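Review bot: The upper bound of the lowpass-height check compares `data` against `band[0][0].height`, which the line immediately above has just set to `data`, so `data > …height` can never be true and only the new `data < 3` half of the condition does any work. The sibling lowpass-width check in the -320 hunk compares against `a_width`, so the intended limit here is presumably `a_height`: `if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) {`. The struct is outside the hunk, so confirm the field name before changing it. cfhd_decode continues outside the hunk.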
@@ -383,7 +383,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[s->level][s->subband_num].width = data; s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; @@ -391,7 +391,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 50) { s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; From 93422bc92e942e71b2435e7dac7dbbad3a32ddcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Aug 2016 00:36:38 +0200 Subject: [PATCH 059/658] avcodec/h264_parser: Factor get_avc_nalsize() out Signed-off-by: Michael Niedermayer (cherry picked from commit f10ea03df3dd1c15e3a957ca0aba528251438a79) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.h | 20 ++++++++++++++++++++ libavcodec/h264_parser.c | 22 +--------------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index 630235994e..3a60f3fb9b 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h 
@@ -90,4 +90,24 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, */ void ff_h2645_packet_uninit(H2645Packet *pkt); +static inline int get_nalsize(int nal_length_size, const uint8_t *buf, + int buf_size, int *buf_index, void *logctx) +{ + int i, nalsize = 0; + + if (*buf_index >= buf_size - nal_length_size) { + // the end of the buffer is reached, refill it + return AVERROR(EAGAIN); + } + + for (i = 0; i < nal_length_size; i++) + nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; + if (nalsize <= 0 || nalsize > buf_size - *buf_index) { + av_log(logctx, AV_LOG_ERROR, + "Invalid nal size %d\n", nalsize); + return AVERROR_INVALIDDATA; + } + return nalsize; +} + #endif /* AVCODEC_H2645_PARSE_H */ diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 2ae9869195..abe596146d 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -226,26 +226,6 @@ static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, return 0; } -static inline int get_avc_nalsize(H264ParseContext *p, const uint8_t *buf, - int buf_size, int *buf_index, void *logctx) -{ - int i, nalsize = 0; - - if (*buf_index >= buf_size - p->nal_length_size) { - // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); - } - - for (i = 0; i < p->nal_length_size; i++) - nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; - if (nalsize <= 0 || nalsize > buf_size - *buf_index) { - av_log(logctx, AV_LOG_ERROR, - "AVC: nal size %d\n", nalsize); - return AVERROR_INVALIDDATA; - } - return nalsize; -} - /** * Parse NAL units of found picture and decode some basic information. * @@ -286,7 +266,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, int src_length, consumed, nalsize = 0; if (buf_index >= next_avc) { - nalsize = get_avc_nalsize(p, buf, buf_size, &buf_index, avctx); + nalsize = get_nalsize(p->nal_length_size, buf, buf_size, &buf_index, avctx); if (nalsize < 0) break; next_avc = buf_index + nalsize; 
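Review bot: get_nalsize() becomes a header-level helper shared by two callers but carries no contract comment, and its return value has three meanings — a positive size, `AVERROR(EAGAIN)` when fewer than `nal_length_size` bytes remain, `AVERROR_INVALIDDATA` for a size that is zero, negative or longer than the remaining buffer — while `*buf_index` is advanced on the last two paths only. A Doxygen block above the definition should spell that out and state `nal_length_size` in 1..4 as a caller precondition: the `(unsigned)nalsize << 8` accumulation silently discards high bytes for larger values and nothing here validates it. The message `"Invalid nal size %d\n"` also drops the `AVC:` prefix the removed h264_parser copy used; fine if intentional, but it changes log output for existing users.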
From 0ad4d4198a40f3907b77390d525bf6fd7868538f Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Thu, 7 Jul 2016 20:19:51 +0200 Subject: [PATCH 060/658] h2645_parse: don't overread AnnexB NALs within an avc stream We know the maximum size of an AnnexB NAL, signaling it as the maximum NAL size allows ff_h2645_extract_rbsp to determine the correct size. (cherry picked from commit 83a940e7fb9640954d631870e2ec6e8b3fc528ed) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 50837b6742..4d18de8b75 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -291,7 +291,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, buf += 3; length -= 3; - extract_length = length; + extract_length = FFMIN(length, next_avc - buf); if (buf >= next_avc) { /* skip to the start of the next NAL */ From fabc1c9e567df696c87b557bc156e92420b26fa0 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Thu, 7 Jul 2016 20:18:26 +0200 Subject: [PATCH 061/658] h2645_parse: only read avc length code at the correct position Reading it from any other position would result in a wrong size being read, instead fallback to the re-sync mechanic in the else clause. (cherry picked from commit c3e9b098e12b8932693361625d4a69bc30583d9a) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 4d18de8b75..e92e38a722 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -259,7 +259,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, int extract_length = 0; int skip_trailing_zeros = 1; - if (buf >= next_avc) { + if (buf == next_avc) { int i; for (i = 0; i < nal_length_size; i++) extract_length = (extract_length << 8) | buf[i]; 
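Review bot: `extract_length = FFMIN(length, next_avc - buf);` mixes an `int` with a `ptrdiff_t` and goes negative whenever `buf` has already run past `next_avc`; the `if (buf >= next_avc)` test that follows presumably takes the re-sync path, but the negative intermediate is worth a comment so nobody later consumes `extract_length` before that branch: `/* negative when buf > next_avc; the re-sync branch below must run first */`. The rest of the loop body is outside the hunk, so confirm no path reads the value earlier. ff_h2645_packet_split starts and ends outside the hunk.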
@@ -272,6 +272,9 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, } next_avc = buf + extract_length; } else { + if (buf > next_avc) + av_log(logctx, AV_LOG_WARNING, "Exceeded next NALFF position, re-syncing.\n"); + /* search start code */ while (buf[0] != 0 || buf[1] != 0 || buf[2] != 1) { ++buf; From ec30a498e66a6498c3c5045244aec9a38d41799e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Aug 2016 00:39:07 +0200 Subject: [PATCH 062/658] avcodec/h2645_parse: Use get_nalsize() in ff_h2645_packet_split() This fixes several regressions in h.264 Signed-off-by: Michael Niedermayer (cherry picked from commit 528171ba84b24830b74d9c19dd957ac3609f7270) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index e92e38a722..00594371c0 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -260,16 +260,15 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, int skip_trailing_zeros = 1; if (buf == next_avc) { - int i; - for (i = 0; i < nal_length_size; i++) - extract_length = (extract_length << 8) | buf[i]; + int i = 0; + extract_length = get_nalsize(nal_length_size, + buf, length, &i, logctx); + if (extract_length < 0) + return extract_length; + buf += nal_length_size; length -= nal_length_size; - if (extract_length > length) { - av_log(logctx, AV_LOG_ERROR, "Invalid NAL unit size.\n"); - return AVERROR_INVALIDDATA; - } next_avc = buf + extract_length; } else { if (buf > next_avc) From 8003a5d23792d79187e5f99be55c518e997bc1fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 23:54:28 +0200 Subject: [PATCH 063/658] avcodec/h2645_parse: fix nal size Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 15dd56c093be480e719d7bbc39f8dbddb586694d) 
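Review bot: With `i = 0`, get_nalsize() returns `AVERROR(EAGAIN)` whenever `length <= nal_length_size`, and ff_h2645_packet_split now propagates that verbatim; for a decoder working on a complete packet, EAGAIN normally means "feed more input", which is not a recoverable state for a truncated length prefix. Unless the callers are known to map it, translating it here keeps the splitter's error semantics uniform: `if (extract_length < 0) return extract_length == AVERROR(EAGAIN) ? AVERROR_INVALIDDATA : extract_length;`. The replaced inline loop had no short-read guard at all, so this is a behavioural change the commit message does not spell out. ff_h2645_packet_split starts and ends outside the hunk.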
Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 00594371c0..c3961a5e90 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -88,7 +88,8 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, nal->size = nal->raw_size = length; return length; - } + } else if (i > length) + i = length; av_fast_padded_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size, length + padding); From 049d7677156af30ea34f5871df88846a8b9bc385 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Aug 2016 19:21:07 +0200 Subject: [PATCH 064/658] avcodec/diracdec: Check numx/y Fixes division by 0 Fixes: 60261c4469ba3e11059890fb2832a515/asan_generic_135e694_2790_beb94eaa0aeb7d11c0437375a8964a99.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a31e08fa1aa5c5f0518b8af850f28eb945268e66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c473e8778f..769dac3655 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1153,6 +1153,11 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb); + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); + s->num_x = s->num_y = 0; + return AVERROR_INVALIDDATA; + } if (s->ld_picture) { s->lowdelay.bytes.num = get_interleaved_ue_golomb(gb); s->lowdelay.bytes.den = get_interleaved_ue_golomb(gb); From 8c4a67183b0790735cc4611015a3a66c2616f6f1 Mon Sep 17 00:00:00 2001 
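Review bot: `else if (i > length) i = length;` clamps an index that, from this hunk alone, has no visible reason to exceed `length`, so a one-line comment on why the preceding scan can overshoot would stop the next reader from suspecting the clamp hides an earlier bug: `/* the escape scan may run past the end of the input; clamp it */`. The "why" is something to confirm against the loop above, which is outside the hunk. Style nit: `}` and `else if` now share a line while the clamp body is unbraced on the next, so braces around the single statement would keep the two branches visually parallel. ff_h2645_extract_rbsp starts and ends outside the hunk.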
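Review bot: The first operand of the new guard, `s->num_x * s->num_y == 0`, is evaluated in the fields' native type before the overflow-safe `(uint64_t)` product is reached, so if `num_x`/`num_y` are signed (the `> INT_MAX` comparison suggests they are no wider than int) two large golomb values overflow that multiplication before it is ever compared with zero. Testing the factors directly avoids the question regardless of the type: `if (!s->num_x || !s->num_y || s->num_x * (uint64_t)s->num_y > INT_MAX) {`. Minor: `av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");` lacks the spaces after commas used by the other av_log calls in this series. dirac_unpack_idwt_params continues outside the hunk.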
From: Michael Niedermayer Date: Sat, 20 Aug 2016 22:09:54 +0200 Subject: [PATCH 065/658] avcodec/svq3: fix slice size check Fixes out of array read Fixes: 09f46aa2175cade93e3e3932646a56a9/asan_heap-oob_4a5385_2995_498f6abfdc0248288cefe5f4b7ad316c.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2624695484cde26baedac10192856ebfd97f2cc7) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index a927063f9f..5e7d1643ad 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1027,7 +1027,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; - if (slice_bytes > get_bits_left(&s->gb)) { + if (8LL*slice_bytes > get_bits_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); return -1; } From 4943abe05110562870b9f4d5e0ac85feb9ae2a63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 01:42:20 +0200 Subject: [PATCH 066/658] avcodec/adpcm: Fix adpcm_ima_wav padding Fixes out of array read Fixes: f29f134ea5f5590df554a7733294a587/asan_stack-oob_309d14e_9188_ea01743d6355aff20530f3d4cdaa841a.wav Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2a9a30fd6a2914197ae42ee67703a1471fac2eb) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 46c63a2752..06ba83e3c3 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c 
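Review bot: `8LL*slice_bytes > get_bits_left(&s->gb)` fixes a units mismatch (a byte count compared with a bit count) as much as an overflow, and neither reason is visible in the line; `slice_bits = slice_length * 8` two lines above is still computed in plain `int`, which is fine only if `slice_length` is bounded by the bit width it was read with. A comment would pin both points: `/* get_bits_left() counts bits; widen so slice_bytes * 8 cannot overflow int */`. svq3_decode_slice_header starts and ends outside the hunk.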
@@ -803,7 +803,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_coded_sample != 4) { int samples_per_block = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; int block_size = ff_adpcm_ima_block_sizes[avctx->bits_per_coded_sample - 2]; - uint8_t temp[20] = { 0 }; + uint8_t temp[20 + AV_INPUT_BUFFER_PADDING_SIZE] = { 0 }; GetBitContext g; for (n = 0; n < (nb_samples - 1) / samples_per_block; n++) { From 2f07937926e52e328ade0aeb40f61d994b41ed9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 20:30:34 +0200 Subject: [PATCH 067/658] libavcodec/wmalosslessdec: Check the remaining bits Fixes assertion failure Fixes: 24ebfda03228b5cc1ef792608cfba458/signal_sigabrt_7ffff6ae7c37_6473_3fa8a111dbc752b1a7c411c5ab79aaa4.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 67318187fbba382d887f9581dde48a50842f1bea) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 6b4edfc6fd..7eb7b4cd30 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1271,6 +1271,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, } } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /* save the rest of the data so that it can be decoded From 596513ca2ce9f140135a75647cf34ea86c8d86ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 21:30:36 +0200 Subject: [PATCH 068/658] avformat/wtvdec: Check pointer before use Fixes out of array read Fixes: 049fdf78565f1ce5665df236d90f8657/asan_heap-oob_10a5a97_1026_42f9d4855547329560f385768de2f3fb.wtv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
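Review bot: `temp[20 + AV_INPUT_BUFFER_PADDING_SIZE]` keeps the bare 20 with no justification in the hunk; if 20 is the largest value in `ff_adpcm_ima_block_sizes` (the table indexed on the line above), say so where the size is chosen: `/* 20 = largest ff_adpcm_ima_block_sizes entry; padding lets the bit reader overread safely */`. The table is outside the hunk, so confirm the maximum before wording it as fact. An `av_assert0(block_size <= 20);` before data is copied into `temp` would turn a future table change into a loud failure instead of another stack overread. adpcm_decode_frame starts and ends outside the hunk.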
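Review bot: `remaining_bits(s, gb)` is evaluated twice in the new block — in the condition and again for the log message — and a third time in the unchanged `if` that follows; capturing it once reads better and guarantees the logged value is the one that was tested: `int rem = remaining_bits(s, gb); if (rem < 0) { av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -rem); s->packet_loss = 1; }`. Setting `packet_loss` rather than returning is presumably deliberate so the partial frame is still handled by the code after this point, which is outside the hunk; a comment saying so would stop the next reader from turning it into an early return. decode_packet starts and ends outside the hunk.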
Signed-off-by: Michael Niedermayer (cherry picked from commit cc5e5548df4af48674c7aef518e831b19e99f9fc) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index bd32d70dcf..3ac4501306 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -1031,7 +1031,7 @@ static int read_header(AVFormatContext *s) while (1) { uint64_t frame_nb = avio_rl64(pb); uint64_t position = avio_rl64(pb); - while (frame_nb > e->size && e <= e_end) { + while (e <= e_end && frame_nb > e->size) { e->pos = last_position; e++; } From ae893819620b49f1a04902dca35852139aaa8d36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Aug 2016 11:00:29 +0200 Subject: [PATCH 069/658] avcodec/aacenc: Tighter input checks Fixes occurance of NaN/Inf leading to assertion failures and out of array access Fixes: d1c38a09acc34845c6be3a127a5aacaf/signal_sigsegv_3982225_6121_d18bd5451d4245ee09408f04badd1b83.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 77bf96b04710b98a52aaddb93bfd32da0d506191) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 2653cefaaa..4b80d38c29 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -622,8 +622,8 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } for (k = 0; k < 1024; k++) { - if (!isfinite(cpe->ch[ch].coeffs[k])) { - av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n"); + if (!(fabs(cpe->ch[ch].coeffs[k]) < 1E16)) { // Ensure headroom for energy calculation + av_log(avctx, AV_LOG_ERROR, "Input contains (near) NaN/+-Inf\n"); return AVERROR(EINVAL); } } From 79f52a0dbd484aad111e4bf4a4f7047c7ceb6137 Mon Sep 17 00:00:00 2001 
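Review bot: The reordered `while (e <= e_end && frame_nb > e->size)` still dereferences `e` when `e == e_end`, so the guard is only sufficient if `e_end` points at the last valid entry rather than one past the end, and this hunk does not show how `e_end` is computed. If it is `entries + count` the bound must be `e < e_end`; if it is `entries + count - 1`, a comment at its declaration saying the range is inclusive would make the `<=` self-explanatory. read_header starts and ends outside the hunk.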
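Review bot: `!(fabs(cpe->ch[ch].coeffs[k]) < 1E16)` is written in negated form deliberately so that NaN (for which every comparison is false) is rejected, but that is easy to "simplify" into `fabs(x) >= 1E16`, which lets NaN through again; the trailing comment explains only the headroom. Extend it, e.g. `// negated so NaN is rejected too; 1E16 keeps headroom for the energy calculation`, and consider naming the threshold (`#define AAC_MAX_INPUT_MAGNITUDE 1E16`) so the number has a home if the energy code changes. aac_encode_frame starts and ends outside the hunk.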
From: Michael Niedermayer Date: Wed, 17 Aug 2016 21:22:29 +0200 Subject: [PATCH 070/658] avcodec/exr: Check tile positions This also disabled the case of mixed x/ymin with tiles, the code handles these cases inconsistent for the 2 coordinate axis and is unlikely working correctly. Fixes crash Fixes: poc1.exr, poc2.exr Found-by: Yaoguang Chen of Aliapy unLimit Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 01aee8148d4fa439cce678a11f5110656c98de1f) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index cabe329c7f..de46028d18 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1027,8 +1027,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, uint64_t line_offset, uncompressed_size; uint16_t *ptr_x; uint8_t *ptr; - uint32_t data_size, line, col = 0; - uint32_t tileX, tileY, tileLevelX, tileLevelY; + uint32_t data_size; + uint64_t line, col = 0; + uint64_t tileX, tileY, tileLevelX, tileLevelY; const uint8_t *src; int axmax = (avctx->width - (s->xmax + 1)) * 2 * s->desc->nb_components; /* nb pixel to add at the right of the datawindow */ int bxmin = s->xmin * 2 * s->desc->nb_components; /* nb pixel to add at the left of the datawindow */ @@ -1059,9 +1060,18 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_PATCHWELCOME; } + if (s->xmin || s->ymin) { + avpriv_report_missing_feature(s->avctx, "Tiles with xmin/ymin"); + return AVERROR_PATCHWELCOME; + } + line = s->tile_attr.ySize * tileY; col = s->tile_attr.xSize * tileX; + if (line < s->ymin || line > s->ymax || + col < s->xmin || col > s->xmax) + return AVERROR_INVALIDDATA; + td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tileY * s->tile_attr.ySize); td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tileX * s->tile_attr.xSize); From 949094a4cdd946a2e38b6fc570e190ac8df1b5ec Mon Sep 17 00:00:00 2001 
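Review bot: The new tile-position check in decode_block returns `AVERROR_INVALIDDATA` silently, unlike the rejection just above it (`avpriv_report_missing_feature`) and the `av_log`-backed errors elsewhere in this series, so a malformed file that trips it gives no hint which tile was bad. Log before returning, e.g. `av_log(s->avctx, AV_LOG_ERROR, "Tile position (%"PRIu64",%"PRIu64") outside data window\n", col, line);` — `line`/`col` are now `uint64_t`, hence `PRIu64`. With `xmin`/`ymin` rejected just above, the `line < s->ymin || col < s->xmin` halves are always false and only the `> ymax`/`> xmax` halves do work; harmless, but a comment would keep someone from "tightening" them. decode_block starts and ends outside the hunk.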
From: Michael Niedermayer Date: Thu, 25 Aug 2016 03:35:17 +0200 Subject: [PATCH 071/658] Update for 3.1.3 --- Changelog | 22 ++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 6100077d2b..a1bd17d7e5 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,28 @@ releases are sorted from youngest to oldest. version : +version 3.1.3: +- avcodec/exr: Check tile positions +- avcodec/aacenc: Tighter input checks +- avformat/wtvdec: Check pointer before use +- libavcodec/wmalosslessdec: Check the remaining bits +- avcodec/adpcm: Fix adpcm_ima_wav padding +- avcodec/svq3: fix slice size check +- avcodec/diracdec: Check numx/y +- avcodec/h2645_parse: fix nal size +- avcodec/h2645_parse: Use get_nalsize() in ff_h2645_packet_split() +- h2645_parse: only read avc length code at the correct position +- h2645_parse: don't overread AnnexB NALs within an avc stream +- avcodec/h264_parser: Factor get_avc_nalsize() out +- avcodec/cfhd: Increase minimum band dimension to 3 +- avcodec/indeo2: check ctab +- avformat/swfdec: Fix inflate() error code check +- avcodec/rawdec: Fix bits_per_coded_sample checks +- vcodec/h2645_parse: Clear buffer padding +- avcodec/h2645: Fix NAL unit padding +- avfilter/drawutils: Fix single plane with alpha +- cmdutils: check for SetDllDirectory() availability + version 3.1.2: - cmdutils: remove the current working directory from the DLL search path on win32 - avcodec/rawdec: Fix palette handling with changing palettes diff --git a/RELEASE b/RELEASE index ef538c2810..ff365e06b9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.2 +3.1.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 20dcf77812..5c8b2ed10f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.2 +PROJECT_NUMBER = 3.1.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 40ab55746e29d27af58a4f78f4bb575813b12965 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 10 Aug 2016 12:31:16 -0300 Subject: [PATCH 072/658] examples/demuxing_decoding: convert to codecpar Signed-off-by: James Almer (cherry picked from commit bba6a03b2816d805d44bce4f9701a71f7d3f8dad) --- doc/examples/demuxing_decoding.c | 33 +++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index 59e0ccc986..49fb6afae1 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -148,11 +148,10 @@ static int decode_packet(int *got_frame, int cached) } static int open_codec_context(int *stream_idx, - AVFormatContext *fmt_ctx, enum AVMediaType type) + AVCodecContext **dec_ctx, AVFormatContext *fmt_ctx, enum AVMediaType type) { int ret, stream_index; AVStream *st; - AVCodecContext *dec_ctx = NULL; AVCodec *dec = NULL; AVDictionary *opts = NULL; 
@@ -166,17 +165,31 @@ static int open_codec_context(int *stream_idx, st = fmt_ctx->streams[stream_index]; /* find decoder for the stream */ - dec_ctx = st->codec; - dec = avcodec_find_decoder(dec_ctx->codec_id); + dec = avcodec_find_decoder(st->codecpar->codec_id); if (!dec) { fprintf(stderr, "Failed to find %s codec\n", av_get_media_type_string(type)); return AVERROR(EINVAL); } + /* Allocate a codec context for the decoder */ + *dec_ctx = avcodec_alloc_context3(dec); + if (!*dec_ctx) { + fprintf(stderr, "Failed to allocate the %s codec context\n", + av_get_media_type_string(type)); + return AVERROR(ENOMEM); + } + + /* Copy codec parameters from input stream to output codec context */ + if ((ret = avcodec_parameters_to_context(*dec_ctx, st->codecpar)) < 0) { + fprintf(stderr, "Failed to copy %s codec parameters to decoder context\n", + av_get_media_type_string(type)); + return ret; + } + /* Init the decoders, with or without reference counting */ av_dict_set(&opts, "refcounted_frames", refcount ? "1" : "0", 0); - if ((ret = avcodec_open2(dec_ctx, dec, &opts)) < 0) { + if ((ret = avcodec_open2(*dec_ctx, dec, &opts)) < 0) { fprintf(stderr, "Failed to open %s codec\n", av_get_media_type_string(type)); return ret; @@ -255,9 +268,8 @@ int main (int argc, char **argv) exit(1); } - if (open_codec_context(&video_stream_idx, fmt_ctx, AVMEDIA_TYPE_VIDEO) >= 0) { + if (open_codec_context(&video_stream_idx, &video_dec_ctx, fmt_ctx, AVMEDIA_TYPE_VIDEO) >= 0) { video_stream = fmt_ctx->streams[video_stream_idx]; - video_dec_ctx = video_stream->codec; video_dst_file = fopen(video_dst_filename, "wb"); if (!video_dst_file) { 
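Review bot: On the two failure paths after the allocation in open_codec_context — `avcodec_parameters_to_context()` and `avcodec_open2()` — the function returns an error while leaving the freshly allocated context in `*dec_ctx`, so ownership of a half-initialised context passes to the caller unannounced. The `end:` cleanup in main (changed in a later hunk) does free it, so this is not a leak today, but the contract belongs in the function's comment, or the function should clean up its own failures: `avcodec_free_context(dec_ctx); return ret;` in place of each bare `return ret;` after the allocation. Since this is an example people copy, the explicit version is the safer one to teach. open_codec_context continues outside the hunk.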
@@ -279,9 +291,8 @@ int main (int argc, char **argv) video_dst_bufsize = ret; } - if (open_codec_context(&audio_stream_idx, fmt_ctx, AVMEDIA_TYPE_AUDIO) >= 0) { + if (open_codec_context(&audio_stream_idx, &audio_dec_ctx, fmt_ctx, AVMEDIA_TYPE_AUDIO) >= 0) { audio_stream = fmt_ctx->streams[audio_stream_idx]; - audio_dec_ctx = audio_stream->codec; audio_dst_file = fopen(audio_dst_filename, "wb"); if (!audio_dst_file) { fprintf(stderr, "Could not open destination file %s\n", audio_dst_filename); @@ -369,8 +380,8 @@ int main (int argc, char **argv) } end: - avcodec_close(video_dec_ctx); - avcodec_close(audio_dec_ctx); + avcodec_free_context(&video_dec_ctx); + avcodec_free_context(&audio_dec_ctx); avformat_close_input(&fmt_ctx); if (video_dst_file) fclose(video_dst_file); From c46d22a4a58467bdc7885685b06a2114dd181c43 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 24 Aug 2016 20:43:33 -0300 Subject: [PATCH 073/658] Changelog: update after last commit Signed-off-by: James Almer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index a1bd17d7e5..6089814113 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,7 @@ version : version 3.1.3: +- examples/demuxing_decoding: convert to codecpar - avcodec/exr: Check tile positions - avcodec/aacenc: Tighter input checks - avformat/wtvdec: Check pointer before use From 12320c08221f0eecf6d9af3a6f12f42e656f0674 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Mon, 29 Aug 2016 15:25:58 +0200 Subject: [PATCH 074/658] cmdutils: fix implicit declaration of SetDllDirectory function Pre-processor check changed by commiter. Signed-off-by: James Almer --- cmdutils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index a725e77531..3bb8bde3e9 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -61,6 +61,9 @@ #include #include #endif +#if HAVE_SETDLLDIRECTORY +#include +#endif static int init_report(const char *env); 
From 677ea4a49b2e7e9ee28fb5e62f9aec73d7acb272 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 2 Sep 2016 17:10:57 +0200 Subject: [PATCH 075/658] lavc/mjpegdec: Do not skip reading quantization tables. They may contain 0xFFs, confusing the start code finding algorithm. Fixes ticket #5819. (cherry picked from commit cef5bc0e6e2320d3903cf063d59cef83e91dbc3c) --- libavcodec/mjpegdec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 633a8f02c0..0645a1d2ac 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2119,6 +2119,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ret = mjpeg_decode_com(s); if (ret < 0) return ret; + } else if (start_code == DQT) { + ff_mjpeg_decode_dqt(s); } ret = -1; @@ -2151,9 +2153,6 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->restart_count = 0; /* nothing to do on SOI */ break; - case DQT: - ff_mjpeg_decode_dqt(s); - break; case DHT: if ((ret = ff_mjpeg_decode_dht(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "huffman table decode error\n"); From 6fc29572fbf82148e39b18d676688af6d9c17e2f Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 22 Sep 2016 01:03:55 +0200 Subject: [PATCH 076/658] lavc/avpacket: Fix undefined behaviour, do not pass a null pointer to memcpy(). Fixes ticket #5857. (cherry picked from commit c54eef46f990722ed65fd1ad1da3d0fc50806eb5) --- libavcodec/avpacket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 9218689239..d70ee5d684 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c 
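Review bot: `ff_mjpeg_decode_dqt(s);` in the new `else if (start_code == DQT)` branch discards its return value, while the neighbouring `mjpeg_decode_com()` call two lines up and the `ff_mjpeg_decode_dht()` case in the second hunk both check for `< 0` and bail out. If the DQT parser reports malformed tables through its return value (the removed `case DQT:` ignored it too), a corrupt quantisation table is now silently carried into decoding: `if ((ret = ff_mjpeg_decode_dqt(s)) < 0) return ret;`. The function is outside this hunk, so confirm its error behaviour first. ff_mjpeg_decode_frame starts and ends outside the hunks.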
@@ -139,7 +139,8 @@ int av_grow_packet(AVPacket *pkt, int grow_by) pkt->buf = av_buffer_alloc(new_size); if (!pkt->buf) return AVERROR(ENOMEM); - memcpy(pkt->buf->data, pkt->data, pkt->size); + if (pkt->size > 0) + memcpy(pkt->buf->data, pkt->data, pkt->size); pkt->data = pkt->buf->data; } pkt->size += grow_by; From 748a4747da5a9fce15efb95b2d650d647cb98c1d Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Sat, 24 Sep 2016 09:29:03 +0300 Subject: [PATCH 077/658] avformat/hls: Fix handling of EXT-X-BYTERANGE streams over 2GB Replace uses of atoi() with strtoll() when trying to read values into int64_t variables. Fixes Kodi trac #16926: http://trac.kodi.tv/ticket/16926 (cherry picked from commit a6f5e25ad989550dff9493311d6ba08d882df079) --- libavformat/hls.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 59f5e38f9f..72415320d4 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -416,10 +416,10 @@ static struct segment *new_init_section(struct playlist *pls, } if (info->byterange[0]) { - sec->size = atoi(info->byterange); + sec->size = strtoll(info->byterange, NULL, 10); ptr = strchr(info->byterange, '@'); if (ptr) - sec->url_offset = atoi(ptr+1); + sec->url_offset = strtoll(ptr+1, NULL, 10); } else { /* the entire file is the init section */ sec->size = -1; @@ -731,7 +731,7 @@ static int parse_playlist(HLSContext *c, const char *url, ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = atoi(ptr) * AV_TIME_BASE; + pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) 
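Review bot: The new `if (pkt->size > 0)` guard reads like a micro-optimisation rather than a correctness fix, and the reason — `pkt->data` may be NULL for an empty packet, and `memcpy()` with a null pointer is undefined even for a zero length — lives only in the commit message. Add it as a comment: `/* pkt->data may be NULL when size == 0; memcpy with a null pointer is UB even for 0 bytes */`. av_grow_packet starts and ends outside the hunk.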
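Review bot: The `strtoll(…, NULL, 10)` calls in new_init_section (and the matching `seg_size`/`seg_offset` ones in the `#EXT-X-BYTERANGE:` hunk at -760) accept whatever the playlist says: no end-pointer or `errno` check, and a negative value is stored straight into `sec->size`, whose `-1` is the "entire file" sentinel assigned in the `else` branch right below. A broken or hostile playlist can therefore alias the sentinel or inject an arbitrary offset with no diagnostic. Parse through an end pointer and reject the bad cases, e.g. `char *end; sec->size = strtoll(info->byterange, &end, 10); if (end == info->byterange || sec->size < 0) /* ERROR_PATH_PLACEHOLDER */;` — the function's failure convention is outside the hunk, so the error path is left as a placeholder.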
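Review bot: `strtoll(ptr, NULL, 10) * AV_TIME_BASE` can overflow: a target duration above roughly 9.2e12 seconds, well within what strtoll parses, wraps the signed 64-bit multiply, which is undefined behaviour, and negative durations are accepted as well. The old `atoi()` form had the same class of problem in `int`, so the widening does not remove it. Bound the value before scaling, reusing the `goto fail` path the surrounding code already takes for `ensure_playlist` errors: `int64_t td = strtoll(ptr, NULL, 10); if (td < 0 || td > INT64_MAX / AV_TIME_BASE) goto fail;`. parse_playlist starts and ends outside the hunk.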
@@ -760,10 +760,10 @@ static int parse_playlist(HLSContext *c, const char *url, is_segment = 1; duration = atof(ptr) * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-BYTERANGE:", &ptr)) { - seg_size = atoi(ptr); + seg_size = strtoll(ptr, NULL, 10); ptr = strchr(ptr, '@'); if (ptr) - seg_offset = atoi(ptr+1); + seg_offset = strtoll(ptr+1, NULL, 10); } else if (av_strstart(line, "#", NULL)) { continue; } else if (line[0]) { From 8b21b44e7e312589a6c4dbad1b4214f2a03fb54a Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 24 Sep 2016 13:07:39 +0200 Subject: [PATCH 078/658] lavf/utils: Avoid an overflow for huge negative durations. Fixes ticket #5135. (cherry picked from commit 267da70ea8c36caaa645a3c4f1c5f0ca8bae156a) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d2a709c9a4..f470c79079 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2500,7 +2500,7 @@ static void update_stream_timings(AVFormatContext *ic) end_time1 = av_rescale_q_rnd(st->duration, st->time_base, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); - if (end_time1 != AV_NOPTS_VALUE && start_time1 <= INT64_MAX - end_time1) { + if (end_time1 != AV_NOPTS_VALUE && (end_time1 > 0 ? start_time1 <= INT64_MAX - end_time1 : start_time1 >= INT64_MIN - end_time1)) { end_time1 += start_time1; end_time = FFMAX(end_time, end_time1); } From ba642f031906b89566c60426cd2c0ffcd43072ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2016 01:12:49 +0200 Subject: [PATCH 079/658] avformat/utils: End probing if the expected codec surpasses AVPROBE_SCORE_STREAM_RETRY Fixes Ticket5800 Signed-off-by: Michael Niedermayer (cherry picked from commit c75273310cf1becffee79bab0e2bba0b1606afb7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index f470c79079..1711bef6ac 100644 
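Review bot: The overflow guard is now a very long line with a ternary nested inside the `&&`; it is correct as far as I can trace it (positive `end_time1` checks the upper bound, non-positive the lower) but hard to verify at a glance and easy to break on the next edit. Hoisting it into a tiny helper gives the invariant a name: `static inline int add_overflows_int64(int64_t a, int64_t b) { return b > 0 ? a > INT64_MAX - b : a < INT64_MIN - b; }` and then `if (end_time1 != AV_NOPTS_VALUE && !add_overflows_int64(start_time1, end_time1)) {`. update_stream_timings starts and ends outside the hunk.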
--- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -307,7 +307,7 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, int score; AVInputFormat *fmt = av_probe_input_format3(pd, 1, &score); - if (fmt && st->request_probe <= score) { + if (fmt) { int i; av_log(s, AV_LOG_DEBUG, "Probe with size=%d, packets=%d detected %s with score=%d\n", @@ -318,6 +318,9 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, if (fmt_id_type[i].type != AVMEDIA_TYPE_AUDIO && st->codecpar->sample_rate) continue; + if (st->request_probe > score && + st->codecpar->codec_id != fmt_id_type[i].id) + continue; st->codecpar->codec_id = fmt_id_type[i].id; st->codecpar->codec_type = fmt_id_type[i].type; st->internal->need_context_update = 1; From ed38046c5c2e3b310980be32287179895c83e0d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 12:19:29 +0200 Subject: [PATCH 080/658] avformat/avidec: Fix infinite loop in avi_read_nikon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 360/test.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 38ea86dbb3..858011c8de 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
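Review bot: The new `continue` in set_codec_from_probe_data encodes a non-obvious rule — a probe scoring below `request_probe` is still accepted when it merely confirms the codec id the stream already has — and the rationale lives only in the commit message and the ticket. A comment above it would keep the reasoning with the code: `/* below the requested score, only accept a result that confirms the codec id we already have */`. The first hunk also drops `st->request_probe <= score` from the outer `if`, so the debug log now fires for low-score probes too; fine, but worth a mention if anyone relies on that output. set_codec_from_probe_data starts and ends outside the hunks.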
@@ -344,14 +344,14 @@ static void avi_metadata_creation_time(AVDictionary **metadata, char *date) static void avi_read_nikon(AVFormatContext *s, uint64_t end) { - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !avio_feof(s->pb)) { uint32_t tag = avio_rl32(s->pb); uint32_t size = avio_rl32(s->pb); switch (tag) { case MKTAG('n', 'c', 't', 'g'): /* Nikon Tags */ { uint64_t tag_end = avio_tell(s->pb) + size; - while (avio_tell(s->pb) < tag_end) { + while (avio_tell(s->pb) < tag_end && !avio_feof(s->pb)) { uint16_t tag = avio_rl16(s->pb); uint16_t size = avio_rl16(s->pb); const char *name = NULL; From 5aaf7e31829d624803af4290120bc0fd4c34edd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 20:25:24 +0200 Subject: [PATCH 081/658] swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit 47bc1bdafb0950ccf128eaa491d8fd7cc0978813) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index b231abe7e1..8df0694147 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -352,6 +352,7 @@ static int packed_16bpc_bswap(SwsContext *c, const uint8_t *src[], int min_stride = FFMIN(FFABS(srcstr), FFABS(dststr)); if(!dstPtr || !srcPtr) continue; + dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr; for (i = 0; i < (srcSliceH >> c->chrDstVSubSample); i++) { for (j = 0; j < min_stride; j++) { dstPtr[j] = av_bswap16(srcPtr[j]); From e91b7852dfae807b1996c30ec77e5bd7eb3a01a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Sep 2016 12:15:24 +0200 Subject: [PATCH 082/658] swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit e57d99dd4e0d8fe2992da0d65b563580e35ce728) 
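Review bot: With the EOF checks the loops now terminate, but the inner bound `tag_end = avio_tell(s->pb) + size` is still taken from the file independently of the outer `end`, so a 'nctg' chunk can read past the enclosing chunk until EOF; if nested tags are required to stay inside the outer chunk, `uint64_t tag_end = FFMIN(avio_tell(s->pb) + size, end);` would bound it. Reads after EOF return 0 from avio_rl16/avio_rl32, which is why the feof test is needed in addition to the position test; a short comment on the first loop saying so would help. avi_read_nikon continues outside the hunk.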
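Review bot: The new `dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr;` has no comment explaining why only the destination is offset; if, as elsewhere in swscale, src[] already points at the slice while dst[] points at the full frame, `/* src[] is slice-relative, dst[] is frame-relative */` on the line above would make that explicit. The product is computed in int if dststr and srcSliceY are int, so a large slice offset times a wide 16-bit stride can overflow before the pointer addition; `(ptrdiff_t)dststr` would avoid that. packed_16bpc_bswap starts and ends outside the hunk.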
Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 8df0694147..1f99462103 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -558,6 +558,8 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], int bpc = dst_format->comp[0].depth; int alpha = src_format->flags & AV_PIX_FMT_FLAG_ALPHA; int swap = 0; + int i; + if ( HAVE_BIGENDIAN && !(src_format->flags & AV_PIX_FMT_FLAG_BE) || !HAVE_BIGENDIAN && src_format->flags & AV_PIX_FMT_FLAG_BE) swap++; @@ -571,6 +573,12 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], src_format->name, dst_format->name); return srcSliceH; } + + for(i=0; i<4; i++) { + dst2013[i] += stride2013[i] * srcSliceY / 2; + dst1023[i] += stride1023[i] * srcSliceY / 2; + } + switch (c->srcFormat) { case AV_PIX_FMT_RGB48LE: case AV_PIX_FMT_RGB48BE: From 7a3dc2f7b6c2fbe62aeed7839e736db395a6f76a Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 7 Sep 2016 14:05:35 -0700 Subject: [PATCH 083/658] avformat/mov: Fix potential integer overflow in mov_read_keys Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow. Signed-off-by: Michael Niedermayer (cherry picked from commit 347cb14b7cba7560e53f4434b419b9d8800253e7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7266fd09b0..dd746b4235 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
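Review bot: The slice offset loop adds `stride2013[i] * srcSliceY / 2` to all four plane pointers unconditionally and the `/ 2` is unexplained; if the dst arrays are uint16_t pointers with byte strides, `/* strides are in bytes, dst pointers are 16-bit */` should say so, and if a plane pointer can be NULL for formats without alpha (as the `if(!dstPtr || !srcPtr)` test in packed_16bpc_bswap suggests), `if (dst2013[i]) dst2013[i] += ...` avoids arithmetic on a null pointer. As in packed_16bpc_bswap, the product is int arithmetic and would be safer as `(ptrdiff_t)stride2013[i] * srcSliceY / 2`. Rgb16ToPlanarRgb16Wrapper continues outside both hunks.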
@@ -3243,7 +3243,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; From ed1c6f701a7861c77e89530d081e87da6fb3d3a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Sep 2016 21:15:55 +0200 Subject: [PATCH 084/658] avcodec/svq3: Reintroduce slice_type Fixes out of array read Fixes: 1642cd3962249d6aaf0eec2836023fb6/signal_sigsegv_2557a72_2995_04efaf2ff57a052f609a3b4a2ea4e622.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2d3099ad8ee67a4612633ea02c7fce10e5537579) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5e7d1643ad..8c176f625f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -102,6 +102,7 @@ typedef struct SVQ3Context { int prev_frame_num; enum AVPictureType pict_type; + enum AVPictureType slice_type; int low_delay; int mb_x, mb_y; @@ -1057,7 +1058,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) return -1; } - s->pict_type = ff_h264_golomb_to_pict_type[slice_id]; + s->slice_type = ff_h264_golomb_to_pict_type[slice_id]; if ((header & 0x9F) == 2) { i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1)); @@ -1426,6 +1427,8 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + s->pict_type = s->slice_type; + if (s->pict_type != AV_PICTURE_TYPE_B) FFSWAP(H264Picture*, s->next_pic, s->last_pic); 
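Review bot: The corrected bound deserves a comment, since `UINT_MAX / sizeof(*c->meta_keys) - 1` only makes sense with the allocation formula in view: `/* allocation below is (count + 1) * sizeof(*c->meta_keys); leave room for the +1 */`. The error message on the next line prints count with `%d`; if count holds the unsigned value avio_rb32() returns, `%u` is the matching specifier. mov_read_keys continues outside the hunk.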
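Review bot: The new `slice_type` field in SVQ3Context has no comment, and the relationship the three hunks establish — pict_type is latched from the first slice header of a frame while slice_type tracks each parsed header — is only discoverable by reading svq3_decode_frame; `enum AVPictureType slice_type; ///< type of the last parsed slice header; pict_type is latched from the first slice` on the struct line would record it. The assignment `s->pict_type = s->slice_type;` sits right after the first svq3_decode_slice_header() call, so a one-line comment there pointing at the per-slice consistency check later in the function would let a reader see both halves. svq3_decode_frame continues outside the hunk.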
@@ -1539,6 +1542,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; } + if (s->slice_type != s->pict_type) { + avpriv_request_sample(avctx, "non constant slice type\n"); + } /* TODO: support s->mb_skip_run */ } From 65c10f0f5c5212f903feb30a5f65700caa6f0b2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2016 10:26:15 +0200 Subject: [PATCH 085/658] avcodec/ccaption_dec: Use simple array instead of AVBuffer This is simpler and fixes an out of array read, fixing it with AVBuffers would be more complex Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 752e6dfa3ea97e7901870bdd9e5a51f860607240) Signed-off-by: Michael Niedermayer --- libavcodec/ccaption_dec.c | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c index 3b15149d79..360c6872e1 100644 --- a/libavcodec/ccaption_dec.c +++ b/libavcodec/ccaption_dec.c @@ -247,7 +247,8 @@ typedef struct CCaptionSubContext { int64_t last_real_time; char prev_cmd[2]; /* buffer to store pkt data */ - AVBufferRef *pktbuf; + uint8_t *pktbuf; + int pktbuf_size; int readorder; } CCaptionSubContext; @@ -273,11 +274,7 @@ static av_cold int init_decoder(AVCodecContext *avctx) if (ret < 0) { return ret; } - /* allocate pkt buffer */ - ctx->pktbuf = av_buffer_alloc(128); - if (!ctx->pktbuf) { - ret = AVERROR(ENOMEM); - } + return ret; } @@ -285,7 +282,8 @@ static av_cold int close_decoder(AVCodecContext *avctx) { CCaptionSubContext *ctx = avctx->priv_data; av_bprint_finalize(&ctx->buffer, NULL); - av_buffer_unref(&ctx->pktbuf); + av_freep(&ctx->pktbuf); + ctx->pktbuf_size = 0; return 0; } 
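Review bot: The message passed to avpriv_request_sample() ends in `\n`, but that helper appends its own "is not implemented…" sentence and newline (as implemented in libavutil/log.c), so the embedded newline splits the warning mid-sentence; use `avpriv_request_sample(avctx, "non constant slice type");`. The mismatch only logs and decoding continues with the frame's original pict_type, which is presumably the intended safe behaviour and worth a comment on the check. svq3_decode_frame continues outside the hunk.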
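Review bot: In the init_decoder hunk the remaining `if (ret < 0) { return ret; } return ret;` collapses to a single `return ret;` now that nothing follows the av_bprint setup. The new `pktbuf_size` field in CCaptionSubContext is the allocated size that av_fast_padded_malloc() maintains rather than the bytes in use; a comment `/* allocated size, maintained by av_fast_padded_malloc() */` would prevent it being read as a length. close_decoder correctly zeroes pktbuf_size after av_freep. init_decoder starts outside the hunk.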
@@ -729,16 +727,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp int ret = 0; int i; - if (ctx->pktbuf->size < len) { - ret = av_buffer_realloc(&ctx->pktbuf, len); - if (ret < 0) { - av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size); - len = ctx->pktbuf->size; - ret = 0; - } + av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len); + if (!ctx->pktbuf) { + av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size); + return AVERROR(ENOMEM); } - memcpy(ctx->pktbuf->data, avpkt->data, len); - bptr = ctx->pktbuf->data; + memcpy(ctx->pktbuf, avpkt->data, len); + bptr = ctx->pktbuf; for (i = 0; i < len; i += 3) { uint8_t cc_type = *(bptr + i) & 3; From 21a979773783bb4e1baa2597150f25151328c93f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2016 13:11:43 +0200 Subject: [PATCH 086/658] avformat/movenc: Check first DTS similar to dts difference Fixes assertion failure Fixes: b84b53855a0b74560e64c6f45f505a13/signal_sigabrt_7ffff6ae7c37_3837_ef4e243ea5b4fa8d0becf4afe9166604.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 68f4c2163ec6d4534ae1756dbcf259845f2e4d2c) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index d614933dff..788ab3c4d9 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
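Review bot: The warning in the allocation-failure path still says "Insufficient Memory of %d truncated to %d" although the code no longer truncates and returns AVERROR(ENOMEM), and pktbuf_size is 0 after a failed av_fast_padded_malloc(); `av_log(ctx, AV_LOG_ERROR, "Failed to allocate %d bytes for packet data\n", len);` would match what happens. av_fast_padded_malloc() takes an unsigned size, so if `len` can be negative here (it is computed outside the hunk) it should be rejected before the call. decode continues outside the hunk.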
@@ -4612,6 +4612,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) pkt->dts = trk->cluster[trk->entry - 1].dts + 1; pkt->pts = AV_NOPTS_VALUE; } + } else if (pkt->dts <= INT_MIN || pkt->dts >= INT_MAX) { + av_log(s, AV_LOG_ERROR, "Application provided initial timestamp: %"PRId64" is out of range for mov/mp4 format\n", + pkt->dts + ); + + pkt->dts = 0; + pkt->pts = AV_NOPTS_VALUE; } if (pkt->duration < 0 || pkt->duration > INT_MAX) { av_log(s, AV_LOG_ERROR, "Application provided duration: %"PRId64" is invalid\n", pkt->duration); From c2087fc48b46ac478944b4e6c59ae2a3a05da0e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2016 13:13:42 +0200 Subject: [PATCH 087/658] avcodec/avpacket: clear side_data_elems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 5e1bf9d8c0d2cdbbf17b06a5dfdf87a635b3203b) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index d70ee5d684..bb0fc6c189 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -199,6 +199,7 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) { pkt->data = NULL; pkt->side_data = NULL; + pkt->side_data_elems = 0; if (pkt->buf) { AVBufferRef *ref = av_buffer_ref(src->buf); if (!ref) @@ -208,9 +209,11 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) } else { DUP_DATA(pkt->data, src->data, pkt->size, 1, ALLOC_BUF); } - if (pkt->side_data_elems && dup) + if (src->side_data_elems && dup) { pkt->side_data = src->side_data; - if (pkt->side_data_elems && !dup) { + pkt->side_data_elems = src->side_data_elems; + } + if (src->side_data_elems && !dup) { return av_copy_packet_side_data(pkt, src); } return 0; 
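Review bot: The new range test `pkt->dts <= INT_MIN || pkt->dts >= INT_MAX` rejects the two boundary values themselves, while the duration check immediately below accepts `INT_MAX`; if the limit is really the 32-bit range, `pkt->dts < INT_MIN || pkt->dts > INT_MAX` is the consistent form, and a comment explaining why an int range applies to the first DTS would help since both enclosing branches are outside the hunk. Resetting dts to 0 and dropping pts mirrors the sibling branch above, so that part reads consistently. ff_mov_write_packet continues outside the hunk.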
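Review bot: In the dup branch, `pkt->side_data = src->side_data;` now comes with the element count, so the copy shares the side-data array with src rather than owning it; a comment such as `/* dup: share side data with src, the copy must not free it */` would make that ownership explicit, in contrast to the non-dup path below that allocates its own via av_copy_packet_side_data(). Clearing `pkt->side_data_elems` at the top is the right fix for callers whose pkt carried a stale count. copy_packet_data continues outside both hunks.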
From ac8ac46641adef208485baebc3734463bf0bd266 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Sep 2016 13:06:53 +0200 Subject: [PATCH 088/658] avcodec/g726: Add missing ADDB output mask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.poc Fixes out of array read Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a5af1240fce845f645440364c1335e0f8e44ee6c) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index c7d138e4b5..ca7f856eac 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -206,7 +206,7 @@ static int16_t g726_decode(G726Context* c, int I) if (I_sig) /* get the sign */ dq = -dq; - re_signal = c->se + dq; + re_signal = (int16_t)(c->se + dq); /* Update second order predictor coefficient A2 and A1 */ pk0 = (c->sez + dq) ? sgn(c->sez + dq) : 0; From c68ce48260cf374480439b8f0d658f02fe9932d4 Mon Sep 17 00:00:00 2001 From: Xinzheng Zhang Date: Wed, 14 Sep 2016 16:13:45 +0800 Subject: [PATCH 089/658] avformat/utils: fix timebase error in avformat_seek_file() When there is only one stream and stream_index has not specified, The ts has been transferd by the timebase of stream0 without modifying the stream_index In this condation it cause seek failure. Signed-off-by: Michael Niedermayer (cherry picked from commit ecc04b4f2f29ac676e6c1d1ebf20ec45f5385f1e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 1711bef6ac..5be1e869cf 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
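Review bot: `(int16_t)(c->se + dq)` relies on the conversion of an out-of-range value to int16_t wrapping, which C11 leaves implementation-defined (GCC and Clang document two's-complement truncation, but it is not guaranteed); if libavcodec/mathops.h is in scope, `re_signal = sign_extend(c->se + dq, 16);` expresses the 16-bit wrap portably, and either way a comment `/* ADDB: the reconstructed signal is a 16-bit two's-complement sum */` records why the truncation is deliberate. g726_decode continues outside the hunk.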
@@ -2414,6 +2414,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, max_ts = av_rescale_rnd(max_ts, time_base.den, time_base.num * (int64_t)AV_TIME_BASE, AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + stream_index = 0; } ret = s->iformat->read_seek2(s, stream_index, min_ts, From 03f996d1834610bd735406aac3ee6df47a946406 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Sep 2016 23:52:42 +0200 Subject: [PATCH 090/658] avformat/movenc: Factor check_pkt() out Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit deabcd2c05b2b01689d91394bbf3908da17234ed) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 788ab3c4d9..917fdaf5bb 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4592,15 +4592,10 @@ static int mov_auto_flush_fragment(AVFormatContext *s, int force) return ret; } -int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +static int check_pkt(AVFormatContext *s, AVPacket *pkt) { MOVMuxContext *mov = s->priv_data; - AVIOContext *pb = s->pb; MOVTrack *trk = &mov->tracks[pkt->stream_index]; - AVCodecParameters *par = trk->par; - unsigned int samples_in_chunk = 0; - int size = pkt->size, ret = 0; - uint8_t *reformatted_data = NULL; if (trk->entry) { int64_t duration = pkt->dts - trk->cluster[trk->entry - 1].dts; 
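Review bot: `stream_index = 0;` is added without a comment, and the condition that makes it correct — that min_ts/max_ts were just rescaled to stream 0's time_base — lives in the `if` whose head is outside the hunk; `/* timestamps were rescaled to stream 0 above, so seek on that stream */` on the new line would keep the two in step. avformat_seek_file continues outside the hunk.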
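Review bot: The extracted check_pkt() has no doc comment, and its name suggests a read-only check while the DTS handling it inherits from this function (the earlier clamp that resets dts and pts, outside the hunk) mutates the packet; a header comment such as `/* Validate pkt's dts/pts/duration for mov, rewriting out-of-range values; returns 0 or an AVERROR */` would set expectations for any other caller. The `mov` local is now used only to reach `trk`, which is fine but could be folded into that line. check_pkt's body continues outside the hunk.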
@@ -4624,6 +4619,23 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "Application provided duration: %"PRId64" is invalid\n", pkt->duration); return AVERROR(EINVAL); } + return 0; +} + +int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +{ + MOVMuxContext *mov = s->priv_data; + AVIOContext *pb = s->pb; + MOVTrack *trk = &mov->tracks[pkt->stream_index]; + AVCodecParameters *par = trk->par; + unsigned int samples_in_chunk = 0; + int size = pkt->size, ret = 0; + uint8_t *reformatted_data = NULL; + + ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 77c9c350930907b5201576573a70ffb8aaaec60f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Sep 2016 23:52:54 +0200 Subject: [PATCH 091/658] avformat/movenc: Check packet in mov_write_single_packet() too Fixes assertion failure Found-by: durandal117 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28343139330f557e00293933a4697c7d0fc19c56) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 917fdaf5bb..a283231791 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4901,6 +4901,10 @@ static int mov_write_single_packet(AVFormatContext *s, AVPacket *pkt) int64_t frag_duration = 0; int size = pkt->size; + int ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAG_DISCONT) { int i; for (i = 0; i < s->nb_streams; i++) From 9d738e6968757d4e70c8e07e0b720ac0004accc4 Mon Sep 17 00:00:00 2001 
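Review bot: `ret = check_pkt(s, pkt);` uses the function-level `ret`, while the very next block `if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret;` redeclares it in the inner scope, so two variables named ret are now live in the same function; dropping the inner `int ret;` (or renaming it) avoids the shadowing that -Wshadow reports. The `ret = 0` initialiser in the declaration is now dead since check_pkt assigns it immediately. ff_mov_write_packet continues outside the hunk.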
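Review bot: The added `check_pkt()` call duplicates the one in ff_mov_write_packet() if mov_write_single_packet() is reached through it (not visible here); that is harmless, since the second pass sees already-rewritten values, but a one-line comment such as `/* validated here too: this path is reachable without ff_mov_write_packet() */` (if that is the case) would stop a later cleanup removing one of them. `int ret` is declared after `int size = pkt->size;`, which is fine in C99 and matches the surrounding declarations. mov_write_single_packet continues outside the hunk.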
From: Michael Niedermayer Date: Mon, 19 Sep 2016 15:25:38 +0200 Subject: [PATCH 092/658] avcodec/cavsdsp: use av_clip_uint8() for idct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array read Fixes: 1.swf Found-by: 连一汉 Tested-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 0e318f110bcd6bb8e7de9127f2747272e60f48d7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdsp.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 91f6d7350b..df9490ad8f 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -188,7 +188,6 @@ static void cavs_filter_ch_c(uint8_t *d, int stride, int alpha, int beta, int tc static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { int i; int16_t (*src)[8] = (int16_t(*)[8])block; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; src[0][0] += 8; 
@@ -243,14 +242,14 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { const int b2 = a5 - a7; const int b3 = a4 - a6; - dst[i + 0*stride] = cm[ dst[i + 0*stride] + ((b0 + b4) >> 7)]; - dst[i + 1*stride] = cm[ dst[i + 1*stride] + ((b1 + b5) >> 7)]; - dst[i + 2*stride] = cm[ dst[i + 2*stride] + ((b2 + b6) >> 7)]; - dst[i + 3*stride] = cm[ dst[i + 3*stride] + ((b3 + b7) >> 7)]; - dst[i + 4*stride] = cm[ dst[i + 4*stride] + ((b3 - b7) >> 7)]; - dst[i + 5*stride] = cm[ dst[i + 5*stride] + ((b2 - b6) >> 7)]; - dst[i + 6*stride] = cm[ dst[i + 6*stride] + ((b1 - b5) >> 7)]; - dst[i + 7*stride] = cm[ dst[i + 7*stride] + ((b0 - b4) >> 7)]; + dst[i + 0*stride] = av_clip_uint8( dst[i + 0*stride] + ((b0 + b4) >> 7)); + dst[i + 1*stride] = av_clip_uint8( dst[i + 1*stride] + ((b1 + b5) >> 7)); + dst[i + 2*stride] = av_clip_uint8( dst[i + 2*stride] + ((b2 + b6) >> 7)); + dst[i + 3*stride] = av_clip_uint8( dst[i + 3*stride] + ((b3 + b7) >> 7)); + dst[i + 4*stride] = av_clip_uint8( dst[i + 4*stride] + ((b3 - b7) >> 7)); + dst[i + 5*stride] = av_clip_uint8( dst[i + 5*stride] + ((b2 - b6) >> 7)); + dst[i + 6*stride] = av_clip_uint8( dst[i + 6*stride] + ((b1 - b5) >> 7)); + dst[i + 7*stride] = av_clip_uint8( dst[i + 7*stride] + ((b0 - b4) >> 7)); } } From 496267f8e9ec218351e4359e1fde48722d4fc804 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Sep 2016 20:25:59 +0200 Subject: [PATCH 093/658] avcodec/ansi: Check dimensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 69449da436169e7facaa6d1f3bcbc41cf6ce2754) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 4808ea7fff..19c88d8d51 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c 
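Review bot: Replacing the `cm[]` lookups with av_clip_uint8() removes the out-of-range table index but leaves no trace of why; a comment above the eight stores, `/* the reconstruction can exceed the ±MAX_NEG_CROP range ff_crop_tab covers, so clip explicitly */`, would stop someone reintroducing the table for speed. The `>> 7` on possibly negative sums relies on arithmetic right shift, which the rest of the file already assumes, so no change is needed there. cavs_idct8_add_c starts outside the hunk.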
@@ -94,6 +94,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); if (ret < 0) return ret; + } else if (avctx->width % FONT_WIDTH || avctx->height % s->font_height) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); + return AVERROR(EINVAL); } return 0; } From 39dc26f0c104fb601fbe4fb0e66c3aa4341f3cb7 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Tue, 27 Sep 2016 19:23:20 -0700 Subject: [PATCH 094/658] lavc/movtextdec.c: Avoid infinite loop on invalid data. Signed-off-by: Sasi Inguva (cherry picked from commit 7e9e1b7070242a79fa6e3acd749d7fe76e39ea7b) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index abf8711a9c..a33fff7518 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -471,6 +471,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx, tsmb_type = AV_RB32(tsmb); tsmb += 4; + if (tsmb_size == 0) { + return AVERROR_INVALIDDATA; + } + if (tsmb_size == 1) { if (m->tracksize + 16 > avpkt->size) break; From 8834e080c20d3d23c3ffe779371359f9b9b835ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Sep 2016 11:56:11 +0200 Subject: [PATCH 095/658] avformat/avidec: Fix memleak with dv in avi MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit b98dafe04564d5fe3e5bf5073d871dd93a4a62de) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 858011c8de..26b02342a9 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
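Review bot: The new `avctx->height % s->font_height` divides by a field set outside the hunk; if s->font_height can still be 0 when decode_init reaches this branch, the modulo is undefined behaviour, so either assert it or test `!s->font_height ||` first. The error reports both dimensions, which is useful; adding the expected multiples (`FONT_WIDTH` and `s->font_height`) to the message would make the failure actionable. decode_init starts outside the hunk.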
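Review bot: `tsmb_size == 0` is now rejected, but sizes 2 to 7 are still accepted although they are smaller than the 8-byte box header the code has just consumed; if later arithmetic subtracts the header length (outside the hunk), `if (tsmb_size < 8 && tsmb_size != 1)` — keeping the `== 1` extended-size case — would reject them in the same place. Logging the offending size at AV_LOG_ERROR before returning would help diagnose truncated samples. mov_text_decode_frame continues outside the hunk.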
@@ -605,9 +605,13 @@ static int avi_read_header(AVFormatContext *s) ast = s->streams[0]->priv_data; av_freep(&s->streams[0]->codecpar->extradata); av_freep(&s->streams[0]->codecpar); + av_freep(&s->streams[0]->codec); if (s->streams[0]->info) av_freep(&s->streams[0]->info->duration_error); av_freep(&s->streams[0]->info); + if (s->streams[0]->internal) + av_freep(&s->streams[0]->internal->avctx); + av_freep(&s->streams[0]->internal); av_freep(&s->streams[0]); s->nb_streams = 0; if (CONFIG_DV_DEMUXER) { From e6351504dc545aef7c7f87a81f95a4d3172ec55d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Sep 2016 13:44:47 +0200 Subject: [PATCH 096/658] Update for 3.1.4 Signed-off-by: Michael Niedermayer --- Changelog | 22 ++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 6089814113..b6156a0261 100644 --- a/Changelog +++ b/Changelog 
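Review bot: `av_freep(&s->streams[0]->codec)` and `av_freep(&s->streams[0]->internal->avctx)` free only the AVCodecContext structs; anything those contexts own (their own extradata, priv_data, subtitle_header) would still leak, and avcodec_free_context() is the destructor that releases them. This block is also re-implementing stream teardown by hand, so each new AVStream field needs another line here; if ff_free_stream() from libavformat/internal.h is usable at this point it would cover these fields and any added later. avi_read_header continues outside the hunk.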
@@ -3,6 +3,28 @@ releases are sorted from youngest to oldest. version : +version 3.1.4: +- avformat/avidec: Fix memleak with dv in avi +- lavc/movtextdec.c: Avoid infinite loop on invalid data. +- avcodec/ansi: Check dimensions +- avcodec/cavsdsp: use av_clip_uint8() for idct +- avformat/movenc: Check packet in mov_write_single_packet() too +- avformat/movenc: Factor check_pkt() out +- avformat/utils: fix timebase error in avformat_seek_file() +- avcodec/g726: Add missing ADDB output mask +- avcodec/avpacket: clear side_data_elems +- avformat/movenc: Check first DTS similar to dts difference +- avcodec/ccaption_dec: Use simple array instead of AVBuffer +- avcodec/svq3: Reintroduce slice_type +- avformat/mov: Fix potential integer overflow in mov_read_keys +- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices +- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices +- avformat/avidec: Fix infinite loop in avi_read_nikon() +- lavf/utils: Avoid an overflow for huge negative durations. +- avformat/hls: Fix handling of EXT-X-BYTERANGE streams over 2GB +- lavc/avpacket: Fix undefined behaviour, do not pass a null pointer to memcpy(). +- lavc/mjpegdec: Do not skip reading quantization tables. +- cmdutils: fix implicit declaration of SetDllDirectory function version 3.1.3: - examples/demuxing_decoding: convert to codecpar diff --git a/RELEASE b/RELEASE index ff365e06b9..0aec50e6ed 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.3 +3.1.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5c8b2ed10f..000498bc17 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.3 +PROJECT_NUMBER = 3.1.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 
From e60a00e0cc48930867cc6a9224d406a026f7c081 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 28 Sep 2016 16:10:49 +0200 Subject: [PATCH 097/658] avcodec/nvenc: fix const options for hevc gpu setting --- libavcodec/nvenc_hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nvenc_hevc.c b/libavcodec/nvenc_hevc.c index 1ce7c89a4b..17a0c2d13d 100644 --- a/libavcodec/nvenc_hevc.c +++ b/libavcodec/nvenc_hevc.c @@ -76,7 +76,7 @@ static const AVOption options[] = { { "surfaces", "Number of concurrent surfaces", OFFSET(nb_surfaces), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, INT_MAX, VE }, { "cbr", "Use cbr encoding mode", OFFSET(cbr), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VE }, { "2pass", "Use 2pass encoding mode", OFFSET(twopass), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, VE }, - { "gpu", "Selects which NVENC capable GPU to use. First GPU is 0, second is 1, and so on.", OFFSET(device), AV_OPT_TYPE_INT, { .i64 = ANY_DEVICE }, -2, INT_MAX, VE }, + { "gpu", "Selects which NVENC capable GPU to use. First GPU is 0, second is 1, and so on.", OFFSET(device), AV_OPT_TYPE_INT, { .i64 = ANY_DEVICE }, -2, INT_MAX, VE, "device" }, { "any", "Pick the first device available", 0, AV_OPT_TYPE_CONST, { .i64 = ANY_DEVICE }, 0, 0, VE, "device" }, { "list", "List the available devices", 0, AV_OPT_TYPE_CONST, { .i64 = LIST_DEVICES }, 0, 0, VE, "device" }, { "delay", "Delay frame output by the given amount of frames", OFFSET(async_depth), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, VE }, From d0590d93493a3b854e4e2755f0637099ef551b98 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Tue, 6 Sep 2016 16:30:07 +0200 Subject: [PATCH 098/658] lavc/mediacodecdec_h264: fix SODB escaping Fixes escaping of consecutive 0x00, 0x00, 0x0{0-3} sequences. (cherry picked from commit f574012d5fe922684a5befa16828f22fe9a83ce8) --- libavcodec/mediacodecdec_h264.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
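Review bot: The gpu option now names the "device" unit, so the any/list constants below finally attach to it; if libavcodec/nvenc_h264.c carries the same option table (not visible here), it needs the identical fix. Sharing one option table between the two wrappers would keep such fixes from being applied to one and not the other.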
diff --git a/libavcodec/mediacodecdec_h264.c b/libavcodec/mediacodecdec_h264.c index 11fb677d5c..f663267996 100644 --- a/libavcodec/mediacodecdec_h264.c +++ b/libavcodec/mediacodecdec_h264.c @@ -103,9 +103,9 @@ static int h264_ps_to_nalu(const uint8_t *src, int src_size, uint8_t **out, int } *out = p = new; - i = i + 3; - memmove(p + i, p + i - 1, *out_size - i); - p[i - 1] = 0x03; + i = i + 2; + memmove(p + i + 1, p + i, *out_size - (i + 1)); + p[i] = 0x03; } } done: From 2303cea5be08a31a4708b36c8e83150e2a120414 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 28 Sep 2016 17:24:42 -0300 Subject: [PATCH 099/658] avfilter/vf_colorspace: fix range for output colorspace option Rreviewed-by: BBB Signed-off-by: James Almer (cherry picked from commit e4bfc9ecf73d593853ef4e993a5c753f5596aee1) --- libavfilter/vf_colorspace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index 3d39f13d1e..a54369054f 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -1008,7 +1008,7 @@ static const AVOption colorspace_options[] = { { "space", "Output colorspace", OFFSET(user_csp), AV_OPT_TYPE_INT, { .i64 = AVCOL_SPC_UNSPECIFIED }, - AVCOL_PRI_RESERVED0, AVCOL_PRI_NB - 1, FLAGS, "csp" }, + AVCOL_SPC_RGB, AVCOL_SPC_NB - 1, FLAGS, "csp"}, ENUM("bt709", AVCOL_SPC_BT709, "csp"), ENUM("fcc", AVCOL_SPC_FCC, "csp"), ENUM("bt470bg", AVCOL_SPC_BT470BG, "csp"), From bc6174d4af76668040c80f20a9a5ae0f7420f187 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 28 Sep 2016 17:42:41 -0300 Subject: [PATCH 100/658] Changelog: update after the last few commits Signed-off-by: James Almer --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index b6156a0261..f464aa4edd 100644 --- a/Changelog +++ b/Changelog 
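Review bot: The corrected emulation-prevention insert — `memmove(p + i + 1, p + i, *out_size - (i + 1)); p[i] = 0x03;` — needs a comment saying what `i` indexes after `i = i + 2`, since the off-by-one this commit fixes came from exactly that ambiguity: `/* i now indexes the byte after the 00 00 pair; shift it and everything after right by one and insert 0x03 */`. Whether `*out_size` already includes the extra byte allocated for the insertion is decided outside the hunk, so the memmove length should be checked against that. h264_ps_to_nalu starts outside the hunk.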
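Review bot: `FLAGS, "csp"}` drops the space before the closing brace that the neighbouring option entries use; `FLAGS, "csp" }` keeps the table consistent. The replacement bounds are the right enum family and the default AVCOL_SPC_UNSPECIFIED lies inside `[AVCOL_SPC_RGB, AVCOL_SPC_NB - 1]`, so the range fix itself looks complete.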
@@ -4,6 +4,9 @@ releases are sorted from youngest to oldest. version : version 3.1.4: +- avfilter/vf_colorspace: fix range for output colorspace option +- lavc/mediacodecdec_h264: fix SODB escaping +- avcodec/nvenc: fix const options for hevc gpu setting - avformat/avidec: Fix memleak with dv in avi - lavc/movtextdec.c: Avoid infinite loop on invalid data. - avcodec/ansi: Check dimensions From c8c5f66b42edc37474baa5cb51460cbf6f33075b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 15:47:12 +0200 Subject: [PATCH 101/658] avformat/avidec: Remove ancient assert MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This assert can with crafted files fail, a warning is already printed for this case. Fixes assertion failure Fixes:1/assert.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 14bac7e00d72eac687612d9b125e585011a56d4f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 26b02342a9..410c2d59df 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1853,7 +1853,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, continue; // av_assert1(st2->codecpar->block_align); - av_assert0(fabs(av_q2d(st2->time_base) - ast2->scale / (double)ast2->rate) < av_q2d(st2->time_base) * 0.00000001); index = av_index_search_timestamp(st2, av_rescale_q(timestamp, st->time_base, From 622ccbd8ab894e3ac6cdf607e3d4f39e406786e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 16:14:08 +0200 Subject: [PATCH 102/658] avformat/avidec: Check nb_streams in read_gab2_sub() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: 1/null_point.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 2679ad4773aa356e7c3da5c68bc81f02a194617f) 
Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 410c2d59df..3c5f3ec10c 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1097,6 +1097,8 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) goto error; if (!avformat_open_input(&ast->sub_ctx, "", sub_demuxer, NULL)) { + if (ast->sub_ctx->nb_streams != 1) + goto error; ff_read_packet(ast->sub_ctx, &ast->sub_pkt); avcodec_parameters_copy(st->codecpar, ast->sub_ctx->streams[0]->codecpar); time_base = ast->sub_ctx->streams[0]->time_base; From c2ea70628215ccede53240843b4514a6c339ab27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2016 02:51:42 +0200 Subject: [PATCH 103/658] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index f464aa4edd..4f2db19190 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,8 @@ releases are sorted from youngest to oldest. version : version 3.1.4: +- avformat/avidec: Check nb_streams in read_gab2_sub() +- avformat/avidec: Remove ancient assert - avfilter/vf_colorspace: fix range for output colorspace option - lavc/mediacodecdec_h264: fix SODB escaping - avcodec/nvenc: fix const options for hevc gpu setting From d89979e86b322210862987ebf1473fbd7cdc4c45 Mon Sep 17 00:00:00 2001 From: Shivraj Patil Date: Wed, 5 Oct 2016 17:52:24 +0530 Subject: [PATCH 104/658] avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r6 Signed-off-by: Shivraj Patil Signed-off-by: Michael Niedermayer (cherry picked from commit c1cc13cd2a9b8d6d2810ec42454f328a1a0d5efa) Signed-off-by: Michael Niedermayer --- libavutil/mips/generic_macros_msa.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavutil/mips/generic_macros_msa.h b/libavutil/mips/generic_macros_msa.h index b1d18dd9d3..0a59619e7b 100644 
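Review bot: The new `goto error` after a successful avformat_open_input() is only safe if the error label closes `ast->sub_ctx`; if it does not (the label is outside the hunk), the opened sub-demuxer context leaks on the nb_streams != 1 path, and `avformat_close_input(&ast->sub_ctx);` should precede the jump. The following `ff_read_packet()` return value is still unchecked, so a stream that exists but yields no packet leaves sub_pkt in whatever state it had. read_gab2_sub continues outside the hunk.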
--- a/libavutil/mips/generic_macros_msa.h +++ b/libavutil/mips/generic_macros_msa.h @@ -85,12 +85,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m); \ - val1_m = LW(psrc_m + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ @@ -172,12 +172,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m1 = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m1); \ - val1_m = LW(psrc_m1 + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ From d2566b124af849d28eaedcba60c3a7ac280070ab Mon Sep 17 00:00:00 2001 From: Shivraj Patil Date: Fri, 5 Aug 2016 13:42:44 +0530 Subject: [PATCH 105/658] Support for MIPS cpu P6600 Signed-off-by: Shivraj Patil Signed-off-by: Michael Niedermayer (cherry picked from commit 6803a298f4338c19c3032d2417c6e857eb6d95be) Signed-off-by: Michael Niedermayer --- configure | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 5b069eb099..64142e700f 100755 --- a/configure +++ b/configure @@ -4336,7 +4336,7 @@ elif enabled mips; then enable mips32r2 disable msa ;; - p5600|i6400) + p5600|i6400|p6600) disable mipsdsp disable mipsdspr2 ;; 
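Review bot: The rename to `psrc_ld_m` is a fix for nested statement-expression macros sharing a temporary name (presumably LW() declares its own `psrc_m`, so the outer one was shadowed once LD() expanded), and nothing in the header records that convention; a comment at the first LD() definition, `/* locals carry the macro name: nested expansions must not shadow each other */`, would stop the next macro reintroducing it. Both #else branches now use the same local name, which is fine since they are mutually exclusive.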
@@ -4401,6 +4401,10 @@ elif enabled mips; then enable mips64r6 check_cflags "-mtune=i6400 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" ;; + p6600) + enable mips64r6 + check_cflags "-mtune=p6600 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" + ;; esac else # We do not disable anything. Is up to the user to disable the unwanted features. From 263add4462a4f55496d7b322d71f5f72ab83178c Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 1 Oct 2016 16:15:45 +0200 Subject: [PATCH 106/658] ffmpeg: remove unused and errorneous AVFrame timestamp check Decoders have previously not used AVFrame.pts, and with the upcoming deprecation of pkt_pts (in favor of pts), this would lead to an errorneous interpration of timestamps. (cherry picked from commit 04a3577263782cd6d70722d4ae18d75fee03dbc4) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index b26995deb0..cdded8673f 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2026,12 +2026,7 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) } } - /* if the decoder provides a pts, use it instead of the last packet pts. - the decoder could be delaying output by a packet or more. */ - if (decoded_frame->pts != AV_NOPTS_VALUE) { - ist->dts = ist->next_dts = ist->pts = ist->next_pts = av_rescale_q(decoded_frame->pts, avctx->time_base, AV_TIME_BASE_Q); - decoded_frame_tb = avctx->time_base; - } else if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { + if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { decoded_frame->pts = decoded_frame->pkt_pts; decoded_frame_tb = ist->st->time_base; } else if (pkt->pts != AV_NOPTS_VALUE) { From fc36e692c4ac782f5a0327ead530b37c64e2c4f2 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:56:58 +0200 Subject: [PATCH 107/658] tools: fix grammar error 
Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit f71c98ee12f9a9e950b4a8fb6b1548fee91ba1f8) Signed-off-by: Michael Niedermayer --- tools/ismindex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ismindex.c b/tools/ismindex.c index 5917d42f44..c16e2f2670 100644 --- a/tools/ismindex.c +++ b/tools/ismindex.c @@ -375,7 +375,7 @@ static int read_tfra(struct Tracks *tracks, int start_index, AVIOContext *f) track->duration - track->offsets[track->chunks - 1].time; } - // Now try and read the actual durations from the trun sample data. + // Now try to read the actual durations from the trun sample data. for (i = 0; i < track->chunks; i++) { int64_t duration = read_moof_duration(f, track->offsets[i].offset); if (duration > 0 && llabs(duration - track->offsets[i].duration) > 3) { From 30c80e81d2a5f50f438a69912ae197beb4fc7716 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:56:59 +0200 Subject: [PATCH 108/658] lavc: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3305f71025289970fb34473adce5d9c65d1af016) Signed-off-by: Michael Niedermayer --- libavcodec/asvenc.c | 2 +- libavcodec/mpeg12dec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/asvenc.c b/libavcodec/asvenc.c index ec98a0ce35..c4eca2a13d 100644 --- a/libavcodec/asvenc.c +++ b/libavcodec/asvenc.c @@ -61,7 +61,7 @@ static inline void asv2_put_level(ASV1Context *a, PutBitContext *pb, int level) } else { put_bits(pb, ff_asv2_level_tab[31][1], ff_asv2_level_tab[31][0]); if (level < -128 || level > 127) { - av_log(a->avctx, AV_LOG_WARNING, "Cliping level %d, increase qscale\n", level); + av_log(a->avctx, AV_LOG_WARNING, "Clipping level %d, increase qscale\n", level); level = av_clip_int8(level); } asv2_put_bits(pb, 8, level & 0xFF); diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 204a57891e..7e730b80c6 100644 
--- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2389,7 +2389,7 @@ FF_ENABLE_DEPRECATION_WARNINGS #endif s->closed_gop = get_bits1(&s->gb); - /* broken_link indicate that after editing the + /* broken_link indicates that after editing the * reference frames of the first B-Frames after GOP I-Frame * are missing (open gop) */ broken_link = get_bits1(&s->gb); From f12c0da09b04dc8897a6856a34c1d4d58fbf025f Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:57:00 +0200 Subject: [PATCH 109/658] lavfi: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit f4e4bde1f4cff99d4ec59ed361ff9228b2050e6b) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 4 ++-- libavfilter/vf_blackframe.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 1eb102c10a..7c02f6720d 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -109,7 +109,7 @@ static av_cold int init(AVFilterContext *ctx) if (!pan->args) { av_log(ctx, AV_LOG_ERROR, "pan filter needs a channel layout and a set " - "of channels definitions as parameter\n"); + "of channel definitions as parameter\n"); return AVERROR(EINVAL); } if (!args) @@ -276,7 +276,7 @@ static int config_props(AVFilterLink *link) if (link->channels > MAX_CHANNELS || pan->nb_output_channels > MAX_CHANNELS) { av_log(ctx, AV_LOG_ERROR, - "af_pan support a maximum of %d channels. " + "af_pan supports a maximum of %d channels. " "Feel free to ask for a higher limit.\n", MAX_CHANNELS); return AVERROR_PATCHWELCOME; } diff --git a/libavfilter/vf_blackframe.c b/libavfilter/vf_blackframe.c index ad6d488b3a..9fe2a42942 100644 --- a/libavfilter/vf_blackframe.c +++ b/libavfilter/vf_blackframe.c 
@@ -104,8 +104,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) #define OFFSET(x) offsetof(BlackFrameContext, x) #define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM static const AVOption blackframe_options[] = { - { "amount", "Percentage of the pixels that have to be below the threshold " - "for the frame to be considered black.", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, + { "amount", "percentage of the pixels that have to be below the threshold " + "for the frame to be considered black", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, { "threshold", "threshold below which a pixel value is considered black", OFFSET(bthresh), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, 255, FLAGS }, { "thresh", "threshold below which a pixel value is considered black", From 7fefd776682ae9a138d808f8e91e8c74574187db Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:57:02 +0200 Subject: [PATCH 110/658] cmdutils: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5d27d7a7350e096eac9f8999d02bf48c3b3a69) Signed-off-by: Michael Niedermayer --- cmdutils.c | 4 ++-- cmdutils.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index 3bb8bde3e9..476c85894c 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -2111,7 +2111,7 @@ static int print_device_sources(AVInputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_INPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sources for %s:\n", fmt->name); + printf("Auto-detected sources for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sources. Not implemented.\n"); 
@@ -2141,7 +2141,7 @@ static int print_device_sinks(AVOutputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_OUTPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sinks for %s:\n", fmt->name); + printf("Auto-detected sinks for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sinks. Not implemented.\n"); diff --git a/cmdutils.h b/cmdutils.h index 67bf4848b7..1b96aa48d1 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -450,13 +450,13 @@ int show_devices(void *optctx, const char *opt, const char *arg); #if CONFIG_AVDEVICE /** - * Print a listing containing audodetected sinks of the output device. + * Print a listing containing autodetected sinks of the output device. * Device name with options may be passed as an argument to limit results. */ int show_sinks(void *optctx, const char *opt, const char *arg); /** - * Print a listing containing audodetected sources of the input device. + * Print a listing containing autodetected sources of the input device. * Device name with options may be passed as an argument to limit results. */ int show_sources(void *optctx, const char *opt, const char *arg); From 08eef74a39d73bec80d4a12f0eaca6a3602a2024 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Oct 2016 17:49:10 +0200 Subject: [PATCH 111/658] avformat/utils: Update codec_id before using it in the parser init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes assertion failure Fixes: input.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 987690799dd86433bf98b897aaa4c8d93ade646d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5be1e869cf..8dc287f202 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -3328,6 +3328,17 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) if (!avctx->time_base.num) avctx->time_base = st->time_base; } + + /* check if the caller has overridden the codec id */ +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + if (st->codec->codec_id != st->internal->orig_codec_id) { + st->codecpar->codec_id = st->codec->codec_id; + st->codecpar->codec_type = st->codec->codec_type; + st->internal->orig_codec_id = st->codec->codec_id; + } +FF_ENABLE_DEPRECATION_WARNINGS +#endif // only for the split stuff if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codecpar->codec_id); @@ -3344,16 +3355,6 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } } - /* check if the caller has overridden the codec id */ -#if FF_API_LAVF_AVCTX -FF_DISABLE_DEPRECATION_WARNINGS - if (st->codec->codec_id != st->internal->orig_codec_id) { - st->codecpar->codec_id = st->codec->codec_id; - st->codecpar->codec_type = st->codec->codec_type; - st->internal->orig_codec_id = st->codec->codec_id; - } -FF_ENABLE_DEPRECATION_WARNINGS -#endif if (st->codecpar->codec_id != st->internal->orig_codec_id) st->internal->orig_codec_id = st->codecpar->codec_id; From 6109c10b81d6bc484996e3407046302d3a537575 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 20:51:57 +0200 Subject: [PATCH 112/658] doc: fix various typos and grammar errors Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 99d68d462fbd777cfd3fe055d4181a6f7c03fac7) 
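Review bot: The relocated `#if FF_API_LAVF_AVCTX` block now runs before `av_parser_init(st->codecpar->codec_id)`, which is the whole fix, yet its comment still only says `check if the caller has overridden the codec id` and nothing ties it to the parser init that follows; whoever later removes the deprecated `st->codec` code could move it back. I would extend it: `/* check if the caller has overridden the codec id; must run before the parser is created below, otherwise a parser for the probed codec is paired with the overridden codecpar (assertion failure on the fuzzed input.avi) */`, with the mechanism taken from the commit message rather than anything visible here. The trailing `if (st->codecpar->codec_id != st->internal->orig_codec_id) st->internal->orig_codec_id = st->codecpar->codec_id;` still sits after the parser init, which looks intentional since it only records the id. avformat_find_stream_info() starts and ends outside the hunk.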
Signed-off-by: Michael Niedermayer --- doc/codecs.texi | 2 +- doc/demuxers.texi | 4 ++-- doc/ffmpeg.texi | 2 +- doc/fftools-common-opts.texi | 8 +++---- doc/filters.texi | 42 ++++++++++++++++++------------------ doc/formats.texi | 2 +- doc/indevs.texi | 4 ++-- doc/muxers.texi | 6 +++--- doc/platform.texi | 2 +- doc/protocols.texi | 2 +- 10 files changed, 37 insertions(+), 37 deletions(-) diff --git a/doc/codecs.texi b/doc/codecs.texi index 48fc3bfece..3b197a7245 100644 --- a/doc/codecs.texi +++ b/doc/codecs.texi @@ -1173,7 +1173,7 @@ Set to 1 to disable processing alpha (transparency). This works like the instead of alpha. Default is 0. @item codec_whitelist @var{list} (@emph{input}) -"," separated List of allowed decoders. By default all are allowed. +"," separated list of allowed decoders. By default all are allowed. @item dump_separator @var{string} (@emph{input}) Separator used to separate the fields printed on the command line about the diff --git a/doc/demuxers.texi b/doc/demuxers.texi index e34f8b3fe6..25b12a8977 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -72,7 +72,7 @@ Do not try to resynchronize by looking for a certain optional start code. Virtual concatenation script demuxer. This demuxer reads a list of files and other directives from a text file and -demuxes them one after the other, as if all their packet had been muxed +demuxes them one after the other, as if all their packets had been muxed together. The timestamps in the files are adjusted so that the first file starts at 0 @@ -107,7 +107,7 @@ Identify the script type and version. It also sets the @option{safe} option to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must -appears exactly as is (no extra space or byte-order-mark) on the very first +appear exactly as is (no extra space or byte-order-mark) on the very first line of the script. @item @code{duration @var{dur}} 
diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 7368cdbbbd..3aefc34564 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -1008,7 +1008,7 @@ Dump each input packet to stderr. @item -hex (@emph{global}) When dumping packets, also dump the payload. @item -re (@emph{input}) -Read input at native frame rate. Mainly used to simulate a grab device. +Read input at native frame rate. Mainly used to simulate a grab device, or live input stream (e.g. when reading from a file). Should not be used with actual grab devices or live input streams (where it can cause packet loss). diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 509c8bca7c..a8e485f43a 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -176,10 +176,10 @@ loglevel will be used. If multiple loglevel parameters are given, using Show nothing at all; be silent. @item panic, 0 Only show fatal errors which could lead the process to crash, such as -and assert failure. This is not currently used for anything. +an assertion failure. This is not currently used for anything. @item fatal, 8 Only show fatal errors. These are errors after which the process absolutely -cannot continue after. +cannot continue. @item error, 16 Show all errors, including ones which can be recovered from. @item warning, 24 
@@ -195,13 +195,13 @@ Show everything, including debugging information. @item trace, 56 @end table -By default the program logs to stderr, if coloring is supported by the +By default the program logs to stderr. If coloring is supported by the terminal, colors are used to mark errors and warnings. Log coloring can be disabled setting the environment variable @env{AV_LOG_FORCE_NOCOLOR} or @env{NO_COLOR}, or can be forced setting the environment variable @env{AV_LOG_FORCE_COLOR}. The use of the environment variable @env{NO_COLOR} is deprecated and -will be dropped in a following FFmpeg version. +will be dropped in a future FFmpeg version. @item -report Dump full command line and console output to a file named diff --git a/doc/filters.texi b/doc/filters.texi index 3cf3d7ce89..b482236e10 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -845,14 +845,14 @@ A gate is mainly used to reduce lower parts of a signal. This kind of signal processing reduces disturbing noise between useful signals. Gating is done by detecting the volume below a chosen level @var{threshold} -and divide it by the factor set with @var{ratio}. The bottom of the noise +and dividing it by the factor set with @var{ratio}. The bottom of the noise floor is set via @var{range}. Because an exact manipulation of the signal would cause distortion of the waveform the reduction can be levelled over time. This is done by setting @var{attack} and @var{release}. @var{attack} determines how long the signal has to fall below the threshold before any reduction will occur and @var{release} sets the time the signal -has to raise above the threshold to reduce the reduction again. +has to rise above the threshold to reduce the reduction again. Shorter signals than the chosen attack time will be left untouched. @table @option 
@@ -869,7 +869,7 @@ If a signal rises above this level the gain reduction is released. Default is 0.125. Allowed range is from 0 to 1. @item ratio -Set a ratio about which the signal is reduced. +Set a ratio by which the signal is reduced. Default is 2. Allowed range is from 1 to 9000. @item attack @@ -892,19 +892,19 @@ Default is 2.828427125. Allowed range is from 1 to 8. @item detection Choose if exact signal should be taken for detection or an RMS like one. -Default is rms. Can be peak or rms. +Default is @code{rms}. Can be @code{peak} or @code{rms}. @item link Choose if the average level between all channels or the louder channel affects the reduction. -Default is average. Can be average or maximum. +Default is @code{average}. Can be @code{average} or @code{maximum}. @end table @section alimiter -The limiter prevents input signal from raising over a desired threshold. +The limiter prevents an input signal from rising over a desired threshold. This limiter uses lookahead technology to prevent your signal from distorting. -It means that there is a small delay after signal is processed. Keep in mind +It means that there is a small delay after the signal is processed. Keep in mind that the delay it produces is the attack time you set. The filter accepts the following options: @@ -1353,7 +1353,7 @@ Set the number of samples per each output audio frame. The last output packet may contain a different number of samples, as the filter will flush all the remaining samples when the input audio -signal its end. +signals its end. The filter accepts the following options: @@ -2445,7 +2445,7 @@ filtering with large delay. Default is disabled. Enable multichannels evaluation on gain. Default is disabled. @item zero_phase -Enable zero phase mode by substracting timestamp to compensate delay. +Enable zero phase mode by subtracting timestamp to compensate delay. Default is disabled. @end table 
@@ -3216,7 +3216,7 @@ Can be specified in dB (in case "dB" is appended to the specified value) or amplitude ratio. Default value is @code{0}. @item leave_silence -This indicate that @var{stop_duration} length of audio should be left intact +This indicates that @var{stop_duration} length of audio should be left intact at the beginning of each period of silence. For example, if you want to remove long pauses between words but do not want to remove the pauses completely. Default value is @code{0}. @@ -6622,10 +6622,10 @@ This option does not exist, please see the timeline system @item alpha Draw the text applying alpha blending. The value can -be either a number between 0.0 and 1.0 -The expression accepts the same variables @var{x, y} do. +be a number between 0.0 and 1.0. +The expression accepts the same variables @var{x, y} as well. The default value is 1. -Please see fontcolor_expr +Please see @var{fontcolor_expr}. @item fontsize The font size to be used for drawing text. @@ -6808,7 +6808,7 @@ the following expansion mechanism is used. The backslash character @samp{\}, followed by any character, always expands to the second character. -Sequence of the form @code{%@{...@}} are expanded. The text between the +Sequences of the form @code{%@{...@}} are expanded. The text between the braces is a function name, possibly followed by arguments separated by ':'. If the arguments contain special characters or delimiters (':' or '@}'), they should be escaped. @@ -8714,8 +8714,8 @@ value. Detect video interlacing type. -This filter tries to detect if the input frames as interlaced, progressive, -top or bottom field first. It will also try and detect fields that are +This filter tries to detect if the input frames are interlaced, progressive, +top or bottom field first. It will also try to detect fields that are repeated between adjacent frames (a sign of telecine). Single frame detection considers only immediately adjacent frames when classifying each frame. 
@@ -8782,7 +8782,7 @@ Set progressive threshold. Threshold for repeated field detection. @item half_life Number of frames after which a given frame's contribution to the -statistics is halved (i.e., it contributes only 0.5 to it's +statistics is halved (i.e., it contributes only 0.5 to its classification). The default of 0 means that all frames seen are given full weight of 1.0 forever. @item analyze_interlaced_flag @@ -14281,7 +14281,7 @@ syntax is deprecated: Create a pattern generated by an elementary cellular automaton. The initial state of the cellular automaton can be defined through the -@option(unknown), and @option{pattern} options. If such options are +@option(unknown) and @option{pattern} options. If such options are not specified an initial state is created randomly. At each new frame a new row in the video is filled with the result of @@ -15324,7 +15324,7 @@ Temporally interleave frames from several inputs. These filters read frames from several inputs and send the oldest queued frame to the output. -Input streams must have a well defined, monotonically increasing frame +Input streams must have well defined, monotonically increasing frame timestamp values. In order to submit one frame to output, these filters need to enqueue @@ -15332,9 +15332,9 @@ at least one frame for each input, so they cannot work in case one input is not yet terminated and will not receive incoming frames. For example consider the case when one input is a @code{select} filter -which always drop input frames. The @code{interleave} filter will keep +which always drops input frames. The @code{interleave} filter will keep reading from that input, but it will never be able to send new frames -to output until the input will send an end-of-stream signal. +to output until the input sends an end-of-stream signal. Also, depending on inputs synchronization, the filters will drop frames in case one input receives more frames than the other ones, and 
diff --git a/doc/formats.texi b/doc/formats.texi index f79ebe28ac..2c068c1046 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -195,7 +195,7 @@ delayed bt the time duration specified in @var{offset}. Default value is @code{0} (meaning that no offset is applied). @item format_whitelist @var{list} (@emph{input}) -"," separated List of allowed demuxers. By default all are allowed. +"," separated list of allowed demuxers. By default all are allowed. @item dump_separator @var{string} (@emph{input}) Separator used to separate the fields printed on the command line about the diff --git a/doc/indevs.texi b/doc/indevs.texi index 3fb852b1f8..6cbdf88725 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -656,7 +656,7 @@ is an exact value. For HDV, it is not frame exact, since HDV does not have a fixed frame size. @item dvguid -Select the capture device by specifying it's GUID. Capturing will only +Select the capture device by specifying its GUID. Capturing will only be performed from the specified device and fails if no device with the given GUID is found. This is useful to select the input if multiple devices are connected at the same time. @@ -1319,7 +1319,7 @@ ffmpeg -f x11grab -framerate 25 -video_size cif -i :0.0+10,20 out.mpg @table @option @item draw_mouse -Specify whether to draw the mouse pointer. A value of @code{0} specify +Specify whether to draw the mouse pointer. A value of @code{0} specifies not to draw the pointer. Default value is @code{1}. @item follow_mouse diff --git a/doc/muxers.texi b/doc/muxers.texi index c2ca0ba92d..3e77a4beb6 100644 --- a/doc/muxers.texi +++ b/doc/muxers.texi 
@@ -274,14 +274,14 @@ the loops: ffmpeg -i INPUT -loop 10 -final_delay 500 out.gif @end example -Note 1: if you wish to extract the frames in separate GIF files, you need to +Note 1: if you wish to extract the frames into separate GIF files, you need to force the @ref{image2} muxer: @example ffmpeg -i INPUT -c:v gif -f image2 "out%d.gif" @end example -Note 2: the GIF format has a very small time base: the delay between two frames -can not be smaller than one centi second. +Note 2: the GIF format has a very large time base: the delay between two frames +can therefore not be smaller than one centi second. @anchor{hash} @section hash diff --git a/doc/platform.texi b/doc/platform.texi index 21b135f55d..9ec6ff4733 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -173,7 +173,7 @@ earlier, place @code{c99wrap.exe} and @code{c99conv.exe} somewhere in your Next, make sure any other headers and libs you want to use, such as zlib, are located in a spot that the compiler can see. Do so by modifying the @code{LIB} and @code{INCLUDE} environment variables to include the @strong{Windows-style} -paths to these directories. Alternatively, you can try and use the +paths to these directories. Alternatively, you can try to use the @code{--extra-cflags}/@code{--extra-ldflags} configure options. If using MSVC 2012 or earlier, place @code{inttypes.h} somewhere the compiler can see too. diff --git a/doc/protocols.texi b/doc/protocols.texi index 72b39145ec..0165ff7434 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi 
@@ -355,7 +355,7 @@ autodetection in the future. If set to 1 enables experimental HTTP server. This can be used to send data when used as an output option, or read data from a client with HTTP POST when used as an input option. -If set to 2 enables experimental mutli-client HTTP server. This is not yet implemented +If set to 2 enables experimental multi-client HTTP server. This is not yet implemented in ffmpeg.c or ffserver.c and thus must not be used as a command line option. @example # Server side (sending): From 675258764dce6f9f4a6f5fb58c87731714fb964a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Oct 2016 04:43:22 +0200 Subject: [PATCH 113/658] Update for 3.1.5 Signed-off-by: Michael Niedermayer --- Changelog | 11 ++++++++++- RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 4f2db19190..de4b50fb37 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,16 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 3.1.5: +- doc: fix various typos and grammar errors +- avformat/utils: Update codec_id before using it in the parser init +- cmdutils: fix typos +- lavfi: fix typos +- lavc: fix typos +- tools: fix grammar error +- ffmpeg: remove unused and errorneous AVFrame timestamp check +- Support for MIPS cpu P6600 +- avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r6 version 3.1.4: - avformat/avidec: Check nb_streams in read_gab2_sub() diff --git a/RELEASE b/RELEASE index 0aec50e6ed..3ad0595adc 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.4 +3.1.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 000498bc17..8fa0819b72 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.4 +PROJECT_NUMBER = 3.1.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 1a43626fdf30ecd348809a1639af896c1c71aba5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 11 Oct 2016 20:28:35 +0200 Subject: [PATCH 114/658] configure: fix detection of libopenjpeg Use check_lib2 to test the header together with the function. This is necessary, because '-DOPJ_STATIC' changes what the included header does. Also add '-DOPJ_STATIC' to CPPFLAGS, so that it isn't necessary to hardcode this in libavcodec/libopenjpeg{dec,enc}.c. Finally, check for non-static openjpeg 2.1, too. Reviewed-by: Michael Bradshaw Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a65aef00d113a38e0d1a54df49eead9df6aa15c) Signed-off-by: Andreas Cadhalpun --- configure | 9 +++++---- libavcodec/libopenjpegdec.c | 2 -- libavcodec/libopenjpegenc.c | 2 -- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/configure b/configure index 64142e700f..12158dd9c2 100755 --- a/configure +++ b/configure 
@@ -5675,10 +5675,11 @@ enabled libopencv && { check_header opencv2/core/core_c.h && require opencv opencv2/core/core_c.h cvCreateImageHeader -lopencv_core -lopencv_imgproc; } || require_pkg_config opencv opencv/cxcore.h cvCreateImageHeader; } enabled libopenh264 && require_pkg_config openh264 wels/codec_api.h WelsGetCodecVersion -enabled libopenjpeg && { check_lib openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || - check_lib openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || +enabled libopenjpeg && { { check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 || + { check_lib2 openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || die "ERROR: libopenjpeg not found"; } enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse pulse/pulseaudio.h pa_context_new diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index 65167e6aee..b4ce834778 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c @@ -24,8 +24,6 @@ * JPEG 2000 decoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 14435515bc..5042507ea4 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c 
@@ -24,8 +24,6 @@ * JPEG 2000 encoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" From a22155dacd935e745c439a8646626c13f7e6aae4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 13 Oct 2016 21:16:35 +0200 Subject: [PATCH 115/658] libopenjpegenc: stop reusing image data buffer for openjpeg 2 openjpeg 2 sets the data pointers of the image components to NULL, causing segfaults if the image is reused. Reviewed-by: Michael Bradshaw Signed-off-by: Andreas Cadhalpun (cherry picked from commit 69c8505f3bf54f316e9dc8bec1c71dfa1febec63) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopenjpegenc.c | 41 +++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 5042507ea4..857ee1adf9 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -52,7 +52,9 @@ typedef struct LibOpenJPEGContext { AVClass *avclass; +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_t *image; +#endif // OPENJPEG_MAJOR_VERSION == 1 opj_cparameters_t enc_params; #if OPENJPEG_MAJOR_VERSION == 1 opj_event_mgr_t event_mgr; @@ -369,18 +371,22 @@ static av_cold int libopenjpeg_encode_init(AVCodecContext *avctx) cinema_parameters(&ctx->enc_params); } +#if OPENJPEG_MAJOR_VERSION == 1 ctx->image = mj2_create_image(avctx, &ctx->enc_params); if (!ctx->image) { av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); err = AVERROR(EINVAL); goto fail; } +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; fail: +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return err; } 
@@ -591,19 +597,25 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet) { LibOpenJPEGContext *ctx = avctx->priv_data; - opj_image_t *image = ctx->image; + int ret; + AVFrame *gbrframe; + int cpyresult = 0; #if OPENJPEG_MAJOR_VERSION == 1 + opj_image_t *image = ctx->image; opj_cinfo_t *compress = NULL; opj_cio_t *stream = NULL; int len; #else // OPENJPEG_MAJOR_VERSION == 2 + PacketWriter writer = { 0 }; opj_codec_t *compress = NULL; opj_stream_t *stream = NULL; - PacketWriter writer = { 0 }; + opj_image_t *image = mj2_create_image(avctx, &ctx->enc_params); + if (!image) { + av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); + ret = AVERROR(EINVAL); + goto done; + } #endif // OPENJPEG_MAJOR_VERSION == 1 - int cpyresult = 0; - int ret; - AVFrame *gbrframe; switch (avctx->pix_fmt) { case AV_PIX_FMT_RGB24: @@ -626,8 +638,10 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_GBRP14: case AV_PIX_FMT_GBRP16: gbrframe = av_frame_clone(frame); - if (!gbrframe) - return AVERROR(ENOMEM); + if (!gbrframe) { + ret = AVERROR(ENOMEM); + goto done; + } gbrframe->data[0] = frame->data[2]; // swap to be rgb gbrframe->data[1] = frame->data[0]; gbrframe->data[2] = frame->data[1]; @@ -684,19 +698,21 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, av_log(avctx, AV_LOG_ERROR, "The frame's pixel format '%s' is not supported\n", av_get_pix_fmt_name(avctx->pix_fmt)); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto done; break; } if (!cpyresult) { av_log(avctx, AV_LOG_ERROR, "Could not copy the frame data to the internal image buffer\n"); - return -1; + ret = -1; + goto done; } #if OPENJPEG_MAJOR_VERSION == 2 if ((ret = ff_alloc_packet2(avctx, pkt, 1024, 0)) < 0) { - return ret; + goto done; } #endif // OPENJPEG_MAJOR_VERSION == 2 
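Review bot: In the openjpeg-2 branch the new `opj_image_t *image = mj2_create_image(...)` can `goto done` before `stream` and `compress` are ever assigned, so the unconditional `opj_stream_destroy(stream); opj_destroy_codec(compress); opj_image_destroy(image);` under `done:` is safe only because both are NULL-initialised here and the openjpeg 2 destroy functions tolerate NULL, which they do in the releases I know but is an external contract this file does not control. A comment at the declarations would make the dependency explicit: `/* NULL-initialised: done: destroys unconditionally and relies on opj_*_destroy() accepting NULL */`. Since `image` is now per-frame for v2 while `ctx->image` persists for v1, a one-line note on the `#else` branch giving the reason from the commit message (openjpeg 2 NULLs the component data pointers after encoding) would spare the next reader a git-blame. libopenjpeg_encode_frame() continues past this hunk.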
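Review bot: The copy-failure path in the `@@ -684` hunk still hands back `ret = -1;` before `goto done`, while every other error in the rewritten function uses an `AVERROR(...)` code; the goto conversion is the natural moment to make it `ret = AVERROR(EINVAL);` (or `AVERROR_BUG` if `cpyresult == 0` can only mean a mismatch the pixel-format switch should already have rejected). In the same hunk the default case now reads `goto done; break;`, leaving a dead `break;` that suggests a reachable fallthrough and should be dropped.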
@@ -763,7 +779,7 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, #error Missing call to opj_stream_set_user_data #endif - if (!opj_start_compress(compress, ctx->image, stream) || + if (!opj_start_compress(compress, image, stream) || !opj_encode(compress, stream) || !opj_end_compress(compress, stream)) { av_log(avctx, AV_LOG_ERROR, "Error during the opj encode\n"); @@ -782,6 +798,7 @@ done: #if OPENJPEG_MAJOR_VERSION == 2 opj_stream_destroy(stream); opj_destroy_codec(compress); + opj_image_destroy(image); #else opj_cio_close(stream); opj_destroy_compress(compress); @@ -791,10 +808,12 @@ done: static av_cold int libopenjpeg_encode_close(AVCodecContext *avctx) { +#if OPENJPEG_MAJOR_VERSION == 1 LibOpenJPEGContext *ctx = avctx->priv_data; opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; } From d391719be19be2f2716dcb1da9f88b0b4214e4c4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 13 Oct 2016 22:14:46 +0200 Subject: [PATCH 116/658] libopenjpegenc: fix out-of-bounds reads when filling the edges The calculation of width/height should round up, not round down to prevent setting width or height to 0. Also image->comps[compno].w is unsigned (at least in openjpeg2), so the calculation could silently wrap around without the explicit cast to int. Reviewed-by: Michael Bradshaw Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 56706ac0d5723cb549fec2602e798ab1bf6004cd) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopenjpegenc.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 857ee1adf9..1b7e1684af 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c 
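Review bot: With the image now created at the top of libopenjpeg_encode_frame, the early `goto done` paths added in the previous hunks reach `opj_stream_destroy(stream)` and `opj_destroy_codec(compress)` while both are still NULL (they are initialised to NULL and only created later, outside the visible hunks), so correctness here rests on the openjpeg 2 destroy functions tolerating NULL; if that is not guaranteed for every version the build accepts, guard them with `if (stream) opj_stream_destroy(stream);` and `if (compress) opj_destroy_codec(compress);`. A one-line comment at `done:` stating that `image`, `stream` and `compress` may be NULL on early exit would make that contract explicit. The function containing the `done:` label starts outside this hunk.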
@@ -421,7 +421,7 @@ static int libopenjpeg_copy_packed8(AVCodecContext *avctx, const AVFrame *frame, for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -461,7 +461,7 @@ static int libopenjpeg_copy_packed12(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -501,7 +501,7 @@ static int libopenjpeg_copy_packed16(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -528,8 +528,8 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; frame_index = y * frame->linesize[compno]; 
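Review bot: The `(int)` cast in `image_line[x - (int)image->comps[compno].w]` is doing real work — `comps[].w` is unsigned in openjpeg 2, so without it the subtraction is performed unsigned and the result is a large positive index instead of a negative offset into the previous row — but nothing in the code says so, and an unexplained cast is exactly what a later cleanup removes. A comment on the first occurrence, `/* comps[].w is unsigned (openjpeg 2): keep the subtraction signed so x - w addresses the previous row */`, would protect the fix; the same line recurs in the copy_packed12, copy_packed16 and copy_unpacked8 hunks here and in the copy_unpacked8 and copy_unpacked16 hunks on the next line. The round-up of `width`/`height` in the copy_unpacked8 hunk also guarantees that at least one row is written before the edge-fill loop reads the previous one, which is worth stating next to that calculation, assuming avctx->width and avctx->height are positive at this point — confirm. Each of these hunks sits inside a function whose start lies outside the hunk.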
@@ -542,7 +542,7 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -570,8 +570,8 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; frame_ptr = (uint16_t *)frame->data[compno]; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; @@ -585,7 +585,7 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } From a2d3e7392d2de3919e21cdb1ef0685c58b849e09 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 17 Oct 2016 18:13:44 +0200 Subject: [PATCH 117/658] Changelog: update for recent commits Signed-off-by: Andreas Cadhalpun --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index de4b50fb37..9baf711241 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.1.5: +- libopenjpegenc: fix out-of-bounds reads when filling the edges +- libopenjpegenc: stop reusing image data buffer for openjpeg 2 +- configure: fix detection of libopenjpeg - doc: fix various typos and grammar errors - avformat/utils: Update codec_id before using it in the parser init - cmdutils: fix typos From 2fece989f824a7257066dfd1fd93a058490f68ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Oct 2016 04:23:33 +0200 Subject: [PATCH 118/658] doc/examples/demuxing_decoding: Drop AVFrame->pts use This code is not correct for git master Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 2bd99564540a365d5b80d9aad6c19264b15955af) Signed-off-by: Michael Niedermayer --- doc/examples/demuxing_decoding.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index 49fb6afae1..b1a216abb4 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -93,10 +93,9 @@ static int decode_packet(int *got_frame, int cached) return -1; } - printf("video_frame%s n:%d coded_n:%d pts:%s\n", + printf("video_frame%s n:%d coded_n:%d\n", cached ? "(cached)" : "", - video_frame_count++, frame->coded_picture_number, - av_ts2timestr(frame->pts, &video_dec_ctx->time_base)); + video_frame_count++, frame->coded_picture_number); /* copy decoded frame to destination buffer: * this is required since rawvideo expects non aligned data */ From de487cb765ca5e4ecf600942809ca2d61cdbba81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 13:40:18 +0200 Subject: [PATCH 119/658] avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() Signed-off-by: Michael Niedermayer (cherry picked from commit 4f96f9d1118e073d346d16be157fa5075434e7f2) 
Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f7adb525f8..17dcf60127 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -991,6 +991,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -1003,6 +1004,7 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, if (ret) ret[i] = r; } + emms_c(); return 0; } From 6456a7416e8f04f75752ce6174372e2fc6271a80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 14:05:00 +0200 Subject: [PATCH 120/658] avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() This function must be called from the mb or slice encoding loop and MMX state may not be clean there Signed-off-by: Michael Niedermayer (cherry picked from commit 03ec6b780cfae85b8bf0f32b2eda201063ad061b) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 87d795478a..30d2e2cfde 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2911,6 +2911,8 @@ int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t s return AVERROR(ENOMEM); } + emms_c(); + av_fast_padded_malloc(&new_buffer, &new_buffer_size, s->avctx->internal->byte_buffer_size + size_increase); if (!new_buffer) From 9e6586ceb2f2891730557c7ec8bf5388cc7b0d94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 19:45:21 +0200 Subject: [PATCH 121/658] avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() Signed-off-by: Michael Niedermayer (cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
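Review bot: The `emms_c();` added in ff_mpv_reallocate_putbitbuffer carries no explanation in the code and the reason lives only in the commit message; since it is easy to mistake for a stray call and delete, add `/* reached from the MB/slice loop where MMX state may be dirty; clear it before allocating */` above it. The two `emms_c();` calls in avcodec_default_execute and avcodec_default_execute2 would benefit from the same one-line note, e.g. `/* func() may leave MMX state dirty; clear it before returning to the caller */`. All three functions start outside their hunks.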
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 0affca97a2..17ffdf5239 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -827,7 +827,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i int ret; size_t buf_size; - if (size < 0) + if (size < 0 || size > INT_MAX/2) return AVERROR(EINVAL); buf_size = size + size / 2 + 1; From 2a5c41e3e4a7e763503af59de903d5649dcc071a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Oct 2016 01:37:37 +0200 Subject: [PATCH 122/658] Chagelog: update Signed-off-by: Michael Niedermayer --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog b/Changelog index 9baf711241..ccb0799dff 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,10 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.1.5: +- avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() +- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() +- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() +- doc/examples/demuxing_decoding: Drop AVFrame->pts use - libopenjpegenc: fix out-of-bounds reads when filling the edges - libopenjpegenc: stop reusing image data buffer for openjpeg 2 - configure: fix detection of libopenjpeg From c3f97bf54496ee15a848683c3ca8772367cba216 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 19 Nov 2016 12:38:44 -0300 Subject: [PATCH 123/658] avcodec/avpacket: fix leak on realloc in av_packet_add_side_data() If realloc fails, the pointer is overwritten and the previously allocated buffer is leaked, which goes against the expected behavior of keeping the packet unchanged in case of error. Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 574929d8b6de32ae712fcca7ab09f01a3e4616be) --- libavcodec/avpacket.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
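Review bot: The new `size > INT_MAX/2` bound is correct but its relation to the following line is implicit: `buf_size = size + size / 2 + 1` is evaluated in int before it is widened to size_t, and INT_MAX/2 is the largest size for which that sum stays below INT_MAX. A comment on the check such as `/* size + size/2 + 1 below is computed in int; keep it from overflowing */` would keep the two lines in step if either is changed. mxf_read_utf16_string continues outside the hunk.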
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index bb0fc6c189..443a19ad1d 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -295,16 +295,17 @@ FF_ENABLE_DEPRECATION_WARNINGS int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, uint8_t *data, size_t size) { + AVPacketSideData *tmp; int elems = pkt->side_data_elems; if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) return AVERROR(ERANGE); - pkt->side_data = av_realloc(pkt->side_data, - (elems + 1) * sizeof(*pkt->side_data)); - if (!pkt->side_data) + tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); + if (!tmp) return AVERROR(ENOMEM); + pkt->side_data = tmp; pkt->side_data[elems].data = data; pkt->side_data[elems].size = size; pkt->side_data[elems].type = type; From 230c04e3f6d720cc7fa17735b2ef91570417964d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 16 Oct 2016 22:29:13 +0200 Subject: [PATCH 124/658] aiffdec: fix division by zero Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit c143a9c96ff907a8fe4598529664aec7cb156708) Signed-off-by: Andreas Cadhalpun --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index d191bc4c04..bad92a0e2f 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -376,7 +376,7 @@ static int aiff_read_packet(AVFormatContext *s, size = st->codecpar->block_align; break; default: - size = (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align; + size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); From b3991ccd1170d84f5b5d84566b0c78a42724a073 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 16 Oct 2016 22:39:47 +0200 Subject: [PATCH 125/658] astdec: fix division by zero Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9959a52b14bcfa3e5baeb3fc8a86c04bbc0d3d5d) Signed-off-by: Andreas Cadhalpun --- libavformat/astdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/astdec.c b/libavformat/astdec.c index f3ca721ccf..7a53d0bb70 100644 --- a/libavformat/astdec.c +++ b/libavformat/astdec.c @@ -90,7 +90,7 @@ static int ast_read_packet(AVFormatContext *s, AVPacket *pkt) pos = avio_tell(s->pb); type = avio_rl32(s->pb); size = avio_rb32(s->pb); - if (size > INT_MAX / s->streams[0]->codecpar->channels) + if (!s->streams[0]->codecpar->channels || size > INT_MAX / s->streams[0]->codecpar->channels) return AVERROR_INVALIDDATA; size *= s->streams[0]->codecpar->channels; From d4f64a0f545e48224e985b50848153f0b779b8ff Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 16 Oct 2016 22:42:32 +0200 Subject: [PATCH 126/658] westwood_aud: prevent division by zero Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit bc7e128a6e8e2a79d0ff7cab5e8a799b3ea042ea) Signed-off-by: Andreas Cadhalpun --- libavformat/westwood_aud.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/westwood_aud.c b/libavformat/westwood_aud.c index 4750167f13..9c2d35cb8a 100644 --- a/libavformat/westwood_aud.c +++ b/libavformat/westwood_aud.c @@ -164,6 +164,12 @@ static int wsaud_read_packet(AVFormatContext *s, if (ret != chunk_size) return AVERROR(EIO); + if (st->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", + st->codecpar->channels); + return AVERROR_INVALIDDATA; + } + /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ pkt->duration = (chunk_size * 2) / st->codecpar->channels; } From d69dc10466e234c0e4ff9cb7e4d0e5d63ceeb357 Mon Sep 17 00:00:00 2001 
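Review bot: The new guard in ast_read_packet rejects only `channels == 0`; `codecpar->channels` is an int, and if a negative value could reach this point, `INT_MAX / channels` is negative and the size comparison no longer bounds anything before `size *= channels`. Unless the header parser already rejects negative counts (not visible here), `if (s->streams[0]->codecpar->channels <= 0 || size > INT_MAX / s->streams[0]->codecpar->channels)` would match the `<= 0` check the westwood_aud hunk in the next commit uses. The enclosing function starts outside the hunk.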
From: Andreas Cadhalpun Date: Wed, 19 Oct 2016 19:23:49 +0200 Subject: [PATCH 127/658] avformat: prevent triggering request_probe assert in ff_read_packet If probe_codec is called with pkt == NULL, it sets probe_packets to 0 and request_probe to -1. However, request_probe can change when calling s->iformat->read_packet and thus a probe_packets value of 0 doesn't guarantee a request_probe value of -1. In that case calling probe_codec again is necessary to prevent triggering the assert. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a5b4476a602f31e451b11ca0c18bc92be130a50e) Signed-off-by: Andreas Cadhalpun --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8dc287f202..361744926b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -770,7 +770,7 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; for (i = 0; i < s->nb_streams; i++) { st = s->streams[i]; - if (st->probe_packets) + if (st->probe_packets || st->request_probe > 0) if ((err = probe_codec(s, st, NULL)) < 0) return err; av_assert0(st->request_probe <= 0); From 13f032abbb26c7b47d700745f7ace05375eae34f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 19 Oct 2016 23:40:41 +0200 Subject: [PATCH 128/658] rsd: limit number of channels Negative values don't make sense and too large values can cause overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata buffer being allocated, causing out-of-bounds writes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ee5f0f1d355fa0fd9194ac97a2c8598c93ed328b) Signed-off-by: Andreas Cadhalpun --- libavformat/rsd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index ee6fdfbeb1..5a56e72bb3 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c 
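Review bot: The widened condition `st->probe_packets || st->request_probe > 0` is only understandable with the commit message in hand: read_packet may raise request_probe again after probe_packets has reached 0, so the assert below would otherwise fire. Put that reasoning next to the code, e.g. `/* read_packet may re-request probing after probe_packets hit 0; probe again so the assert below holds */`. ff_read_packet starts outside the hunk.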
@@ -84,8 +84,10 @@ static int rsd_read_header(AVFormatContext *s) } par->channels = avio_rl32(pb); - if (!par->channels) + if (par->channels <= 0 || par->channels > INT_MAX / 36) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", par->channels); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // Bit depth par->sample_rate = avio_rl32(pb); From 2c52b749801454b041d05f6230abe5a0a3fbfdce Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 20 Oct 2016 20:08:15 +0200 Subject: [PATCH 129/658] aiff: check block_align in aiff_read_packet It can be unset in avcodec_parameters_from_context and a value of 0 causes SIGFPE crashes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 93c39db5f1544d1220488cfeb93bfe812a52f374) Signed-off-by: Andreas Cadhalpun --- libavformat/aiffdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index bad92a0e2f..f4c13642ff 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -367,6 +367,11 @@ static int aiff_read_packet(AVFormatContext *s, if (max_size <= 0) return AVERROR_EOF; + if (!st->codecpar->block_align) { + av_log(s, AV_LOG_ERROR, "block_align not set\n"); + return AVERROR_INVALIDDATA; + } + /* Now for that packet */ switch (st->codecpar->codec_id) { case AV_CODEC_ID_ADPCM_IMA_QT: From d77684b85305e9dca9d056c50146f43c08268ac2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 20 Oct 2016 20:13:54 +0200 Subject: [PATCH 130/658] dcstr: fix division by zero Also check for possible overflows. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit b0a043f51b8cc3b420dc3ceaa38fe9aa344799aa) Signed-off-by: Andreas Cadhalpun --- libavformat/dcstr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 69fae417e8..6035dd4334 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c 
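Review bot: The upper bound `par->channels > INT_MAX / 36` uses a bare magic number; the commit message says it protects the ADPCM_THP extradata allocation, but the code does not, so a later change to that allocation could silently invalidate the bound. Name the constant or comment it, tying 36 to the per-channel size it guards (presumably the ADPCM_THP extradata the commit message mentions — the allocation itself is outside this hunk, so check the wording against it), e.g. `/* bound chosen so the per-channel ADPCM_THP extradata size (36 * channels) cannot overflow */`. rsd_read_header continues outside the hunk.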
@@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p) static int dcstr_read_header(AVFormatContext *s) { unsigned codec, align; + int mult; AVStream *st; st = avformat_new_stream(s, NULL); @@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s) align = avio_rl32(s->pb); avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); - st->codecpar->channels *= avio_rl32(s->pb); + mult = avio_rl32(s->pb); + if (st->codecpar->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codecpar->channels) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codecpar->channels, mult); + return AVERROR_INVALIDDATA; + } + st->codecpar->channels *= mult; if (!align || align > INT_MAX / st->codecpar->channels) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; From 72f1701c92f7f021d00c57f4f928efa719fcd53d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 20 Oct 2016 22:14:22 +0200 Subject: [PATCH 131/658] cavsdec: unref frame before referencing again This fixes asserts (from commit 13aae8) in av_frame_ref and av_frame_move_ref. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1966ea012fd72abc8003e95dc3c8ad9e9f197913) Signed-off-by: Andreas Cadhalpun --- libavcodec/cavsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 70ac6f8a42..fed7043c12 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1217,6 +1217,8 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (*got_frame) + av_frame_unref(data); *got_frame = 0; if (!h->got_keyframe) break; From facf964d37eae50d1fb5c354e8d4ab897a624e45 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Thu, 20 Oct 2016 22:51:55 +0200 Subject: [PATCH 132/658] mpeg12dec: unref discarded picture from extradata Otherwise another frame gets referenced into picture, triggering an assert (from commit 13aae8) in av_frame_ref. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a92f8edf0c51781e152651cce2e753ad6e359eb2) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpeg12dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 7e730b80c6..24c3182273 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2784,6 +2784,7 @@ static int mpeg_decode_frame(AVCodecContext *avctx, void *data, avctx->extradata, avctx->extradata_size); if (*got_output) { av_log(avctx, AV_LOG_ERROR, "picture in extradata\n"); + av_frame_unref(picture); *got_output = 0; } s->extradata_decoded = 1; From 5ede8a9d8c263ff2741bf6a6c54b76287be2af36 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 20:47:22 +0100 Subject: [PATCH 133/658] interplayacm: check for too large b This fixes out-of-bounds reads. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 14e4e26559697cfdea584767be4e68474a0a9c7f) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index a676bcb931..2c23fac494 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -325,6 +325,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 3) + (x3 * 9) */ b = get_bits(gb, 5); + if (b > 26) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x3[b] & 0x0F) - 1; n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; 
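Review bot: The limits 26, 124 and 120 in the new `b > …` checks of t15 here and of t27 and t37 on the next line are presumably the last valid indices of mul_3x3, mul_3x5 and mul_2x11 (3*3*3 - 1, 5*5*5 - 1 and 11*11 - 1, as the existing comments on the bit layout suggest), but the numbers are unexplained where they are used; `if (b > 26) { /* mul_3x3 has 3*3*3 entries */` and matching comments for the other two would tie each check to its table size so the two cannot drift apart. Logging through `av_log(NULL, …)` also drops the codec context; if InterplayACMContext carries the AVCodecContext, prefer it so the message is attributed to the decoder instance. All three functions start outside their hunks.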
@@ -350,6 +354,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 5) + (x3 * 25) */ b = get_bits(gb, 7); + if (b > 124) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x5[b] & 0x0F) - 2; n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; @@ -374,6 +382,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 11) */ b = get_bits(gb, 7); + if (b > 120) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_2x11[b] & 0x0F) - 5; n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; From d6fbc7a2daf0311fa7c093d48bcf19d1cf35936a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 21:41:11 +0100 Subject: [PATCH 134/658] interplayacm: validate number of channels The number of channels is used as divisor in decode_frame, so it must not be zero to avoid SIGFPE crashes. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5540d6c1343e6d1e06d6601b7d35884761711e3e) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 2c23fac494..14cad09cff 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -61,6 +61,11 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 14) return AVERROR_INVALIDDATA; + if (avctx->channels <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels: %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + s->level = AV_RL16(avctx->extradata + 12) & 0xf; s->rows = AV_RL16(avctx->extradata + 12) >> 4; s->cols = 1 << s->level; From 5a1433b19ab396cfdc7d52d9b479a7828ce5c707 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 21:18:20 +0100 Subject: [PATCH 135/658] interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE This fixes out-of-bounds reads by the bitstream reader. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 14cad09cff..8b340093df 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -76,7 +76,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->block = av_calloc(s->block_len, sizeof(int)); s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); s->ampbuf = av_calloc(0x10000, sizeof(int)); - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); + s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream)); if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream) return AVERROR(ENOMEM); From e3f671b1014095cf299180f4f052a4daaec567f6 Mon Sep 17 00:00:00 2001 
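Review bot: The `+ 1` in `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1` compensates for the truncating integer division, but a reader has to work that out; a comment `/* pad by AV_INPUT_BUFFER_PADDING_SIZE, rounded up to whole elements */` would make the intent clear. If max_framesize is a plain int derived from extradata (not visible here), the addition happens before av_calloc's own overflow check, so it is worth confirming its range is bounded earlier in decode_init. decode_init starts outside the hunk.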
From: Andreas Cadhalpun Date: Wed, 2 Nov 2016 21:28:49 +0100 Subject: [PATCH 136/658] ppc: pixblockdsp: do unaligned block accesses correctly again This was broken by the following Libav commit: 4c387c7 ppc: dsputil: do unaligned block accesses correctly The following tests fail due to this: fate-checkasm fate-vsynth1-dnxhd-2k-hr-hq fate-vsynth1-dnxhd-edge1-hr fate-vsynth1-dnxhd-edge2-hr fate-vsynth1-dnxhd-edge3-hr fate-vsynth1-dnxhd-hr-sq-mov fate-vsynth1-dnxhd-hr-hq-mov fate-vsynth2-dnxhd-2k-hr-hq fate-vsynth2-dnxhd-edge1-hr fate-vsynth2-dnxhd-edge2-hr fate-vsynth2-dnxhd-edge3-hr fate-vsynth2-dnxhd-hr-sq-mov fate-vsynth2-dnxhd-hr-hq-mov fate-vsynth3-dnxhd-2k-hr-hq fate-vsynth3-dnxhd-edge1-hr fate-vsynth3-dnxhd-edge2-hr fate-vsynth3-dnxhd-edge3-hr fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov Fixes trac ticket #5508. Reviewed-by: Carl Eugen Hoyos Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3932ccc472ad4f4d370dcfc1c2f574b0f3acb88c) Signed-off-by: Andreas Cadhalpun --- libavcodec/ppc/pixblockdsp.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/ppc/pixblockdsp.c b/libavcodec/ppc/pixblockdsp.c index 84aa562bb6..f3a5050469 100644 --- a/libavcodec/ppc/pixblockdsp.c +++ b/libavcodec/ppc/pixblockdsp.c @@ -67,10 +67,10 @@ static void get_pixels_altivec(int16_t *restrict block, const uint8_t *pixels, ptrdiff_t line_size) { int i; - vec_u8 perm = vec_lvsl(0, pixels); const vec_u8 zero = (const vec_u8)vec_splat_u8(0); for (i = 0; i < 8; i++) { + vec_u8 perm = vec_lvsl(0, pixels); /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ @@ -157,8 +157,7 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, const uint8_t *s2, int stride) { int i; - vec_u8 perm1 = vec_lvsl(0, s1); - vec_u8 perm2 = vec_lvsl(0, s2); + vec_u8 perm; const vec_u8 zero = (const vec_u8)vec_splat_u8(0); vec_s16 shorts1, shorts2; 
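Review bot: Moving `vec_lvsl` inside the loop in get_pixels_altivec (and the per-load `perm = vec_lvsl(0, s1)` / `perm = vec_lvsl(0, s2)` in the diff_pixels_altivec hunks here and on the next line) is correct but silent about why: the permute vector depends on the pointer's alignment, and the pointers advance by a stride that need not be a multiple of 16. A comment at the first recomputation, `/* alignment can change every row: recompute the permute vector per load */`, would stop the next reader from hoisting it back out, which is exactly the regression this commit undoes. Both functions start outside their hunks.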
@@ -166,17 +165,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); vec_u8 pixl = vec_ld(0, s1); vec_u8 pixr = vec_ld(15, s1); - vec_u8 bytes = vec_perm(pixl, pixr, perm1); + vec_u8 bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); @@ -197,17 +198,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); pixl = vec_ld(0, s1); pixr = vec_ld(15, s1); - bytes = vec_perm(pixl, pixr, perm1); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); From cb0b8182448cd3888837f8c33cd8686ba0eb04a1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 19:00:17 +0100 Subject: [PATCH 137/658] diracdec: check return code of get_buffer_with_edge If it fails, buffers aren't allocated, causing NULL pointer dereferencing. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Andreas Cadhalpun (cherry picked from commit db79dedb1ae5dd38432eee3f09155e26f3f2d95a) 
Signed-off-by: Andreas Cadhalpun --- libavcodec/diracdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 769dac3655..357da97b0d 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1900,7 +1900,9 @@ static int dirac_decode_picture_header(DiracContext *s) for (j = 0; j < MAX_FRAMES; j++) if (!s->all_frames[j].avframe->data[0]) { s->ref_pics[i] = &s->all_frames[j]; - get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + ret = get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + if (ret < 0) + return ret; break; } From 1af13ea53930963981f929f78c08ca883751fdbe Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 22:58:49 +0100 Subject: [PATCH 138/658] lzf: update pointer p after realloc This fixes heap-use-after-free detected by AddressSanitizer. Reviewed-by: Luca Barbato Signed-off-by: Andreas Cadhalpun (cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468) Signed-off-by: Andreas Cadhalpun --- libavcodec/lzf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 409a7ffdd3..5b7526ef18 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } bytestream2_get_buffer(gb, p, s); @@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } av_memcpy_backptr(p, off, l); From 50d34cbf5ac86a42d3273765ce8292a06ae11158 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 5 Nov 2016 00:17:53 +0100 Subject: [PATCH 139/658] mxfdec: fix NULL pointer dereference Metadata streams have priv_data set to NULL. Reviewed-by: Michael Niedermayer 
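Review bot: The two new `p = *buf + len;` lines in ff_lzf_uncompress fix the stale pointer but leave no hint that `p` aliases `*buf`; `p = *buf + len; /* av_reallocp may have moved the buffer */` on both would make the invariant visible, and a small helper that grows the buffer and re-derives `p` would keep the pattern from being copied a third time without the fix. It is also worth checking that no other pointer into `*buf` survives the reallocation elsewhere in the function, which is outside the hunk. ff_lzf_uncompress starts outside the hunk.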
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 0efb6106118c17308b3fdc3190f5e5bf84b01d5c) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 17ffdf5239..a7cc9b8eeb 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -383,7 +383,7 @@ static int mxf_get_stream_index(AVFormatContext *s, KLVPacket *klv) for (i = 0; i < s->nb_streams; i++) { MXFTrack *track = s->streams[i]->priv_data; /* SMPTE 379M 7.3 */ - if (!memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number))) + if (track && !memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number))) return i; } /* return 0 if only one stream, for OP Atom files with 0 as track number */ From a40189348710e37fe25fc72ef71a05ec53c138f1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 7 Nov 2016 01:16:14 +0100 Subject: [PATCH 140/658] mpegaudio_parser: don't return AVERROR_PATCHWELCOME The API does not allow returning AVERROR codes. It triggers an assert in av_parser_parse2. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5249706e9d2ec5ed1b07d8ffdbb8fb9104261f6d) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 873f941237..8c39825792 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -98,7 +98,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); - return AVERROR_PATCHWELCOME; + return 0; /* parsers must not return error codes */ } break; From c19e9657049d1ac67aee658b2f7ad12ba051b0cd Mon Sep 17 00:00:00 2001 
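Review bot: `track && !memcmp(…)` is right, but the reason a stream has no MXFTrack is only in the commit message; `MXFTrack *track = s->streams[i]->priv_data; /* NULL for metadata streams */` keeps that knowledge at the point of use, where the next loop over s->streams will need it. mxf_get_stream_index starts outside the hunk.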
From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 00:42:23 +0100 Subject: [PATCH 141/658] matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header The code assumes that s->streams[0] is valid. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ff100c9dd97d2f1f456ff38b192edf84f9744738) Signed-off-by: Andreas Cadhalpun --- libavformat/matroskadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f3d701fe4d..3c7ab1c9c5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3749,6 +3749,11 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } + if (!s->nb_streams) { + matroska_read_close(s); + av_log(s, AV_LOG_ERROR, "No streams found\n"); + return AVERROR_INVALIDDATA; + } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); From e1c1cb4aa148d598b5ad163a3dd7e303b3522636 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 7 Nov 2016 23:37:59 +0100 Subject: [PATCH 142/658] mpegts: prevent division by zero Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6) Signed-off-by: Andreas Cadhalpun --- libavformat/mpegts.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index b31d233642..6767b65ec8 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
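Review bot: The new no-streams path calls matroska_read_close before returning, whereas the preceding "Failed to read file headers" path in the context lines returns -1 without it; if that earlier failure also leaves state allocated by the header read, it should release it the same way, and if it does not, a short comment on the new block saying why cleanup is needed here would keep the two paths from drifting. Returning AVERROR_INVALIDDATA rather than -1 is the better choice and the older path could follow it. webm_dash_manifest_read_header starts outside the hunk.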
@@ -2635,8 +2635,17 @@ static int mpegts_read_header(AVFormatContext *s) packet_count[nb_pcrs] = nb_packets; pcrs[nb_pcrs] = pcr_h * 300 + pcr_l; nb_pcrs++; - if (nb_pcrs >= 2) - break; + if (nb_pcrs >= 2) { + if (pcrs[1] - pcrs[0] > 0) { + /* the difference needs to be positive to make sense for bitrate computation */ + break; + } else { + av_log(ts->stream, AV_LOG_WARNING, "invalid pcr pair %"PRId64" >= %"PRId64"\n", pcrs[0], pcrs[1]); + pcrs[0] = pcrs[1]; + packet_count[0] = packet_count[1]; + nb_pcrs--; + } + } } else { finished_reading_packet(s, ts->raw_packet_size); } From 356e035773aa2208b985521991de125dc49cf603 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 23:53:52 +0100 Subject: [PATCH 143/658] icodec: fix leaking pkt on error Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 8019a35f44..fa985fb313 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -174,8 +174,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) + if ((ret = avio_read(pb, buf, image->size)) < 0) { + av_packet_unref(pkt); return ret; + } st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14); From 6a7f0585ab195bb90ed2d3938633c4cd5fe4bc09 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 23:54:41 +0100 Subject: [PATCH 144/658] icodec: add ico_read_close to fix leaking ico->images Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit d54c95a1435a8a3fcd599108ec85b7f56a0fcbf9) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
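Review bot: The `/* the difference needs to be positive ... */` comment is placed inside the branch after the condition it explains; put it on the `if (pcrs[1] - pcrs[0] > 0)` line and say what the else branch does, e.g. `/* non-increasing PCR pair: drop the first one and keep searching */`. A stream whose PCR never increases now logs one warning per discarded pair and keeps the loop going; the loop's packet bound is outside the hunk, so please confirm termination is still guaranteed by the outer loop and consider rate-limiting the warning on such input.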
diff --git a/libavformat/icodec.c b/libavformat/icodec.c index fa985fb313..a0e126a390 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -199,6 +199,13 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) return 0; } +static int ico_read_close(AVFormatContext * s) +{ + IcoDemuxContext *ico = s->priv_data; + av_freep(&ico->images); + return 0; +} + AVInputFormat ff_ico_demuxer = { .name = "ico", .long_name = NULL_IF_CONFIG_SMALL("Microsoft Windows ICO"), @@ -206,5 +213,6 @@ AVInputFormat ff_ico_demuxer = { .read_probe = probe, .read_header = read_header, .read_packet = read_packet, + .read_close = ico_read_close, .flags = AVFMT_NOTIMESTAMPS, }; From 1499f65ad42a4f4519f27a7d3b01c55146ce2ad0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 00:38:50 +0100 Subject: [PATCH 145/658] escape124: reject codebook size 0 It causes a cb_depth of 32, leading to assertion failures in get_bits. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5) Signed-off-by: Andreas Cadhalpun --- libavcodec/escape124.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 9a51bdaa9c..71e22779f6 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -250,6 +250,10 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This codebook can be cut off at places other than // powers of 2, leaving some of the entries undefined. cb_size = get_bits_long(&gb, 20); + if (!cb_size) { + av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n"); + return AVERROR_INVALIDDATA; + } cb_depth = av_log2(cb_size - 1) + 1; } else { cb_depth = get_bits(&gb, 4); From 727ec4acc471b167f8af5211e860e2def6d47d02 Mon Sep 17 00:00:00 2001 
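Review bot: `static int ico_read_close(AVFormatContext * s)` puts a space on both sides of the `*`, unlike the other signatures in this file (`AVFormatContext *s, AVPacket *pkt` in the read_packet context just above); write `static int ico_read_close(AVFormatContext *s)`. A one-line comment stating that this releases the image table (presumably allocated by read_header) would help, and since av_freep on a NULL pointer is a no-op the hook is safe even when read_header failed early.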
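Review bot: The new `!cb_size` check does not say why zero is invalid, and the reason is not obvious from `cb_depth = av_log2(cb_size - 1) + 1` alone; suggest `/* cb_size - 1 would wrap to all ones and give cb_depth 32, which get_bits cannot serve */`, taken from the commit message. The upper end of the 20-bit field is still accepted; whether cb_size is later bounded against the codebook actually allocated is outside the hunk and worth confirming. escape124_decode_frame begins outside the hunk.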
From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 23:49:46 +0100 Subject: [PATCH 146/658] proresdec_lgpl: explicitly check coff[3] against slice_data_size The implicit checks via v_data_size and a_data_size don't work in the case '(hdr_size > 7) && !ctx->alpha_info'. This fixes segmentation faults due to invalid reads. This problem was introduced in commit 547c2f002a87f4412a83c23b0d60364be5e7ce58. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70) Signed-off-by: Andreas Cadhalpun --- libavcodec/proresdec_lgpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c index 467a423f23..bc5bdb5a4d 100644 --- a/libavcodec/proresdec_lgpl.c +++ b/libavcodec/proresdec_lgpl.c @@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) /* if V or alpha component size is negative that means that previous component sizes are too large */ - if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) { + if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) { av_log(avctx, AV_LOG_ERROR, "invalid data size\n"); return AVERROR_INVALIDDATA; } From 5c2e26275cb130293691ed0b335db0a67e8abbcf Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 22:32:42 +0100 Subject: [PATCH 147/658] dvbsubdec: fix division by zero in compute_default_clut This problem was introduced in commit 4b90dcb8493552c17a811c8b1e6538dae4061f9d. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924) Signed-off-by: Andreas Cadhalpun --- libavcodec/dvbsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index e9f4765b15..bf3b1a1019 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c 
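Review bot: The comment above the condition (`/* if V or alpha component size is negative that means that previous component sizes are too large */`) no longer describes the full check, because the new `coff[3] > slice_data_size` term rejects a fourth-component offset past the slice even when v_data_size and a_data_size look fine. Extend it with the case from the commit message, e.g. `/* ...; coff[3] is checked explicitly because v_data_size/a_data_size do not cover hdr_size > 7 without alpha */`. decode_slice starts outside the hunk.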
@@ -810,7 +810,7 @@ static void compute_default_clut(AVSubtitleRect *rect, int w, int h) list_inv[ i ] = bestv; } - count = i - 1; + count = FFMAX(i - 1, 1); for (i--; i>=0; i--) { int v = i*255/count; AV_WN32(rect->data[1] + 4*list_inv[i], RGBA(v/2,v,v/2,v)); From c35a140e71710d815bab9581e928b42177feaf7e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 23:29:28 +0100 Subject: [PATCH 148/658] icodec: correctly check avio_read return value It can read less than the requested amount, in which case buf contains uninitialized data, causing problems like segmentation faults later on. Also make sure that image->size is positive, so that it can't match a negative error code. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index a0e126a390..f33fa1195b 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -109,6 +109,10 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 5); ico->images[i].size = avio_rl32(pb); + if (ico->images[i].size <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + return AVERROR_INVALIDDATA; + } ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) @@ -174,9 +178,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) { + if ((ret = avio_read(pb, buf, image->size)) != image->size) { av_packet_unref(pkt); - return ret; + return ret < 0 ? ret : AVERROR_INVALIDDATA; } st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14); From eaf79ac2d9c18bce3c1990dbf6722e90d9c788b1 Mon Sep 17 00:00:00 2001 
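Review bot: `count = FFMAX(i - 1, 1);` fixes the division but leaves no explanation, and `count` is the divisor in `v = i*255/count` two lines below; suggest `/* i == 1 would give count 0; clamp so the division below is defined */`. With i == 1 the single entry now gets v == 0 rather than 255, which is a behavioural choice worth stating in the same comment. compute_default_clut begins outside the hunk.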
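Review bot: The new `ico->images[i].size <= 0` check in read_header bounds the size only from below, so a value up to INT_MAX still passes; since that size is what the second hunk hands to avio_read in read_packet, an upper bound against the remaining input (avio_size) would stop a hostile directory entry from requesting a huge read buffer. In read_packet, `ret < 0 ? ret : AVERROR_INVALIDDATA` is the right mapping for a short read; a comment such as `/* short read: buf would contain uninitialized bytes */` keeps the reason from the commit message with the code.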
From: Andreas Cadhalpun Date: Thu, 10 Nov 2016 22:09:03 +0100 Subject: [PATCH 149/658] smvjpegdec: make sure cur_frame is not negative This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c) Signed-off-by: Andreas Cadhalpun --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 9057e86161..e319e5781b 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz cur_frame = avpkt->pts % s->frames_per_jpeg; + /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */ + if (cur_frame < 0) + cur_frame += s->frames_per_jpeg; + /* Are we at the start of a block? */ if (!cur_frame) { av_frame_unref(mjpeg_data); From a5ba9eab44da13bb0683193e2382f1bfd853a47e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 01:09:35 +0100 Subject: [PATCH 150/658] pnmdec: make sure v is capped by maxval Otherwise put_bits can be called with a value that doesn't fit in the sample_len, causing an assertion failure. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80) Signed-off-by: Andreas Cadhalpun --- libavcodec/pnmdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index d4261a4530..4e2045d2b3 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c 
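Review bot: `cur_frame = avpkt->pts % s->frames_per_jpeg` followed by the negative fix-up silently accepts a packet with pts == AV_NOPTS_VALUE, which is negative and would be mapped to some frame index instead of being rejected; if that value can reach this decoder, an explicit `if (avpkt->pts == AV_NOPTS_VALUE) return AVERROR_INVALIDDATA;` (or a documented default) before the modulo is clearer. The modulo also relies on frames_per_jpeg being positive, which is presumably validated at init but is not visible here. smvjpeg_decode_frame starts outside the hunk.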
@@ -43,7 +43,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, int buf_size = avpkt->size; PNMContext * const s = avctx->priv_data; AVFrame * const p = data; - int i, j, n, linesize, h, upgrade = 0, is_mono = 0; + int i, j, k, n, linesize, h, upgrade = 0, is_mono = 0; unsigned char *ptr; int components, sample_len, ret; @@ -143,10 +143,14 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, v = (*s->bytestream++)&1; } else { /* read a sequence of digits */ - do { + for (k = 0; k < 5 && c <= 9; k += 1) { v = 10*v + c; c = (*s->bytestream++) - '0'; - } while (c <= 9); + } + if (v > s->maxval) { + av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval); + return AVERROR_INVALIDDATA; + } } if (sample_len == 16) { ((uint16_t*)ptr)[j] = (((1<maxval>>1))/s->maxval; From 52d8c1e474c3e11fed06cf17e22c1e59406a0ce3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 18:22:12 +0100 Subject: [PATCH 151/658] filmstripdec: correctly check image dimensions This prevents a division by zero in read_packet. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60) Signed-off-by: Andreas Cadhalpun --- libavformat/filmstripdec.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/filmstripdec.c b/libavformat/filmstripdec.c index 414e276bfe..0aeb5947b0 100644 --- a/libavformat/filmstripdec.c +++ b/libavformat/filmstripdec.c @@ -25,6 +25,7 @@ */ #include "libavutil/intreadwrite.h" +#include "libavutil/imgutils.h" #include "avformat.h" #include "internal.h" 
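Review bot: The new `for (k = 0; k < 5 && c <= 9; k += 1)` loop stops after five digits while `c` may still hold a digit that has already been consumed from the bytestream, so a value such as `000001` is read as 0 and the following digit is lost, and the maxval check does not notice because v stays small. Add after the loop `if (c <= 9) { av_log(avctx, AV_LOG_ERROR, "too many digits\n"); return AVERROR_INVALIDDATA; }`, since the loop can only exit with c <= 9 when the digit cap was hit. Whether the loop is bounded by the end of the packet is outside the hunk; `k += 1` would conventionally be `k++`.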
@@ -68,10 +69,8 @@ static int read_header(AVFormatContext *s) st->codecpar->height = avio_rb16(pb); film->leading = avio_rb16(pb); - if (st->codecpar->width * 4LL * st->codecpar->height >= INT_MAX) { - av_log(s, AV_LOG_ERROR, "dimensions too large\n"); - return AVERROR_PATCHWELCOME; - } + if (av_image_check_size(st->codecpar->width, st->codecpar->height, 0, s) < 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 64, 1, avio_rb16(pb)); From d000e66c4f2f6275fc24a424ae85f7e092293347 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 20:52:02 +0100 Subject: [PATCH 152/658] softfloat: handle -INT_MAX correctly This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d) Signed-off-by: Andreas Cadhalpun --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a3b2238585..48d0d59fd4 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -175,7 +175,7 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; - if(v == INT_MIN){ + if(v <= INT_MIN + 1){ exp_offset = 1; v>>=1; } From 89a22d3fbff3db11a0a09e55778ed0e041210327 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 22:59:47 +0100 Subject: [PATCH 153/658] libschroedingerdec: don't produce empty frames They are not valid and can cause problems/crashes for API users. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b) Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index 152cbe7d47..fe20e9c613 100644 
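Review bot: The `av_image_check_size(...)` replacement drops the `"dimensions too large"` message the removed check logged, and nothing states that zero dimensions are now rejected too, which per the commit message is the actual fix because read_packet divides by them. av_image_check_size logs through the `s` context it is given, so the lost message is minor; a comment such as `/* rejects zero or oversized dimensions; read_packet divides by them */` keeps the intent visible. read_header begins outside the hunk.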
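Review bot: `if(v <= INT_MIN + 1)` widens an exact INT_MIN test to a range without saying why; the commit message gives the reason, so add `/* -INT_MAX needs the same pre-shift as INT_MIN */` on the condition. The `v>>=1` on a negative value in the same branch is implementation-defined in C (an arithmetic shift is assumed), which is pre-existing but worth a word in the same comment. av_int2sf starts on the hunk's context line and continues outside it.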
--- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -307,7 +307,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, /* Grab next frame to be returned from the top of the queue. */ framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); - if (framewithpts && framewithpts->frame) { + if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { int ret; if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) From f70e9726dcad6dfe13b64b8878ee12a9e41063ed Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 23:10:06 +0100 Subject: [PATCH 154/658] libschroedingerdec: fix leaking of framewithpts Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e) Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index fe20e9c613..471077b2fe 100644 --- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -218,6 +218,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, int outer = 1; SchroParseUnitContext parse_ctx; LibSchroFrameContext *framewithpts = NULL; + int ret; *got_frame = 0; @@ -308,10 +309,9 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { - int ret; if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) - return ret; + goto end; memcpy(avframe->data[0], framewithpts->frame->components[0].data, 
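Review bot: The `framewithpts->frame->components[0].stride` test has no comment explaining that a zero stride marks an empty frame, and only component 0 is checked while the code further down also reads components 1 and 2; if an empty frame can carry a nonzero luma stride with zero chroma strides the check would miss it, so please confirm or test all three. Suggest `/* a zero stride means an empty frame that must not be returned to the caller */`. libschroedinger_decode_frame starts outside the hunk.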
@@ -332,15 +332,17 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, avframe->linesize[2] = framewithpts->frame->components[2].stride; *got_frame = 1; - - /* Now free the frame resources. */ - libschroedinger_decode_frame_free(framewithpts->frame); - av_free(framewithpts); } else { data = NULL; *got_frame = 0; } - return buf_size; + ret = buf_size; +end: + /* Now free the frame resources. */ + if (framewithpts && framewithpts->frame) + libschroedinger_decode_frame_free(framewithpts->frame); + av_freep(&framewithpts); + return ret; } From 71378e7937bd458233b75b4d73f0aabc3ac437fa Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Nov 2016 20:46:56 +0100 Subject: [PATCH 155/658] exr: fix out-of-bounds read channel_index can be -1. This problem was introduced in commit 2dd7b46132e2801ef34fe1b5c27e0113cdcfa2f9. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit ffdc5d09e498bee8176c9e35df101c01c546a738) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index de46028d18..f62b0971a7 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1417,8 +1417,7 @@ static int decode_header(EXRContext *s) return AVERROR_PATCHWELCOME; } - if (s->channel_offsets[channel_index] == -1){/* channel have not been previously assign */ - if (channel_index >= 0) { + if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ if (s->pixel_type != EXR_UNKNOWN && s->pixel_type != current_pixel_type) { av_log(s->avctx, AV_LOG_ERROR, @@ -1427,7 +1426,6 @@ static int decode_header(EXRContext *s) } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; - } } s->channels = av_realloc(s->channels, From cb936d62664c25909b320ec230b41b5a2b9c9ed3 Mon Sep 17 00:00:00 2001 
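Review bot: The `end:` cleanup now also runs on the `ff_get_buffer` failure path, which frees the frame that was just popped from the queue, so that frame is lost rather than returned on a later call; the comment should say so: `/* Free the popped frame on both the success and the error path; on error the frame is dropped */`. `ret` is assigned on every path that reaches `end` as far as the hunk shows, but the declaration added in the first hunk is uninitialised, so `int ret = 0;` there would be robust against future early jumps.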
From: Andreas Cadhalpun Date: Wed, 16 Nov 2016 20:47:35 +0100 Subject: [PATCH 156/658] exr: reindent after previous commit Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce3147eb198770b558acf6c05f33cb807a413707) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index f62b0971a7..a811c02b8a 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1418,14 +1418,14 @@ static int decode_header(EXRContext *s) } if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ - if (s->pixel_type != EXR_UNKNOWN && - s->pixel_type != current_pixel_type) { - av_log(s->avctx, AV_LOG_ERROR, - "RGB channels not of the same depth.\n"); - return AVERROR_INVALIDDATA; - } - s->pixel_type = current_pixel_type; - s->channel_offsets[channel_index] = s->current_channel_offset; + if (s->pixel_type != EXR_UNKNOWN && + s->pixel_type != current_pixel_type) { + av_log(s->avctx, AV_LOG_ERROR, + "RGB channels not of the same depth.\n"); + return AVERROR_INVALIDDATA; + } + s->pixel_type = current_pixel_type; + s->channel_offsets[channel_index] = s->current_channel_offset; } s->channels = av_realloc(s->channels, From b4f42e5c85f589556ed486fc743fbe16f8ed88c8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 17 Nov 2016 00:04:57 +0100 Subject: [PATCH 157/658] ffmdec: validate codec parameters A negative extradata size for example gets passed to memcpy in avcodec_parameters_from_context causing a segmentation fault. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1c7da19a4b45f5623cb3955b29b9a581026e3c61) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 16ba8ecf58..960e793220 100644 
--- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -21,6 +21,7 @@ #include +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "libavutil/intfloat.h" @@ -28,6 +29,7 @@ #include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/pixdesc.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "internal.h" #include "ffm.h" @@ -277,6 +279,14 @@ static int ffm_append_recommended_configuration(AVStream *st, char **conf) return 0; } +#define VALIDATE_PARAMETER(parameter, name, check) { \ + if (check) { \ + av_log(codec, AV_LOG_ERROR, "Invalid " name " %d\n", codec->parameter); \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ +} + static int ffm2_read_header(AVFormatContext *s) { FFMContext *ffm = s->priv_data; @@ -342,6 +352,7 @@ static int ffm2_read_header(AVFormatContext *s) if (!codec_desc) { av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); codec->codec_id = AV_CODEC_ID_NONE; + ret = AVERROR_INVALIDDATA; goto fail; } codec->codec_type = avio_r8(pb); @@ -350,14 +361,25 @@ static int ffm2_read_header(AVFormatContext *s) codec_desc->type, codec->codec_type); codec->codec_id = AV_CODEC_ID_NONE; codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + ret = AVERROR_INVALIDDATA; goto fail; } codec->bit_rate = avio_rb32(pb); + if (codec->bit_rate < 0) { + av_log(codec, AV_LOG_ERROR, "Invalid bit rate %"PRId64"\n", codec->bit_rate); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); codec->debug = avio_rb32(pb); if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { int size = avio_rb32(pb); + if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) { + av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec->extradata) return AVERROR(ENOMEM); 
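Review bot: The new `VALIDATE_PARAMETER` macro is a bare brace block rather than `do { ... } while (0)`, so its uses in the later hunks appear without a trailing semicolon and could not be placed in an unbraced `if`/`else`; it also relies on `codec`, `ret` and the `fail` label being in scope at every use site, which should be stated above it. Suggest `/* expects AVCodecContext *codec, int ret and a fail: label in the caller */` plus the do/while form; the same applies to its uses in the ffm_read_header hunks further down. The bit_rate and extradata checks in this hunk use `codec` as log context where neighbouring code logs with `s`; either works, but one should be chosen.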
@@ -380,6 +402,9 @@ static int ffm2_read_header(AVFormatContext *s) } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); + ret = av_image_check_size(codec->width, codec->height, 0, s); + if (ret < 0) + goto fail; codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); if (!av_pix_fmt_desc_get(codec->pix_fmt)) { @@ -432,8 +457,11 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; } codec->sample_rate = avio_rb32(pb); + VALIDATE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0) codec->channels = avio_rl16(pb); + VALIDATE_PARAMETER(channels, "number of channels", codec->channels < 0) codec->frame_size = avio_rl16(pb); + VALIDATE_PARAMETER(frame_size, "frame size", codec->frame_size < 0) break; case MKBETAG('C', 'P', 'R', 'V'): if (f_cprv++) { @@ -513,7 +541,7 @@ static int ffm_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVCodecContext *codec; const AVCodecDescriptor *codec_desc; - int i, nb_streams; + int i, nb_streams, ret; uint32_t tag; /* header */ @@ -565,6 +593,10 @@ static int ffm_read_header(AVFormatContext *s) goto fail; } codec->bit_rate = avio_rb32(pb); + if (codec->bit_rate < 0) { + av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate); + goto fail; + } codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); codec->debug = avio_rb32(pb); @@ -580,6 +612,8 @@ static int ffm_read_header(AVFormatContext *s) } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); + if (av_image_check_size(codec->width, codec->height, 0, s) < 0) + goto fail; codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); if (!av_pix_fmt_desc_get(codec->pix_fmt)) { 
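Review bot: `ret` is added to ffm_read_header's declarations here, but the new bit_rate and av_image_check_size failures jump to `fail` without assigning it, so `ret` is only written by the VALIDATE_PARAMETER uses in the next hunk; if the `fail` label (outside the hunk) returns `ret`, those paths return an indeterminate value, and if it returns a constant, `ret` is set but never read. Either assign `ret = AVERROR_INVALIDDATA;` before each `goto fail` as ffm2_read_header does in the hunk above, or drop `ret` from this function. The bit_rate rejection also logs at AV_LOG_WARNING while the ffm2 counterpart uses AV_LOG_ERROR for the same condition.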
@@ -628,14 +662,21 @@ static int ffm_read_header(AVFormatContext *s) break; case AVMEDIA_TYPE_AUDIO: codec->sample_rate = avio_rb32(pb); + VALIDATE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0) codec->channels = avio_rl16(pb); + VALIDATE_PARAMETER(channels, "number of channels", codec->channels < 0) codec->frame_size = avio_rl16(pb); + VALIDATE_PARAMETER(frame_size, "frame size", codec->frame_size < 0) break; default: goto fail; } if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { int size = avio_rb32(pb); + if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) { + av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size); + goto fail; + } codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec->extradata) return AVERROR(ENOMEM); From 315f1dea84a3865dfaf949f99c9828a5b8dd4bcc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 17 Nov 2016 22:53:51 +0100 Subject: [PATCH 158/658] mxfdec: fix NULL pointer dereference in mxf_read_packet_old Metadata streams have priv_data set to NULL. Reviewed-by: Josh de Kock Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a7cc9b8eeb..5de13cca19 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3016,7 +3016,7 @@ static int mxf_read_packet_old(AVFormatContext *s, AVPacket *pkt) if (mxf->nb_index_tables >= 1 && mxf->current_edit_unit < t->nb_ptses) { pkt->dts = mxf->current_edit_unit + t->first_dts; pkt->pts = t->ptses[mxf->current_edit_unit]; - } else if (track->intra_only) { + } else if (track && track->intra_only) { /* intra-only -> PTS = EditUnit. * let utils.c figure out DTS since it can be < PTS if low_delay = 0 (Sony IMX30) */ pkt->pts = mxf->current_edit_unit; From 53e1493cb5a0977407c7869ec9adf4555ef07c66 Mon Sep 17 00:00:00 2001 
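Review bot: The three `VALIDATE_PARAMETER(..., < 0)` checks in this hunk, and the identical ones in the ffm2_read_header hunk above, reject negative values but accept 0 for sample_rate, channels and frame_size; whether a zero in any of these is safe for the code that later consumes the stream (divisions by sample_rate or channels are common in audio paths) is not visible here, so please confirm or tighten to `<= 0` where a zero is never valid. The extradata check's `goto fail` again leaves `ret` unassigned, as noted on the previous hunk.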
From: Andreas Cadhalpun Date: Sat, 19 Nov 2016 14:21:11 +0100 Subject: [PATCH 159/658] smacker: limit recursion depth of smacker_decode_bigtree This fixes segmentation faults due to stack-overflow caused by too deep recursion. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e) Signed-off-by: Andreas Cadhalpun --- libavcodec/smacker.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index f4fc16c42c..9085a8a427 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -129,8 +129,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref /** * Decode header tree */ -static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx) +static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length) { + if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion. + av_log(NULL, AV_LOG_ERROR, "length too long\n"); + return AVERROR_INVALIDDATA; + } if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; @@ -159,12 +163,12 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx int r = 0, r_new, t; t = hc->current++; - r = smacker_decode_bigtree(gb, hc, ctx); + r = smacker_decode_bigtree(gb, hc, ctx, length + 1); if(r < 0) return r; hc->values[t] = SMK_NODE | r; r++; - r_new = smacker_decode_bigtree(gb, hc, ctx); + r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1); if (r_new < 0) return r_new; return r + r_new; @@ -275,7 +279,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int goto error; } - if (smacker_decode_bigtree(gb, &huff, &ctx) < 0) + if (smacker_decode_bigtree(gb, &huff, &ctx, 0) < 0) err = -1; skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; 
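Review bot: `if(length > 500)` hard-codes the recursion limit and the parameter is named `length` although it counts recursion depth; a named constant (a suggested name would be `SMK_MAX_TREE_DEPTH`) and a parameter name such as `depth` would make the three call sites self-explaining. The `/** Decode header tree */` comment above the signature should document the new parameter, e.g. `@param length current recursion depth, 0 at the top-level call`. The `"length too long"` message could also name the limit so a rejected file is diagnosable from the log.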
From e2de6f31c0dbc09033f63a94a3795488065d3b6a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 17 Nov 2016 22:46:40 +0100 Subject: [PATCH 160/658] rmdec: validate block alignment This fixes division by zero crashes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit de4ded06366e5767d0af277a61d9a56b8c8f9c19) Signed-off-by: Andreas Cadhalpun --- libavformat/rmdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index cb0481ed4d..0809b0b251 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -933,6 +933,10 @@ ff_rm_parse_packet (AVFormatContext *s, AVIOContext *pb, ast->sub_packet_cnt = 0; rm->audio_stream_num = st->index; + if (st->codecpar->block_align <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid block alignment %d\n", st->codecpar->block_align); + return AVERROR_INVALIDDATA; + } rm->audio_pkt_cnt = h * w / st->codecpar->block_align; } else if ((ast->deint_id == DEINT_ID_VBRF) || (ast->deint_id == DEINT_ID_VBRS)) { From 312757eb848b96bcc1e0df17312b11a24c4f18d3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 10 Nov 2016 22:21:20 +0100 Subject: [PATCH 161/658] sbgdec: prevent NULL pointer access Reviewed-by: Josh de Kock Signed-off-by: Andreas Cadhalpun (cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07) Signed-off-by: Andreas Cadhalpun --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index bb020d7f9a..cbedd120fb 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c 
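Review bot: The block_align check gives no reason in code; it guards the division `h * w / st->codecpar->block_align` on the next line, so `/* block_align is the divisor below */` keeps that obvious. The check runs after `ast->sub_packet_cnt = 0` and `rm->audio_stream_num = st->index` have been written, so a rejected packet leaves those fields updated; if callers continue after AVERROR_INVALIDDATA, moving the check above those assignments avoids the partial state. ff_rm_parse_packet starts outside the hunk.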
@@ -927,7 +927,7 @@ static void expand_timestamps(void *log, struct sbg_script *s) } } if (s->start_ts == AV_NOPTS_VALUE) - s->start_ts = s->opt_start_at_first ? s->tseq[0].ts.t : now; + s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now; s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration : AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; From 9b506280dd9b95b944676316ae3f8ea5605a7a10 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 23:23:16 +0100 Subject: [PATCH 162/658] pgssubdec: only set w/h/linesize when allocating data Rects with positive w/h/linesize but no data are invalid. Reviewed-by: Petri Hintukainen Signed-off-by: Andreas Cadhalpun (cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a) Signed-off-by: Andreas Cadhalpun --- libavcodec/pgssubdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index cef477d8c2..b50b37b206 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -556,12 +556,13 @@ static int display_end_segment(AVCodecContext *avctx, void *data, sub->rects[i]->x = ctx->presentation.objects[i].x; sub->rects[i]->y = ctx->presentation.objects[i].y; - sub->rects[i]->w = object->w; - sub->rects[i]->h = object->h; - - sub->rects[i]->linesize[0] = object->w; if (object->rle) { + sub->rects[i]->w = object->w; + sub->rects[i]->h = object->h; + + sub->rects[i]->linesize[0] = object->w; + if (object->rle_remaining_len) { av_log(avctx, AV_LOG_ERROR, "RLE data length %u is %u bytes shorter than expected\n", object->rle_data_len, object->rle_remaining_len); From d0f8741a5a29e6381894fe5eacbeb9145a965b6c Mon Sep 17 00:00:00 2001 
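Review bot: `(s->opt_start_at_first && s->tseq)` tests the array pointer rather than an element count, so it depends on tseq being NULL exactly when no time sequence was parsed; if struct sbg_script keeps a count next to tseq, comparing that count with 0 is the explicit form and also survives a pre-allocated but empty array. A comment `/* no time sequence parsed: fall back to now */` would state the fallback. expand_timestamps starts outside the hunk.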
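Review bot: Moving `w`, `h` and `linesize[0]` inside `if (object->rle)` means a rect without RLE data keeps whatever values it was allocated with; that is only correct if sub->rects[i] is zero-initialised (the allocation is outside the hunk), so please confirm it uses av_mallocz or equivalent. A comment on the `if`, such as `/* only describe the rect when it carries data; w/h/linesize must stay 0 otherwise */`, records the invariant from the commit message. display_end_segment starts outside the hunk.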
From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 21:37:13 +0100 Subject: [PATCH 163/658] flvdec: require need_context_update when changing codec id Otherwise the codec context and codecpar might disagree on the codec id, triggering asserts in av_parser_parse2. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 98b3a7979f2ff64cacfba4d8925faa28fc657c51) Signed-off-by: Andreas Cadhalpun --- libavformat/flvdec.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 0afeba58ba..3108488a5b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -283,7 +283,9 @@ static int flv_same_video_codec(AVCodecParameters *vpar, int flags) static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid, int read) { + int ret = 0; AVCodecParameters *par = vstream->codecpar; + enum AVCodecID old_codec_id = vstream->codecpar->codec_id; switch (flv_codecid) { case FLV_CODECID_H263: par->codec_id = AV_CODEC_ID_FLV1; 
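Review bot: `enum AVCodecID old_codec_id = vstream->codecpar->codec_id;` repeats the dereference that `par` on the line above already holds; `enum AVCodecID old_codec_id = par->codec_id;` is the consistent form. flv_set_video_codec continues in the next hunk.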
@@ -311,20 +313,28 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, else avio_skip(s->pb, 1); } - return 1; // 1 byte body size adjustment for flv_read_packet() + ret = 1; // 1 byte body size adjustment for flv_read_packet() + break; case FLV_CODECID_H264: par->codec_id = AV_CODEC_ID_H264; vstream->need_parsing = AVSTREAM_PARSE_HEADERS; - return 3; // not 4, reading packet type will consume one byte + ret = 3; // not 4, reading packet type will consume one byte + break; case FLV_CODECID_MPEG4: par->codec_id = AV_CODEC_ID_MPEG4; - return 3; + ret = 3; + break; default: avpriv_request_sample(s, "Video codec (%x)", flv_codecid); par->codec_tag = flv_codecid; } - return 0; + if (!vstream->internal->need_context_update && par->codec_id != old_codec_id) { + avpriv_request_sample(s, "Changing the codec id midstream"); + return AVERROR_PATCHWELCOME; + } + + return ret; } static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) @@ -539,7 +549,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, st->codecpar->codec_id = AV_CODEC_ID_TEXT; } else if (flv->trust_metadata) { if (!strcmp(key, "videocodecid") && vpar) { - flv_set_video_codec(s, vstream, num_val, 0); + int ret = flv_set_video_codec(s, vstream, num_val, 0); + if (ret < 0) + return ret; } else if (!strcmp(key, "audiocodecid") && apar) { int id = ((int)num_val) << FLV_AUDIO_CODECID_OFFSET; flv_set_audio_codec(s, astream, apar, id); @@ -1087,7 +1099,10 @@ retry_duration: avcodec_parameters_free(&par); } } else if (stream_type == FLV_STREAM_TYPE_VIDEO) { - size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1); + int ret = flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1); + if (ret < 0) + return ret; + size -= ret; } else if (stream_type == FLV_STREAM_TYPE_DATA) { st->codecpar->codec_id = AV_CODEC_ID_TEXT; } From e70caba38480f11043963bb5eb150cfb2eebd41b Mon Sep 17 00:00:00 2001 
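Review bot: The midstream-change check runs after `par->codec_id` (and, for H264, `vstream->need_parsing`) have already been overwritten, so when `AVERROR_PATCHWELCOME` is returned codecpar is left in exactly the changed state the check exists to prevent. Either evaluate the new id before the switch mutates `par`, or restore it on the error path: `par->codec_id = old_codec_id;` immediately before `return AVERROR_PATCHWELCOME;`. The callers patched in the two following hunks (amf_parse_object and the packet reader) now propagate that negative return, which is the intended effect, but they will do so with a half-updated stream unless the state is restored.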
From: Andreas Cadhalpun Date: Mon, 14 Nov 2016 21:41:45 +0100 Subject: [PATCH 164/658] libopusdec: default to stereo for invalid number of channels This fixes an out-of-bounds read if avc->channels is 0. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopusdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index acc62f14d8..e6ca61a78f 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -47,6 +47,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled; uint8_t mapping_arr[8] = { 0, 1 }, *mapping; + avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_WARNING, + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); + avc->channels = 2; + } + avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; From 5d1502d4b68c458522e5a6fc446d5b0e5f88bffb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 25 Nov 2016 00:26:51 +0100 Subject: [PATCH 165/658] softfloat: decrease MIN_EXP to cover full float range floats are not necessarily normalized, so a normalized softfloat needs MIN_EXP lowered by 23 to cover that range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e) Signed-off-by: Andreas Cadhalpun --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 48d0d59fd4..fa91d1e1cb 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h 
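Review bot: Only the lower bound of `avc->channels` is validated; the value taken from `avc->extradata[9]` is a byte and can be anything up to 255, and nothing in this hunk bounds it. `mapping_arr` is declared with 8 entries two lines above, so if the code that follows (outside this hunk) ever indexes that array by the channel count, an upper-bound check belongs next to this one and should reject with `AVERROR_INVALIDDATA` rather than silently defaulting. If the later code already rejects unsupported counts, a short comment here pointing at that check would make the split responsibility explicit.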
@@ -27,7 +27,7 @@ #include "avassert.h" #include "softfloat_tables.h" -#define MIN_EXP -126 +#define MIN_EXP -149 #define MAX_EXP 126 #define ONE_BITS 29 From 072246993acb9ce22f88e3df697f78dba61fcdd3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH 166/658] mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348) Signed-off-by: Andreas Cadhalpun --- libavcodec/mss2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index d255dd4337..fdc07168c7 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -422,7 +422,13 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, ff_vc1_decode_blocks(v); - ff_er_frame_end(&s->er); + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { + ff_er_frame_end(&s->er); + } else { + av_log(v->s.avctx, AV_LOG_WARNING, + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); + } ff_mpv_frame_end(s); From 0e3dc45ce81f9c9db5a6a6e2df96670164e82dec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Oct 2016 03:51:17 +0200 Subject: [PATCH 167/658] avcodec/interplayvideo: Check side data size before use Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 88c610d651..899f52cb3c 100644 --- a/libavcodec/interplayvideo.c 
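Review bot: `#define MIN_EXP -149` replaces one bare magic number with another; the reasoning given in the commit message (denormalized floats extend 23 mantissa bits below the normal minimum exponent) belongs next to the constant, e.g. `#define MIN_EXP -149 /* -126 - 23: denormalized floats reach below the normal minimum exponent */`. Without it the next reader is likely to "correct" the value back to the normalized minimum.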
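Review bot: The new warning is logged through `v->s.avctx` although the function's own `avctx` parameter (visible in the hunk header) is presumably the same context; `av_log(avctx, AV_LOG_WARNING, ...)` is shorter and avoids the reader having to confirm the two are identical. Note also that the message is emitted on every frame of an affected stream; if the mismatch is a property of the stream rather than of a single frame (not visible from this hunk), logging it once per context would be less noisy.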
+++ b/libavcodec/interplayvideo.c @@ -1012,10 +1012,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return ret; if (!s->is_16bpp) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From 2dcc0bce3924ebc96ed7f4956b007d4b84a99750 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2016 13:01:27 -0400 Subject: [PATCH 168/658] vp9: change order of operations in adapt_prob(). This is intended to workaround bug "665 Integer Divide Instruction May Cause Unpredictable Behavior" on some early AMD CPUs, which causes a div-by-zero in this codepath, such as reported in Mozilla bug #1293996. Note that this isn't guaranteed to fix the bug, since a compiler is free to reorder instructions that don't depend on each other. However, it appears to fix the bug in Firefox, and a similar patch was applied to libvpx also (see Chrome bug #599899). (cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index cb2a4a2921..3b721495d9 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
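Review bot: The palette-size validation added here is duplicated essentially verbatim in the 8bps, cinepak, idcinvideo, kmvc, msrle, qtrle, qpeg, msvideo1 and tscc patches that follow, and in a slightly different form in rawdec; ten copies of the same `pal && size == AVPALETTE_SIZE` / `else if (pal) av_log(...)` block invite divergence, as the rawdec variant already demonstrates. A small shared helper taking the packet, the codec context and the destination palette buffer would reduce each decoder to a single call. The check as written here is correct: `size` is only read on the branch where `pal` is non-NULL, so the uninitialised `int size` is never consumed.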
@@ -3705,11 +3705,10 @@ static av_always_inline void adapt_prob(uint8_t *p, unsigned ct0, unsigned ct1, if (!ct) return; + update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count); p1 = *p; - p2 = ((ct0 << 8) + (ct >> 1)) / ct; + p2 = ((((int64_t) ct0) << 8) + (ct >> 1)) / ct; p2 = av_clip(p2, 1, 255); - ct = FFMIN(ct, max_count); - update_factor = FASTDIV(update_factor * ct, max_count); // (p1 * (256 - update_factor) + p2 * update_factor + 128) >> 8 *p = p1 + (((p2 - p1) * update_factor + 128) >> 8); From b7940ecb5a9467066f7c1228b059588f539807bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 16:29:57 +0200 Subject: [PATCH 169/658] avcodec/dvdsubdec: Fix buf_size check Fixes out of array access Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 19f25f0e60..783a24fc1a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -548,7 +548,8 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { + av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf)); + if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); ctx->buf_size = 0; From b6b7034416073f65c00a70448d7c24430e1dc594 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Oct 2016 02:06:12 +0200 Subject: [PATCH 170/658] avformat/isom: Fix old API regression with exporting max bitrate Signed-off-by: Michael Niedermayer (cherry picked from commit d88a6bedb9bc51eff35578a0b08d1088ee53bcda) 
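Review bot: The reordered `update_factor` computation and the `int64_t` widening carry no comment, yet the commit message says the ordering is deliberate (a workaround for AMD erratum 665, Mozilla bug #1293996) and is not guaranteed to survive compiler scheduling. A future cleanup will undo it unless the code says so; suggest `// keep this before the division below: works around AMD erratum 665 (see Mozilla bug 1293996)` above the `update_factor = FASTDIV(...)` line. adapt_prob's declarations are outside the hunk.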
Signed-off-by: Michael Niedermayer --- libavformat/isom.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/isom.c b/libavformat/isom.c index d412f06259..f6f000be61 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -487,9 +487,14 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext avio_rb24(pb); /* buffer size db */ v = avio_rb32(pb); - // TODO: fix this - //if (v < INT32_MAX) - // st->codecpar->rc_max_rate = v; + + // TODO: fix this with codecpar +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS + if (v < INT32_MAX) + st->codec->rc_max_rate = v; +FF_ENABLE_DEPRECATION_WARNINGS +#endif st->codecpar->bit_rate = avio_rb32(pb); /* avg bitrate */ From 37ff66d1bde72f7fa89cd5c606d7288fb445852e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 00:11:52 +0200 Subject: [PATCH 171/658] avcodec/dvdsubdec: Fix off by 1 error Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 783a24fc1a..4ae63b40ac 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -185,7 +185,7 @@ static void guess_palette(DVDSubContext* ctx, for(i = 0; i < 4; i++) { if (alpha[i] != 0) { if (!color_used[colormap[i]]) { - level = level_map[nb_opaque_colors][j]; + level = level_map[nb_opaque_colors - 1][j]; r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; From e90fbc86c1861d6448fa1371eb49adcefed239a1 Mon Sep 17 00:00:00 2001 
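Review bot: `level_map[nb_opaque_colors - 1][j]` relies on `nb_opaque_colors >= 1`; if that is not already guaranteed by an early return in guess_palette (its start is outside this hunk), the fix trades an over-read for an index of -1. If the guard does exist, a one-line comment at the lookup, `/* level_map is indexed by nb_opaque_colors - 1; zero is excluded above */`, makes the invariant visible at the use site.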
From: Michael Niedermayer Date: Fri, 28 Oct 2016 12:18:35 +0200 Subject: [PATCH 172/658] avformat/flvdec: Fix regression loosing streams Fixes: unknown_video.flv Found-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit 077939626eeaa0c1364065414c18ab9b3a072281) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 12 +++++++++++- libavformat/utils.c | 2 ++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 3108488a5b..b5f0b82461 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -66,6 +66,7 @@ typedef struct FLVContext { int keyframe_count; int64_t *keyframe_times; int64_t *keyframe_filepositions; + int missing_streams; } FLVContext; static int probe(AVProbeData *p, int live) @@ -137,6 +138,11 @@ static AVStream *create_stream(AVFormatContext *s, int codec_type) && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE && s->streams[1]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE)) s->ctx_flags &= ~AVFMTCTX_NOHEADER; + if (codec_type == AVMEDIA_TYPE_AUDIO) + flv->missing_streams &= ~FLV_HEADER_FLAG_HASAUDIO; + if (codec_type == AVMEDIA_TYPE_VIDEO) + flv->missing_streams &= ~FLV_HEADER_FLAG_HASVIDEO; + avpriv_set_pts_info(st, 32, 1, 1000); /* 32 bit pts in ms */ flv->last_keyframe_stream_index = s->nb_streams - 1; @@ -686,11 +692,14 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) static int flv_read_header(AVFormatContext *s) { + int flags; FLVContext *flv = s->priv_data; int offset; avio_skip(s->pb, 4); - avio_r8(s->pb); // flags + flags = avio_r8(s->pb); + + flv->missing_streams = flags & (FLV_HEADER_FLAG_HASVIDEO | FLV_HEADER_FLAG_HASAUDIO); s->ctx_flags |= AVFMTCTX_NOHEADER; 
@@ -1230,6 +1239,7 @@ static int flv_read_seek(AVFormatContext *s, int stream_index, #define VD AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption options[] = { { "flv_metadata", "Allocate streams according to the onMetaData array", OFFSET(trust_metadata), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VD }, + { "missing_streams", "", OFFSET(missing_streams), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 0xFF, VD | AV_OPT_FLAG_EXPORT | AV_OPT_FLAG_READONLY }, { NULL } }; diff --git a/libavformat/utils.c b/libavformat/utils.c index 361744926b..a11f4adb31 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3294,6 +3294,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int64_t max_subtitle_analyze_duration; int64_t probesize = ic->probesize; int eof_reached = 0; + int64_t *missing_streams = av_opt_ptr(ic->iformat->priv_class, ic->priv_data, "missing_streams"); flush_codecs = probesize > 0; @@ -3447,6 +3448,7 @@ FF_ENABLE_DEPRECATION_WARNINGS break; } analyzed_all_streams = 0; + if (!missing_streams || !*missing_streams) if (i == ic->nb_streams) { analyzed_all_streams = 1; /* NOTE: If the format has no header, then we need to read some From 668e47e9fda181014448d55c6e9c0ac5a8a55abd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:44:52 +0100 Subject: [PATCH 173/658] avcodec/8bps: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 46344e0e43..503ad76c0a 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c 
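Review bot: `int64_t *missing_streams` points at a field that this same patch declares as `int missing_streams` in FLVContext and exposes as `AV_OPT_TYPE_INT`, so dereferencing it reads past the field (patch 190 later on this page changes the pointer to `int *`). Two smaller points in the same hunks: the new `missing_streams` option has an empty help string, `""`, while the sibling `flv_metadata` option documents itself, and `if (!missing_streams || !*missing_streams) if (i == ic->nb_streams) {` stacks two unbraced `if`s, the shape that makes a misplaced `else` easy to introduce; folding them into one condition with `&&` reads the same and avoids that.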
@@ -119,12 +119,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (avctx->bits_per_coded_sample <= 8) { + int size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { + &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy (frame->data[1], c->pal, AVPALETTE_SIZE); From 4f2716da68d97384dcf53835955bc9b59238691b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:47:38 +0100 Subject: [PATCH 174/658] avcodec/cinepak: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index a2190d7598..737462bd9c 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -443,10 +443,13 @@ static int cinepak_decode_frame(AVCodecContext *avctx, return ret; if (s->palette_video) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From e23f86d2fb9db908be7ebf7e467e09e4321159ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 175/658] avcodec/idcinvideo: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a) 
Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index 0870172794..cff9ad31ac 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -214,7 +214,8 @@ static int idcin_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; IdcinContext *s = avctx->priv_data; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); AVFrame *frame = data; int ret; @@ -227,9 +228,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, if (idcin_decode_vlcs(s, frame)) return AVERROR_INVALIDDATA; - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } /* make the palette available on the way out */ memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); From dec89aee89b0ce2963a346cd9948373d865a4b31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 176/658] avcodec/kmvc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba) Signed-off-by: Michael Niedermayer --- libavcodec/kmvc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 7acaba7d21..ffe6a142e9 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c 
@@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int i, ret; int header; int blocksize; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); bytestream2_init(&ctx->g, avpkt->data, avpkt->size); @@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, } } - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(ctx->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } if (ctx->setpal) { From d98d006eefb914170c87ee63fea4988f61c1ca4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 177/658] avcodec/msrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index c2f624283d..adb55b1302 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx, return ret; if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available */ memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE); 
From 1f8452b428f38c2079fa18046cb7b55369465653 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 178/658] avcodec/qtrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index d9d27f0506..1b0d2016b5 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -506,11 +506,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx, } if(has_palette) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available on the way out */ From 02ac02e2ac0f3550018039c8f589ab5830e08aab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 179/658] avcodec/qpeg: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 16793504dfba44e738655807db3274301b9bc690) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 9eaf9b8054..9bfecc3a31 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c 
@@ -260,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * const ref = a->ref; uint8_t* outdata; int delta, ret; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); if (avpkt->size < 0x86) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); @@ -287,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx, } /* make the palette available on the way out */ - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { p->palette_has_changed = 1; memcpy(a->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } memcpy(p->data[1], a->pal, AVPALETTE_SIZE); From 6f1ef60d50cfb2d9f87a95d13d4190cbdc4d2718 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 180/658] avcodec/msvideo1: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 1d141723f6..a49b9be364 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -305,11 +305,14 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, return ret; if (s->mode_8bit) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { memcpy(s->pal, pal, AVPALETTE_SIZE); s->frame->palette_has_changed = 1; + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From a190ca54f438db4d050ab0fce319fb41c3a85b46 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 181/658] avcodec/rawdec: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 5a98258191..2d348daca3 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -364,9 +364,16 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); + &pal_size); int ret; + + if (pal_size != AVPALETTE_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); + pal = NULL; + } + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); if (!context->palette) { From 755d6e41908cb9eb6f8f71171a1e672093694a95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 182/658] avcodec/tscc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576) Signed-off-by: Michael Niedermayer --- libavcodec/tscc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index bd5fe035cf..cb86b584c1 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c 
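Review bot: The size check runs before `pal` is tested, so every PAL8 packet without palette side data takes the error path: `pal_size` is compared and "Palette size %d is wrong" is logged even though no palette was present (and, if av_packet_get_side_data does not write `*size` on a miss, `pal_size` is read uninitialised). The sibling patches in this series test `pal` first; do the same here: `if (pal && pal_size != AVPALETTE_SIZE) {`. raw_decode continues outside the hunk.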
@@ -98,11 +98,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* make the palette available on the way out */ if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy(frame->data[1], c->pal, AVPALETTE_SIZE); } From eaf2f750c35677f16097ceb45a69a6051ac72853 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2016 19:24:49 +0100 Subject: [PATCH 183/658] avcodec/sunrast: Fix input buffer pointer check Fixes: out of array read Fixes: poc.dat Found-by: Bingchang, Liu @VARAS of IIE Tested-by: bc L Signed-off-by: Michael Niedermayer (cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 25e11f6cd2..0af5626e35 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -168,7 +168,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y = 0; y < h; y++) { - if (buf_end - buf < len) + if (buf_end - buf < alen) break; memcpy(ptr, buf, len); ptr += stride; From 04310c11aa3967156ef1db9f142e459109b734d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:46:16 +0100 Subject: [PATCH 184/658] avcodec/movtextdec: Fix potential integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
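Review bot: The bounds check now uses `alen` while the `memcpy` on the next line still copies `len` bytes, so correctness depends on `alen >= len`, a relationship established outside this hunk. If `alen` is `len` padded to the row alignment, as the name suggests, a comment at the check, `/* alen >= len (row padding), so it also bounds the memcpy below */`, records why the two differ; if it can ever be smaller, the check must use the larger of the two.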
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index a33fff7518..923e58299b 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -485,7 +485,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box - if (m->tracksize + tsmb_size > avpkt->size) + if (tsmb_size > avpkt->size - m->tracksize) break; for (size_t i = 0; i < box_count; i++) { From 096aab12a33fb20d760df1534f4c0005c93fa240 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:52:21 +0100 Subject: [PATCH 185/658] avcodec/movtextdec: Fix tsmb_size check==0 check Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 923e58299b..0618f375fc 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -471,10 +471,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx, tsmb_type = AV_RB32(tsmb); tsmb += 4; - if (tsmb_size == 0) { - return AVERROR_INVALIDDATA; - } - if (tsmb_size == 1) { if (m->tracksize + 16 > avpkt->size) break; @@ -485,6 +481,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box + if (tsmb_size == 0) { + return AVERROR_INVALIDDATA; + } + if (tsmb_size > avpkt->size - m->tracksize) break; From 5f3043e51c5b8fafe377092dc0292eb4bea57f3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:54:47 +0100 Subject: [PATCH 186/658] avcodec/movtextdec: Add error message for tsmb_size check 
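Review bot: `tsmb_size > avpkt->size - m->tracksize` removes the overflow in the old sum only while `m->tracksize <= avpkt->size`; if tracksize can exceed the packet size the right-hand side is negative, and if `tsmb_size` is an unsigned type (its declaration is outside the hunk) the comparison promotes that negative value to a huge one and the check never fires. Making the guard independent of that assumption costs one clause: `if (m->tracksize > avpkt->size || tsmb_size > avpkt->size - m->tracksize) break;`.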
Signed-off-by: Michael Niedermayer (cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 0618f375fc..7b5b161561 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -482,6 +482,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx, //size_var is equal to 8 or 16 depending on the size of box if (tsmb_size == 0) { + av_log(avctx, AV_LOG_ERROR, "tsmb_size is 0\n"); return AVERROR_INVALIDDATA; } From 571d4af28135f2d5d993436757465c95a7c96072 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 18:05:33 +0100 Subject: [PATCH 187/658] avcodec/ituh263dec: Avoid spending a long time in slice sync Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index a26244f393..5e3c0eac07 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -167,6 +167,7 @@ static int h263_decode_gob_header(MpegEncContext *s) /* We have a GBSC probably with GSTUFF */ skip_bits(&s->gb, 16); /* Drop the zeros */ left= get_bits_left(&s->gb); + left = FFMIN(left, 32); //MN: we must check the bits left or we might end in an infinite loop (or segfault) for(;left>13; left--){ if(get_bits1(&s->gb)) break; /* Seek the '1' bit */ From 936d07ab2548a0a95f1e8f4dc2f350a360b81537 Mon Sep 17 00:00:00 2001 
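Review bot: The comment on the new line, `//MN: we must check the bits left or we might end in an infinite loop (or segfault)`, describes the `left = get_bits_left(...)` line above it rather than the cap it is attached to, and carries personal initials rather than a reason. Say what the cap does: `left = FFMIN(left, 32); /* bound the GSTUFF scan so a long zero run cannot consume the whole bitstream here */`. h263_decode_gob_header continues outside the hunk.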
From: Michael Niedermayer Date: Tue, 15 Nov 2016 22:50:35 +0100 Subject: [PATCH 188/658] avcodec/rv40: Test remaining space in loop of get_dimension() Fixes infinite loop Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf) Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 465011a079..e5ba215b68 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim) val = dim[get_bits1(gb) - val]; if(!val){ do{ + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; t = get_bits(gb, 8); val += t << 2; }while(t == 0xFF); From 42a20f1feaab96ece3f8c28944dedbac5c72032e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 20:06:42 +0100 Subject: [PATCH 189/658] avformat/mpeg: Adjust vid probe threshold to correct mis-detection Fixes: _ij.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 1c441c54d8..423877e94c 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -112,7 +112,7 @@ static int mpegps_probe(AVProbeData *p) : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg if ((!!vid ^ !!audio) && (audio > 4 || vid > 1) && !sys && !pspack && p->buf_size > 2048 && vid + audio > invalid) /* PES stream */ - return (audio > 12 || vid > 3 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 + return (audio > 12 || vid > 6 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 02-Penguin.flac has sys:0 priv1:0 pspack:0 vid:0 audio:1 
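Review bot: `get_dimension` now returns `AVERROR_INVALIDDATA`, a negative value, where it previously returned only dimensions, so every caller must check for a negative result before using the value as a width or height; the callers are outside this hunk, and any one of them that still assigns the result directly turns the error code into a bogus size. A `@return` line on the function's comment stating the new failure mode would make the contract change visible to those callers.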
From ebe104e827717b8ea5dfcb49c6f877e50a33425c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Nov 2016 03:39:20 +0100 Subject: [PATCH 190/658] avformat/utils: Fix type mismatch Signed-off-by: Michael Niedermayer (cherry picked from commit a06e84b56e936ff3ca090f53d81f9cbc3514e0e0) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a11f4adb31..2eb8190cbe 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3294,7 +3294,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int64_t max_subtitle_analyze_duration; int64_t probesize = ic->probesize; int eof_reached = 0; - int64_t *missing_streams = av_opt_ptr(ic->iformat->priv_class, ic->priv_data, "missing_streams"); + int *missing_streams = av_opt_ptr(ic->iformat->priv_class, ic->priv_data, "missing_streams"); flush_codecs = probesize > 0; From 60ca730d215a99f0e275b3b3f8e09f4d820c16b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Nov 2016 02:58:34 +0100 Subject: [PATCH 191/658] avformat/idroqdec: Check chunk_size for being too large Signed-off-by: Michael Niedermayer (cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d) Signed-off-by: Michael Niedermayer --- libavformat/idroqdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index b66427968f..83701b59c5 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s, chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; + if (chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; + /* rewind */ avio_seek(pb, codebook_offset, SEEK_SET); From 0d8a17410b2f6ee9524e36a50da5309443cf8394 Mon Sep 17 00:00:00 2001 
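Review bot: The new `if (chunk_size > INT_MAX)` guard is only meaningful if `chunk_size` is wider than the sum that feeds it: `AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size` is evaluated in the type of `chunk_size` (declared outside this hunk), so if that is a 32-bit `unsigned int` a crafted size field can wrap the sum back below INT_MAX before the comparison and bypass the check. Computing the total in a 64-bit temporary makes the bound hold regardless of the field's width: `uint64_t total = (uint64_t)AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; if (total > INT_MAX) return AVERROR_INVALIDDATA;`. roq_read_packet continues on both sides of the hunk.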
From: Michael Niedermayer Date: Thu, 24 Nov 2016 15:29:52 +0100 Subject: [PATCH 192/658] avcodec/flac_parser: Update nb_headers_buffered Fixes infinite loop Fixes: fuzz.flac Found-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 2475858889cde6221677473b663df6f985add33d) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index f5cc35a4f2..e69f1d72e9 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -586,10 +586,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, temp = curr->next; av_freep(&curr->link_penalty); av_free(curr); + fpc->nb_headers_buffered--; } fpc->headers = fpc->best_header->next; av_freep(&fpc->best_header->link_penalty); av_freep(&fpc->best_header); + fpc->nb_headers_buffered--; } /* Find and score new headers. */ From cc27b8e09face7bbc14aa6865d24261f56712f57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:02:41 +0100 Subject: [PATCH 193/658] avformat/utils: Check start/end before computing duration in update_stream_timings() Fixes undefined behavior Fixes: 637428.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2eb8190cbe..7c53050f03 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2532,11 +2532,14 @@ static void update_stream_timings(AVFormatContext *ic) if (ic->nb_programs) { for (i = 0; i < ic->nb_programs; i++) { p = ic->programs[i]; - if (p->start_time != AV_NOPTS_VALUE && p->end_time > p->start_time) + if (p->start_time != AV_NOPTS_VALUE && + p->end_time > p->start_time && + p->end_time - (uint64_t)p->start_time <= INT64_MAX) duration = FFMAX(duration, p->end_time - p->start_time); } - } else + } else if (end_time >= start_time && end_time - (uint64_t)start_time <= INT64_MAX) { duration = FFMAX(duration, end_time - start_time); + } } } if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { From c2e4ced78e61679a74683f1c5f3b7e1d4b27102a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:40:55 +0100 Subject: [PATCH 194/658] avformat/oggparsespeex: Check frames_per_packet and packet_size The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer --- libavformat/oggparsespeex.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index 434b0fdab1..2ea58774c8 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -78,6 +78,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; 
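Review bot: The program branch keeps the strict `p->end_time > p->start_time` while the new `else if` accepts `end_time >= start_time`, so a zero-length interval is folded into `duration` in one path and skipped in the other; the later `duration > 0` test visible at the end of the hunk makes this harmless today, but if the asymmetry is intentional it deserves a comment, otherwise both branches should use the same comparison. The `end - (uint64_t)start <= INT64_MAX` guard is correct but non-obvious; a one-line comment such as `/* difference checked in unsigned so the signed subtraction below cannot overflow */` would spare the next reader a detour. update_stream_timings starts before and ends after the hunk.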
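Review bot: The bound `spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256` encodes an assumption about arithmetic that is not visible in this hunk (the commit message only says the limits were chosen to avoid multiplicative overflow), so a comment naming what the factor 256 protects, e.g. `/* product is later scaled by up to 256; keep headroom in int32 */`, would stop a future change from silently invalidating it. Both values are read with AV_RL32 into signed ints, so the `< 0` tests are what catch a set high bit; that is worth stating next to them as well. speex_header continues beyond the hunk.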
From 4a2f30eeff17532526928456c3e735c1457757a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 16:43:10 +0100 Subject: [PATCH 195/658] avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c Fixes: left shift of negative value Fixes: 668346-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 62c0a15ff6..776c78da71 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in, for (j = 0; j < len; j++) for (i = 0; i < channels; i++) - S(samples, i, j) = in[i][j] << shift; + S(samples, i, j) = (int)((unsigned)in[i][j] << shift); } static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, From 140626b386c135ae54baff903a1abe22e5319a97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 17:05:43 +0100 Subject: [PATCH 196/658] avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() Fixes undefined behavior Fixes: 640912-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index b7237e18f0..5f5802c97f 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
@@ -268,7 +268,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, int pred_order, int bps) { const int blocksize = s->blocksize; - int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i; + unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d); + int i; int ret; /* warm up samples */ From a7c7543a3dc7dd0edf7cacd7878c73aa1c6f8e37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 13:39:56 +0100 Subject: [PATCH 197/658] avformat/ffmdec: Check media type for chunks Signed-off-by: Michael Niedermayer (cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 960e793220..08f1fbe9b7 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -388,7 +388,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', 'T', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -452,7 +452,7 @@ static int ffm2_read_header(AVFormatContext *s) codec->refs = avio_rb32(pb); break; case MKBETAG('S', 'T', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } @@ -481,7 +481,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++ || !size) { + if (f_stvi++ || !size || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -496,7 +496,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++ || !size) { + if (f_stau++ || !size || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } From 5c1540553db04a1256d97a1992088e8fd8c0a6ea Mon Sep 17 00:00:00 2001 
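Review bot: Changing `a`, `b`, `c`, `d` to `unsigned` removes the signed-overflow UB, but the arithmetic that wraps on them and the conversions back into `decoded[]` are all outside this hunk, and nothing at the declaration tells the reader that wrapping is the intended result. Add a why-comment on the declaration line, e.g. `/* unsigned: fixed-predictor partial sums may wrap; two's-complement wraparound is the intended result */`, so the next maintainer does not "fix" them back to `int`. decode_subframe_fixed continues past the hunk.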
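Review bot: The new `codec->codec_type != AVMEDIA_TYPE_VIDEO` / `AVMEDIA_TYPE_AUDIO` tests reject a mismatched chunk with `AVERROR(EINVAL)`, the same code used for the duplicate-chunk case, so a caller cannot tell a corrupt file from an API misuse; `AVERROR_INVALIDDATA` is the convention for malformed input and matches what the other demuxer fixes in this series return. Because `f_stvi++` / `f_stau++` is evaluated before the type test, a wrong-typed chunk still counts as seen; every path jumps to `fail`, so this is harmless here, but a short comment would help if the counters are read after the loop (outside this hunk). ffm2_read_header starts before and continues after these hunks.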
From: Michael Niedermayer Date: Sat, 3 Dec 2016 23:44:56 +0100 Subject: [PATCH 198/658] avcodec/get_bits: Fix get_sbits_long(0) Fixes undefined behavior Fixes: 640889-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0f183e0358..e8888419b5 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -369,6 +369,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n) */ static inline int get_sbits_long(GetBitContext *s, int n) { + // sign_extend(x, 0) is undefined + if (!n) + return 0; + return sign_extend(get_bits_long(s, n), n); } From f788507607ad9719c158c94cc58704048ac83f89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Dec 2016 00:11:17 +0100 Subject: [PATCH 199/658] avcodec/flacdec: Fix undefined shift in decode_subframe() Fixes undefined behavior Fixes: 639961-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 5f5802c97f..4dde0e0591 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -448,7 +448,7 @@ static inline int decode_subframe(FLACContext *s, int channel) if (wasted) { int i; for (i = 0; i < s->blocksize; i++) - decoded[i] <<= wasted; + decoded[i] = (unsigned)decoded[i] << wasted; } return 0; From a1d9c17368706e8a6293782b70dc7398a72b842a Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 3 Nov 2016 22:34:58 -0300 Subject: [PATCH 200/658] avcodec/rawdec: check for side data before checking its size Fixes valgrind warnings about usage of uninitialized values. Reviewed-by: Michael Niedermayer 
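Review bot: `decoded[i] = (unsigned)decoded[i] << wasted;` removes the negative-operand UB but a shift count of 32 or more is still undefined, and `wasted` is parsed from the bitstream earlier in decode_subframe, outside this hunk. If that parse does not already bound it, reject it before the loop with `if (wasted >= 32) return AVERROR_INVALIDDATA;`; if it is bounded there, a comment at the loop such as `/* wasted < 32 guaranteed by the bps check above */` documents the invariant this cast relies on.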
Signed-off-by: James Almer (cherry picked from commit 51e329918dc1826de7451541cb15bef3b9bfe138) --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 2d348daca3..ca0927ca1b 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -369,7 +369,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, &pal_size); int ret; - if (pal_size != AVPALETTE_SIZE) { + if (pal && pal_size != AVPALETTE_SIZE) { av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); pal = NULL; } From 540a4433bd35fda61562e04a2a2aa3fa358c5a24 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 5 Dec 2016 10:04:57 -0800 Subject: [PATCH 201/658] zmqsend: Initialize ret to 0 Fixes CID1396857. (cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173) Signed-off-by: Michael Niedermayer --- tools/zmqsend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/zmqsend.c b/tools/zmqsend.c index d47bf216b4..6148bd623c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { AVBPrint src; char c, *src_buf, *recv_buf; - int recv_buf_size, ret; + int recv_buf_size, ret = 0; void *zmq_ctx, *socket; const char *bind_address = "tcp://localhost:5555"; const char *infilename = NULL; From b0ebef0578fd88fe3efd66086c43a5b43fbc9f6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 11:14:51 +0100 Subject: [PATCH 202/658] avformat/rtmppkt: Check for packet size mismatches Fixes out of array access Found-by: Paul Cher Reviewed-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 0d693c27f7..cde0da78ce 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; + if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) { + av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", + size, + prev_pkt[channel_id].size); + ff_rtmp_packet_destroy(&prev_pkt[channel_id]); + prev_pkt[channel_id].read = 0; + } + if (!prev_pkt[channel_id].read) { if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) < 0) From 518934b5f1db715262b7a012fe5ba0d4ea8370f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 12:54:21 +0100 Subject: [PATCH 203/658] Avoid using the term "file" and prefer "url" in some docs and comments This should make it less ambigous that these are URLs Signed-off-by: Michael Niedermayer (cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e) Signed-off-by: Michael Niedermayer --- doc/ffmpeg.texi | 18 +++++++++--------- doc/ffplay.texi | 6 +++--- doc/ffprobe.texi | 10 +++++----- ffmpeg_opt.c | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 3aefc34564..40eda6e6d2 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ... +ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ... @chapter Description @c man begin DESCRIPTION 
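Review bot: The new mismatch log uses `av_log(NULL, AV_LOG_ERROR, ...)` although the URLContext `h` is a parameter of rtmp_packet_read_one_chunk and is the right logging context here; `av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", size, prev_pkt[channel_id].size);` attributes the message to the connection and honours its log level. After `ff_rtmp_packet_destroy()` the partially received packet is dropped and a fresh one is created from the new header, which is the safe choice, but a comment saying that earlier chunks are discarded rather than appended would make the recovery explicit. The function starts before and continues after the hunk.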
@@ -24,10 +24,10 @@ rates and resize video on the fly with a high quality polyphase filter. @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular files, pipes, network streams, grabbing devices, etc.), specified by the @code{-i} option, and writes to an arbitrary number of output "files", which are -specified by a plain output filename. Anything found on the command line which -cannot be interpreted as an option is considered to be an output filename. +specified by a plain output url. Anything found on the command line which +cannot be interpreted as an option is considered to be an output url. -Each input or output file can, in principle, contain any number of streams of +Each input or output url can, in principle, contain any number of streams of different types (video/audio/subtitle/attachment/data). The allowed number and/or types of streams may be limited by the container format. Selecting which streams from which inputs will go into which output is either done automatically @@ -243,8 +243,8 @@ Force input or output file format. The format is normally auto detected for inpu files and guessed from the file extension for output files, so this option is not needed in most cases. -@item -i @var(unknown) (@emph{input}) -input file name +@item -i @var{url} (@emph{input}) +input file url @item -y (@emph{global}) Overwrite output files without asking. @@ -281,7 +281,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis. When used as an input option (before @code{-i}), limit the @var{duration} of data read from the input file. -When used as an output option (before an output filename), stop writing the +When used as an output option (before an output url), stop writing the output after its duration reaches @var{duration}. @var{duration} must be a time duration specification, 
@@ -310,7 +310,7 @@ extra segment between the seek point and @var{position} will be decoded and discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it will be preserved. -When used as an output option (before an output filename), decodes but discards +When used as an output option (before an output url), decodes but discards input until the timestamps reach @var{position}. @var{position} must be a time duration specification, @@ -1129,7 +1129,7 @@ may be reassigned to a different value. For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for an output mpegts file: @example -ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts +ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts @end example @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream}) diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 4bc3ced39a..073b457256 100644 --- a/doc/ffplay.texi +++ b/doc/ffplay.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffplay [@var{options}] [@file{input_file}] +ffplay [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -106,8 +106,8 @@ the input audio. Use the option "-filters" to show all the available filters (including sources and sinks). -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @section Advanced options diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index 2024eed4e5..26530a9962 100644 --- a/doc/ffprobe.texi +++ b/doc/ffprobe.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffprobe [@var{options}] [@file{input_file}] +ffprobe [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION 
@@ -24,8 +24,8 @@ For example it can be used to check the format of the container used by a multimedia stream and the format and type of each media stream contained in it. -If a filename is specified in input, ffprobe will try to open and -probe the file content. If the file cannot be opened or recognized as +If a url is specified in input, ffprobe will try to open and +probe the url content. If the url cannot be opened or recognized as a multimedia file, a positive exit code is returned. ffprobe may be employed both as a standalone application or in @@ -332,8 +332,8 @@ with name "PIXEL_FORMAT". Force bitexact output, useful to produce output which is not dependent on the specific build. -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @c man end diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 7785a304cb..7f3ff1ad11 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -3009,8 +3009,8 @@ enum OptGroup { }; static const OptionGroupDef groups[] = { - [GROUP_OUTFILE] = { "output file", NULL, OPT_OUTPUT }, - [GROUP_INFILE] = { "input file", "i", OPT_INPUT }, + [GROUP_OUTFILE] = { "output url", NULL, OPT_OUTPUT }, + [GROUP_INFILE] = { "input url", "i", OPT_INPUT }, }; static int open_files(OptionGroupList *l, const char *inout, From 37904d11779482f375b13da24f33f75daf13638f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 17:27:45 +0100 Subject: [PATCH 204/658] ffserver: Check chunk size Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) Signed-off-by: Michael Niedermayer --- ffserver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ffserver.c b/ffserver.c index 453d790e6c..aec808e78c 100644 --- a/ffserver.c +++ b/ffserver.c 
@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) @@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; From 18e3e322b36a85b6f69662e1d5fa7c245638ab86 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Dec 2016 08:02:33 -0500 Subject: [PATCH 205/658] http: make length/offset-related variables unsigned. Fixes #5992, reported and found by Paul Cher . (cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa) --- libavformat/http.c | 70 +++++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index 51275d9960..2185dd0e57 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -62,8 +62,8 @@ typedef struct HTTPContext { int line_count; int http_code; /* Used if "Transfer-Encoding: chunked" otherwise -1. */ - int64_t chunksize; - int64_t off, end_off, filesize; + uint64_t chunksize; + uint64_t off, end_off, filesize; char *location; HTTPAuthState auth_state; HTTPAuthState proxy_auth_state; @@ -92,9 +92,9 @@ typedef struct HTTPContext { AVDictionary *cookie_dict; int icy; /* how much data was read since the last ICY metadata packet */ - int icy_data_read; + uint64_t icy_data_read; /* after how many bytes of read data a new metadata packet will be found */ - int icy_metaint; + uint64_t icy_metaint; char *icy_metadata_headers; char *icy_metadata_packet; AVDictionary *metadata; 
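Review bot: `av_assert0(len <= c->chunk_size);` turns a client-controlled protocol violation into a process abort in a network-facing server, which hands a denial-of-service to anyone who can open a connection; the condition should close that connection instead, e.g. `if (len > c->chunk_size) goto fail;`, and abort only on genuine internal invariants. The `strtol(c->buffer, 0, 16)` result is also only checked on the low side: on LP64 an oversized hex string saturates to LONG_MAX, passes `<= 0`, and is then truncated into `c->chunk_size` if that field is narrower than `long` (its declaration is outside this hunk), so pass an end pointer and bound it explicitly: `char *end; long v = strtol(c->buffer, &end, 16); if (end == c->buffer || v <= 0 || v > INT_MAX) goto fail;`. http_receive_data continues on both sides of the hunk.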
@@ -480,7 +480,7 @@ static int http_open(URLContext *h, const char *uri, int flags, else h->is_streamed = 1; - s->filesize = -1; + s->filesize = UINT64_MAX; s->location = av_strdup(uri); if (!s->location) return AVERROR(ENOMEM); @@ -607,9 +607,9 @@ static void parse_content_range(URLContext *h, const char *p) if (!strncmp(p, "bytes ", 6)) { p += 6; - s->off = strtoll(p, NULL, 10); + s->off = strtoull(p, NULL, 10); if ((slash = strchr(p, '/')) && strlen(slash) > 0) - s->filesize = strtoll(slash + 1, NULL, 10); + s->filesize = strtoull(slash + 1, NULL, 10); } if (s->seekable == -1 && (!s->is_akamai || s->filesize != 2147483647)) h->is_streamed = 0; /* we _can_ in fact seek */ @@ -799,8 +799,9 @@ static int process_line(URLContext *h, char *line, int line_count, if ((ret = parse_location(s, p)) < 0) return ret; *new_location = 1; - } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) { - s->filesize = strtoll(p, NULL, 10); + } else if (!av_strcasecmp(tag, "Content-Length") && + s->filesize == UINT64_MAX) { + s->filesize = strtoull(p, NULL, 10); } else if (!av_strcasecmp(tag, "Content-Range")) { parse_content_range(h, p); } else if (!av_strcasecmp(tag, "Accept-Ranges") && @@ -809,7 +810,7 @@ static int process_line(URLContext *h, char *line, int line_count, h->is_streamed = 0; } else if (!av_strcasecmp(tag, "Transfer-Encoding") && !av_strncasecmp(p, "chunked", 7)) { - s->filesize = -1; + s->filesize = UINT64_MAX; s->chunksize = 0; } else if (!av_strcasecmp(tag, "WWW-Authenticate")) { ff_http_auth_handle_header(&s->auth_state, tag, p); @@ -833,7 +834,7 @@ static int process_line(URLContext *h, char *line, int line_count, if (parse_cookie(s, p, &s->cookie_dict)) av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p); } else if (!av_strcasecmp(tag, "Icy-MetaInt")) { - s->icy_metaint = strtoll(p, NULL, 10); + s->icy_metaint = strtoull(p, NULL, 10); } else if (!av_strncasecmp(tag, "Icy-", 4)) { if ((ret = parse_icy(s, tag, p)) < 0) return ret; 
@@ -963,7 +964,7 @@ static int http_read_header(URLContext *h, int *new_location) char line[MAX_URL_SIZE]; int err = 0; - s->chunksize = -1; + s->chunksize = UINT64_MAX; for (;;) { if ((err = http_get_line(s, line, sizeof(line))) < 0) @@ -997,7 +998,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int post, err; char headers[HTTP_HEADERS_SIZE] = ""; char *authstr = NULL, *proxyauthstr = NULL; - int64_t off = s->off; + uint64_t off = s->off; int len = 0; const char *method; int send_expect_100 = 0; @@ -1045,7 +1046,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, // server supports seeking by analysing the reply headers. if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 || s->end_off || s->seekable == -1)) { len += av_strlcatf(headers + len, sizeof(headers) - len, - "Range: bytes=%"PRId64"-", s->off); + "Range: bytes=%"PRIu64"-", s->off); if (s->end_off) len += av_strlcatf(headers + len, sizeof(headers) - len, "%"PRId64, s->end_off - 1); @@ -1120,7 +1121,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, s->line_count = 0; s->off = 0; s->icy_data_read = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; s->willclose = 0; s->end_chunked_post = 0; s->end_header = 0; 
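Review bot: In the Range-header hunk the start offset was switched to `%"PRIu64"`, but the end bound two lines below is still formatted with `"%"PRId64, s->end_off - 1` while `end_off` is now `uint64_t`; that is a format/argument type mismatch (undefined behaviour and a -Wformat warning) and should read `"%"PRIu64, s->end_off - 1`. The subtraction is evaluated unsigned, which is fine only because the branch is guarded by `s->end_off` being non-zero; a brief comment there would make that dependency visible. http_connect starts before and continues after the hunk.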
@@ -1160,15 +1161,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) memcpy(buf, s->buf_ptr, len); s->buf_ptr += len; } else { - int64_t target_end = s->end_off ? s->end_off : s->filesize; - if ((!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off >= target_end) + uint64_t target_end = s->end_off ? s->end_off : s->filesize; + if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end) return AVERROR_EOF; len = ffurl_read(s->hd, buf, size); - if (!len && (!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off < target_end) { + if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) { av_log(h, AV_LOG_ERROR, - "Stream ends prematurely at %"PRId64", should be %"PRId64"\n", + "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n", s->off, target_end ); return AVERROR(EIO); @@ -1232,7 +1231,7 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize >= 0) { + if (s->chunksize != UINT64_MAX) { if (!s->chunksize) { char line[32]; @@ -1241,13 +1240,19 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } while (!*line); /* skip CR LF from last chunk */ - s->chunksize = strtoll(line, NULL, 16); + s->chunksize = strtoull(line, NULL, 16); - av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", + av_log(h, AV_LOG_TRACE, + "Chunked encoding data size: %"PRIu64"'\n", s->chunksize); if (!s->chunksize) return 0; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR(EINVAL); + } } size = FFMIN(size, s->chunksize); } 
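Review bot: Dropping the `target_end >= 0` guard in http_buf_read changes behaviour for responses without a Content-Length: `filesize` is now the sentinel `UINT64_MAX`, so `target_end` becomes `UINT64_MAX`, `s->off < target_end` is always true, and a normal end of such a stream (`ffurl_read()` returning 0) now logs "Stream ends prematurely at N, should be 18446744073709551615" and returns `AVERROR(EIO)` where it previously returned a clean EOF. The check needs an explicit unknown-length exclusion, e.g. `if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && target_end != UINT64_MAX && s->off < target_end) {`. The `s->off >= target_end` EOF test above is unaffected in practice because the offset never reaches the sentinel, but a comment saying `UINT64_MAX` means "length unknown" would help. The function starts before and continues after the hunk.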
@@ -1258,17 +1263,17 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) read_ret = http_buf_read(h, buf, size); if ( (read_ret < 0 && s->reconnect && (!h->is_streamed || s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize) || (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed || s->reconnect_streamed))) { - int64_t target = h->is_streamed ? 0 : s->off; + uint64_t target = h->is_streamed ? 0 : s->off; if (s->reconnect_delay > s->reconnect_delay_max) return AVERROR(EIO); - av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret)); + av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret)); av_usleep(1000U*1000*s->reconnect_delay); s->reconnect_delay = 1 + 2*s->reconnect_delay; seek_ret = http_seek_internal(h, target, SEEK_SET, 1); if (seek_ret != target) { - av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target); + av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target); return read_ret; } @@ -1323,10 +1328,11 @@ static int store_icy(URLContext *h, int size) { HTTPContext *s = h->priv_data; /* until next metadata packet */ - int remaining = s->icy_metaint - s->icy_data_read; + uint64_t remaining; - if (remaining < 0) + if (s->icy_metaint < s->icy_data_read) return AVERROR_INVALIDDATA; + remaining = s->icy_metaint - s->icy_data_read; if (!remaining) { /* The metadata packet is variable sized. It has a 1 byte header @@ -1440,7 +1446,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo { HTTPContext *s = h->priv_data; URLContext *old_hd = s->hd; - int64_t old_off = s->off; + uint64_t old_off = s->off; uint8_t old_buf[BUFFER_SIZE]; int old_buf_size, ret; AVDictionary *options = NULL; 
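Review bot: The reconnect condition `s->filesize > 0 && s->off < s->filesize` was written for the signed sentinel `-1`, which made it false when the length was unknown; with `filesize` now `uint64_t` and the sentinel `UINT64_MAX`, both operands are true for every unknown-length response, so read errors on such streams now enter the reconnect path where they previously did not. If that widening is not intended, spell the sentinel out: `s->filesize != UINT64_MAX && s->off < s->filesize`. Separately, `seek_ret != target` compares an `int64_t` return with a `uint64_t`, which only works because a negative error value converts to a huge unsigned number; `seek_ret < 0 || (uint64_t)seek_ret != target` says what is meant. http_read_stream continues on both sides of the hunk.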
@@ -1451,7 +1457,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo ((whence == SEEK_CUR && off == 0) || (whence == SEEK_SET && off == s->off))) return s->off; - else if ((s->filesize == -1 && whence == SEEK_END)) + else if ((s->filesize == UINT64_MAX && whence == SEEK_END)) return AVERROR(ENOSYS); if (whence == SEEK_CUR) @@ -1606,7 +1612,7 @@ redo: s->buf_ptr = s->buffer; s->buf_end = s->buffer; s->line_count = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; cur_auth_type = s->proxy_auth_state.auth_type; /* Note: This uses buffering, potentially reading more than the From ce44100cb02a5576b0d389fa486a84cfc21af386 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Dec 2016 10:18:10 -0500 Subject: [PATCH 206/658] http: move chunk handling from http_read_stream() to http_buf_read(). (cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9) --- libavformat/http.c | 57 +++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index 2185dd0e57..7e109ddb5b 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1153,6 +1153,34 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) { HTTPContext *s = h->priv_data; int len; + + if (s->chunksize != UINT64_MAX) { + if (!s->chunksize) { + char line[32]; + int err; + + do { + if ((err = http_get_line(s, line, sizeof(line))) < 0) + return err; + } while (!*line); /* skip CR LF from last chunk */ + + s->chunksize = strtoull(line, NULL, 16); + + av_log(h, AV_LOG_TRACE, + "Chunked encoding data size: %"PRIu64"'\n", + s->chunksize); + + if (!s->chunksize) + return 0; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR(EINVAL); + } + } + size = FFMIN(size, s->chunksize); + } + /* read bytes from input buffer first */ len = s->buf_end - s->buf_ptr; if (len > 0) { 
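Review bot: The chunk-size line moved into http_buf_read is still parsed with `strtoull(line, NULL, 16)` and no end-pointer check, so a malformed line such as `zz` parses as 0 and is treated as the terminating chunk, silently ending the stream early; only the overflow case (`UINT64_MAX`) is rejected. Pass an end pointer and reject a line that yields no digits: `char *end; s->chunksize = strtoull(line, &end, 16); if (end == line) return AVERROR_INVALIDDATA;` (a chunk extension after `;` still stops the parse legitimately). Since the parsing now runs ahead of the buffered-read path, a one-line comment noting that chunked framing must apply to both buffered and socket reads would explain why the code was moved here. http_buf_read continues past the hunk.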
@@ -1175,8 +1203,10 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) } if (len > 0) { s->off += len; - if (s->chunksize > 0) + if (s->chunksize > 0) { + av_assert0(s->chunksize >= len); s->chunksize -= len; + } } return len; } @@ -1231,31 +1261,6 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize != UINT64_MAX) { - if (!s->chunksize) { - char line[32]; - - do { - if ((err = http_get_line(s, line, sizeof(line))) < 0) - return err; - } while (!*line); /* skip CR LF from last chunk */ - - s->chunksize = strtoull(line, NULL, 16); - - av_log(h, AV_LOG_TRACE, - "Chunked encoding data size: %"PRIu64"'\n", - s->chunksize); - - if (!s->chunksize) - return 0; - else if (s->chunksize == UINT64_MAX) { - av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", - s->chunksize); - return AVERROR(EINVAL); - } - } - size = FFMIN(size, s->chunksize); - } #if CONFIG_ZLIB if (s->compressed) return http_buf_read_compressed(h, buf, size); From e08b1cf2df8cfdb3394aa5ab0320739f8b5a1c4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 22:55:41 +0100 Subject: [PATCH 207/658] Update for 3.1.6 Signed-off-by: Michael Niedermayer --- Changelog | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 88 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ccb0799dff..27fb1b9d41 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,92 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.1.6: +- http: move chunk handling from http_read_stream() to http_buf_read(). +- http: make length/offset-related variables unsigned. +- ffserver: Check chunk size +- Avoid using the term "file" and prefer "url" in some docs and comments +- avformat/rtmppkt: Check for packet size mismatches +- zmqsend: Initialize ret to 0 +- avcodec/rawdec: check for side data before checking its size +- avcodec/flacdec: Fix undefined shift in decode_subframe() +- avcodec/get_bits: Fix get_sbits_long(0) +- avformat/ffmdec: Check media type for chunks +- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() +- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c +- avformat/oggparsespeex: Check frames_per_packet and packet_size +- avformat/utils: Check start/end before computing duration in update_stream_timings() +- avcodec/flac_parser: Update nb_headers_buffered +- avformat/idroqdec: Check chunk_size for being too large +- avformat/utils: Fix type mismatch +- avformat/mpeg: Adjust vid probe threshold to correct mis-detection +- avcodec/rv40: Test remaining space in loop of get_dimension() +- avcodec/ituh263dec: Avoid spending a long time in slice sync +- avcodec/movtextdec: Add error message for tsmb_size check +- avcodec/movtextdec: Fix tsmb_size check==0 check +- avcodec/movtextdec: Fix potential integer overflow +- avcodec/sunrast: Fix input buffer pointer check +- avcodec/tscc: Check side data size before use +- avcodec/rawdec: Check side data size before use +- avcodec/msvideo1: Check side data size before use +- avcodec/qpeg: Check side data size before use +- avcodec/qtrle: Check side data size before use +- avcodec/msrle: Check side data size before use +- avcodec/kmvc: Check side data size before use +- avcodec/idcinvideo: Check side data size before use +- avcodec/cinepak: Check 
side data size before use +- avcodec/8bps: Check side data size before use +- avformat/flvdec: Fix regression losing streams +- avcodec/dvdsubdec: Fix off by 1 error +- avformat/isom: Fix old API regression with exporting max bitrate +- avcodec/dvdsubdec: Fix buf_size check +- vp9: change order of operations in adapt_prob(). +- avcodec/interplayvideo: Check side data size before use +- mss2: only use error correction for matching block counts +- softfloat: decrease MIN_EXP to cover full float range +- libopusdec: default to stereo for invalid number of channels +- flvdec: require need_context_update when changing codec id +- pgssubdec: only set w/h/linesize when allocating data +- sbgdec: prevent NULL pointer access +- rmdec: validate block alignment +- smacker: limit recursion depth of smacker_decode_bigtree +- mxfdec: fix NULL pointer dereference in mxf_read_packet_old +- ffmdec: validate codec parameters +- exr: reindent after previous commit +- exr: fix out-of-bounds read +- libschroedingerdec: fix leaking of framewithpts +- libschroedingerdec: don't produce empty frames +- softfloat: handle -INT_MAX correctly +- filmstripdec: correctly check image dimensions +- pnmdec: make sure v is capped by maxval +- smvjpegdec: make sure cur_frame is not negative +- icodec: correctly check avio_read return value +- dvbsubdec: fix division by zero in compute_default_clut +- proresdec_lgpl: explicitly check coff[3] against slice_data_size +- escape124: reject codebook size 0 +- icodec: add ico_read_close to fix leaking ico->images +- icodec: fix leaking pkt on error +- mpegts: prevent division by zero +- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header +- mpegaudio_parser: don't return AVERROR_PATCHWELCOME +- mxfdec: fix NULL pointer dereference +- lzf: update pointer p after realloc +- diracdec: check return code of get_buffer_with_edge +- ppc: pixblockdsp: do unaligned block accesses correctly again +- interplayacm: increase bitstream buffer size 
by AV_INPUT_BUFFER_PADDING_SIZE +- interplayacm: validate number of channels +- interplayacm: check for too large b +- mpeg12dec: unref discarded picture from extradata +- cavsdec: unref frame before referencing again +- dcstr: fix division by zero +- aiff: check block_align in aiff_read_packet +- rsd: limit number of channels +- avformat: prevent triggering request_probe assert in ff_read_packet +- westwood_aud: prevent division by zero +- astdec: fix division by zero +- aiffdec: fix division by zero +- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data() + version 3.1.5: - avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() - avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() diff --git a/RELEASE b/RELEASE index 3ad0595adc..9cec7165ab 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.5 +3.1.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8fa0819b72..435efba711 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.5 +PROJECT_NUMBER = 3.1.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From a57b701bdc2083c2d5da85ed6b90ce644cd0f385 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 5 Dec 2016 13:07:10 -0300 Subject: [PATCH 208/658] configure: check for strtoull on msvc Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd) --- Changelog | 1 + configure | 1 + 2 files changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 27fb1b9d41..058ba375d5 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.1.6: +- configure: check for strtoull on msvc - http: move chunk handling from http_read_stream() to http_buf_read(). - http: make length/offset-related variables unsigned. - ffserver: Check chunk size diff --git a/configure b/configure index 12158dd9c2..5eb11e4421 100755 --- a/configure +++ b/configure @@ -6197,6 +6197,7 @@ __declspec($_restrict) void* foo(int); EOF fi check_func strtoll || add_cflags -Dstrtoll=_strtoi64 + check_func strtoull || add_cflags -Dstrtoull=_strtoui64 fi for pfx in "" host_; do From 8a4b18c639b536d08926c96810a4d9628f422c9d Mon Sep 17 00:00:00 2001 From: Srinath K R Date: Sat, 3 Dec 2016 17:08:40 +0530 Subject: [PATCH 209/658] avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option Signed-off-by: Timo Rothenpieler --- libavfilter/vf_hwupload_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_hwupload_cuda.c b/libavfilter/vf_hwupload_cuda.c index c22221c699..0a6d031e00 100644 --- a/libavfilter/vf_hwupload_cuda.c +++ b/libavfilter/vf_hwupload_cuda.c @@ -191,7 +191,7 @@ fail: #define OFFSET(x) offsetof(CudaUploadContext, x) #define FLAGS (AV_OPT_FLAG_FILTERING_PARAM | AV_OPT_FLAG_VIDEO_PARAM) static const AVOption cudaupload_options[] = { - { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, .flags = FLAGS }, + { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, FLAGS }, { NULL }, }; From 0c2d6a219f2831fd46557bbfb5a2c4c7da6f90b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 00:19:19 +0100 Subject: [PATCH 210/658] avcodec/ffv1enc: Fix size of first slice Signed-off-by: Michael Niedermayer (cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19) 
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 383956bcc9..d13cea1226 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1223,7 +1223,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; @@ -1312,11 +1311,17 @@ FF_ENABLE_DEPRECATION_WARNINGS } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); From 119301d3129ef53f3ce698a062edb6fafdc715b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 211/658] avformat/oggdec: Skip streams in duration correction that did not had their duration set. Fixes: part of 670190.ogg Fixes integer overflow Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 47a0cbae05..e1ef21337c 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
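Review bot: the two `av_assert0` calls added for slice 0 in encode_frame() turn a size mismatch into a process abort: `av_assert0(fs->c.bytestream < fs->c.bytestream_start + len)` fails whenever the frame header already written into slice 0's range coder is at least `pkt->size / f->slice_count` bytes long, and nothing visible in the hunk bounds the header against that quotient. If such a header is reachable from user-chosen parameters (many slices, small packet) this is an abort rather than an encode error, so returning AVERROR(ENOMEM) or AVERROR_BUG with an av_log would be safer — or a comment should state why the bound is an invariant. `int len = pkt->size / f->slice_count;` is loop-invariant and could be computed once before the loop. encode_frame()'s body continues outside both hunks.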
@@ -643,6 +643,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; From 255e61c25b830b1e84d919027106ff85868099bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 212/658] avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() Fixes: part of 670190.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 3adf28d2f8..a19b374670 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -315,13 +315,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][1] + virtual_ref[1][1]) * 
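Review bot: the new `continue` in ogg_get_length() has no comment saying why streams without a duration are skipped; the commit message gives the reason (subtracting pts from AV_NOPTS_VALUE overflows), which the code should carry, e.g. `/* no duration to correct; AV_NOPTS_VALUE - pts would overflow */` above the check. It is also placed after `pts = ogg_calc_pts(s, i, NULL);`, so the pts is computed and discarded for those streams; if ogg_calc_pts() has no side effect the loop relies on, the check can move above it. ogg_get_length() starts and ends outside the hunk.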
@@ -368,10 +368,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + s->sprite_offset[0][i] *= 1 << shift_y; + s->sprite_offset[1][i] *= 1 << shift_c; + s->sprite_delta[0][i] *= 1 << shift_y; + s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } s->real_sprite_warping_points = ctx->num_sprite_warping_points; From 0131f5c3769981c1e36ff124a50011702c491329 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Dec 2016 23:51:45 +0100 Subject: [PATCH 213/658] avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated We are checking during encoding if there is enough space as version 4 needs that check. Fixes Ticket6005 Signed-off-by: Michael Niedermayer (cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index d13cea1226..fec3e928cb 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1278,6 +1278,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, if (f->version > 3) maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4; + if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) { + av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n"); + maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32; + } + if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0) return ret; From b18a571e2355a6fb0dcb7ff7de18d36694eb65bd Mon Sep 17 00:00:00 2001 
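Review bot: `s->sprite_offset[0][i] *= 1 << shift_y;` and the three lines after it remove the undefined left shift of a negative value but not the signed overflow of the product: the offsets and deltas are multiplied by up to 1 << 16 in `int`, and if their magnitude is not bounded before this loop (no bound is visible in the hunk) the result is still undefined behaviour for the same kind of fuzzed input. A range check against `INT_MAX >> shift` before scaling, or doing the arithmetic in int64_t and returning AVERROR_INVALIDDATA on overflow, closes that. `1 << shift_y` is itself undefined if `ctx->sprite_shift[0]` can exceed 16, which the hunk does not rule out either. mpeg4_decode_sprite_trajectory() starts outside this hunk.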
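Review bot: the new cap in encode_frame() logs at AV_LOG_WARNING on every frame whose worst-case size exceeds the limit, so a large-resolution encode emits the message once per frame; log it once (guarded by a context flag, or at init where width and height are already known) or lower the level to verbose. The comparison only works if `maxsize` is 64-bit — the `3LL` product assigned to it a few lines above would already be truncated if `maxsize` were `int`; its declaration is outside the hunk, so confirm it. encode_frame() continues outside the hunk.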
From: Michael Niedermayer Date: Fri, 18 Nov 2016 17:00:30 +0100 Subject: [PATCH 214/658] avformat: Add max_streams option This allows user apps to stop OOM due to excessive number of streams Signed-off-by: Michael Niedermayer (cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9) Signed-off-by: Michael Niedermayer --- doc/formats.texi | 4 ++++ libavformat/avformat.h | 7 +++++++ libavformat/options_table.h | 1 + libavformat/utils.c | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/formats.texi b/doc/formats.texi index 2c068c1046..a2d72e6572 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -205,6 +205,10 @@ For example to separate the fields with newlines and indention: ffprobe -dump_separator " " -i ~/videos/matrixbench_mpeg2.mpg @end example + +@item max_streams @var{integer} (@emph{input}) +Specifies the maximum number of streams. This can be used to reject files that +would require too many resources due to a large number of streams. @end table @c man end FORMAT OPTIONS diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 818184e5a8..4e7c615d33 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -1884,6 +1884,13 @@ typedef struct AVFormatContext { * - decoding: set by user through AVOptions (NO direct access) */ char *protocol_blacklist; + + /** + * The maximum number of streams. + * - encoding: unused + * - decoding: set by user through AVOptions (NO direct access) + */ + int max_streams; } AVFormatContext; int av_format_get_probe_score(const AVFormatContext *s); diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 3b74d1b2fd..930813a9d1 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h 
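Review bot: the new `max_streams` field's doc comment says only "The maximum number of streams" and tells the reader neither what happens when the limit is reached nor where the default comes from; avformat_new_stream() in the utils.c hunk returns NULL once `nb_streams` reaches it, and the option table supplies the default. Extend it to something like ` * Maximum number of streams a demuxer may create; avformat_new_stream()` / ` * fails once it is reached. Default set by the "max_streams" AVOption.` The formats.texi entry would benefit from the same two facts.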
@@ -103,6 +103,7 @@ static const AVOption avformat_options[] = { {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D }, {NULL}, }; diff --git a/libavformat/utils.c b/libavformat/utils.c index 7c53050f03..f1198c0079 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4087,7 +4087,7 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= INT_MAX/sizeof(*streams)) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) return NULL; streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) From 6c96200ceb0fbf736ad5080e46779888521a687f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 21:05:14 +0100 Subject: [PATCH 215/658] avutil: Add av_image_check_size2() Signed-off-by: Michael Niedermayer (cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 29 ++++++++++++++++++++++++----- libavutil/imgutils.h | 14 ++++++++++++++ 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 37808e53d0..cc410abad1 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c 
@@ -248,19 +248,38 @@ static const AVClass imgutils_class = { .parent_log_context_offset = offsetof(ImgUtils, log_ctx), }; -int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx) { ImgUtils imgutils = { .class = &imgutils_class, .log_offset = log_offset, .log_ctx = log_ctx, }; + int64_t stride = av_image_get_linesize(pix_fmt, w, 0); + if (stride <= 0) + stride = 8LL*w; + stride += 128*8; - if ((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/8) - return 0; + if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); + return AVERROR(EINVAL); + } - av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); - return AVERROR(EINVAL); + if (max_pixels < INT64_MAX) { + if (w*(int64_t)h > max_pixels) { + av_log(&imgutils, AV_LOG_ERROR, + "Picture size %ux%u exceeds specified max pixel count %"PRId64", see the documentation if you wish to increase it\n", + w, h, max_pixels); + return AVERROR(EINVAL); + } + } + + return 0; +} + +int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +{ + return av_image_check_size2(w, h, INT64_MAX, AV_PIX_FMT_NONE, log_offset, log_ctx); } int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) diff --git a/libavutil/imgutils.h b/libavutil/imgutils.h index 23282a38fa..19f34deced 100644 --- a/libavutil/imgutils.h +++ b/libavutil/imgutils.h 
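Review bot: av_image_check_size2() carries three unexplained constants: `stride = 8LL*w` is the fallback when av_image_get_linesize() fails or pix_fmt is AV_PIX_FMT_NONE, and `stride += 128*8` plus `(uint64_t)(h+128)` reproduce the old `(w+128)*(h+128)` slack; comments such as `/* unknown format: assume a conservative 8 bytes per pixel */` and `/* keep 128 columns / 128 rows of slack so edge-padded allocations still fit in an int */` would stop the next reader re-deriving them (the 8-byte rationale is my reading of the fallback — confirm). The nested `if (max_pixels < INT64_MAX) { if (w*(int64_t)h > max_pixels) {` can be one condition. Since the fallback is taken only for `stride <= 0`, formats with a known linesize below 8 bytes per pixel are now accepted at sizes the old check rejected, which appears to be the intent but is worth a line in the header doc. av_image_check_size2() is complete within the hunk.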
@@ -191,6 +191,20 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, */ int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx); +/** + * Check if the given dimension of an image is valid, meaning that all + * bytes of the image can be addressed with a signed int. + * + * @param w the width of the picture + * @param h the height of the picture + * @param max_pixels the maximum number of pixels the user wants to accept + * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown. + * @param log_offset the offset to sum to the log level for logging with log_ctx + * @param log_ctx the parent logging context, it may be NULL + * @return >= 0 if valid, a negative error code otherwise + */ +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx); + /** * Check if the given sample aspect ratio of an image is valid. * From f77bb85b08dea6bdde091c8570aa5b12987f7f8c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 31 Jan 2017 01:55:44 +0100 Subject: [PATCH 216/658] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error The code relies on their validity and otherwise can try to access a NULL object->rle pointer, causing segmentation faults. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4) Signed-off-by: Andreas Cadhalpun --- libavcodec/pgssubdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index b50b37b206..b897d72aab 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
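Review bot: the doc for `max_pixels` does not say that INT64_MAX means "no limit", which is how av_image_check_size2() treats it (`if (max_pixels < INT64_MAX)`) and how av_image_check_size() calls it, and the `pix_fmt` entry does not say what AV_PIX_FMT_NONE changes (a conservative bytes-per-pixel estimate replaces the real linesize). Suggested wording: ` * @param max_pixels the maximum number of pixels the user wants to accept, INT64_MAX for no limit` and ` * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown, in which case a conservative stride estimate is used`. The opening sentence is copied from av_image_check_size() and could mention the pixel-count limit as the second reason for rejection.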
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx, av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len); - if (!object->rle) + if (!object->rle) { + object->rle_data_len = 0; + object->rle_remaining_len = 0; return AVERROR(ENOMEM); + } memcpy(object->rle, buf, buf_size); object->rle_data_len = buf_size; From 5b8ee8f0134c48ff3b09bf4e0e35819c4435541d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 20:15:12 +0100 Subject: [PATCH 217/658] avformat/options_table: Set the default maximum number of streams to 1000 Fixes CVE-2016-9561, Note the security relevance of this is disputed as running out of memory can happen with valid files Suggested-by: Andreas Cadhalpun Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c) Signed-off-by: Michael Niedermayer --- libavformat/options_table.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 930813a9d1..416a0dae1c 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -103,7 +103,7 @@ static const AVOption avformat_options[] = { {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, -{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D }, {NULL}, }; 
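Review bot: the default of 1000 is not reflected in the documentation the option received when it was added: neither the formats.texi entry nor the AVFormatContext comment states a default, and with this change files with more streams now fail to open unless the user raises it. Add `Default is 1000.` to both, since the behavioural change is deliberate per the commit message but user-visible. The help string could also read `"maximum number of streams"` unchanged, as AVOption defaults are rendered by the generated docs.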
From 3d9c007b6116df30bfa179ae8e9fa54e4b9db2d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 20:15:13 +0100 Subject: [PATCH 218/658] avformat/utils: Print verbose error message if stream count exceeds max_streams Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index f1198c0079..17bbdb44be 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4087,8 +4087,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) { + if (s->max_streams < INT_MAX/sizeof(*streams)) + av_log(s, AV_LOG_ERROR, "Number of streams exceeds max_streams parameter (%d), see the documentation if you wish to increase it\n", s->max_streams); return NULL; + } streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) return NULL; From 693288c3445a66e3b707dd93b173be164e4b5b3c Mon Sep 17 00:00:00 2001 From: Chris Cunningham Date: Tue, 22 Nov 2016 13:54:50 -0800 Subject: [PATCH 219/658] avformat/mp3dec: fix msan warning when verifying mpa header MPEG Audio frame header must be 4 bytes. If we fail to read 4 bytes bail early to avoid Use-of-uninitialized-value msan error. Reference https://crbug.com/666874. Signed-off-by: Michael Niedermayer (cherry picked from commit ab87df9a47cd31bfcae9acd84c04705a149dfc14) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 56c7f8caee..099ca57d24 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c 
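Review bot: avformat_new_stream() now evaluates `FFMIN(s->max_streams, INT_MAX/sizeof(*streams))` in the condition and then re-derives which operand was smaller with `s->max_streams < INT_MAX/sizeof(*streams)`; computing the limit once into a local and comparing against that is shorter and keeps the two expressions from drifting apart. Both comparisons put the `int` field next to a `size_t`, which is safe only because the option range in options_table.h keeps max_streams non-negative; a short comment, or a `(size_t)` cast with that justification, would make the dependency explicit. The message itself is good — it names the parameter and points at the documentation. avformat_new_stream() continues outside the hunk.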
@@ -457,7 +457,8 @@ static int check(AVIOContext *pb, int64_t pos, uint32_t *ret_header) return CHECK_SEEK_FAILED; ret = avio_read(pb, &header_buf[0], 4); - if (ret < 0) + /* We should always find four bytes for a valid mpa header. */ + if (ret < 4) return CHECK_SEEK_FAILED; header = AV_RB32(&header_buf[0]); From f0862b18c5c7d8439621f0eeaa9d064d72632afe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Dec 2016 03:59:03 +0100 Subject: [PATCH 220/658] avutil/random_seed: Improve get_generic_seed() with higher precission clock() Tested-by: Thomas Turner Signed-off-by: Michael Niedermayer (cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index d1ded7b509..bb3f7bef7f 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; @@ -86,11 +87,12 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + 1 >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; } From 8c3e90f5edd13e667030101d56e34635b2252706 Mon Sep 17 00:00:00 2001 
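Review bot: `last_td = t - last_t;` is the first statement of both branches of the new `if` in get_generic_seed(); it reads only `t` and `last_t`, so hoist it above the condition and the branches shrink to their actual difference. The condition `last_t + 2*last_td + 1 >= t` is not self-explanatory and deserves a comment, e.g. `/* tick too close to the previous one: stir the current word instead of advancing i */`. It would also help to state at the top of the function, if it is not already said, that this is the fallback used when no OS entropy source is available and that its quality rests on clock() jitter — the LCG step with 1664525 and 1013904223 only mixes, it adds no entropy. The loop starts before the hunk and `last_t` is presumably updated after it.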
From: Michael Niedermayer Date: Sat, 24 Dec 2016 14:26:41 +0100 Subject: [PATCH 221/658] avutil/random_seed: Reduce the time needed on systems with very low precission clock() This should fix issues on BSD CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million Signed-off-by: Michael Niedermayer (cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index bb3f7bef7f..0cabd1c351 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -87,7 +87,7 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - if (last_t + 2*last_td + 1 >= t) { + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { last_td = t - last_t; buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { From d5948243f51efea08bf27ac8f68845df79d55f57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Dec 2016 03:08:33 +0100 Subject: [PATCH 222/658] avcodec/mjpegdec: Check for rgb before flipping Fixes assertion failure due to unsupported case Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 0645a1d2ac..059c1c6fe9 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2383,7 +2383,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format)); 
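Review bot: `(CLOCKS_PER_SEC > 1000)` in get_generic_seed() is a boolean used as an arithmetic slack term, which reads as a typo unless one has the commit message; name it, e.g. `const clock_t slack = CLOCKS_PER_SEC > 1000; /* coarse clock() (BSD: 128 Hz) gets no +1 slack */`, or put that comment on the line. get_generic_seed() starts and ends outside the hunk.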
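Review bot: `if (s->flipped && !s->rgb) {` silently drops the flip for RGB frames, so an image that asked for flipping comes out unflipped with no indication; since the reason is an unsupported case rather than a no-op, an `av_log(s->avctx, AV_LOG_WARNING, "Flipping not supported for RGB, ignoring\n")` (at AV_LOG_DEBUG if per-frame noise is a concern) would tell the user what happened. Alternatively a comment stating that the flip code below appears to assume planar YUV (it calls avcodec_get_chroma_sub_sample and asserts on plane count) would explain the exclusion. The the_end: block continues outside the hunk.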
From c26cbe6c2e00515063e3b069398e9628a815929b Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Fri, 23 Dec 2016 14:50:16 +0100 Subject: [PATCH 223/658] avformat/avidec: skip odml master index chunks in avi_sync Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg. Signed-off-by: Tobias Rapp Signed-off-by: Michael Niedermayer (cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 3c5f3ec10c..ebb21bd937 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1193,7 +1193,8 @@ start_sync: if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) || // parse JUNK (d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') || - (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) { + (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') || + (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) { avio_skip(pb, size); goto start_sync; } From 25778b2692cdb1e954a793bbed9a0120a6a28d2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Dec 2016 02:19:27 +0100 Subject: [PATCH 224/658] avcodec/omx: Do not pass negative value into av_malloc() Fixes CID1396849 Signed-off-by: Michael Niedermayer (cherry picked from commit bd83c295fc1b7f8001e5d134b912af86cd62c3f2) Signed-off-by: Michael Niedermayer --- libavcodec/omx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 1b2ae0d997..375dd1969c 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c 
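Review bot: the `// parse JUNK` comment above the extended condition in avi_sync() now describes one of four tags the branch skips; with `indx` added it should read something like `// skip 'ix##' sub-indexes, JUNK, idx1 and OpenDML 'indx' master-index chunks` and mention that meeting them inside movi is expected for files over 256 GiB written by FFmpeg, the reason given in the commit message. The `n < s->nb_streams` guard applies only to the `ix` case, which is presumably intended since the other tags carry no stream number. avi_sync() starts and ends outside the hunk.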
@@ -761,7 +761,10 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { // If not, we need to allocate a new buffer with the right // size and copy the input frame into it. - uint8_t *buf = av_malloc(av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1)); + uint8_t *buf = NULL; + int image_buffer_size = av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1); + if (image_buffer_size >= 0) + buf = av_malloc(image_buffer_size); if (!buf) { // Return the buffer to the queue so it's not lost append_buffer(&s->input_mutex, &s->input_cond, &s->num_free_in_buffers, s->free_in_buffers, buffer); From 00bbf3063c9ef8033c23612dc25a9928beb3aa3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Jan 2017 01:25:27 +0100 Subject: [PATCH 225/658] avcodec/pngdec: Fix off by 1 size in decode_zbuf() Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 36275ae43f..7ade0cee66 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; From 777f8b9fe1a0cf85beba1bbb0f0dd0ebb3073bae Mon Sep 17 00:00:00 2001 
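Review bot: when av_image_get_buffer_size() returns a negative error in omx_encode_frame(), `buf` stays NULL and control falls into the existing `if (!buf)` branch, which returns the buffer to the queue and, as far as the hunk shows, reports an allocation failure; the real cause — an unsupported pix_fmt/stride/plane_size combination — is lost. Log it before falling through, e.g. `if (image_buffer_size < 0) av_log(avctx, AV_LOG_ERROR, "Invalid image buffer size: %d\n", image_buffer_size);`, or return `image_buffer_size` directly. A size of 0 also reaches `av_malloc(0)`, whose result depends on av_malloc's zero-size handling; treating `<= 0` as an error is simpler. omx_encode_frame() continues outside the hunk.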
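Review bot: `zstream.avail_out = buf_size - 1;` together with requesting 2 bytes reserves one byte of the AVBPrint buffer, presumably for the terminating NUL the bprint code writes after the data, but nothing says so; add `/* leave one byte for av_bprint's NUL terminator */` on that line, otherwise the next reader will "fix" it back to `buf_size`. Requesting 2 and checking `buf_size < 2` is the right pair for that scheme. decode_zbuf() continues outside the hunk.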
From: Michael Niedermayer Date: Tue, 24 Jan 2017 16:13:05 +0100 Subject: [PATCH 226/658] avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() Fixes timeout Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 059c1c6fe9..bc3798d90d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1082,6 +1082,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From c4a0b84b5886e49e63fd5ac83122697ecb991fb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2017 22:21:25 +0100 Subject: [PATCH 227/658] avcodec/vp56: Check for the bitstream end, pass error codes on Fixes timeout Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 8 +++++++- libavcodec/vp56.c | 14 ++++++++++---- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 17 ++++++++++++----- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 5bcf9b6217..4ec85ebde7 100644 --- a/libavcodec/vp5.c 
+++ b/libavcodec/vp5.c @@ -171,7 +171,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -181,6 +181,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +251,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 631924828d..d8fe994b8c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -381,12 +381,13 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) { AVFrame *frame_current, *frame_ref; VP56mb mb_type; VP56Frame ref_frame; int b, ab, b_max, plane, off; + int ret; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; @@ -394,14 +395,16 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) mb_type = vp56_decode_mv(s, row, col); ref_frame = ff_vp56_reference_frame[mb_type]; - s->parse_coeff(s); + ret = s->parse_coeff(s); + if (ret < 0) + return ret; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return; + return 0; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; 
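Review bot: `if (c->end >= c->buffer && c->bits >= 0)` in vp5_parse_coeff() looks inverted: if `c->buffer` is the read pointer and `c->end` the end of the coded data, exhaustion is `c->buffer >= c->end`, i.e. `c->end <= c->buffer`. As written the pointer test is true for the whole of a healthy stream and is held back only by `c->bits >= 0`, so the check fires when the coder stops exactly at `end` but not when the last 16-bit refill overshot it by a byte, which is the truncated case the commit is after. The same expression appears in vp6_parse_coeff() two lines down (`@@ -449`); both should read `if (c->end <= c->buffer && c->bits >= 0)` unless the range coder's pointer convention is the reverse of what the names suggest — confirm against the range-coder init and renormalisation code. vp5_parse_coeff() continues outside its hunk.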
@@ -451,6 +454,7 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } + return 0; } static int vp56_size_changed(VP56Context *s) @@ -653,7 +657,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + return ret; for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..34d48228fd 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a2bb4578d5..7f0a9b7d5d 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -380,7 +380,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; 
@@ -402,7 +402,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { @@ -437,9 +437,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +450,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +518,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) From e6b3f3ff81035ec538a25baf8b95bec7ea732a3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2017 00:20:19 +0100 Subject: [PATCH 228/658] avcodec/utils: correct align value for interplay Fixes out of array access Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 17dcf60127..fc1b2555e8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
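Review bot: The guard added to vp6_parse_coeff, `c->end >= c->buffer && c->bits >= 0`, has the same apparent sign problem as the vp5 copy in this patch: with `c->buffer` as the read cursor and `c->end` as the limit, `c->end >= c->buffer` is the normal state, and exhaustion is `c->buffer >= c->end` with `c->bits >= 0`. Unless the coder's pointer semantics differ from what the names suggest, the line should read `if (c->end <= c->buffer && c->bits >= 0) {`; otherwise the check only triggers when the cursor lands exactly on the end and the fuzzer timeout remains reachable. Verify against the renorm routine (outside the hunk) and fix both decoders together. vp6_parse_coeff continues past the hunk.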
@@ -376,6 +376,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: @@ -385,7 +389,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } - if (s->codec_id == AV_CODEC_ID_JV) { + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } From 197e4693f634d9e61eb61851e217d1b15a9d481b Mon Sep 17 00:00:00 2001 From: Frank Liberato Date: Tue, 24 Jan 2017 10:58:17 -0800 Subject: [PATCH 229/658] avformat/flacdec: Check avio_read result when reading flac block header. Return AVERROR_INVALIDDATA if all four bytes aren't present. Signed-off-by: Michael Niedermayer (cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 3060dc45fd..66baba5922 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -65,7 +65,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From e23768b8ffc3d17af1c0cac33ea9c8b3a6a50437 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Feb 2017 01:32:37 +0100 Subject: [PATCH 230/658] avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() Fixes timeout Fixes: 496/clusterfuzz-testcase-5805083497332736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
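Review bot: The Interplay override `w_align = 8; h_align = 8;` is added without saying why, and the next hunk duplicates it in the PAL8 arm, so the only record of the out-of-array access it closes is the commit message. A comment on the first copy would keep someone from "simplifying" it away: `/* Interplay writes whole blocks; pad the allocation so a frame size that is not a multiple of 8 cannot overrun the buffer (see commit) */`, with the wording checked against the decoder, which is not in the hunk. avcodec_align_dimensions2 starts and ends outside the hunk.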
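Review bot: `return AVERROR(AVERROR_INVALIDDATA);` on the new short-read path yields a positive value: AVERROR() negates an errno-style positive code, and AVERROR_INVALIDDATA is already a negative FFmpeg error tag, so the result is not `< 0` and callers that test `ret < 0` will treat the truncated header as success and continue with a half-parsed metadata block list. The line should be `return AVERROR_INVALIDDATA;`. flac_read_header starts and ends outside the hunk.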
Signed-off-by: Michael Niedermayer (cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index bc3798d90d..76b36402d7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1397,6 +1397,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) From c26c8bb23a51cf6392b3a825ca48b8bd4c87b582 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Feb 2017 15:23:31 +0100 Subject: [PATCH 231/658] avcodec/dca_lbr: Fix off by 1 error in freq check Fixes out of array read Fixes: 510/clusterfuzz-testcase-5737865715646464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61f70416f8542cc86c84ae6e0342ba10a35d7cba) Signed-off-by: Michael Niedermayer --- libavcodec/dca_lbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 342603c7d4..56c5f40982 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -310,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) break; // End of subframe freq += diff - 2; - if (freq >> (5 - group) > s->nsubbands * 4 - 5) { + if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); return -1; } From 1f35ea813d6cc831a99ab340016cb7b38d8f7f36 Mon Sep 17 00:00:00 2001 
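Review bot: The corrected bound `s->nsubbands * 4 - 6` in parse_tonal is a bare magic expression, and the fact that it was off by one shows the relation between the shifted `freq` and whatever it later indexes is easy to get wrong; the hunk does not show which array or loop the limit protects. A comment naming it would make the next audit a lookup instead of a re-derivation, e.g. `/* freq >> (5 - group) indexes <table>, whose last valid offset is nsubbands*4 - 6 */` with the table name filled in from the code below. parse_tonal continues outside the hunk.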
From: Michael Niedermayer Date: Sat, 4 Feb 2017 02:45:02 +0100 Subject: [PATCH 232/658] avcodec/interplayvideo: Move parameter change check up Fixes out of array read Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14 Signed-off-by: Michael Niedermayer (cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 899f52cb3c..2b78c69200 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -988,6 +988,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { + av_frame_unref(s->last_frame); + av_frame_unref(s->second_last_frame); + } + if (buf_size < 2) return AVERROR_INVALIDDATA; @@ -999,10 +1004,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, if (buf_size < s->decoding_map_size + 2) return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { - av_frame_unref(s->last_frame); - av_frame_unref(s->second_last_frame); - } s->decoding_map = buf + 2; bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, From 9115acb32680e4298c516a16e9a4482debfb6a80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Feb 2017 12:24:14 +0100 Subject: [PATCH 233/658] avcodec/pngdec: Check trns more completely Fixes out of array access Fixes: 546/clusterfuzz-testcase-4809433909559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e477f09d0b3619f3d29173b2cd593e17e2d1978e) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
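Review bot: Moving the AV_PKT_DATA_PARAM_CHANGE handling above the `buf_size < 2` and decoding_map_size early returns is what closes the out-of-array read, but nothing in the code records that the ordering is load-bearing, so a later tidy-up can move it back. A comment on the relocated block would pin it: `/* Must run before any early return: after a parameter change the old reference frames have the previous size and a later frame would read them out of bounds. */`. Note that the decoding_map size check that follows still returns buf_size rather than an error, which this commit leaves as is. ipvideo_decode_frame continues outside the hunk.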
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7ade0cee66..bf8f27f64b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -772,6 +772,16 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); + return AVERROR_INVALIDDATA; + } + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); + return AVERROR_INVALIDDATA; + } + if (s->color_type == PNG_COLOR_TYPE_PALETTE) { if (length > 256 || !(s->state & PNG_PLTE)) return AVERROR_INVALIDDATA; @@ -782,7 +792,8 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) || - (s->color_type == PNG_COLOR_TYPE_RGB && length != 6)) + (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) || + s->bit_depth == 1) return AVERROR_INVALIDDATA; for (i = 0; i < length / 2; i++) { @@ -1241,6 +1252,8 @@ exit_loop: size_t raw_bpp = s->bpp - byte_depth; unsigned x, y; + av_assert0(s->bit_depth > 1); + for (y = 0; y < s->height; ++y) { uint8_t *row = &s->image_buf[s->image_linesize * y]; From ff7a4df8acc84810cf895ca5778d2948ab994631 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 2 Jan 2017 01:38:03 -0300 Subject: [PATCH 234/658] configure: bump year Happy new year! (cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 5eb11e4421..592df195ac 100755 --- a/configure +++ b/configure 
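Review bot: `av_assert0(s->bit_depth > 1);` in the transparency-application code aborts the process when it fails, and the condition is a property of untrusted input (bit_depth comes from IHDR); the new tRNS checks make the path unreachable only as long as every route that combines a 1-bit image with trns state is covered, so in a library decoder the safer form is to reject rather than abort. If the function has an error-cleanup label, `if (s->bit_depth <= 1) { ret = AVERROR_INVALIDDATA; goto fail; }` is the replacement, otherwise at least av_assert1 so release builds do not carry an input-triggered abort. The enclosing function starts and ends outside the hunk.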
@@ -6624,7 +6624,7 @@ cat > $TMPH < Date: Fri, 3 Feb 2017 14:42:44 -0800 Subject: [PATCH 235/658] lavf/matroskadec: fix is_keyframe for early Blocks Blocks are marked as key frames whenever the "reference" field is zero. This breaks for non-keyframe Blocks with a reference timestamp of zero. The likelihood of reference timestamp being zero is increased by a longstanding bug in muxing that encodes reference timestamp as the absolute time of the referenced frame (rather than relative to the current Block timestamp, as described in MKV spec). Now using INT64_MIN to denote "no reference". Reported to chromium at http://crbug.com/497889 (contains sample) (cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3c7ab1c9c5..1d83068f88 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -88,6 +88,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -675,7 +676,7 @@ static const EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } 
@@ -1048,6 +1049,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -3267,7 +3271,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) @@ -3305,7 +3309,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, From 6c1a2e6bc3f0a23b629827f141a644fc646c667e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Feb 2017 11:17:10 +0100 Subject: [PATCH 236/658] avcodec/movtextdec: Fix decode_styl() cleanup Fixes: null pointer dereference Fixes: 555/clusterfuzz-testcase-5986646595993600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e248522d1b0d6dd8641f382cd5c4338d0ecd98e5) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
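Review bot: INT64_MIN is an in-band sentinel: an EBML signed integer can encode that exact value, so a BlockReference of INT64_MIN in a malformed or crafted file is now indistinguishable from "no reference" and the block is flagged as a keyframe. The consequence is a wrong keyframe flag rather than a memory issue, but the `blocks[i].reference == INT64_MIN` test deserves a note saying so: `/* INT64_MIN is the "no BlockReference element" default set in matroska_blockgroup; a file-supplied INT64_MIN collapses onto it */`. The same test is repeated in matroska_parse_cluster in the next hunk. Both enclosing functions extend beyond their hunks.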
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 7b5b161561..81fd1d6deb 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -116,6 +116,8 @@ static void mov_text_cleanup(MovTextContext *m) av_freep(&m->s[i]); } av_freep(&m->s); + m->count_s = 0; + m->style_entries = 0; } } @@ -279,12 +281,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; - m->style_entries = AV_RB16(tsmb); + int style_entries = AV_RB16(tsmb); tsmb += 2; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) + if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + m->style_entries = style_entries; + m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { m->s_temp = av_malloc(sizeof(*m->s_temp)); From e34cbd1d2b1dabda733cbc64a82532bf17a84e97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Nov 2016 18:48:40 +0100 Subject: [PATCH 237/658] ffserver_config: Setup codecpar in add_codec() fixes segfault in the status page code Signed-off-by: Michael Niedermayer (cherry picked from commit 472fee91bcf9b7bae81fd4c00bbe5151ca458a7c) --- ffserver_config.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffserver_config.c b/ffserver_config.c index 0ec93b5fda..e0fc6876e0 100644 --- a/ffserver_config.c +++ b/ffserver_config.c @@ -323,6 +323,8 @@ done: av_dict_free(&recommended); av_stream_set_recommended_encoder_configuration(st, enc_config); st->codec = av; + st->codecpar = avcodec_parameters_alloc(); + avcodec_parameters_from_context(st->codecpar, av); stream->streams[stream->nb_streams++] = st; } From 68e9caf16f4421478634c1c2ffc4706393304db3 Mon Sep 17 00:00:00 2001 
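Review bot: `int style_entries = AV_RB16(tsmb);` at the top of decode_styl reads two bytes before the size check that follows, and that check only validates the `style_entries * 12` record payload; unless the caller has already established that at least two bytes follow the box header (the caller is not in the hunk), a truncated styl box still reads past the packet. If that guarantee is absent, split the check: `if (m->tracksize + m->size_var + 2 > avpkt->size) return -1;` before the read, keeping the existing line for the record array. The rest of decode_styl is outside the hunk.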
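Review bot: `st->codecpar = avcodec_parameters_alloc();` is passed straight to `avcodec_parameters_from_context(st->codecpar, av)` without a NULL check, and the return value of avcodec_parameters_from_context is dropped too, so on allocation failure the segfault this commit fixes moves one line down. A minimal guard is `if (!st->codecpar || avcodec_parameters_from_context(st->codecpar, av) < 0)` followed by whatever bail-out add_codec uses for its other failures; that error path is outside the hunk, so the form has to follow it. add_codec starts and ends outside the hunk.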
From: Michael Niedermayer Date: Tue, 7 Feb 2017 15:49:09 +0100 Subject: [PATCH 238/658] avcodec/pictordec: Fix logic error Fixes: 559/clusterfuzz-testcase-6424225917173760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index ff6eb7f4fc..0cfc785832 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From b6efd022b77349f2797afe756b791e82ec4a1d96 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:24:42 -0800 Subject: [PATCH 239/658] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr Core of patch is from paul@paulmehta.com Reference https://crbug.com/643950 Signed-off-by: Michael Niedermayer Check value reduced as the code does not support larger lengths (cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index dd746b4235..e4e00ac992 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -718,6 +718,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); 
From 02a5e88ebc725b09f675bfcbbd4db1133e41708e Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:26:19 -0800 Subject: [PATCH 240/658] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid Core of patch is from paul@paulmehta.com Reference https://crbug.com/643951 Signed-off-by: Michael Niedermayer Check value reduced as the code does not support values beyond INT_MAX Also the check is moved to a more common place and before integer truncation (cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e4e00ac992..268cd2785a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3969,7 +3969,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); From d20200d3035eaca615ef3e2aeaba0017ae4e87a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Feb 2017 17:55:41 +0100 Subject: [PATCH 241/658] avcodec/h264_slice: Clear ref_counts on redundant slices Fixes reading freed memory Fixes: 568/clusterfuzz-testcase-6107186067406848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c03029a835949fc0e68b4c6558ebcdc3ae137087) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a56f900a50..40c4ea1efe 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -1023,7 +1023,8 @@ again: #endif } else context_count++; - } + } else + sl->ref_count[0] = sl->ref_count[1] = 0; break; case NAL_DPA: case NAL_DPB: From 384d90f26800521440a1d64d7c6967e9b552a690 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Feb 2017 20:58:51 +0100 Subject: [PATCH 242/658] Update for 3.1.7 Signed-off-by: Michael Niedermayer --- Changelog | 36 ++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 058ba375d5..960beb4447 100644 --- a/Changelog +++ b/Changelog 
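Review bot: The new `} else sl->ref_count[0] = sl->ref_count[1] = 0;` arm is unbraced against a braced if-branch and says nothing about why a slice that is not decoded must drop its ref counts; the commit message ("reading freed memory") is the only record. Brace it and state the reason: `} else { /* slice skipped: zero its ref lists so later code cannot dereference references built for it */ sl->ref_count[0] = sl->ref_count[1] = 0; }`, wording the comment after the actual consumer of ref_count, which is not in the hunk. The enclosing switch and function extend beyond the hunk.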
@@ -1,6 +1,42 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.1.7: +- avcodec/h264_slice: Clear ref_counts on redundant slices +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- ffserver_config: Setup codecpar in add_codec() +- avcodec/movtextdec: Fix decode_styl() cleanup +- lavf/matroskadec: fix is_keyframe for early Blocks +- configure: bump year +- avcodec/pngdec: Check trns more completely +- avcodec/interplayvideo: Move parameter change check up +- avcodec/dca_lbr: Fix off by 1 error in freq check +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. +- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avcodec/omx: Do not pass negative value into av_malloc() +- avformat/avidec: skip odml master index chunks in avi_sync +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precision clock() +- avutil/random_seed: Improve get_generic_seed() with higher precision clock() +- avformat/mp3dec: fix msan warning when verifying mpa header +- avformat/utils: Print verbose error message if stream count exceeds max_streams +- avformat/options_table: Set the default maximum number of streams to 1000 +- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error +- avutil: Add av_image_check_size2() +- avformat: Add max_streams option +- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated +- avcodec/mpeg4videodec: Fix undefined shifts in 
mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice +- avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option +- configure: check for strtoull on msvc + version 3.1.6: - configure: check for strtoull on msvc - http: move chunk handling from http_read_stream() to http_buf_read(). diff --git a/RELEASE b/RELEASE index 9cec7165ab..23887f6eba 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.6 +3.1.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 435efba711..6fdabbe62b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.6 +PROJECT_NUMBER = 3.1.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 401a3ae2cb33309d3bc8e9bb8e6b5861deb90d93 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 17 Feb 2017 00:46:14 +0100 Subject: [PATCH 243/658] lavc/avpacket: Initialize a variable in error path. Fixes ticket #6153. Tested-by: Tyson Smith (cherry picked from commit 1d54be215309b8aa71a51826e4b0a1660fef9f93) --- libavcodec/avpacket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 443a19ad1d..e8b2959541 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -348,6 +348,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type, return pkt->side_data[i].data; } } + if (size) + *size = 0; return NULL; } From 007cf1786c8bb74297b9b0c4be0987aef608134e Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Sun, 19 Feb 2017 16:15:34 +0100 Subject: [PATCH 244/658] lavf/mpeg: Initialize a stack variable used by memcmp(). Silence a valgrind warning. Fixes ticket #6160. (cherry picked from commit a5c1c7a8b3d13c86b453558628951c3f52054ab4) --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 423877e94c..a651cb3eb6 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -138,7 +138,7 @@ typedef struct MpegDemuxContext { static int mpegps_read_header(AVFormatContext *s) { MpegDemuxContext *m = s->priv_data; - char buffer[7]; + char buffer[7] = { 0 }; int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; From e1ed2291ecba48984a5227e3d426127427c75b7c Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Tue, 21 Feb 2017 06:51:46 +0000 Subject: [PATCH 245/658] lavfi/buffersrc: fix directly setting channel layout When setting the channel layout directly using AVBufferSrcParameters the channel layout was correctly set however the init function still expected the old string format to set the number of channels (when it hadn't already been specified). Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 42959044ac7dc40d5593cca2386d26257a615e5b) Signed-off-by: Rostislav Pehlivanov --- libavfilter/buffersrc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index 9294811d36..ba87211272 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c 
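Review bot: `char buffer[7] = { 0 };` silences the valgrind report without addressing its cause: per the commit message the memcmp compares bytes that a short read left unfilled, so a truncated input now compares against zeros instead of garbage, which is deterministic but still not a validated header. If the read that fills `buffer` (below, outside the hunk) is unchecked, its length should be tested before the memcmp, e.g. `if (avio_read(s->pb, buffer, sizeof(buffer)) != sizeof(buffer))` with an appropriate bail-out; otherwise add a comment at the initialiser saying the zero fill is what makes the comparison well-defined on short reads. mpegps_read_header continues past the hunk.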
@@ -316,14 +316,16 @@ static av_cold int init_audio(AVFilterContext *ctx) return AVERROR(EINVAL); } - if (s->channel_layout_str) { + if (s->channel_layout_str || s->channel_layout) { int n; - s->channel_layout = av_get_channel_layout(s->channel_layout_str); if (!s->channel_layout) { - av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", - s->channel_layout_str); - return AVERROR(EINVAL); + s->channel_layout = av_get_channel_layout(s->channel_layout_str); + if (!s->channel_layout) { + av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", + s->channel_layout_str); + return AVERROR(EINVAL); + } } n = av_get_channel_layout_nb_channels(s->channel_layout); if (s->channels) { From f9083dec0c2ef79ab44d7511f86bd0bf7fe45978 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 21 Mar 2017 12:02:35 -0300 Subject: [PATCH 246/658] swresample/resample: move resample_free() higher in the file Also make it more readable while at it. Signed-off-by: James Almer (cherry picked from commit 2a8a8a2e98136c22f6e07ff669251afb8a033676) --- libswresample/resample.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index b834248167..2e161b19ce 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -298,6 +298,14 @@ fail: return 0; } +static void resample_free(ResampleContext **cc){ + ResampleContext *c = *cc; + if(!c) + return; + av_freep(&c->filter_bank); + av_freep(cc); +} + static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear, double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, double kaiser_beta, double precision, int cheby, int exact_rational) 
@@ -389,13 +397,6 @@ error: return NULL; } -static void resample_free(ResampleContext **c){ - if(!*c) - return; - av_freep(&(*c)->filter_bank); - av_freep(c); -} - static int rebuild_filter_bank_with_compensation(ResampleContext *c) { uint8_t *new_filter_bank; From 8e4abfbb9dbc6ff192926e4d6befef40897a5479 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 21 Mar 2017 12:03:44 -0300 Subject: [PATCH 247/658] swresample/resample: free existing ResampleContext on reinit Fixes memleak. Reviewed-by: wm4 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit db7a05dab0652d4ec6d89394c9024d02f44494a7) --- libswresample/resample.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswresample/resample.c b/libswresample/resample.c index 2e161b19ce..e7c9e730fb 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -328,6 +328,7 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r if (!c || c->phase_count != phase_count || c->linear!=linear || c->factor != factor || c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format || c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) { + resample_free(&c); c = av_mallocz(sizeof(*c)); if (!c) return NULL; From b014fa21d4a36eb65e61b530bdafbcdc63d79795 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 20 Mar 2017 22:53:00 -0300 Subject: [PATCH 248/658] avformat/apng: fix setting frame delay when max_fps is set to no limit Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 874eb012f75bc18bb6d79ad4bc0912afa21751f3) --- libavformat/apngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index bb17896ee5..7a284e32c2 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c 
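Review bot: `resample_free(&c);` on the reinit path frees the caller's context before the replacement exists, so when the following `av_mallocz` fails the function returns NULL with the old context already gone; that is safe only if every caller stores the return value unconditionally (`s->resample = resample_init(s->resample, ...)`) and holds no second copy of the pointer, which the hunk cannot show. Either document the contract on resample_init, e.g. `/* on failure the input context has been freed; the caller's pointer is dangling */`, or allocate first and free the old context only once the new one exists. resample_init starts and ends outside the hunk.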
@@ -269,7 +269,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
 /* default is hundredths of seconds */
 if (!delay_den)
 delay_den = 100;
- if (!delay_num || delay_den / delay_num > ctx->max_fps) {
+ if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) {
 delay_num = 1;
 delay_den = ctx->default_fps;
 }
From 0abc88f0fdb829a88e0a147a119d1ed59b89a49e Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Wed, 8 Feb 2017 15:40:46 -0800
Subject: [PATCH 249/658] lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (udta_string portion)
Signed-off-by: Matt Wolenetz
Signed-off-by: Michael Niedermayer
(cherry picked from commit 9bbdf5d921ef57e1698f64981e4ea04db7c56fb5)
Signed-off-by: Michael Niedermayer
---
 libavformat/mov.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 268cd2785a..2d9447eda0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -383,11 +383,11 @@ retry:
 return ret;
 } else if (!key && c->found_hdlr_mdta && c->meta_keys) {
 uint32_t index = AV_RB32(&atom.type);
- if (index < c->meta_keys_count) {
+ if (index < c->meta_keys_count && index > 0) {
 key = c->meta_keys[index];
 } else {
 av_log(c->fc, AV_LOG_WARNING,
- "The index of 'data' is out of range: %d >= %d.\n",
+ "The index of 'data' is out of range: %d < 1 or >= %d.\n",
 index, c->meta_keys_count);
 }
 }
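Review bot: `delay_den / delay_num > ctx->max_fps` is a truncating integer division, so a delay of 2/199 (99.5 fps) passes a `max_fps` of 99 and any rate just above the limit slips through. Comparing cross-multiplied avoids the rounding: `if (!delay_num || (ctx->max_fps && delay_den > (int64_t)ctx->max_fps * delay_num)) {`. The declared types of delay_num/delay_den are not visible in the hunk, hence the widening cast.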
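Review bot: The rewritten warning keeps `%d` for `index`, which the context line declares as `uint32_t`, so an index at or above 2^31 prints as a negative number and the specifier/argument mismatch is technically undefined; use `"The index of 'data' is out of range: %"PRIu32" < 1 or >= %d.\n"`. The bounds test itself is right; `index >= 1` would read the same as the message.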
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2d9447eda0..a77d6908e3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4132,8 +4132,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); /* entries */ - if (atom.size < 8) { - av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too small\n", atom.size); + if (atom.size < 8 || atom.size > FFMIN(INT_MAX, SIZE_MAX)) { + av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" invalid\n", atom.size); return AVERROR_INVALIDDATA; } @@ -4201,6 +4201,11 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } + if (atom.size > FFMIN(INT_MAX, SIZE_MAX)) { + av_log(c->fc, AV_LOG_ERROR, "saiz atom auxiliary_info_sizes size %"PRId64" invalid\n", atom.size); + return AVERROR_INVALIDDATA; + } + /* save the auxiliary info sizes as is */ data_size = atom.size - atom_header_size; From 3364c8c53a4b49dfc9b7a075d88f688e52c3c453 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Feb 2017 12:47:49 +0100 Subject: [PATCH 251/658] avformat/http: Check for truncated buffers in http_connect() Reported-by: SleepProgger Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 8fa18e042ad2c078f759692f1db5629d16d70595) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index 7e109ddb5b..c5d94038e3 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1002,6 +1002,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; 
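Review bot: The new upper bound in mov_read_saiz only protects the allocation size; `data_size = atom.size - atom_header_size` on the following line still goes negative when a crafted `saiz` declares a size smaller than the header that was just parsed, unless that is rejected before this hunk (the start of the function is not visible). A combined test closes it: `if (atom.size < atom_header_size || atom.size > FFMIN(INT_MAX, SIZE_MAX)) {`. A size just under INT_MAX is still accepted, so one atom can demand roughly 2 GiB; bounding it against the remaining input would be tighter, and the same applies to the `senc` check in the first hunk.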
@@ -1092,7 +1093,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
 if (s->headers)
 av_strlcpy(headers + len, s->headers, sizeof(headers) - len);
- snprintf(s->buffer, sizeof(s->buffer),
+ ret = snprintf(s->buffer, sizeof(s->buffer),
 "%s %s HTTP/1.1\r\n"
 "%s"
 "%s"
@@ -1108,6 +1109,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
 av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer);
+ if (strlen(headers) + 1 == sizeof(headers) ||
+ ret >= sizeof(s->buffer)) {
+ av_log(h, AV_LOG_ERROR, "overlong headers\n");
+ err = AVERROR(EINVAL);
+ goto done;
+ }
+
+
 if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0)
 goto done;
From a6b5e670f49e561254395d57fbedd719f1b3c715 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Feb 2017 15:09:34 +0100
Subject: [PATCH 252/658] avcodec/wavpacl: Fix runtime error: left shift of negative value -1
Fixes: 607/clusterfuzz-testcase-5108792465293312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 12eebb845a7fe1ced91606547352cbdd93a2726d)
Signed-off-by: Michael Niedermayer
---
 libavcodec/wavpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index b6022f0fa5..16fdfa158c 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
 s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE;
 s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f);
 s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1);
- s->hybrid_minclip = ((-1LL << (orig_bpp - 1)));
+ s->hybrid_minclip = ((-1UL << (orig_bpp - 1)));
 s->CRC = bytestream2_get_le32(&gb);
 // parse metadata blocks
From eb322e44eaa24d39c55ce86a42410bf5945fe31e Mon Sep 17 00:00:00 2001
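Review bot: `strlen(headers) + 1 == sizeof(headers)` detects av_strlcpy truncation only by the buffer being exactly full, which also rejects a header string that fits exactly; av_strlcpy returns the length it wanted to write, so the test belongs on that call in the first hunk: `if (s->headers && av_strlcpy(headers + len, s->headers, sizeof(headers) - len) >= sizeof(headers) - len)` followed by the same error path. `ret` is an `int` compared against a `size_t`, so a negative snprintf return is caught only through the unsigned promotion; spell it out as `if (ret < 0 || ret >= sizeof(s->buffer))`. The truncated request is also handed to the debug av_log before it is rejected, harmless but noisy.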
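Review bot: `-1UL` is `unsigned long`, 32 bits on Windows and 64 bits on most other targets, so the shifted value is computed in a platform-dependent width and then narrowed into `hybrid_minclip` by implementation-defined conversion. The line above uses `1LL`, and the negated form of it, `s->hybrid_minclip = -(1LL << (orig_bpp - 1));`, is portable and reads as what it is, the mirror of maxclip. Both lines still depend on `orig_bpp` being within 1..32; wavpack_decode_block starts before this hunk, so that validation is not visible here.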
From: Michael Niedermayer
Date: Sun, 19 Feb 2017 18:47:13 +0100
Subject: [PATCH 253/658] avcodec/mpeg12dec: Fix runtime error: left shift of negative value
Fixes: 608/clusterfuzz-testcase-603978286392934
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 706757d26dd5e606c1745a4bb53fe45f6d6493cf)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg12dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 24c3182273..f098438342 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
 s->last_mv[i][0][1]);
 /* full_pel: only for MPEG-1 */
 if (s->full_pel[i]) {
- s->mv[i][0][0] <<= 1;
- s->mv[i][0][1] <<= 1;
+ s->mv[i][0][0] *= 2;
+ s->mv[i][0][1] *= 2;
 }
 }
 }
From 65494204513789ac487a0d2137559d7f22a3007f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Feb 2017 19:12:25 +0100
Subject: [PATCH 254/658] avcodec/pngdec: Check bit depth for validity
Fixes: runtime error: shift exponent 132 is too large for 32-bit type 'int'
Fixes: 609/clusterfuzz-testcase-4825202619842560
See 11.2.2 IHDR Image header
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4279613a2652cdf2bee564f4b7244567e5ba91ba)
Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index bf8f27f64b..98727c7796 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) From ad2f9874b5cccf553dbbcced23799c941dd77c8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 23:37:53 +0100 Subject: [PATCH 255/658] avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' Fixes: 617/clusterfuzz-testcase-6413875723370496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c11d3634b07b4aa71f75478aa1bcb63b0c22e030) Signed-off-by: Michael Niedermayer --- libavcodec/srtdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 30930c8e74..862ab47645 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c 
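Review bot: The check accepts every depth PNG defines, but 11.2.2 also ties depth to colour type (palette allows at most 8; RGB, greyscale-with-alpha and RGBA allow only 8 or 16), and `color_type` is read only on the line after the check. If that combination is not rejected later in decode_ihdr_chunk or at decode time, add after the `color_type` read: `if ((s->color_type == PNG_COLOR_TYPE_PALETTE && s->bit_depth > 8) || (s->color_type != PNG_COLOR_TYPE_GRAY && s->color_type != PNG_COLOR_TYPE_PALETTE && s->bit_depth < 8)) goto error;`. The `error:` label in the second hunk resets only dimensions and bit_depth, so a rejected `s->color_type` would persist; reset it there as well if the combination check is added.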
@@ -38,13 +38,13 @@ static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst,
 /* text rectangle defined, write the text at the center of the rectangle */
 const int cx = x1 + (x2 - x1)/2;
 const int cy = y1 + (y2 - y1)/2;
- const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720;
- const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480;
+ const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+ const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
 av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y);
 } else {
 /* only the top left corner, assume the text starts in that corner */
- const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720;
- const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480;
+ const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+ const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
 av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y);
 }
 }
From 5fcb98f34f5a5f8ce4d92d32362f20c12347364a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 20 Feb 2017 12:31:43 +0100
Subject: [PATCH 256/658] avcodec/pictordec: Do not read more than nb_planes
Fixes undefined behavior
Fixes: 622/clusterfuzz-testcase-5745722022428672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 01d196a67dc55eb01cf3e06d6338c5d096a29b1c)
Signed-off-by: Michael Niedermayer
---
 libavcodec/pictordec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 0cfc785832..a3d72e3f25 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -80,7 +80,7 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run,
 value <<= bits_per_plane;
 mask <<= bits_per_plane;
 if (*plane >= s->nb_planes)
- break;
+ return;
 }
 }
 }
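Review bot: The widened multiplication fixes the product overflow the fuzzer hit, but `x1 + (x2 - x1)/2` on the context line above still overflows `int` for extreme parsed coordinates (x2 - x1 with x1 strongly negative), and the `int64_t` product is then narrowed back into `const int scaled_x` without a range check. Computing the centre as `const int cx = (int)(((int64_t)x1 + x2) / 2);` removes the first, and clamping x1..y2 where they are parsed would remove both; that parsing is outside the hunk, so it may already be clamped.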
@@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); From aa5e396d42f938d23a8c6fa94217ba226cc5a214 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 12:46:28 +0100 Subject: [PATCH 257/658] avcodec/rv34: Simplify and factor get_slice_offset() code This also fixes several integer overflows by checking each value before use. Fixes: 662/clusterfuzz-testcase-4898131432964096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8696f254444c2ec24daa570f26feadbd3df911e4) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index aca8382f20..06acdc50c9 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte return ff_mpeg_update_thread_context(dst, src); } -static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) +static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size) { - if(avctx->slice_count) return avctx->slice_offset[n]; - else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + if (n < slice_count) { + if(avctx->slice_count) return avctx->slice_offset[n]; + else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + } else + return buf_size; } static int finish_frame(AVCodecContext *avctx, AVFrame *pict) 
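Review bot: The new get_slice_offset deserves a comment stating its contract, since returning `buf_size` for `n >= slice_count` is what lets callers compute every slice size uniformly and nothing here validates the value: `/* Offset of slice n within buf. For n >= slice_count the end of the buffer is returned so the size of the last slice is offset(n+1) - offset(n) like the others. The value is not range-checked: callers must verify 0 <= offset <= buf_size. */`. `AV_RL32()`/`AV_RB32()` yield unsigned 32-bit values returned through `int`, so offsets at or above 2^31 come back negative, which the callers' `offset < 0` tests rely on; the reads at `buf + n*8 - 4` presume the slice table was bounds-checked against buf_size before this is called, which is outside the hunk.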
@@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
 const uint8_t *slices_hdr = NULL;
 int last = 0;
 int faulty_b = 0;
+ int offset;
 /* no supplementary picture */
 if (buf_size == 0) {
@@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
 }else
 slice_count = avctx->slice_count;
+ offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size);
 //parse first slice header to check whether this frame can be decoded
- if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
- get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+ if(offset < 0 || offset > buf_size){
 av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
 return AVERROR_INVALIDDATA;
 }
- init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
+ init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8);
 if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
 av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
 return AVERROR_INVALIDDATA;
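Review bot: `offset > buf_size` admits `offset == buf_size`, which initialises a zero-length bit reader and then fails in `parse_slice_header` with the less specific "First slice header is incorrect" message; `if(offset < 0 || offset >= buf_size){` rejects it at the point where the slice table is known to be bad. The per-slice loop later in ff_rv34_decode_frame legitimately keeps `<= buf_size` for end offsets, so only this first-slice test should change.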
@@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ - int offset = get_slice_offset(avctx, slices_hdr, i); + int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); + int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size); int size; - if(i+1 == slice_count) - size = buf_size - offset; - else - size = get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size){ + if(offset < 0 || offset > offset1 || offset1 > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } + size = offset1 - offset; r->si.end = s->mb_width * s->mb_height; s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(i+1 < slice_count){ - if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || - get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size); + if (offset2 < offset1 || offset2 > buf_size) { av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); + init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ - if(i+2 < slice_count) - size = get_slice_offset(avctx, slices_hdr, i+2) - offset; - else - size = buf_size - offset; + size = offset2 - offset; }else r->si.end = si.start; } - if (size < 0 || size > buf_size - offset) { - av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); - break; - } + av_assert0 (size >= 0 && size <= buf_size - offset); last = rv34_decode_slice(r, r->si.end, buf + offset, size); if(last) break; From 751f3f4f5ab116b95a611b3e067069d330746adf Mon Sep 17 00:00:00 2001 
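Review bot: `av_assert0(size >= 0 && size <= buf_size - offset)` turns what used to be a recoverable "Slice size is invalid" error into a process abort inside a decoder fed untrusted input; it holds today only because `offset <= offset1 <= buf_size` and `offset1 <= offset2 <= buf_size` are enforced just above, and that dependency should be written next to it: `/* guaranteed by the offset/offset1/offset2 range checks above */`. Anyone relaxing either check later would turn a malformed file into a crash rather than a decode error.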
From: Michael Niedermayer Date: Fri, 24 Feb 2017 19:04:12 +0100 Subject: [PATCH 258/658] avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding Fixes: 665/clusterfuzz-testcase-4863789881098240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d81616be332cca99304d0b747c2c8e2d719f349) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 1114428f33..ffd680b34f 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1665,7 +1665,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header); if (ret < 0) { From c0b9d223902a7fcd963acbf5ef6240d6f36f1f83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 21:05:33 +0100 Subject: [PATCH 259/658] avcodec/vp56: Fix sign typo Fixes: 664/clusterfuzz-testcase-4917047475568640 The change to fate is due to a truncated last frames which is now detected as damaged. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 513a3494396d0a20233273b3cadcb5ee86485d5c) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- tests/ref/fate/vp5 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 4ec85ebde7..108f16131d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c 
@@ -181,7 +181,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 7f0a9b7d5d..662126ca70 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -450,7 +450,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2116fb9b81..da510fc995 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0x8843293b From eee75451e1172e77bef9edc1bdbb4e6609985ae3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 01:43:16 +0100 Subject: [PATCH 260/658] avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' Fixes: 666/clusterfuzz-testcase-6581447227867136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 310d2af319d9113263f75e94f5a1b211c05260b5) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 98727c7796..c72f34f961 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
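Review bot: The corrected `c->end <= c->buffer && c->bits >= 0` test is now spelled out identically in vp5.c and vp6.c, and the same expression is added to vp8.c later in this series, which is how the original sign typo went unnoticed. A single inline helper in the range coder header, `static inline int vpX_rac_is_end(const <coder type> *c) { return c->end <= c->buffer && c->bits >= 0; }`, keeps the three in step; the coder's struct name is not visible in the hunk. The fate reference change is the truncated last frame now being detected, as the message says.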
@@ -796,7 +796,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
 return AVERROR_INVALIDDATA;
 for (i = 0; i < length; i++) {
- v = bytestream2_get_byte(&s->gb);
+ unsigned v = bytestream2_get_byte(&s->gb);
 s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
 }
 } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) {
From fccbd911fb09d7d11c4b5e3a8c47607709acba27 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 25 Feb 2017 02:19:43 +0100
Subject: [PATCH 261/658] avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1
Fixes: 669/clusterfuzz-testcase-4847965409640448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6bd79ba59f46a8b3133f28faae53b75540469803)
Signed-off-by: Michael Niedermayer
---
 libavcodec/amrwbdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
index 7d0c135c5e..999bfb99dc 100644
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -292,7 +292,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
 if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) {
 if (pitch_index < 116) {
 *lag_int = (pitch_index + 69) >> 1;
- *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1;
+ *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2;
 } else {
 *lag_int = pitch_index - 24;
 *lag_frac = 0;
@@ -302,7 +302,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
 AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15);
 } else {
 *lag_int = (pitch_index + 1) >> 1;
- *lag_frac = (pitch_index - (*lag_int << 1)) << 1;
+ *lag_frac = (pitch_index - (*lag_int << 1)) * 2;
 *lag_int += *base_lag_int;
 }
 }
From eca3cfe9c4bd2d83d47d03f295523f8ae57e0a37 Mon Sep 17 00:00:00 2001
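Review bot: `unsigned v` is a new declaration inside the loop body, and the removed line shows an outer `v` already existed in decode_trns_chunk, so the loop now shadows it (flagged by -Wshadow) and the outer variable may be left dead. Retype the outer declaration and keep the plain assignment, `v = bytestream2_get_byte(&s->gb);`, or give the inner one a distinct name such as `alpha`. The outer declaration is before this hunk, so whether it is still used elsewhere cannot be seen here.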
From: Michael Niedermayer Date: Sat, 25 Feb 2017 12:37:32 +0100 Subject: [PATCH 262/658] avcodec/vp56: Implement very basic error concealment This should fix the fate failure due to a truncated last frame. Alternatively the frame could be dropped. Signed-off-by: Michael Niedermayer (cherry picked from commit d34bf886e963445350c4987f7a9ed77bd9c9a5c7) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 81 ++++++++++++++++++++++++++++++++++++++++++++-- tests/ref/fate/vp5 | 2 +- 2 files changed, 79 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index d8fe994b8c..b36c99fd33 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; 
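Review bot: `VP56mv *mv, vect = {0,0}; mv = &vect;` introduces a pointer to a local only to dereference it on every use; writing the zero vector directly reads better and removes the aliasing: `const VP56mv zero = {0,0}; s->macroblocks[row * s->mb_width + col].mv = zero; for (b = 0; b < 6; b++) s->mv[b] = zero;`. A comment should also say that this mirrors vp56_decode_mv only for the macroblock type and motion vector; whatever else vp56_decode_mv updates is outside the hunk.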
@@ -457,6 +476,57 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) return 0; } +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + AVFrame *frame_current, *frame_ref; + VP56mb mb_type; + VP56Frame ref_frame; + int b, ab, b_max, plane, off; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + ref_frame = ff_vp56_reference_frame[mb_type]; + + frame_current = s->frames[VP56_FRAME_CURRENT]; + frame_ref = s->frames[ref_frame]; + if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) + return 0; + + ab = 6*is_alpha; + b_max = 6 - 2*is_alpha; + + switch (mb_type) { + case VP56_MB_INTRA: + for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], + s->stride[plane], s->block_coeff[b]); + } + break; + + case VP56_MB_INTER_NOVEC_PF: + case VP56_MB_INTER_NOVEC_GF: + for (b=0; bblock_offset[b]; + s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, + frame_ref->data[plane] + off, + s->stride[plane], 8); + s->vp3dsp.idct_add(frame_current->data[plane] + off, + s->stride[plane], s->block_coeff[b]); + } + break; + } + + if (is_alpha) { + s->block_coeff[4][0] = 0; + s->block_coeff[5][0] = 0; + } + return 0; +} + static int vp56_size_changed(VP56Context *s) { AVCodecContext *avctx = s->avctx; @@ -593,6 +663,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; 
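Review bot: The concealment path never calls `s->parse_coeff`, yet both switch arms render from `s->block_coeff[b]`, so whatever the macroblock that failed to parse had already stored there is put or added into the first concealed block, and the `is_alpha` resets at the end only touch two DC entries. Clearing the coefficients before rendering, `memset(s->block_coeff, 0, sizeof(s->block_coeff));` at the top of vp56_conceal_mb, makes a concealed intra block flat and an inter block a plain copy of the reference. Whether parse_coeff leaves partial data behind on failure cannot be confirmed from this hunk. The loop headers here were damaged by the page extraction (`for (b=0; bvp3dsp.idct_put(`), so the bound and the plane lookup lines are missing from this view.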
@@ -657,9 +728,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) - return ret; + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + damaged = 1; + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index da510fc995..2469a3ec21 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0x8843293b +0, 246, 246, 1, 233472, 0xbf73f1b7 From b541a79c99b8ff86229a3cf3e71a479e99a393b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Mar 2017 04:28:23 +0100 Subject: [PATCH 263/658] avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change Similar code is used elsewhere in vp56 to force a more complete reinit in the future. Fixes null pointer dereference Fixes: 707/clusterfuzz-testcase-4717453097566208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4bed06637729ab000b79250c67d53078300e37c4) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index b36c99fd33..52f2a7dae8 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c 
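Review bot: Once `damaged` is set the decode error is dropped: the remaining macroblocks are concealed, the function continues as if the frame decoded cleanly, and the caller cannot tell a concealed frame from a good one. At minimum log it and mark the output after the loop, `if (damaged) { av_log(avctx, AV_LOG_WARNING, "frame truncated, concealing\n"); p->flags |= AV_FRAME_FLAG_CORRUPT; }`, and honour `avctx->err_recognition & AV_EF_EXPLODE` by returning `ret` instead of concealing. Whether `p` is the output frame at this point is outside the hunk; the loop header here also lost text in the page extraction (`mb_colmb_width`).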
@@ -603,13 +603,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF);
- if (ret < 0)
+ if (ret < 0) {
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(avctx, 0, 0);
 return ret;
+ }
 if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) {
 av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]);
 if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) {
 av_frame_unref(p);
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(avctx, 0, 0);
 return ret;
 }
 }
From 38c7a1ef5cb0a18e48b8a6a12687c7f679b01094 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 12 Mar 2017 03:04:04 +0100
Subject: [PATCH 264/658] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1
Fixes: 764/clusterfuzz-testcase-6273034652483584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a720b854b0d3f0fae2b1eac644dd39e5821cacb1)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg12dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index f098438342..c585ec612f 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -994,7 +994,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
 cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1);
 if (mb_block_count > 6) {
- cbp <<= mb_block_count - 6;
+ cbp *= 1 << mb_block_count - 6;
 cbp |= get_bits(&s->gb, mb_block_count - 6);
 s->bdsp.clear_blocks(s->block[6]);
 }
From 2015c109ac93a104c9ee4d9ce7ba3ef39b76d935 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 20 Feb 2017 19:34:54 +0100
Subject: [PATCH 265/658] Add CHECK/SUINT code
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4614bf2caf67a89c2d833b3368f325eab54582bc)
(cherry picked from commit e8d4eacc07c61ae24f48451073a2620d8d257d33)
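Review bot: `cbp *= 1 << mb_block_count - 6;` is correct only because `-` binds tighter than `<<`, and it reads as if the shift might come first; `cbp *= 1 << (mb_block_count - 6);` costs nothing and matches the `get_bits(&s->gb, mb_block_count - 6)` below it. The multiplication also presumes `cbp` is non-negative here; if get_vlc2 can return a negative value for a bad code, that has to be rejected before or after this line, which is not visible in the hunk.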
Signed-off-by: Michael Niedermayer (cherry picked from commit 3f2a09a43f6fade53227804459e6babb1c7248b3) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index 61784b5128..cc2d97dc52 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,10 @@ # define NDEBUG #endif +#if defined(DEBUG) && !defined(CHECKED) +# define CHECKED +#endif + #include #include #include @@ -258,6 +262,16 @@ void avpriv_request_sample(void *avc, # define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0) #endif +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * Clip and convert a double value into the long long amin-amax range. * This function is needed because conversion of floating point to integers when From aff4b91b8df0a9683776306375e56f4f8ddd8324 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 13:11:43 +0100 Subject: [PATCH 266/658] avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' Fixes: 664/clusterfuzz-testcase-4917047475568640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b8b7921c55a93049a86cfeb2fda9423d16f8ebe) Signed-off-by: Michael Niedermayer --- libavcodec/vp3dsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index 814c78e34a..4b6c838b70 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c 
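Review bot: The comment above the `SUINT` definitions has a typo, `debuging`, and it should also say what the macro does not do: in production builds overflow wraps silently instead of being reported, so `SUINT` makes an expression well-defined rather than correct, and results must be cast back with `(int)` where a signed value is needed (as the vp3dsp change in the next patch does). Suggested text: `// For debugging we use signed operations so overflows can be detected (by ubsan).` / `// For production we use unsigned so there are no undefined operations; overflow` / `// then wraps silently, so the result must still be in range to be meaningful.` The `#include` targets in the first hunk were lost by the page extraction.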
@@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) From 0db93a9d403de9c53b3b431a06e089a66c600989 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:22 +0100 Subject: [PATCH 267/658] avcodec/vp56: Factorize vp56_render_mb() out Signed-off-by: Michael Niedermayer (cherry picked from commit 4c0139463c8f0a6f28e7b193c2a85608a7635bbd) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 77 ++++++++++++++--------------------------------- 1 file changed, 23 insertions(+), 54 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 52f2a7dae8..5ea365375b 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -400,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - int ret; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - ret = s->parse_coeff(s); - if (ret < 0) - return ret; + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; 
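Review bot: `(int)((SUINT)(a) * (b)) >> 16` removes the signed-overflow UB but leans on two implementation-defined steps, the narrowing of an unsigned product at or above 2^31 into `int` and the right shift of a negative `int`; every compiler FFmpeg targets does two's-complement truncation and an arithmetic shift, which is worth saying on the macro: `/* wrap in unsigned, then rely on two's-complement narrowing and arithmetic >> */`. In a CHECKED build `SUINT` is `int` again, so ubsan still reports the original overflow there, which appears to be the intent.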
@@ -473,57 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } +} + +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + return 0; } static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) { - AVFrame *frame_current, *frame_ref; VP56mb mb_type; - VP56Frame ref_frame; - int b, ab, b_max, plane, off; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; else mb_type = vp56_conceal_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - frame_current = s->frames[VP56_FRAME_CURRENT]; - frame_ref = s->frames[ref_frame]; - if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + vp56_render_mb(s, row, col, is_alpha, mb_type); - ab = 6*is_alpha; - b_max = 6 - 2*is_alpha; - - switch (mb_type) { - case VP56_MB_INTRA: - for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], - s->stride[plane], s->block_coeff[b]); - } - break; - - case VP56_MB_INTER_NOVEC_PF: - case VP56_MB_INTER_NOVEC_GF: - for (b=0; bblock_offset[b]; - s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, - frame_ref->data[plane] + off, - s->stride[plane], 8); - s->vp3dsp.idct_add(frame_current->data[plane] + off, - s->stride[plane], s->block_coeff[b]); - } - break; - } - - if (is_alpha) { - s->block_coeff[4][0] = 0; - s->block_coeff[5][0] = 0; - } return 0; } From e587594741c86a54e87009551fa8a3f488d2b0a6 Mon Sep 17 00:00:00 2001 
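Review bot: The factoring changes the behaviour of `vp56_conceal_mb()`: the removed body never called `vp56_add_predictors_dc()`, but the shared `vp56_render_mb()` it now calls (defined in the previous hunk) does so unconditionally, so concealment now also runs DC prediction on `s->block_coeff`. That may be intended — the commit message only says "factorize" — but it should be either stated there or kept out of the helper, e.g. by calling `vp56_add_predictors_dc(s, ff_vp56_reference_frame[mb_type]);` from `vp56_decode_mb()` right before `vp56_render_mb()` instead of inside it. Please confirm which behaviour is wanted and record it either way.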
From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:55:02 +0100 Subject: [PATCH 268/658] avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() Fixes timeout with 686/clusterfuzz-testcase-5853946876788736 this shortcuts (i.e. speeds up) the error and return-to-user when decoding a truncated frame Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Previous version reviewed by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 7b5ff7d57355dc608f0fd86e3ab32a2fda65e752) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 20 ++++++++++++++------ libavcodec/vp8.h | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index c1c3eb7072..cc158528ef 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2275,7 +2275,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) while(0) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2291,6 +2291,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else 
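Review bot: The new guard `if (c->end <= c->buffer && c->bits >= 0)` in `decode_mb_row_no_filter()` encodes range-coder internals without a comment; what it means (presumably: the coder would need a refill but no input bytes remain) is not obvious from the two fields. Suggest `/* input exhausted and no buffered bits left: the partition is truncated, abort this row */` above it, and a line in the doc comment of the function noting the new return convention, `/* returns 0 or a negative AVERROR */`, since the signature changed from void to int.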
@@ -2394,18 +2398,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2488,13 +2493,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { if (mb_y >= s->mb_height) break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) + return ret; if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 374e1388e2..6218fe0567 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -275,7 +275,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; 
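Review bot: The new `if (ret < 0) return ret;` in `vp78_decode_mb_row_sliced()` leaves the loop without the `update_pos(td, mb_y, INT_MAX & 0xFFFF)` call that follows on success. If other slice threads wait on this thread's `thread_mb_pos` (as the `prev_td`/`next_td` locals in the same function suggest), a row that bails out on truncated input would leave them waiting for a position that is never published. Consider publishing a terminal position before returning, e.g. `update_pos(td, s->mb_height, INT_MAX & 0xFFFF);` ahead of `return ret;`, or documenting why that cannot block. The `vp8.h` hunk changing the callback's return type could also document the convention: `/* returns 0 or a negative AVERROR */`.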
From a7e924324e7c5c01db5643975c2083778793f3a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2016 21:08:48 +0100 Subject: [PATCH 269/658] avcodec/vp3: Do not return random positive values but the buf size Signed-off-by: Michael Niedermayer (cherry picked from commit d8094a303ba36344015a44d629bafc6d7094b4ac) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fa749be0b7..86e5852e32 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2022,8 +2022,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { vp3_decode_end(avctx); ret = theora_decode_tables(avctx, &gb); @@ -2031,8 +2032,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, From 17444379696d8dbf825c2e6b88d4b198da345559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:06 +0100 Subject: [PATCH 270/658] avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() Fixes timeout with 700/clusterfuzz-testcase-5660909504561152 Fixes timeout with 702/clusterfuzz-testcase-4553541576294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ce4f28431623cdde4aa496fd10430f6c7bdef63) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 14 +++++++++++++- libavcodec/vp56.h | 3 +++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 5ea365375b..0010408847 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c 
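Review bot: The `type == 1` and `type == 2` branches of `vp3_decode_frame()` now end in the same reinit-and-return sequence (`vp3_decode_end`, `vp3_decode_init`, error check, `return buf_size`), so a small `static int` helper or a shared label would keep the `return buf_size` convention in one place. Both paths call `vp3_decode_end(avctx)` before `vp3_decode_init()` and again when init fails; a one-line comment stating that `vp3_decode_end()` tolerates a second call on an already torn-down context would help the next reader — I cannot verify that from here. The value returned is the consumed byte count with no picture output, which deserves `/* header packet fully consumed, no frame produced */` at the `return buf_size;`.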
@@ -617,8 +617,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -704,8 +708,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, for (mb_col=0; mb_colmb_width; mb_col++) { if (!damaged) { int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) + if (ret < 0) { damaged = 1; + if (!s->have_undamaged_frame) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } } if (damaged) vp56_conceal_mb(s, mb_row, mb_col, is_alpha); @@ -722,6 +731,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 34d48228fd..e5c5bea963 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; From b6cbbd22739cfc3d399d337aa795c77b82ff9c46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 00:53:52 +0100 Subject: [PATCH 271/658] avcodec/vp8: remove redundant check Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5098a6f6275a57f122cd8f03e7ffbe5dd090b8e0) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index cc158528ef..fb17ff114d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
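Review bot: The `s->discard_frame` flag set inside `ff_vp56_decode_mbs()` is checked by `ff_vp56_decode_frame()` on its own `s`, but the job is run via `avctx->execute2()` with up to two jobs (`(avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1`); if the alpha job derives a separate per-plane context as its `s` — the hunk does not show how `s` is obtained in the job — its `discard_frame = 1` would never be observed, and if the two jobs can run concurrently, two plain `int` writes are a data race in the C11 sense. Please confirm the job writes the same context the caller checks, or have the caller check every context. The early `return AVERROR_INVALIDDATA` in the MB loop also skips the `next:` frame-rotation block at the end of the function; that is probably fine because the frame is discarded, but a comment saying so would help. The two new fields in `vp56.h` lack comments: `int have_undamaged_frame; /* set once a frame decoded without any damaged MB */` and `int discard_frame; /* set by a decode job to reject the frame being decoded */`.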
@@ -2497,8 +2497,6 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); if (ret < 0) From 7ba15a6315019832c30415249c9dd00d6167af92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:38 +0100 Subject: [PATCH 272/658] avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 55d7371fe0c44c025eb0e75215e0685870f31874) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 5 ++++- libavcodec/vp56.h | 2 +- libavcodec/vp56rac.c | 5 ++++- libavcodec/vp6.c | 15 +++++++++++---- libavcodec/vp8.c | 21 ++++++++++++++------- libavcodec/vp9.c | 9 +++++++-- 6 files changed, 41 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 108f16131d..7100bb455d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index e5c5bea963..c049399df8 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h 
@@ -224,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee72..e70302bf85 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 662126ca70..f0e60a3822 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; 
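Review bot: The new `if (buf_size < 1)` check in `ff_vp56_init_range_decoder()` still lets `bytestream_get_be24(&c->buffer)` read three bytes when `buf_size` is 1 or 2, i.e. past `c->end`; that is only safe if every caller hands in memory with readable bytes beyond `buf_size` (input packet padding, or the rest of a larger packet for sub-partitions). Either the check should become `buf_size < 3`, if no valid stream carries a shorter partition, or the reliance should be written down: `/* a 1- or 2-byte buffer reads up to 2 bytes past end; callers must provide AV_INPUT_BUFFER_PADDING_SIZE padding */`. The prototype change in `vp56.h` in the previous hunk would also benefit from `/* returns 0, or AVERROR_INVALIDDATA if buf_size < 1 */`.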
@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + return ret; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -165,7 +170,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + return ret; s->ccp = &s->cc; } } else { diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index fb17ff114d..a3d057d62e 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -261,6 +261,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -274,13 +275,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) 
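Review bot: The three new early returns in `vp6_parse_header()` (this hunk and the two that follow it in libavcodec/vp6.c) can fire after `res` has already been set to `VP56_SIZE_CHANGE`, i.e. after `ff_set_dimensions()` in the earlier hunk has applied a new size to `s->avctx`; the caller then sees an error while the context keeps dimensions belonging to a frame that was never parsed. Whether that state is harmless depends on what the caller does on error, which I cannot see from here — if it is not, the failing paths should undo the size change before returning (a shared `fail:` label that resets the dimensions when `res == VP56_SIZE_CHANGE` would keep that in one place). At minimum a comment at the first call site, `/* note: dimensions may already have been changed above */`, would flag it.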
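Review bot: In `setup_partitions()` the new `return ret;` propagates an AVERROR code while the existing `if (buf_size - size < 0) return -1;` two lines above still returns a bare -1, so the function now mixes error conventions. If callers only test for a negative value, switching that line to `return AVERROR_INVALIDDATA;` is a harmless consistency fix. The final `return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);` hides that the last partition takes whatever bytes remain; `/* last partition: everything that is left */` above it would help.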
@@ -518,7 +519,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -570,7 +573,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -699,7 +704,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 3b721495d9..9118b05fcd 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -844,7 +844,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; 
@@ -4128,7 +4131,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; From e365921419e191f0a1aa34d8904f36d7b5bc98ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:39 +0100 Subject: [PATCH 273/658] avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 2 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 1afd246960202917e244c844c534e9c1e3c323f5) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a3d057d62e..6759b310f0 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2330,6 +2330,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { From 4c66ead5b7a84c068381a63a2b7a07af8d5cf238 Mon Sep 17 00:00:00 2001 From: Thomas Guilbert Date: Fri, 10 Mar 2017 00:15:39 +0100 Subject: [PATCH 274/658] avcodec/vp8: Fix hang with slice threads Fixes: 447860.webm Reviewed-by: "Ronald S. Bultje" 
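Review bot: The new `if (res < 0) return res;` after `ff_vp56_init_range_decoder(&s->c_b[tile_col], ...)` in `vp9_decode_frame()` returns without `ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0)`, while both neighbouring error paths in the same hunk call it before their `return AVERROR_INVALIDDATA;`. With frame threading, a consumer waiting on this frame's progress could then wait indefinitely, so the new path should match its neighbours: `if (res < 0) { ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return res; }`. The enclosing tile loop continues outside the hunk.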
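Review bot: The per-macroblock guard `if (c->end <= c->buffer && c->bits >= 0)` added at the top of the `mb_x` loop in `decode_mb_row_no_filter()` appears to make the identical row-start check added earlier in this series (before the `prev_td` setup) redundant, since the first iteration performs it before any macroblock is decoded; keeping a single copy avoids two places to update if the condition changes. A comment naming the condition would help here as well: `/* range coder exhausted: truncated partition, abort this row */`. Returning mid-row leaves this thread's published position at the last `update_pos()` value, which the sliced caller presumably has to account for.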
Signed-off-by: Michael Niedermayer (cherry picked from commit 9bbc73ae9fdedc8789b2b6be65279e9a0ecd7090) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 6759b310f0..068223920e 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2508,8 +2508,10 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); - if (ret < 0) + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); From b8814515c63fddd48e4b9e57b6d805505490941d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2017 17:55:32 +0100 Subject: [PATCH 275/658] avcodec/vp56: Reset have_undamaged_frame on resolution changes Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e913f212907048d7009cf2f15551781c69b9985) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 0010408847..9d4162bb96 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -507,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; From 8c36b7ab360d11c3509ac8dfd697975aefc33a89 Mon Sep 17 00:00:00 2001 
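Review bot: The added `update_pos(td, s->mb_height, INT_MAX & 0xFFFF);` on the error path in `vp78_decode_mb_row_sliced()` has no comment, and its purpose — publishing a past-the-end position so threads waiting on this row wake up instead of hanging — is not visible from the call itself. Suggest `/* publish a terminal position so waiting slice threads do not block on the aborted row */` above it.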
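Review bot: `s->have_undamaged_frame = 0;` in `vp56_size_changed()` needs a why-comment, since the link between a resolution change and error concealment is not obvious at that spot; the commit message names the symptom (a timeout) but not the mechanism. Suggest `/* frames decoded before the size change cannot serve as concealment references; require a clean frame at the new size first */` — assuming that is the intent, which the hunk alone does not show.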
From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:06 +0100 Subject: [PATCH 276/658] avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() Fixes: 807/clusterfuzz-testcase-6470061042696192 Fixes null pointer dereference Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 967feea5ebb744dce97ab327d33502b43fca0c7f) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index f0e60a3822..4afd67b3a4 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -108,7 +108,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); if (ret < 0) - return ret; + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -162,9 +162,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; @@ -172,7 +171,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } else { ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); if (ret < 0) - return ret; + goto fail; s->ccp = &s->cc; } } else { @@ -180,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) From 77ffc7596cb723c0a8d66b90a5cfdc0326aad860 Mon Sep 17 00:00:00 2001 
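Review bot: The new `fail:` path in `vp6_parse_header()` converts three error returns to `goto fail`, but the range-decoder init at `buf+1` from the earlier patch in this series (`ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); if (ret < 0) return ret;`, not touched here) still returns directly; that is correct only if `res` can never be `VP56_SIZE_CHANGE` on that branch, which the diff does not show. Either convert it too, for uniformity, or add `/* no size change possible on this path, direct return is fine */` at that site. The condition also changed from `key_frame` to `res == VP56_SIZE_CHANGE`, so dimensions are now reset only when this header actually changed them; `/* undo a dimension change that this (rejected) header applied */` at `fail:` would make that explicit, and the deliberately ignored return value of `ff_set_dimensions(s->avctx, 0, 0)` deserves a `(void)` cast or a word of comment.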
From: Michael Niedermayer Date: Fri, 11 Nov 2016 02:25:42 +0100 Subject: [PATCH 277/658] avcodec/htmlsubtitles: Fix reading one byte beyond the array Fixes: fuzz-2-ffmpeg_SUBTITLE_AV_CODEC_ID_SUBRIP_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 04bd1b38ee6b8df410d0ab8d4949546b6c4af26a) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index a2cd40fad3..8b57febd26 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -146,7 +146,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) if (stack[sptr].param[i][0]) av_bprintf(dst, "%s", stack[sptr].param[i]); } - } else if (!tagname[1] && strspn(tagname, "bisu") == 1) { + } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) { av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close); } else { unknown = 1; From e82cddfd05ac5700a6a0dbcf6f636b574c26774d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:32:48 +0100 Subject: [PATCH 278/658] avcodec/eac3dec: Fix runtime error: left shift of negative value Fixes: 610/clusterfuzz-testcase-4831030085156864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 067485b673f6ac4b1207d6fc975d1fd968edc68e) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 47e5aa6587..a406a45a03 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c 
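Review bot: The added `tagname[0] &&` in `ff_htmlmarkup_to_ass()` stops the read of `tagname[1]` for an empty tag name, but nothing at the site says why the extra test exists, and since `strspn(...) == 1` is false for an empty name anyway a future cleanup could drop it as "redundant". Suggest `/* tagname[0] is tested first so an empty name never reads tagname[1] past the terminator */` above the `else if`. Writing the condition as `strlen(tagname) == 1 && strspn(tagname, "bisu") == 1` would express "single b/i/s/u letter" without the hazard at all.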
@@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,12 +271,12 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ From f03df423ab023123dbcc6ae2016a1e1131f8788b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:39:13 +0100 Subject: [PATCH 279/658] avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 Fixes: 611/clusterfuzz-testcase-5613455820193792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c91bdd4524815125e1f7d8dee22ee7a73173c39a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 76b36402d7..032ed577b5 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
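Review bot: `mant = ((unsigned)mant) << (23 - (mbits - 1));` in `ff_eac3_decode_transform_coeffs_aht_ch()` removes the UB on a negative left operand but then depends on the implementation-defined unsigned-to-int conversion to restore the sign, and the shift count itself is unchecked: `mbits` comes from `bits - (2 - log_gain)`, so a small `bits` makes `23 - (mbits - 1)` large, and a count of 32 or more is still undefined. If the tables guarantee the range, say so at the line: `/* shift count is 24 - mbits; mbits is bounded by the bits/log_gain tables — confirm */`. A comment on the `(unsigned)` cast, `/* shift in unsigned: a negative mant would be UB */`, would also stop it from being "simplified" away.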
@@ -1137,7 +1137,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ From 535c1411d7467567b9982c9c4772b8bf92a838a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 21:33:27 +0100 Subject: [PATCH 280/658] avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative Fixes: 612/clusterfuzz-testcase-4707817137111040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa2b75263e17651187b1475551a02aa2f4ff65fe) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index a19b374670..f7f7ac21d4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -367,6 +367,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + + if (shift_c < 0 || shift_y < 0) { + avpriv_request_sample(s->avctx, "Too large sprite shift"); + return AVERROR_PATCHWELCOME; + } + for (i = 0; i < 2; i++) { s->sprite_offset[0][i] *= 1 << shift_y; s->sprite_offset[1][i] *= 1 << shift_c; From 11c2a96c23061ff054d61644a83dbec6aceb6ceb Mon Sep 17 00:00:00 2001 
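Review bot: The new `shift_c < 0 || shift_y < 0` check in `mpeg4_decode_sprite_trajectory()` makes the `1 << shift_y` / `1 << shift_c` shifts below it well-defined, but the multiplications `s->sprite_offset[0][i] *= 1 << shift_y;` that follow remain unchecked: with `shift_y` as large as 16 (if `sprite_shift` is non-negative) any offset above `INT_MAX >> 16` overflows `int`, the same class of UB this patch targets. A bound such as `FFABS(s->sprite_offset[0][i]) >= INT_MAX >> shift_y` should be rejected alongside the shift test. `AVERROR_PATCHWELCOME` with `avpriv_request_sample()` labels the condition an unsupported feature; if a negative shift is simply an invalid stream (the diff does not show how `sprite_shift` is derived), `AVERROR_INVALIDDATA` would be the more accurate code.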
From: Michael Niedermayer Date: Sun, 19 Feb 2017 22:40:29 +0100 Subject: [PATCH 281/658] avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' Fixes: 614/clusterfuzz-testcase-4931860079575040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 258763ad0e1efff82bbe2beb97527d3c19f40932) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 68d7282717..d23b4fc6f1 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1744,7 +1744,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ From d837140eb4e0d81ca737b4dc379b579cec9ebe62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 03:05:32 +0100 Subject: [PATCH 282/658] avcodec/rv40: Fix runtime error: left shift of negative value Fixes: 630/clusterfuzz-testcase-6608718928019456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 956472a3236cc8eaeba5147c55b51bde6005c898) Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 +- libavcodec/rv40dsp.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index e5ba215b68..dfeebda838 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c 
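Review bot: `coeff_abs += 14U;` inside the residual macro of `decode_cabac_residual_internal()` performs the add in unsigned, but the result is then converted back to whatever type `coeff_abs` has (not visible in the hunk); if that is `int`, an out-of-range result becomes implementation-defined, and the preceding loop `coeff_abs += coeff_abs + get_cabac_bypass( CC );` is still a signed doubling that can overflow on a corrupt stream before the `14U` is reached. If `coeff_abs` is declared `int`, declaring it `unsigned` (or `SUINT`, introduced earlier in this series) would cover the loop as well. Either way a comment such as `/* corrupt streams can drive coeff_abs to INT_MAX; add in unsigned so the wrap is defined */` records why the literal carries a `U`.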
@@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e93696..95ba0a9259 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; From f0f4b66dff89fc3a26fd2e2cfa69d7f597636be5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 17:32:56 +0100 Subject: [PATCH 283/658] avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 Fixes: 639/clusterfuzz-testcase-5143866241974272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 631f7484918a9e7260377c3cea878be708609e64) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 5e3c0eac07..228f6ace49 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -524,7 +524,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } From cae07dd27fc6fb2cc1ee713d52175140a38750b9 Mon Sep 17 00:00:00 2001 
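Review bot: The `A + B * (1 << 4) + C * (1 << 8)` rewrite in `rv40_decode_intra_types()` — and the same `x * (1 << n)` idiom in the `rv40_weak_loop_filter()`, `ituh263dec.c`, `get_amv()` and both `gmc1_motion()` hunks that follow — is correct but unexplained: a reader seeing `t *= 1 << 2;` will be tempted to "simplify" it back to `t <<= 2`, reintroducing the UB on negative values this series is removing. One shared comment at the first occurrence in each file, e.g. `/* multiply, do not shift: left-shifting a negative int is undefined, the multiply is not (compilers typically emit the same instruction) */`, would protect the change. In `gmc1_motion()` the count `3 - s->sprite_warping_accuracy` is assumed non-negative; if that field is range-checked where it is parsed, a note to that effect at the multiply would make the assumption visible.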
From: Michael Niedermayer Date: Wed, 22 Feb 2017 01:22:24 +0100 Subject: [PATCH 284/658] avcodec/mpeg4video: Fix runtime error: left shift of negative value Fixes: 644/clusterfuzz-testcase-4726434209726464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6179dc8aa7e5fc5358b9614306f93f1adadf22a4) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- libavcodec/mpegvideo_motion.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f7f7ac21d4..9cd91b3ad0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -510,7 +510,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index c29810f598..ef32757780 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; 
@@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; From 0df55b0ffc2ecf82c097cd9d97c82fb92dd5362c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Feb 2017 21:57:49 +0100 Subject: [PATCH 285/658] avcodec/mpeg4videodec: Check sprite_offset in addition to shifts Fixes: 651/clusterfuzz-testcase-5710668915277824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6871df02d973c9ffc1aa4f6d08fb4b1b63d411be) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 9cd91b3ad0..f35e892487 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -368,8 +368,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0) { - avpriv_request_sample(s->avctx, "Too large sprite shift"); + if (shift_c < 0 || shift_y < 0 || + FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); return AVERROR_PATCHWELCOME; } 
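Review bot: The four new offset bounds use FFABS(), which negates its argument, so `FFABS(s->sprite_offset[0][0])` is itself signed overflow when the offset is INT_MIN, and the (still negative) result compares below `INT_MAX >> shift_y` and passes the check that is meant to catch exactly such extremes. Whether INT_MIN is reachable from the trajectory arithmetic is not visible here, but doing the comparison in 64 bits removes the question: `llabs((int64_t)s->sprite_offset[0][0]) >= INT_MAX >> shift_y` for each of the four terms. The short-circuit order is right as written: `shift_c < 0 || shift_y < 0` is tested first, so `INT_MAX >> shift_y` is never evaluated with a negative count. mpeg4_decode_sprite_trajectory() continues outside the hunk.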
From 72d01d4c14f73a46e7879d547d42ffe0c4382b5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Feb 2017 22:33:16 +0100 Subject: [PATCH 286/658] avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows This is not necessarily specific to fuzzed files Fixes: Multiple integer overflows Fixes: 656/clusterfuzz-testcase-6463814516080640 Fixes: 658/clusterfuzz-testcase-6691260146384896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76ba09d18245a2a41dc5f93a60fd00cdf358cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f35e892487..fa32e31f5a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -384,6 +384,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + return AVERROR_PATCHWELCOME; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } From b8883af656eb7613d7b0f4bb850efb205d91ff9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:24 +0100 Subject: [PATCH 287/658] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 671/clusterfuzz-testcase-4990381827555328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol 
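Review bot: The three new checks read `s->sprite_offset[i][0]` as the base for both i and run inside the loop that is still scaling `s->sprite_delta[0][i]` and `s->sprite_delta[1][i]` in the same iteration, so for i == 0 the test uses `sprite_delta[0][1]` before it has been multiplied by `1 << shift_y`. Whether the intended pairing is offset[0][i] with delta[i][0] (x) and delta[i][1] (y) follows from the GMC code, which is not in this hunk, but as written the terms being tested are not the values that will be used. Moving the checks into a second `for (i = 0; i < 2; i++)` loop after the scaling, with `s->sprite_offset[0][i]` as the base, makes them test the final values. A comment naming what is bounded would help too, e.g. `/* the GMC code adds delta*x and delta*y to the offset in int; reject anything that could overflow */`. The function continues outside the hunk.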
Signed-off-by: Michael Niedermayer (cherry picked from commit aff8cf18cb0b1fa4f2e3d163c3da2f25aa6d1906) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index c585ec612f..3ae4d09a84 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -948,8 +948,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; From fc5b7e10921733a8f073970b113d86e0f1196d05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:25 +0100 Subject: [PATCH 288/658] avcodec/eac3dec: Fix runtime error: left shift of negative value -3 Fixes: 672/clusterfuzz-testcase-5595018867769344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87eb3749708c0eb2978f4812c7be2a4af667fdb7) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index a406a45a03..939c06d4df 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -280,7 +280,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; From 0456e2f3e0503082a5966a2cfb84da19a5b12cf5 Mon Sep 17 00:00:00 2001 
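Review bot: `mant *= (1 << 24 - bits);` relies on `-` binding tighter than `<<`, so it does compute `1 << (24 - bits)` as the old `mant <<= 24 - bits` did, but the parentheses are placed so that it reads as `(1 << 24) - bits` at a glance; `mant *= 1 << (24 - bits);` says what is meant. The shift count still requires `bits <= 24` to be defined, which presumably comes from the table that sets `bits`, outside the hunk. ff_eac3_decode_transform_coeffs_aht_ch() starts and ends outside the hunk.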
From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:27:59 +0100 Subject: [PATCH 289/658] avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 Fixes: 674/clusterfuzz-testcase-6713275880308736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25e93aacc2142f3b57f1e63c67ca46d304f154ef) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index fa32e31f5a..b8d4393779 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -283,12 +283,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * From a0366ef7e74f32f72d4611019fefd14076f4b5bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:28:00 +0100 Subject: [PATCH 290/658] avcodec/pictordec: Check plane value before doing value/mask computations Fixes integer overflow Fixes: 675/clusterfuzz-testcase-6722971232108544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e400a8807dca7b0ffa3841df2e31f7419abb8d) 
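Review bot: `sprite_ref[0][0] * (1 << alpha + rho)` parses as `1 << (alpha + rho)`, matching the old `<< (alpha + rho)`, but the dropped inner parentheses invite misreading as `(1 << alpha) + rho`; write `* (1 << (alpha + rho))` on both changed lines, as the unchanged rounding term `(1 << (alpha + rho - 1))` in the same expression already does. The multiply can still overflow int if `alpha + rho` approaches 31 or sprite_ref is large; alpha, rho and sprite_ref are set earlier in mpeg4_decode_sprite_trajectory(), outside the hunk, so confirm the later overflow checks cover this case-2 path. The function continues outside the hunk.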
Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index a3d72e3f25..a09ee379c0 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; - value <<= bits_per_plane; - mask <<= bits_per_plane; if (*plane >= s->nb_planes) return; + value <<= bits_per_plane; + mask <<= bits_per_plane; } } } From a72b17ca403d6ec0624ffc368297bf5e7fca3549 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:13:24 +0100 Subject: [PATCH 291/658] avcodec/h264_direct: Fix runtime error: left shift of negative value -14 Fixes: 682/clusterfuzz-testcase-4799120021651456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4bd3f1ce3e68a9348e97ec07a247048ea72ed808) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index e137ff9227..e9570b8eb2 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -613,7 +613,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, From cd09ad190f03dfe5fa2e7d1baed4cd75db12df17 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 1 Mar 2017 16:32:09 +0100 Subject: [PATCH 292/658] avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 Fixes: 693/clusterfuzz-testcase-6109776066904064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b72d5cd6f9341dcafdbc1b9030166aa987b8304) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 032ed577b5..7a83383441 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1157,7 +1157,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; From e34feaf93e9f07a8668e3d70d64abde3a5263354 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:07 +0100 Subject: [PATCH 293/658] avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() Also clear the state on errors Fixes integer overflows in 701/clusterfuzz-testcase-6594719951880192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb41956636fc264fe2077b78ef00591d83bbbace) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b8d4393779..bb878569e9 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -375,7 +375,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - return AVERROR_PATCHWELCOME; + goto overflow; } for (i = 0; i < 2; i++) { @@ -385,17 +385,23 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; - if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + } + for (i = 0; i < 2; i++) { + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); - return AVERROR_PATCHWELCOME; + goto overflow; } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { From b69f97933126daa169a5430a15fa8eb0d65e9240 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:04 +0100 Subject: [PATCH 294/658] avcodec/adxdec: Fix runtime error: left shift of negative value -1 Fixes: 705/clusterfuzz-testcase-5129572590813184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d23727e0420b9f77f0d4cb28b43819b402f702e5) 
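Review bot: The new `overflow:` path zeroes sprite_offset and sprite_delta but leaves `ctx->sprite_shift[i] = 16`, set in the first loop before the checks run, and `s->real_sprite_warping_points`, which is only assigned on the success path, so a rejected trajectory leaves a 16-bit shift describing all-zero offsets and a point count from the previous VOP. That is probably harmless for zero deltas, but a self-consistent reset is easier to reason about; what the GMC code does with real_sprite_warping_points on the next frame is outside this hunk, so treat this as a question. Suggest `memset(ctx->sprite_shift, 0, sizeof(ctx->sprite_shift));` and `s->real_sprite_warping_points = 0;` alongside the two existing memsets, plus a comment on the label such as `/* leave a neutral (zero) sprite so the error is recoverable */`. mpeg4_decode_sprite_trajectory() starts outside the hunk.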
Signed-off-by: Michael Niedermayer --- libavcodec/adxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 32cc0f005a..178ea99dcf 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; From 67d84d2c48a61c6009fb4bcc08f0c196c6d6115e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:06 +0100 Subject: [PATCH 295/658] avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value Fixes: 710/clusterfuzz-testcase-5091051431788544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab998f4c7faf90d0e46b6ead38a1df1f6a31e2eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mvpred.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index be02e5af9b..d73d0066dd 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ From ce54743d828050c14cbe4ccc39e67de557b46731 Mon Sep 17 00:00:00 2001 
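Review bot: `(d * (1 << COEFF_BITS)) * scale` is now well defined for negative d, but the whole sum is still evaluated in int: with d a 4-bit signed value and COEFF_BITS presumably 12, `d * 4096 * scale` already comes within a few thousand of INT_MAX when `scale` is a 16-bit field, and adding `c->coeff[0] * s1 + c->coeff[1] * s2` on top can overflow before the `>> COEFF_BITS`. The ranges of scale and coeff are set outside this hunk, so this needs confirming; if they are not already clipped, accumulating in 64 bits is the simple fix: `s0 = ((d * (1 << COEFF_BITS)) * (int64_t)scale + c->coeff[0] * (int64_t)s1 + c->coeff[1] * (int64_t)s2) >> COEFF_BITS;` — av_clip_int16() on the next line already narrows the result. adx_decode() starts and ends outside the hunk.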
From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:05 +0100 Subject: [PATCH 296/658] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 Fixes: 709/clusterfuzz-testcase-4789836449841152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d757ddbaab8f03b3664788e620314b70ac791319) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 3ae4d09a84..eb90af2143 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -497,7 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); ff_tlog(s->avctx, "dc=%d\n", block[0]); mismatch = block[0] ^ 1; i = 0; From 49697df49c72e36dc423c2aad0d2078c16234143 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 20:12:20 +0100 Subject: [PATCH 297/658] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' This checks the sprite delta intermediates for overflow Fixes: 716/clusterfuzz-testcase-4890287480504320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fab13bbbcdf92da165f1a6be94fbb8f87fac639a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index bb878569e9..2bf4342adf 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -389,7 +389,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; } From e92e587ceeb08af30ac5589f064cf5ab70ab2047 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Mar 2017 04:55:15 +0100 Subject: [PATCH 298/658] avcodec/wavpack: Fix runtime error: left shift of negative value -2 Fixes: 723/clusterfuzz-testcase-6471394663596032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ba150051322c02e24c004bd5309468886e1e5ab6) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 16fdfa158c..40601d9036 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
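Review bot: The second added term, `llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX`, scales the y-delta by the width, while every other check in this block pairs `sprite_delta[i][1]` with `(h+16LL)`. If the consumer multiplies delta[i][1] by a y coordinate, as the surrounding offset checks assume, then for h > w the intermediate `delta[i][1] * y` is not bounded by this test, and the combined offset+delta*h check above it does not bound the product on its own because a large negative offset can cancel it. Presumably `(h+16LL)` was intended: `llabs(s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX`. The enclosing function is outside the hunk.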
@@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; From 9beb60855bebcc25d342d680c4991a49a7fa8d5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Mar 2017 21:52:36 +0100 Subject: [PATCH 299/658] avcodec/wavpack: Fix runtime error: left shift of negative value -5 Fixes: 729/clusterfuzz-testcase-5154831595470848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3016e919d4e1d90da98af19ce2a9d4979506eaf3) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 40601d9036..046abe272c 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { From 90c408fa65f36893811d81c8509fe7814cc48ebe Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 8 Mar 2017 21:41:34 +0100 Subject: [PATCH 300/658] avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 Fixes: 733/clusterfuzz-testcase-4682158096515072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 800d02abe041deacab5585bf41c1bc2ae5f4b922) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7a83383441..a073c0967e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1196,13 +1196,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { From f487f9bfdfa7a9aafceb87e55b6df36291579dac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2017 21:53:15 +0100 Subject: [PATCH 301/658] avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 Fixes: 734/clusterfuzz-testcase-4821293192970240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 222c9f031de3315af62be6d7a99c71105e516088) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mvpred.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index d73d0066dd..cb7faa68f9 100644 
--- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon } if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) { // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK. - SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); + SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); } } #undef SET_DIAG_MV From d9e54c335d56958d22843c4f67a675229a325554 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2017 22:25:08 +0100 Subject: [PATCH 302/658] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' Fixes: 736/clusterfuzz-testcase-5580263943831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2a4f1a9eb2c1ef3feed4a4f04db7629f2b61084) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2bf4342adf..50efe2ed9c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
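Review bot: The context comment directly above the changed line still says "left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE", but the macro argument is now `*2`; the arithmetic is the same, yet a reader checking that claim will look for a shift that no longer exists. Update it to match: `// multiplying by 2 turns LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK.` SET_DIAG_MV itself and fetch_diagonal_mv() start outside the hunk.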
@@ -387,11 +387,21 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } for (i = 0; i < 2; i++) { + int64_t sd[2] = { + s->sprite_delta[i][0] - a * (1LL<<16), + s->sprite_delta[i][1] - a * (1LL<<16) + }; + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; From 92d6b2b9342d12aea84ed9099d086e99137acf36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Mar 2017 03:55:39 +0100 Subject: [PATCH 303/658] avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 Fixes: 763/clusterfuzz-testcase-6007567320875008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44e2105189ac66637f34c764febc349238250b1d) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 999bfb99dc..57aed874cc 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
@@ -262,7 +262,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; From 025dc25ecbf1baae48927abca2fa6f2271bed47c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:05 +0100 Subject: [PATCH 304/658] avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' Fixes: 768/clusterfuzz-testcase-4807444305805312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a66c6e28b543804f50df1c6083a204219b6b1daa) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 06acdc50c9..c9cedfe8b2 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1630,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } From bafec54a93288a534c2fd8d4a6debbfab425a769 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 02:51:15 +0100 Subject: [PATCH 305/658] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 822/clusterfuzz-testcase-4873433189974016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7cebc5a9ccba0de7bddf7900ae85652ebc66141c) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 046abe272c..f828fc725b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -837,7 +837,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 31) { av_log(avctx, AV_LOG_ERROR, "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); continue; From 139a5390623b01453ce6fe9aab913200844a25a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:08 +0100 Subject: [PATCH 306/658] avcodec/tiff: Check for multiple geo key directories Fixes memleak Fixes: 826/clusterfuzz-testcase-5316921379520512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 108b02e5471c1dae248200db694aba9b7b8555a8) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 4be587d569..ecafd2ddf1 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1035,6 +1035,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); From f4b8e7f2c692f8d9d06d107e8f042a8523c3be6c Mon Sep 17 00:00:00 2001 
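Review bot: Lowering the limit to `val[0] > 31` still admits extra_bits == 31, and the consumer changed earlier in this series, `S *= 1 << s->extra_bits;` in wv_get_value_integer(), then evaluates `1 << 31`, which overflows int before S is even multiplied; the check should be `if (val[0] > 30)`. The log text also still says `(> 32)` while the test is now `> 31`, so the two disagree; `"Invalid INT32INFO, extra_bits = %d (> 30)\n"` keeps them in step. wavpack_decode_block() continues outside the hunk.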
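Review bot: The new `avpriv_request_sample(s->avctx, "Multiple geo key directories\n");` passes a trailing newline, but the other request_sample calls in this series ("Too large sprite shift or offset", "Overflow on sprite points") pass none, because the helper formats the message into a longer sentence of its own; the `\n` here splits that log line in the middle. Drop the `\n`. A duplicate tag is also malformed input rather than a missing feature, so either keep AVERROR_INVALIDDATA and log with `av_log(s->avctx, AV_LOG_ERROR, "Multiple geo key directories\n");`, or keep request_sample and return AVERROR_PATCHWELCOME as its other callers do. tiff_decode_tag() starts and ends outside the hunk.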
From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:09 +0100 Subject: [PATCH 307/658] avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 Fixes undefined behavior Fixes: 830/clusterfuzz-testcase-6253175327686656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ebed703f153e979edb2156754c8bdac4d5d6266) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index ffd680b34f..37b1af9bd9 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -253,7 +253,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } From 91f821ed5d55e150c64d2b9b07800ba180668bb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 02:00:17 +0100 Subject: [PATCH 308/658] avcodec/tiff: Check stripsize strippos for overflow Fixes: 861/clusterfuzz-testcase-5688284384591872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d996b56499f00f80b02a41bab3d6b7349e36e9d) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index ecafd2ddf1..70e34b469d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -904,6 +904,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else 
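Review bot: The error text `"strippos %u too large\n"` names `strippos`, but the value being rejected is the one stored into `s->stripoff` (the hunk sets `s->strippos = 0` right after), so the log points a user at the wrong field; `"stripoff %u too large\n"` would match, mirroring the `stripsize` message in the sibling hunk. The `else` branch for count != 1 lies outside the hunk, so whether multi-strip offsets get an equivalent bound cannot be judged here. tiff_decode_tag() starts and ends outside the hunk.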
@@ -915,6 +920,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
 break;
 case TIFF_STRIP_SIZE:
 if (count == 1) {
+ if (value > INT_MAX) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "stripsize %u too large\n", value);
+ return AVERROR_INVALIDDATA;
+ }
 s->stripsizesoff = 0;
 s->stripsize = value;
 s->strips = 1;
From 184d957b5401b209fcaf0efecf0f7e973e4f78d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 11:20:46 +0100 Subject: [PATCH 309/658] avcodec/vp56: Check avctx->error_concealment before enabling EC Fixes timeout with 847/clusterfuzz-testcase-5291877358108672 Fixes timeout with 850/clusterfuzz-testcase-5721296509861888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98da63b3f5f5a277c5c3a16860db9a9f6741e54c) Signed-off-by: Michael Niedermayer
---
 libavcodec/vp56.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 9d4162bb96..bfc3d3bc7c 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -712,7 +712,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
 int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
 if (ret < 0) {
 damaged = 1;
- if (!s->have_undamaged_frame) {
+ if (!s->have_undamaged_frame || !avctx->error_concealment) {
 s->discard_frame = 1;
 return AVERROR_INVALIDDATA;
 }
From 8fc7fd63f21fc7c6c25b13805864626e15a886c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Mar 2017 01:55:01 +0100 Subject: [PATCH 310/658] avcodec/tiff: Check geotag count for being non zero Fixes memleak Fixes: 874/clusterfuzz-testcase-5252796175613952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3182e19c1c29eef60208a67ad8ecad1d9a2d0694)
Signed-off-by: Michael Niedermayer
---
 libavcodec/tiff.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 70e34b469d..3bc31a4545 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1056,7 +1056,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
 s->geotag_count = count / 4 - 1;
 av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
 }
- if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+ if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4
+ || s->geotag_count == 0) {
 s->geotag_count = 0;
 return -1;
 }
From 840d5bf994d9249ad6050d889ed0157498bbe2c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Mar 2017 00:17:05 +0100 Subject: [PATCH 311/658] avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int' Fixes: 902/clusterfuzz-testcase-4561155144024064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 4f727fbc7330e726d003e2961fa676ddaf86f994) Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 943d953645..1aa5532e15 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
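Review bot: The `return -1;` following the extended condition is a bare -1, while the other malformed-input rejections in tiff_decode_tag in this series return `AVERROR_INVALIDDATA`; since the new `geotag_count == 0` case is exactly such a rejection, `return AVERROR_INVALIDDATA;` would be the consistent choice. Testing `s->geotag_count == 0` before the bytes-left comparison would also read more naturally, as the multiplication is meaningless for a zero count. tiff_decode_tag starts before the hunk and continues after it.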
@@ -803,8 +803,8 @@ int ff_h264_decode_picture_parameter_set(GetBitContext *gb, AVCodecContext *avct
 pps->weighted_pred = get_bits1(gb);
 pps->weighted_bipred_idc = get_bits(gb, 2);
- pps->init_qp = get_se_golomb(gb) + 26 + qp_bd_offset;
- pps->init_qs = get_se_golomb(gb) + 26 + qp_bd_offset;
+ pps->init_qp = get_se_golomb(gb) + 26U + qp_bd_offset;
+ pps->init_qs = get_se_golomb(gb) + 26U + qp_bd_offset;
 pps->chroma_qp_index_offset[0] = get_se_golomb(gb);
 pps->deblocking_filter_parameters_present = get_bits1(gb);
 pps->constrained_intra_pred = get_bits1(gb);
From 987675ba0d942ff5cbb1a7c7486c0553006c6890 Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Wed, 30 Nov 2016 16:13:14 -0800 Subject: [PATCH 312/658] avcodec/vdpau_hevc: Fix potential out-of-bounds write The maximum number of references is 16, so the index value cannot exceed 15. Fixes Coverity CID 1348139, 1348140, 1348141 (cherry picked from commit 4e6d1c1f4ec83000a067ff14452b34c1f2d2a43a) Signed-off-by: Michael Niedermayer
---
 libavcodec/vdpau_hevc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vdpau_hevc.c b/libavcodec/vdpau_hevc.c
index 03c61dc6cc..ce2610f67f 100644
--- a/libavcodec/vdpau_hevc.c
+++ b/libavcodec/vdpau_hevc.c
@@ -234,7 +234,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx,
 const HEVCFrame *frame = &h->DPB[i];
 if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF | HEVC_FRAME_FLAG_SHORT_REF))) {
- if (j > 16) {
+ if (j > 15) {
 av_log(avctx, AV_LOG_WARNING, "VDPAU only supports up to 16 references in the DPB. " "This frame may not be decoded correctly.\n");
From 6522a5dcf09fe680342ee573fc1945ab622c7698 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 5 Dec 2016 09:24:47 -0800 Subject: [PATCH 313/658] omx: Fix OOM check Also use av_mallocz_array(). Fixes CID1396839. (cherry picked from commit 16a75304fe42d3a007c78126b6370c94ccf891f6)
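Review bot: Adding `26U` makes the expression unsigned so the addition is no longer undefined, but a hostile `get_se_golomb()` value now wraps into an arbitrary int stored in `pps->init_qp`/`pps->init_qs` with no indication at this point; unless the range is validated later in ff_h264_decode_picture_parameter_set (outside the hunk), a check against the range the spec permits, e.g. `if (pps->init_qp > 51 + qp_bd_offset) return AVERROR_INVALIDDATA;`, would be the natural follow-up — hedged, since I cannot see whether one already exists. A short comment `/* 26U: unsigned arithmetic, out-of-range SE values wrap rather than overflow */` would explain the unusual literal to the next reader. The function starts before the hunk and continues after it.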
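Review bot: The literal in `if (j > 15)` is now off by one from the `16` quoted in the warning text directly below it, which is correct but easy to misread as a mistake; a comment such as `/* j indexes the 16-entry reference arrays, so 15 is the last valid slot */` would make the relationship explicit, or the bound could be written in terms of the array's declared size if it has a named one. vdpau_hevc_start_frame starts before the hunk and continues after it.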
Signed-off-by: Michael Niedermayer
---
 libavcodec/omx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/omx.c b/libavcodec/omx.c
index 375dd1969c..1dabbbbf3f 100644
--- a/libavcodec/omx.c
+++ b/libavcodec/omx.c
@@ -352,12 +352,12 @@ static av_cold int find_component(OMXContext *omx_context, void *logctx,
 av_log(logctx, AV_LOG_WARNING, "No component for role %s found\n", role);
 return AVERROR_ENCODER_NOT_FOUND;
 }
- components = av_mallocz(sizeof(char*) * num);
+ components = av_mallocz_array(num, sizeof(*components));
 if (!components)
 return AVERROR(ENOMEM);
 for (i = 0; i < num; i++) {
 components[i] = av_mallocz(OMX_MAX_STRINGNAME_SIZE);
- if (!components) {
+ if (!components[i]) {
 ret = AVERROR(ENOMEM);
 goto end;
 }
From d4aea81f2cce69a54f9a7bc4b5106982b7bd6f10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2017 16:37:56 +0100 Subject: [PATCH 314/658] avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit This should make no difference as the value should not be able to be that large but its more correct this way Fixes CID1348138 Signed-off-by: Michael Niedermayer (cherry picked from commit f48b6b8b91d63148ef50d096688ed7226cd6ddf4) Signed-off-by: Michael Niedermayer
---
 libavcodec/tiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 3bc31a4545..af433d9a4e 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride
 const uint8_t *src, int size, int width, int lines,
 int strip_start, int is_yuv)
 {
- uint64_t outlen = width * lines;
+ uint64_t outlen = width * (uint64_t)lines;
 int ret, line;
 uint8_t *buf = av_malloc(outlen);
 if (!buf)
From 8c54c2934371214c1dcff24fb62af05f39070cae Mon Sep 17 00:00:00 2001
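Review bot: `outlen` is now computed in 64 bits, but two lines later it is passed to `av_malloc(outlen)`, whose size parameter is `size_t`; on a 32-bit target a product beyond 4 GiB would be silently truncated at the call, so the widening only moves the overflow. Since the commit message says such sizes should be unreachable, make that assumption explicit before the allocation: `if (outlen > INT_MAX) return AVERROR_INVALIDDATA;` (or whatever bound the dimension check earlier in the decoder already guarantees). tiff_unpack_lzma continues past the hunk.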
From: Michael Niedermayer Date: Sat, 21 Jan 2017 01:35:52 +0100 Subject: [PATCH 315/658] avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() Fixes CID1397292 Signed-off-by: Michael Niedermayer (cherry picked from commit 5f2b360fc05bbb4f21e1247d1d9af303113d6c25) Signed-off-by: Michael Niedermayer
---
 libavfilter/avfiltergraph.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c
index 42751132af..64e12524eb 100644
--- a/libavfilter/avfiltergraph.c
+++ b/libavfilter/avfiltergraph.c
@@ -863,6 +863,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter)
 for (j = 0; j < outlink->in_samplerates->nb_formats; j++) {
 int diff = abs(sample_rate - outlink->in_samplerates->formats[j]);
+ av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates
+
 if (diff < best_diff) {
 best_diff = diff;
 best_idx = j;
From 2f8356df12af7d1b00c664d8f2b4d012efd648d8 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 7 Mar 2017 09:56:42 +0100 Subject: [PATCH 316/658] avcodec: fix uninitialized variable read This cna happen if the user tries to call the new decode API for subtitles. Fixes CID 1402071. (cherry picked from commit b4b8ca24f62473528949fe047085eb084364124b) Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index fc1b2555e8..01d61597a8 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -2719,7 +2719,7 @@ void avsubtitle_free(AVSubtitle *sub)
 static int do_decode(AVCodecContext *avctx, AVPacket *pkt)
 {
- int got_frame;
+ int got_frame = 0;
 int ret;
 av_assert0(!avctx->internal->buffer_frame->buf[0]);
From e80a525934ab97b01bb9057e69b2893672024e77 Mon Sep 17 00:00:00 2001
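Review bot: `av_assert0()` aborts the process, so if `sample_rate` or the `formats` list can originate from user-supplied filter arguments, an absurd rate becomes a crash of the host application rather than a rejected configuration; a library-level rejection or clamp is the safer shape. The subtraction on the preceding line, `sample_rate - outlink->in_samplerates->formats[j]`, can itself overflow before `abs()` runs, and `abs(INT_MIN)` is undefined, so the assertion fires only after the undefined operation; computing the difference in 64 bits, e.g. `int64_t diff = FFABS((int64_t)sample_rate - outlink->in_samplerates->formats[j]);`, removes both problems (best_diff's type, declared outside the hunk, would need to match). The long trailing comment on the assert line should be placed on its own line above it. swap_samplerates_on_filter starts before the hunk and continues after it.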
From: Michael Niedermayer Date: Thu, 30 Mar 2017 22:15:21 +0200 Subject: [PATCH 317/658] avfilter/af_sofalizer: Fix bad shift Fixes CID1396835 Signed-off-by: Michael Niedermayer (cherry picked from commit 4064f3f0dfe71f6d378b9252a390f89c4315bf54) Signed-off-by: Michael Niedermayer
---
 libavfilter/af_sofalizer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/af_sofalizer.c b/libavfilter/af_sofalizer.c
index 7558f57eb9..f41972508a 100644
--- a/libavfilter/af_sofalizer.c
+++ b/libavfilter/af_sofalizer.c
@@ -448,7 +448,7 @@ static int get_speaker_pos(AVFilterContext *ctx,
 /* set speaker positions according to input channel configuration: */
 for (m = 0, ch = 0; ch < n_conv && m < 64; m++) {
- uint64_t mask = channels_layout & (1 << m);
+ uint64_t mask = channels_layout & (1ULL << m);
 switch (mask) {
 case AV_CH_FRONT_LEFT: azim[ch] = 30; break;
From dc4fc2520072535bbaaa7cfdfa3cda8078cc1627 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Apr 2017 19:18:34 +0200 Subject: [PATCH 318/658] avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE This avoids an integer overflow the solution matches oggparsevorbis.c and 45581ed15d2ad5955e24d809820c1675da68f500 Fixes: 700242 Found-by: Thomas Guilbert Reviewed-by: Rostislav Pehlivanov Signed-off-by: Michael Niedermayer (cherry picked from commit 679a315424e6ffaafd21ebf7a86108bd4e743793) Signed-off-by: Michael Niedermayer
---
 libavformat/oggparsedaala.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index 89bda58994..ce65b2bd7a 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -232,7 +232,7 @@ static int daala_packet(AVFormatContext *s, int idx)
 os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
- if (s->streams[idx]->duration)
+ if (s->streams[idx]->duration != AV_NOPTS_VALUE)
 s->streams[idx]->duration -= s->streams[idx]->start_time;
 }
 }
From 0a966b056fd6106e352dab97e5fd6f17d47ebbbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Apr 2017 19:18:35 +0200 Subject: [PATCH 319/658] avformat/oggparsedaala: Do not leave an invalid value in gpshift Fixes: undefined behavior Fixes: 702974 Found-by: Thomas Guilbert Reviewed-by: Rostislav Pehlivanov Signed-off-by: Michael Niedermayer (cherry picked from commit 23ae3cc822915ede2bb4e85047ab46cc5bc71268) Signed-off-by: Michael Niedermayer
---
 libavformat/oggparsedaala.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index ce65b2bd7a..a373b41b4c 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -126,6 +126,7 @@ static int daala_header(AVFormatContext *s, int idx)
 if (hdr->gpshift >= 32) {
 av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n",
 hdr->gpshift);
+ hdr->gpshift = 0;
 return AVERROR_INVALIDDATA;
 }
 hdr->gpmask = (1U << hdr->gpshift) - 1;
From da25519aff843ad4c585336310625ef126649161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 03:36:17 +0200 Subject: [PATCH 320/658] avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' Fixes: 619/clusterfuzz-testcase-5803914534322176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61ee2ca7758672128e30b3e87908b6845e006d71)
Signed-off-by: Michael Niedermayer
---
 libavcodec/dvdsubdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 4ae63b40ac..ed80b718d5 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx,
 r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
 g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
 b = (((subtitle_color >> 0) & 0xff) * level) >> 8;
- rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24);
+ rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24);
 color_used[colormap[i]] = (i + 1);
 j++;
 } else {
 rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) |
- ((alpha[i] * 17) << 24);
+ ((alpha[i] * 17U) << 24);
 }
 }
 }
From 500212310944a689115f15169dc21c3cd03617c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Apr 2017 15:06:21 +0200 Subject: [PATCH 321/658] avformat/oggparseogm: Check available data before reading global header Fixes use of uninitialized data Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 170d864d2c508ca8111b1d108e1e964007dab712) Signed-off-by: Michael Niedermayer
---
 libavformat/oggparseogm.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index f8e656dcb1..cdbdfd66e0 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -108,6 +108,8 @@ ogm_header(AVFormatContext *s, int idx)
 if (size > 52) {
 av_assert0(AV_INPUT_BUFFER_PADDING_SIZE <= 52);
 size -= 52;
+ if (bytestream2_get_bytes_left(&p) < size)
+ return AVERROR_INVALIDDATA;
 ff_alloc_extradata(st->codecpar, size);
 bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size);
 }
From a46e0879b9acbcf38c2a25a4c1c1db027ab78081 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Tue, 11 Apr 2017 15:08:07 +0200 Subject: [PATCH 322/658] avformat/oggparseogm: Check ff_alloc_extradata() for failure Signed-off-by: Michael Niedermayer (cherry picked from commit 9eff4b0d2b5013e1ede86cf1a152dce164217d52) Signed-off-by: Michael Niedermayer
---
 libavformat/oggparseogm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index cdbdfd66e0..e7a501b5a7 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -110,7 +110,8 @@ ogm_header(AVFormatContext *s, int idx)
 size -= 52;
 if (bytestream2_get_bytes_left(&p) < size)
 return AVERROR_INVALIDDATA;
- ff_alloc_extradata(st->codecpar, size);
+ if (ff_alloc_extradata(st->codecpar, size) < 0)
+ return AVERROR(ENOMEM);
 bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size);
 }
 }
From a1d740ff098efd2dd75e2b5e83f474e1355f02d4 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 13:14:42 +0100 Subject: [PATCH 323/658] avformat/webmdashenc: Require the 'adaptation_sets' option to be set This seems to be non-optional, and if the muxer is run without it, strlen() is run on NULL, causing a segfault. Signed-off-by: Michael Niedermayer (cherry picked from commit cbd3a68f3e1c2d1679370301eb5e1a32a2df64fe) Signed-off-by: Michael Niedermayer
---
 libavformat/webmdashenc.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index d4b3146790..740fd8eb01 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
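Review bot: The new failure branch maps every negative return of `ff_alloc_extradata()` to `AVERROR(ENOMEM)`, but that helper also rejects over-large sizes with a different error code, so a corrupt header would be reported as an out-of-memory condition; propagate the real value instead: `if ((ret = ff_alloc_extradata(st->codecpar, size)) < 0) return ret;` (adding an `int ret` if ogm_header has none — its declarations are outside the hunk). ogm_header starts before the hunk and continues after it.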
@@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s)
 char *p = w->adaptation_sets;
 char *q;
 enum { new_set, parsed_id, parsing_streams } state;
+ if (!w->adaptation_sets) {
+ av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n");
+ return AVERROR(EINVAL);
+ }
 // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on
 state = new_set;
 while (p < w->adaptation_sets + strlen(w->adaptation_sets)) {
From 82e5f2c76b6fbb4118066462b1e94306630cd91e Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 16:17:44 +0100 Subject: [PATCH 324/658] avformat/webmdashenc: Validate the 'streams' adaptation sets parameter It should not be a value larger than the number of streams we have, or it will cause invalid reads and/or SIGSEGV. Signed-off-by: Michael Niedermayer (cherry picked from commit ec07efa70012845e8642df67a4a773f510a17088) Signed-off-by: Michael Niedermayer
---
 libavformat/webmdashenc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index 740fd8eb01..9dc9b36d31 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -462,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s)
 if (as->streams == NULL) return AVERROR(ENOMEM);
 as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1);
- if (as->streams[as->nb_streams - 1] < 0) return -1;
+ if (as->streams[as->nb_streams - 1] < 0 ||
+ as->streams[as->nb_streams - 1] >= s->nb_streams) {
+ av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n");
+ return AVERROR(EINVAL);
+ }
 if (*q == '\0') break;
 if (*q == ' ') state = new_set;
 p = ++q;
From b391e4c8f4fe08a1fbeb04df794230c0dfb0fd6e Mon Sep 17 00:00:00 2001 From: Martin Vignali Date: Tue, 25 Apr 2017 22:52:50 +0200 Subject: [PATCH 325/658] libavcodec/exr : fix float to uint16 conversion for negative float value
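Review bot: The error string in the added block has a typo: `"Invalid value for 'streams' in adapation_sets.\n"` should read `adaptation_sets`, the option name used by the preceding commit's own message. The `>= s->nb_streams` comparison pairs a (presumably int) array element with an unsigned stream count and is safe only because the `< 0` test precedes it in the same condition; a comment such as `/* the < 0 test must come first: the unsigned compare would accept negatives */` would keep a later reorder from reintroducing the out-of-bounds read. parse_adaptation_sets starts before the hunk and continues after it.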
Signed-off-by: Michael Niedermayer (cherry picked from commit e46d63745215c04637e7797228bad36bce49d881) Signed-off-by: Michael Niedermayer
---
 libavcodec/exr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index a811c02b8a..0a7475fcb3 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -216,9 +216,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf)
 *
 * @return normalized 16-bit unsigned int
 */
-static inline uint16_t exr_flt2uint(uint32_t v)
+static inline uint16_t exr_flt2uint(int32_t v)
 {
- unsigned int exp = v >> 23;
+ int32_t exp = v >> 23;
 // "HACK": negative values result in exp< 0, so clipping them to 0
 // is also handled by this condition, avoids explicit check for sign bit.
 if (exp <= 127 + 7 - 24) // we would shift out all bits anyway
From 52d07518a32dbc015882ab73bc5f70f4079f83ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:08:54 +0200 Subject: [PATCH 326/658] avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang compilers doing DCE at -O0 do not necessarily understand "complex" boolean expressions Build succeeds with this change, this was the only failure Signed-off-by: Michael Niedermayer (cherry picked from commit fa8fd0808f1086fc85abba5cf123faf41da49305) Signed-off-by: Michael Niedermayer
---
 libavcodec/x86/vc1dsp_init.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c
index c8943fa2f7..c53a1328f2 100644
--- a/libavcodec/x86/vc1dsp_init.c
+++ b/libavcodec/x86/vc1dsp_init.c
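Review bot: `int32_t exp = v >> 23;` now right-shifts a possibly negative signed value, and callers that previously passed a `uint32_t` bit pattern now have it converted to `int32_t`; both are implementation-defined in C, and the function relies on the arithmetic-shift and two's-complement behaviour the project assumes (written down in doc/developer.texi later in this series). The existing "HACK" comment explains the clipping trick but not that dependency, so extend it with `// relies on arithmetic right shift of a negative int32_t (assumed project-wide)`. exr_flt2uint continues past the hunk.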
@@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp)
 {
 int cpu_flags = av_get_cpu_flags();
- if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags))
+ if (HAVE_6REGS && INLINE_MMX(cpu_flags))
+ if (EXTERNAL_MMX(cpu_flags))
 ff_vc1dsp_init_mmx(dsp);
- if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags))
+ if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags))
+ if (EXTERNAL_MMXEXT(cpu_flags))
 ff_vc1dsp_init_mmxext(dsp);
 #define ASSIGN_LF(EXT) \
From 388ef988f8ff579d306882272f3e686067fffbd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:27:16 +0200 Subject: [PATCH 327/658] avcodec/mdec: Fix runtime error: left shift of negative value -127 Fixes undefined behavior Fixes: 1275/clusterfuzz-testcase-minimized-6718162017976320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ca82975b7a8eaf676a52738ec8e7e36732327cc) Signed-off-by: Michael Niedermayer
---
 libavcodec/mdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c
index 1cc4ca4742..42bd561cd7 100644
--- a/libavcodec/mdec.c
+++ b/libavcodec/mdec.c
@@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
 if (diff >= 0xffff)
 return AVERROR_INVALIDDATA;
 a->last_dc[component] += diff;
- block[0] = a->last_dc[component] << 3;
+ block[0] = a->last_dc[component] * (1 << 3);
 }
 i = 0;
From f3d300497fc7be87933b9623e03cc1ee7a99224f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Apr 2017 02:50:42 +0200 Subject: [PATCH 328/658] doc/developer: Add terse documentation of assumed C implementation defined behavior Suggested-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit b706ddbae3f4a11c58560b914807931556108b55)
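Review bot: The two nested, brace-less `if` statements introduced for each pair (`if (HAVE_6REGS && INLINE_MMX(cpu_flags)) if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp);`) are the classic dangling-if shape: any `else` added later binds to the inner condition, and the reason for the unusual form lives only in the commit message. Brace the outer statement and say why, e.g. `if (HAVE_6REGS && INLINE_MMX(cpu_flags)) { /* split from the EXTERNAL_ check so DCE at -O0 drops the call */`, and do the same for the MMXEXT pair. ff_vc1dsp_init_x86 continues past the hunk.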
Signed-off-by: Michael Niedermayer
---
 doc/developer.texi | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/doc/developer.texi b/doc/developer.texi
index 4d3a7aef94..acb9dc83a2 100644
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};});
 @item
 compound literals (@samp{x = (struct s) @{ 17, 23 @};}).
+
+@item
+Implementation defined behavior for signed integers is assumed to match the
+expected behavior for two's complement. Non representable values in integer
+casts are binary truncated. Shift right of signed values uses sign extension.
 @end itemize
 These features are supported by all compilers we care about, so we will not
From 2b733acce9e00718dcf4ee46733797c66473ae78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:46:27 +0200 Subject: [PATCH 329/658] avcodec/vp3: Check remaining bits in unpack_dct_coeffs() Decreases the time spend decoding junk. May fix: 1283/clusterfuzz-testcase-minimized-6221126759874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f00300b779e7b247c85db0d7daef448225105ff) Signed-off-by: Michael Niedermayer
---
 libavcodec/vp3.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 86e5852e32..b10cb39f8a 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
 s->dct_tokens[0][0] = s->dct_tokens_base;
+ if (get_bits_left(gb) < 16)
+ return AVERROR_INVALIDDATA;
+
 /* fetch the DC table indexes */
 dc_y_table = get_bits(gb, 4);
 dc_c_table = get_bits(gb, 4);
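Review bot: The three added guards (`< 16` here, `< 8` in the two hunks that follow) use bare thresholds with no indication of why those bit counts were chosen; the two 4-bit table-index reads below each account for 8 bits, but the 16 required before the DC tables is not explained by the visible reads. A comment per check, e.g. `/* need at least the two 4-bit table indexes read below */`, plus a named constant or a short justification for the extra margin, would keep a later maintainer from "correcting" the numbers and reopening the junk-decoding slowdown. unpack_dct_coeffs starts before the hunk and continues after it.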
@@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
 0, residual_eob_run);
 if (residual_eob_run < 0)
 return residual_eob_run;
+ if (get_bits_left(gb) < 8)
+ return AVERROR_INVALIDDATA;
 /* reverse prediction of the Y-plane DC coefficients */
 reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
 s->fragment_width[1], s->fragment_height[1]);
 }
+ if (get_bits_left(gb) < 8)
+ return AVERROR_INVALIDDATA;
 /* fetch the AC table indexes */
 ac_y_table = get_bits(gb, 4);
 ac_c_table = get_bits(gb, 4);
From 132796f1d15f3194a5819e805d527b01cfee2446 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:53:52 +0200 Subject: [PATCH 330/658] avcodec/indeo2: Check remaining bits in ir2_decode_plane() Fixes: 1290/clusterfuzz-testcase-minimized-5815578902134784 Fixes: timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29feec9829cfab2523c8d95e35bd69e689ea4af) Signed-off-by: Michael Niedermayer
---
 libavcodec/indeo2.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 7ad686d50b..f12d6d00d1 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -76,6 +76,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
 for (j = 1; j < height; j++) {
 out = 0;
+ if (get_bits_left(&ctx->gb) <= 0)
+ return AVERROR_INVALIDDATA;
 while (out < width) {
 int c = ir2_get_code(&ctx->gb);
 if (c >= 0x80) { /* we have a skip */
@@ -115,6 +117,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_
 for (j = 0; j < height; j++) {
 out = 0;
+ if (get_bits_left(&ctx->gb) <= 0)
+ return AVERROR_INVALIDDATA;
 while (out < width) {
 c = ir2_get_code(&ctx->gb);
 if (c >= 0x80) { /* we have a skip */
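Review bot: The new `get_bits_left(&ctx->gb) <= 0` test runs once per row in ir2_decode_plane (and identically in ir2_decode_plane_inter in the second indeo2 hunk), but the inner `while (out < width)` loop still calls `ir2_get_code()` repeatedly with no further check, so a packet that runs dry mid-row keeps reading from the exhausted reader for the rest of that row; whether that is harmless depends on the bit reader's over-read behaviour, which is outside the hunk. If the intent is only to bound time wasted on junk rather than to act as a bounds check, say so, e.g. `/* cheap per-row bail-out; exhausted reads within a row are tolerated */`, so the check is not mistaken for the latter. Both functions continue past their hunks.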
From 44fd56337616261f4eab19ac8ba5f92daf2797c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 331/658] avcodec/svq3: Increase offsets to prevent integer overflows Fixes: 1280/clusterfuzz-testcase-minimized-6102353767825408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 382b4fc9b5f3102f59743bf9c8619b31dd8ede1b) Signed-off-by: Michael Niedermayer
---
 libavcodec/svq3.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 8c176f625f..3a754a639a 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -549,8 +549,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
 int fx, fy;
 mx = (mx + 1 >> 1) + dx;
 my = (my + 1 >> 1) + dy;
- fx = (unsigned)(mx + 0x3000) / 3 - 0x1000;
- fy = (unsigned)(my + 0x3000) / 3 - 0x1000;
+ fx = (unsigned)(mx + 0x30000) / 3 - 0x10000;
+ fy = (unsigned)(my + 0x30000) / 3 - 0x10000;
 dxy = (mx - 3 * fx) + 4 * (my - 3 * fy);
 svq3_mc_dir_part(s, x, y, part_width, part_height,
@@ -558,8 +558,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
 mx += mx;
 my += my;
 } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) {
- mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000;
- my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000;
+ mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000;
+ my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000;
 dxy = (mx & 1) + 2 * (my & 1);
 svq3_mc_dir_part(s, x, y, part_width, part_height,
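Review bot: The bias constants `0x30000`/`0x10000` here (and `0x60000`/`0x10000` in the third hunk that follows) are magic numbers whose purpose — adding a multiple of the divisor so the unsigned division behaves for negative mx/my, then removing the bias — is stated nowhere in the code, and the new values must stay larger than the largest |mx| the decoder can produce or the `(unsigned)` cast wraps again. A comment at the first use, e.g. `/* bias by a multiple of 3 so the unsigned division floors negatives; must exceed max |mx| */`, and a named constant for the bias would record the invariant this commit depends on. svq3_mc_dir starts before the hunk and continues after it.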
@@ -567,8 +567,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
 mx *= 3;
 my *= 3;
 } else {
- mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000;
- my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000;
+ mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000;
+ my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000;
 svq3_mc_dir_part(s, x, y, part_width, part_height,
 mx, my, 0, 0, dir, avg);
From 2cfd230759e71f322d136229a5351b69e92856a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:26 +0200 Subject: [PATCH 332/658] avcodec/svq3: Reject dx/dy beyond 16bit The code does use 16bit sized arrays later so larger deltas would not work Signed-off-by: Michael Niedermayer (cherry picked from commit 48b3117844177d8442bc9fa3ede1d31ce82ae6fc) Signed-off-by: Michael Niedermayer
---
 libavcodec/svq3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 3a754a639a..53f56df58d 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -538,7 +538,7 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
 dy = get_interleaved_se_golomb(&s->gb_slice);
 dx = get_interleaved_se_golomb(&s->gb_slice);
- if (dx == INVALID_VLC || dy == INVALID_VLC) {
+ if (dx != (int16_t)dx || dy != (int16_t)dy) {
 av_log(s->avctx, AV_LOG_ERROR, "invalid MV vlc\n");
 return -1;
 }
From cfc85cead9e9795dd1a0ad6512c7245b055f16d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 22:27:50 +0200 Subject: [PATCH 333/658] avcodec/dcadsp: Fix runtime error: signed integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9244b839b788e4677019041907ff5a4378a23490) Signed-off-by: Michael Niedermayer
---
 libavcodec/dcadsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c
index 1cd2e4eddf..4cb7fab9ac 100644
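Review bot: The condition now rejects any delta outside the int16_t range, but the message on the next line still reads `"invalid MV vlc\n"`, so a syntactically valid stream carrying a large vector is reported as a VLC decoding failure; something like `"MV delta %d/%d outside 16-bit range\n", dx, dy` would name what was actually rejected. The old `INVALID_VLC` sentinel is presumably still caught because it lies outside that range, but that is not evident from the hunk and deserves a one-line comment. svq3_mc_dir starts before the hunk and continues after it.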
--- a/libavcodec/dcadsp.c
+++ b/libavcodec/dcadsp.c
@@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
 int i;
 for (i = 0; i < len; i++)
- dst[i] -= mul15(src[i], coeff);
+ dst[i] -= (unsigned)mul15(src[i], coeff);
 }
 static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
From 6798f9c551b4c602b3c9d7cac681979f025630cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Apr 2017 21:59:29 +0200 Subject: [PATCH 334/658] avcodec/h264_cavlc: Fix undefined behavior on qscale overflow Fixes: 1214/clusterfuzz-testcase-minimized-6130606599569408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc8cff96ed45dfdb91ed03e9942845f28be0e770) Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_cavlc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 3293c66816..0e366d97b0 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -1112,7 +1112,7 @@ decode_intra_mb:
 dquant= get_se_golomb(&sl->gb);
- sl->qscale += dquant;
+ sl->qscale += (unsigned)dquant;
 if (((unsigned)sl->qscale) > max_qp){
 if (sl->qscale < 0) sl->qscale += max_qp + 1;
From d4f008557ae7f030023ee1366e85aa08f1dcfb14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 15:24:46 +0200 Subject: [PATCH 335/658] avcodec/msvideo1: Check buffer size before re-getting the frame Fixes timeout Fixes: 1306/clusterfuzz-testcase-minimized-6152296217968640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cabfed6895fcc679cd6a6244a12d800e0f3f2d20) Signed-off-by: Michael Niedermayer
---
 libavcodec/msvideo1.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c
index a49b9be364..29700f54b6 100644
--- a/libavcodec/msvideo1.c
+++ b/libavcodec/msvideo1.c
@@ -301,6 +301,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx,
 s->buf = buf;
 s->size = buf_size;
+ // Discard frame if its smaller than the minimum frame size
+ if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
From 55d8fd38d66e8e43eff94beda9a250f659a731fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 18:40:46 +0200 Subject: [PATCH 336/658] avcodec/pngdec: Use ff_set_dimensions() Fixes OOM Fixes: 1314/clusterfuzz-testcase-minimized-4621997222920192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0296fc056f0d86943c697c505a181744b07dd45) Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index c72f34f961..52b872a06a 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -611,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
 }
 if (!(s->state & PNG_IDAT)) {
 /* init image info */
- avctx->width = s->width;
- avctx->height = s->height;
+ ret = ff_set_dimensions(avctx, s->width, s->height);
+ if (ret < 0)
+ return ret;
 s->channels = ff_png_get_nb_channels(s->color_type);
 s->bits_per_pixel = s->bit_depth * s->channels;
From cbc471d1b3234d9816bbb53a9770df057a268765 Mon Sep 17 00:00:00 2001
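Review bot: The added comment has a typo (`its` should be `it's`) and, more importantly, does not say where the bound `(avctx->width/4) * (avctx->height/4) / 512` comes from, so a reader cannot tell whether 512 is a worst-case compression ratio derived from the 4x4 block coding or an empirical guess. Rewrite it to state the derivation, e.g. `// Discard frame if it's smaller than the minimum frame size: each 4x4 block needs at least <bits-per-block> bits, i.e. one byte per 512 blocks` with the real figure filled in, or make 512 a named constant with that explanation attached. msvideo1_decode_frame starts before the hunk and continues after it.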
From: Michael Niedermayer Date: Wed, 3 May 2017 05:21:51 +0200 Subject: [PATCH 337/658] libavcodec/mpeg4videodec: Convert sprite_offset to 64bit This avoids intermediates from overflowing (the final values are checked) Fixes: runtime error: signed integer overflow: -167712 + -2147352576 cannot be represented in type 'int' Fixes: 1298/clusterfuzz-testcase-minimized-5955580877340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1c3a14073b33f790075f2884ea5c64451a6c876) Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg4videodec.c | 102 ++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 52 deletions(-)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 50efe2ed9c..523f63bda5 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
 int min_ab, i, w2, h2, w3, h3;
 int sprite_ref[4][2];
 int virtual_ref[2][2];
+ int64_t sprite_offset[2][2];
 // only true for rectangle shapes
 const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 },
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
 switch (ctx->num_sprite_warping_points) {
 case 0:
- s->sprite_offset[0][0] =
- s->sprite_offset[0][1] =
- s->sprite_offset[1][0] =
- s->sprite_offset[1][1] = 0;
+ sprite_offset[0][0] =
+ sprite_offset[0][1] =
+ sprite_offset[1][0] =
+ sprite_offset[1][1] = 0;
 s->sprite_delta[0][0] = a;
 s->sprite_delta[0][1] =
 s->sprite_delta[1][0] = 0;
@@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + + sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + + sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * + sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * + sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-2 * vop_ref[0][0] + 1) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * 
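Review bot: The case 2 arm still evaluates every product in int: `sprite_ref[0][0] * (1 << alpha + rho)`, `(-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0])` and `2 * w2 * r * sprite_ref[0][0]` are all plain int arithmetic, and only the completed sum is widened when it is stored into the new int64_t sprite_offset. This arm therefore keeps the intermediate signed overflow the commit removes from case 3, for the same magnitudes of sprite_ref and vop_ref. Casting the first operand of each product to int64_t, exactly as case 3 now does, fixes it, and writing `1 << (alpha + rho)` with explicit parentheses makes the precedence obvious. The hunk's last statement is cut off in this view, so the rewrite below ends where the visible text does.
```c
case 2:
    sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + rho))) +
                          ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) +
                          ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) +
                          (1 << (alpha + rho - 1));
    sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + rho))) +
                          ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) +
                          ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) +
                          (1 << (alpha + rho - 1));
    sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) +
                          ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) +
                          (int64_t)2 * w2 * r * sprite_ref[0][0] - 16 * w2 +
                          (1 << (alpha + rho + 1));
    /* … sprite_offset[1][1]: same casts on each product; the hunk's tail is cut off in this view … */
```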
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * 
(-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; 
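Review bot: The four sprite_delta assignments immediately after the widened sprite_offset block are still int arithmetic, e.g. `s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;`, so two bitstream-derived values are multiplied by h3 before the later `llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX` checks can see the result; an overflow there happens before it can be detected. I cannot see from here how tightly sprite_ref, virtual_ref and h3 are bounded; if they are not guaranteed to keep the product below 2^31, the same treatment as sprite_offset (a local `int64_t sprite_delta[2][2]`, range-checked, then stored) would close the gap. mpeg4_decode_sprite_trajectory continues past this hunk.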
@@ -369,18 +362,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_c = 16 - ctx->sprite_shift[1]; if (shift_c < 0 || shift_y < 0 || - FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); goto overflow; } for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; 
@@ -392,16 +385,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; @@ -410,6 +403,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; overflow: memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); From cc9b7db429f1a2327d88c1bd710e866309e68ba5 Mon Sep 17 00:00:00 2001 
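Review bot: The four new `s->sprite_offset[..] = sprite_offset[..];` stores narrow int64_t to int without a check, and as far as the hunks show, the llabs()/INT_MAX tests sit in only one branch of the preceding if/else (the one starting at `int shift_y = 16 - ctx->sprite_shift[0];`), while the other branch merely right-shifts the values by sprite_shift. Unless that shift provably brings every value into int range, the conversion is an implementation-defined truncation that silently changes the warping offsets. A guard before the stores keeps the invariant the other checks establish: `for (i = 0; i < 4; i++) if (llabs(sprite_offset[i & 1][i >> 1]) >= INT_MAX) goto overflow;`. The function begins before the first hunk in this view.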
From: Michael Niedermayer Date: Fri, 5 May 2017 02:51:13 +0200 Subject: [PATCH 338/658] avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' Fixes: 1080/clusterfuzz-testcase-5353236754071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce7098b8f2b59c62b5abdb3d74819db75cf67698) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index ed80b718d5..917adc3dfe 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } From a6fb07d5ba3a0a1561c7e354ce9b8fbf6b404c04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 03:24:40 +0200 Subject: [PATCH 339/658] avcodec/cavsdec: Fix undefined behavior from integer overflow Fixes: 1335/clusterfuzz-testcase-minimized-5566961566089216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0e5f7f363555d2befafb1c9e1579dbe0a2fbca7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index fed7043c12..8842346c25 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; From ac74ac9e1d2f23e3e41a53ea5abe5520013c86cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 340/658] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' Fixes: 943/clusterfuzz-testcase-5114865297391616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a78ae465fda902565ed041d93403e04490b4be0d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a073c0967e..d7ef0067b5 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -753,7 +753,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; From 67561969947eed657578e8143b3d62dfbcf4ee08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 12:48:12 +0200 Subject: [PATCH 341/658] avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so Fixes: out of array access Fixes: 1348/clusterfuzz-testcase-minimized-6195673642827776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce551a3925a1cf9c7824e26a246b99b6773bda4b) 
Signed-off-by: Michael Niedermayer --- libavcodec/tiertexseqv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index df12ee3809..f86ae2aac1 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); From 0eb229a427cdfef5f460da2273f822ed72947251 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:01:25 +0200 Subject: [PATCH 342/658] avcodec/wnv1: Fix runtime error: left shift of negative value -1 Fixes: 1338/clusterfuzz-testcase-minimized-6485546354343936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fac508ca46f93450ec232299dfd15ac70b6f326) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 9ff99b2f98..126c01a02d 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, From ba0081fbbe9cc4e0186fffcc08939ad302fc5a64 Mon Sep 17 00:00:00 2001 
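Review bot: The hard-coded `ff_set_dimensions(avctx, 256, 128)` in seqvideo_decode_init has no comment, so a reader cannot tell whether 256x128 is a property of the format or an arbitrary default. The commit message says the dimensions are fixed and that the decoder must stop depending on the demuxer for them; that reasoning belongs next to the call, e.g. `/* SEQ video is always 256x128; set it here instead of trusting the demuxer, otherwise a container claiming a smaller size gets a frame buffer the decoder writes past */`. The fixed-size claim comes from the commit message rather than from the hunk, so confirm it against the decoder before committing the wording.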
From: Michael Niedermayer Date: Fri, 5 May 2017 18:07:25 +0200 Subject: [PATCH 343/658] avcodec/dss_sp: Fix multiple left shift of negative value -466 Fixes: 1339/clusterfuzz-testcase-minimized-4614671485108224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38152d9368beb080b4acd6cd9e5ccc89b3f733bf) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index ddea48304f..93e54c5209 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size) vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) From 45470150971af8312b1c2cdc8c065d3db4977df5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:14:03 +0200 Subject: [PATCH 344/658] avcodec/g722: Fix multiple runtime error: left shift of negative value -1 Fixes: 1340/clusterfuzz-testcase-minimized-4669892148068352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f55df62998681c7702f008ce7c12a00b15e33f53) Signed-off-by: Michael Niedermayer --- libavcodec/g722.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g722.c b/libavcodec/g722.c index ee3b85f845..ef7ca6d446 100644 --- a/libavcodec/g722.c +++ b/libavcodec/g722.c 
@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band) ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff) band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); From dd907bec361e62265259e999c3bd3ab117dd58db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:26:02 +0200 Subject: [PATCH 345/658] avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' Fixes: 1341/clusterfuzz-testcase-minimized-5441502618583040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1002932a3b16d35c46a08455f76462909eebb5aa) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index c8d66b5845..7a9b41943d 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -275,7 +275,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, else aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8) { avctx->pix_fmt = AV_PIX_FMT_PAL8; From e01f02894931767fe98a59fae33375544bfffc92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:28:56 +0200 Subject: [PATCH 346/658] avcodec/nellymoser: Fix multiple left shift of negative value -8591 Fixes: 1342/clusterfuzz-testcase-minimized-5490842129137664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0953736b7e97f6e121a0587a95434bf1857a27da) Signed-off-by: Michael Niedermayer --- libavcodec/nellymoser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 0740c75a0f..d6d5b7a910 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1< Date: Fri, 5 May 2017 20:42:11 +0200 Subject: [PATCH 347/658] avcodec/dfa: Fix off by 1 error Fixes out of array access Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
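Review bot: `aligned_width * avctx->height * (int64_t)c->bpp / 8` still multiplies `aligned_width * avctx->height` in int, because `*` is left-associative and the cast widens only the third operand; the commit fixes the reported `14243456 * 164` case but not a width×height product that itself exceeds INT_MAX. Unless the dimensions are bounded elsewhere (av_image_check_size would do that, but no such call is visible here), put the cast on the first operand: `if (c->video_size < (int64_t)aligned_width * avctx->height * c->bpp / 8)`. cdxl_decode_frame continues outside the hunk.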
Signed-off-by: Michael Niedermayer (cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f45d019a79..5ddb647c4c 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); From 09244917995527f0b83dc63814ace8e9ae50668d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 22:17:59 +0200 Subject: [PATCH 348/658] avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' Fixes: 1346/clusterfuzz-testcase-minimized-5776732600664064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a234b5ade3ca6cde805b92b8b6ecacf693460a8c) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 42bd561cd7..8e28aa04f0 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } From fb4a81dc3aa35ea53e19c2acb0f57d1bbd0cc2f8 Mon Sep 17 00:00:00 2001 
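Review bot: The corrected bound `frame_end - frame < width + 4` is not explained by the writes visible in this hunk, which reach only `frame[width + 1]` and so need width + 2 bytes; whatever later access in this branch of decode_dds1 needs width + 4 is outside the view, so the constant reads as a guess. A comment naming the furthest index actually written in the branch, e.g. `/* this branch writes up to frame[width + 3] */` adjusted to the real reason, would keep the next off-by-one from coming back. decode_dds1 continues past the hunk.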
From: Michael Niedermayer Date: Fri, 5 May 2017 23:00:59 +0200 Subject: [PATCH 349/658] avcodec/aacsbr_template: Do not leave bs_num_env invalid Fixes out of array read Fixes: 1349/clusterfuzz-testcase-minimized-5370707196248064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ad83b793e883b8c6d114f81073a4e40c0308a3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 511054276a..4d4b705dfa 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -639,6 +639,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } @@ -694,6 +695,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } From 1fe0de8934cd00d318159e55275da92d13eebab9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 00:13:05 +0200 Subject: [PATCH 350/658] avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35f3df0d76e28969fa77f2b865e2e40b3ba69722) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index fa91d1e1cb..fed3e77f87 100644 --- a/libavutil/softfloat.h 
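Review bot: The two added `ch_data->bs_num_env = 2;` resets have no comment saying why a field is rewritten on an error path that returns -1. The commit message gives the reason, an out-of-array read from the stale value, and it belongs next to the code: `/* restore a valid value: the stale bs_num_env is used as an array bound after this error */`. Whether other fields sized by bs_num_env are populated from the out-of-range value before the return is not visible here; read_sbr_grid continues past both hunks.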
+++ b/libavutil/softfloat.h @@ -235,12 +235,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; From e7755214bbf94b95255eee6947ad78dde4beff32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:08:54 +0200 Subject: [PATCH 351/658] avcodec/snowdec: Check qbias Fixes: signed integer overflow: -1094995529 * 131 cannot be represented in type 'int' Fixes: 1353/clusterfuzz-testcase-minimized-5208180449607680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 523205ce1ed9415183c162998c68f573479e78fe) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 042aecbbeb..97f55288c1 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -395,6 +395,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } From 23a76f1057bd063bf72f8c9f40ad69c9313c95d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:05:17 +0200 Subject: [PATCH 352/658] avcodec/mlpdec: Fix runtime error: left shift of negative value -22 Fixes: 1355/clusterfuzz-testcase-minimized-6662205472768000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c535436cbeeab89be64e9f3fd652bc736f2f3245) 
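Review bot: The new `sign = (int32_t)((unsigned)idx << 27) >> 31;` trades undefined behaviour for two implementation-defined steps: the conversion of an out-of-range unsigned to int32_t, and the right shift of a negative int32_t. GCC and Clang make both do what the code intends, but the intent, replicate bit 4 of idx into a 0/-1 mask, has a fully defined spelling: `sign = -(int)(((unsigned)idx >> 4) & 1);` (idx is an int, so the int-to-unsigned conversion is defined modulo 2^32). The same applies to the second occurrence after `idx -= 8`.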
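Review bot: `FFABS(s->qbias) > 127` is itself undefined if qbias can be INT_MIN, because FFABS negates it; how qbias is read is outside the hunk, so if the reader can yield the full int range write the test as `if (s->qbias < -127 || s->qbias > 127)`, which is overflow-free and equally clear. Resetting `s->qbias = 0` before returning matches the `block_max_depth = 0` reset just above it; a one-line comment on why 127 is the limit (headroom for the later `* qbias` product, per the commit message) would help. decode_header begins before this hunk.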
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c93b058dd7..7cad5d1cad 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } From ceb456e3e9e9c7e95022101e5af6396089696131 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:10:59 +0200 Subject: [PATCH 353/658] avcodec/fic: Fix multiple left shift of negative value -15 Fixes: 1356/clusterfuzz-testcase-minimized-6008489086287872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b20c71409b24460983ba5d9afa0716714f9e0f7d) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index d3952a4c01..1e28f59d83 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -94,8 +94,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t7 = t3 - t1; const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; + const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; blk[0 * step] = ( t4 + t9 + tB) >> shift; blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; From 9f7bc8296bddfa68a375b45905e641cfe40fd048 Mon Sep 17 00:00:00 2001 
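Review bot: `(blk[0 * step] - blk[4 * step]) * 32768 + rnd` has only 32767 of headroom: blk is int16_t, so the difference spans [-65535, 65535], times 32768 reaches ±2147450880, and the trailing `+ rnd` overflows int once rnd exceeds 32767. If rnd is always a small rounding constant (it looks like one, but its derivation is outside the hunk) this is fine and deserves a comment, `/* |blk0 ± blk4| * 32768 <= 2147450880, so rnd must stay below 32768 */`; otherwise compute tA and tB in int64_t.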
From: Michael Niedermayer Date: Sat, 6 May 2017 15:17:29 +0200 Subject: [PATCH 354/658] avcodec/mimic: Fix runtime error: left shift of negative value -1 Fixes: 1365/clusterfuzz-testcase-minimized-5624158450876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc2c420b82939a8f30838a6aa08bfd936099d3ce) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 06fb393b92..ce649c602a 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; From 677c9f27cc60278c3b7b74b211eda547c56d941c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:32:56 +0200 Subject: [PATCH 355/658] avcodec/g723_1: Fix multiple runtime error: left shift of negative value Fixes: 1367/clusterfuzz-testcase-minimized-571496882346393 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4ace2d22192f3995911ec926940125dcb29d606a) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1.c | 18 +++++++++--------- libavcodec/g723_1.h | 2 +- libavcodec/g723_1dec.c | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index a11fec8a9e..78ce922266 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) bits= FFMAX(bits, 0); for (i = 0; i < length; i++) - dst[i] = vector[i] << bits >> 3; + dst[i] = (vector[i] * (1 << bits)) >> 3; return bits - 3; } 
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) for (j = 0; j < LPC_ORDER; j++) { int index = (lpc[j] >> 7) & 0x1FF; int offset = lpc[j] & 0x7f; - int temp1 = cos_tab[index] << 16; + int temp1 = cos_tab[index] * (1 << 16); int temp2 = (cos_tab[index + 1] - cos_tab[index]) * - ((offset << 8) + 0x80) << 1; + (((offset << 8) + 0x80) << 1); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); } @@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) */ /* Initialize with values in Q28 */ f1[0] = 1 << 28; - f1[1] = (lpc[0] << 14) + (lpc[2] << 14); + f1[1] = (lpc[0] + lpc[2]) * (1 << 14); f1[2] = lpc[0] * lpc[2] + (2 << 28); f2[0] = 1 << 28; - f2[1] = (lpc[1] << 14) + (lpc[3] << 14); + f2[1] = (lpc[1] + lpc[3]) * (1 << 14); f2[2] = lpc[1] * lpc[3] + (2 << 28); /* @@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) f1[0] >>= 1; f2[0] >>= 1; - f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; - f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; + f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1; + f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1; } /* Convert polynomial coefficients to LPC coefficients */ @@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff2 = f2[i + 1] - f2[i]; - lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; - lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + + lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16; + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) + (1 << 15)) >> 16; } } diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h index 40d6e700b1..f833af01c6 100644 --- a/libavcodec/g723_1.h +++ b/libavcodec/g723_1.h @@ -55,7 +55,7 @@ * @param b 16 bit multiplier */ #define MULL2(a, b) \ - ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) + ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15)) /** * G723.1 frame types diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 6f283b449f..3454ed6074 100644 
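Review bot: The MULL2 macro still evaluates both `a` and `b` twice, so an argument with side effects is evaluated twice; the rewrite keeps that hazard and the doc block above only describes `b` as a 16-bit multiplier. Add `* @note a and b are evaluated more than once; pass side-effect-free expressions` to the comment. It is also worth recording that `(((a) & 0xffff) * (b) >> 15)` depends on `*` binding tighter than `>>` (it is `(((a) & 0xffff) * (b)) >> 15`) and on an arithmetic right shift when the product is negative.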
--- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -516,7 +516,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ }\ \ - (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ + (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\ (1 << 15)) >> res_shift;\ }\ } @@ -903,7 +903,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, &p->subframe[i], p->cur_rate); /* Get the total excitation */ for (j = 0; j < SUBFRAME_LEN; j++) { - int v = av_clip_int16(vector_ptr[j] << 1); + int v = av_clip_int16(vector_ptr[j] * 2); vector_ptr[j] = av_clip_int16(v + acb_vector[j]); } vector_ptr += SUBFRAME_LEN; From 2c7e4e5e71762e0448835fcdd0007e99377e8731 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:38:22 +0200 Subject: [PATCH 356/658] avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 1368/clusterfuzz-testcase-minimized-4507293276176384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12936a4585bc293c0f88327d6840f49e8e744b62) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 5ddb647c4c..3ea12f0511 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); From 5578f63494aabd06308c5221a4333127dc40c646 Mon Sep 17 00:00:00 2001 
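Review bot: Making `segments` unsigned removes the wrap-around UB but not the attacker-controlled count: `segments = bytestream2_get_le32(gb)` comes straight from the packet, so a loop driven by it (which lies outside this hunk) can be asked for up to 2^32 iterations and now never goes negative. If each iteration is not guaranteed to consume input or to stop at `frame_end`, add a bound right after the read, e.g. `if (segments > bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA;` assuming every segment costs at least one byte. decode_tsw1's body continues beyond the hunk, so this needs checking against the loop itself.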
From: Michael Niedermayer Date: Sat, 6 May 2017 16:43:52 +0200 Subject: [PATCH 357/658] avcodec/webp: Fix null pointer dereference Fixes: 1369/clusterfuzz-testcase-minimized-5048908029886464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9bf4523e40148fdd27064ab570952bd8c4d1016e) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index e715c4b164..948e8d398c 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1341,6 +1341,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 22de9c949abaabd240a85b285f557e4ee67bee12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 18:28:09 +0200 Subject: [PATCH 358/658] avcodec/shorten: Check k in get_uint() Fixes: undefined shift Fixes: 1371/clusterfuzz-testcase-minimized-5770822591447040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6a51f59c467ab9f4b73122dc269206fb517425) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index e4cef61811..388d8dee78 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,8 +155,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } 
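Review bot: get_uint is declared `static inline unsigned int`, so the new `return AVERROR_INVALIDDATA;` is converted to a large positive unsigned value and a caller testing the result with `< 0` never sees the error; callers have to range-check the returned value instead, and nothing in this hunk says so. Either change the return type to `int` and have callers check `< 0`, or document the contract above the function: `/* Returns (unsigned)AVERROR_INVALIDDATA when the length code exceeds 31; callers must range-check the result. */`. The comparison `k > 31U` also converts the int `k` to unsigned, so a negative value from get_ur_golomb_shorten is rejected by the same test, which deserves a short comment since it is easy to "fix" into `k > 31`.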
From cbd8be63cf34b07f001ed67947491d9faf507717 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:07:59 +0200 Subject: [PATCH 359/658] avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from Fixes integer overflow Fixes: 1372/clusterfuzz-testcase-minimized-5712192982745088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef0f392711445e173a56b2c073dedb021ae3783) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 01941967a5..8344bfe8a7 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; From 78b47e9229616d62b4935ec263a359b6c9e3c5e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:11:46 +0200 Subject: [PATCH 360/658] avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 Fixes: 1375/clusterfuzz-testcase-minimized-6070134701555712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1283c4244767bd19918f355c31d702a94ee0cc1b) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 8825f3d8b7..663521b85d 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c 
@@ -67,11 +67,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { From 54eaa109ed8ba810a493a22b961f3504d8d60718 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 21:31:49 +0200 Subject: [PATCH 361/658] avutil/softfloat: Fix overflow in av_div_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 277e397eb5964999bd76909f52d4bd3350289c22) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index fed3e77f87..daf91a5557 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -114,8 +114,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; From 94029d7e179e4a87c30feea9dbd036646132e491 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:24:52 +0200 Subject: [PATCH 362/658] avcodec/cdxl: Check format parameter Fixes out of array access Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
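Review bot: Both branches now contain the identical line `block[0] = get_sbits(gb, 9) * 64;` and differ only in whether it runs before or after the `q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];` read; since both calls consume bits, the order is presumably dictated by the HQ versus HQA bitstream layout, but nothing says so and a later cleanup could merge the branches and silently reorder the reads. Add a comment before the `if (!is_hqa)`: `/* HQ stores the DC coefficient before the quantizer index, HQA after it; the bit reads must stay in this order */` (to be confirmed against the format). hq_decode_block continues outside the hunk.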
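Review bot: `temp /= b.mant;` divides by zero when b.mant is 0 and av_div_sf still has no check for it; the original `/ b.mant` had the same problem, so this is not a regression, but the rewrite is the place to settle it. If callers are not guaranteed to pass a non-zero divisor, either guard it (`if (!b.mant) return FLOAT_...` with whatever saturated value the softfloat API prefers) or at least state the precondition in the doc comment, `@param b must have a non-zero mantissa`. The shift constant `(1<<(ONE_BITS+1))` is also only valid while ONE_BITS+1 stays below 31; ONE_BITS is defined outside this hunk, so a comment tying the two together would help.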
Signed-off-by: Michael Niedermayer (cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 7a9b41943d..5c0ecb279c 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -277,7 +277,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, c->padded_bits = aligned_width - c->avctx->width; if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { if (c->palette_size != (1 << (c->bpp - 1))) From 47e2c70dcdbeb1200cb81355c6e2279750b3f676 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:31:23 +0200 Subject: [PATCH 363/658] avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1380/clusterfuzz-testcase-minimized-650122545122508 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a8335de030aa6cb6356bb16c7d3aefc5a80e362) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 763371a3aa..50a1a2c9e3 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -39,7 +39,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, From 8464f25089258f3340bb394a147ecb7be6b7a832 Mon Sep 17 00:00:00 2001 
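Review bot: The CHUNKY exclusion is added only to the PAL8 branch; the `else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8))` branch immediately below still selects BGR24 and checks `palette_size` with no format test, so a CHUNKY stream with encoding 1 and 6/8 bpp still takes a palette-based path. If the out-of-array access fixed here comes from palette lookups that CHUNKY data does not have, the same `&& c->format != CHUNKY` belongs on that condition too. cdxl_decode_frame continues beyond the hunk.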
From: Michael Niedermayer Date: Sun, 7 May 2017 02:46:54 +0200 Subject: [PATCH 364/658] avcodec/msmpeg4dec: Correct table depth Fixes undefined shift Fixes: 1381/clusterfuzz-testcase-minimized-5513944540119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1121d9270783b284a70af317d8785eac7df1b72f) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 2f908770e3..73f4be6747 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; From ef40a32dbb0e98e3b3cc9f8f801153cea5ef6454 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:16:53 +0200 Subject: [PATCH 365/658] avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' Fixes: 1382/clusterfuzz-testcase-minimized-6013445293998080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 669419939c1d36be35196859dc73ec9a194157ad) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 53f56df58d..008935a739 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -210,7 +210,7 @@ static int svq3_decode_end(AVCodecContext *avctx); static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -235,10 +235,10 @@ static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride From d9faa9bd63661ce3a4f07567766524783a8f2e75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:23:09 +0200 Subject: [PATCH 366/658] avcodec/ivi_dsp: Fix multiple left shift of negative value -2 Fixes: 1385/clusterfuzz-testcase-minimized-5552882663292928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e88cc94e58e9e4d1293f9f56c973510e30495fd) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index bc9de1a72f..9e41269c3b 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c 
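Review bot: `(int)((z0 + z3) * qmul + 0x80000) >> 20` (and the three stores below it) trades signed-overflow UB for two implementation-defined behaviours, conversion of an out-of-range unsigned to int and an arithmetic right shift of a negative int, and nothing in the code says that this is deliberate. FFmpeg assumes two's-complement wrap and arithmetic shifts everywhere, but a reader may take the casts for cleanup; a one-line comment above the four stores, `/* computed unsigned to avoid signed overflow; the (int) cast and >> rely on two's-complement wrap and arithmetic shift */`, records the intent.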
@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], From b892a0b1c0788370c1338ccf55ee5c88c0f5331c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:27:17 +0200 Subject: [PATCH 367/658] avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1386/clusterfuzz-testcase-minimized-5323086394032128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e92fb2bea1800b987ebc3cbeef9d48cfe4bcd191) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 5012245a26..6049c96791 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c 
@@ -35,7 +35,7 @@ #define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \ ((uint8_t)(g) << 8) | \ ((uint8_t)(b) << 16) | \ - ((uint8_t)(a) << 24)) + ((unsigned)(uint8_t)(a) << 24)) static av_always_inline void extract_color(uint32_t colors[4], uint16_t color0, From 23853514e5af2308043f76c76a1568edb9912d31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:49:06 +0200 Subject: [PATCH 368/658] avcodec/targa_y216dec: Fix width type Fixes out of array access Fixes: 1376/clusterfuzz-testcase-minimized-6361794975105024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e56db892600c2fbe34782c6140f1ee832a2c344) Signed-off-by: Michael Niedermayer --- libavcodec/targa_y216dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 21b3d35d67..443d48a92f 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { From a11e5577a2532b1f6a2ea1a6ae896ef9d9e22b6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:12:04 +0200 Subject: [PATCH 369/658] avcodec/mss34dsp: Fix multiple signed integer overflow Fixes: 1387/clusterfuzz-testcase-minimized-4802757766676480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 464c4b86ee43b7912e6f23fd3e5ba40381b4c371) 
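Review bot: The size check `avpkt->size < 4 * avctx->height * aligned_width` still evaluates a three-factor product in int; with `aligned_width` now an int rather than uint16_t the product can exceed INT_MAX for large frames unless dimension limits enforced elsewhere keep it in range, which is not visible here. Writing it as `4 * (int64_t)avctx->height * aligned_width` matches the `(width * (int64_t)height)` pattern used by the eamad fix in this same series. y216_decode_frame continues beyond the hunk.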
Signed-off-by: Michael Niedermayer --- libavcodec/mss34dsp.c | 44 +++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add17d..4965ac514d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c 
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + 
t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { From b0f57bd326976def351d6e19bddfd0e282c6e095 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:16:33 +0200 Subject: [PATCH 370/658] avcodec/ra144: Fix runtime error: left shift of negative value -798 Fixes: 1388/clusterfuzz-testcase-minimized-6680800936329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78bf446852a7e5e8aa52c7ca9889632e167b665f) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index ceec32d79d..690f7ff3d6 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; From 93f9d9dc6c3df88e0e05e76a1a26e3a69e427c3b Mon Sep 17 00:00:00 2001 
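Review bot: DCT_TEMPLATE now does all arithmetic in unsigned and folds back with `(int)(...) >> shift`, which relies on implementation-defined unsigned-to-int conversion and on an arithmetic right shift of negative values; nothing in the macro says this is intended rather than accidental. Suggest a comment above `#define DCT_TEMPLATE`: `/* computed in unsigned to avoid signed-overflow UB; the final (int) cast and >> assume two's-complement wrap and arithmetic shift */`. SOP_ROW/SOP_COL take a signed `a` and multiply by `1U << 16`, so a negative `a` wraps modulo 2^32 before the cast; that is consistent with the rest of the macro but worth one line in the same comment.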
From: Michael Niedermayer Date: Sun, 7 May 2017 15:40:07 +0200 Subject: [PATCH 371/658] avcodec/g726: Fix runtime error: left shift of negative value -2 Fixes: 1393/clusterfuzz-testcase-minimized-5948366791901184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c04aa148824f4fb7f4b70830ad3ca7a6cba8ab79) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index ca7f856eac..6922b40f87 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) From aab7b9e6bcf957e251699d009cb54226c28aaf86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:42:17 +0200 Subject: [PATCH 372/658] avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' Fixes: 1394/clusterfuzz-testcase-minimized-6493376885030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ac1c87194a67e6104a3d241a4dd1ca0808784bd) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index bb0f0053ff..c28fd11d42 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; From 71a568e47d042100243fbae9e15faa0fd9e44a9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:44:51 +0200 Subject: [PATCH 373/658] avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' Fixes: 1395/clusterfuzz-testcase-minimized-5330939741732864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a38e9797cb4123d13ba871d166a737786ba04a9b) Signed-off-by: Michael Niedermayer --- libavcodec/s302m.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index ccfb5913a0..a68ac79f2c 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); 
@@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; From e2103ad36d4578cd5af091b7860e88999c49ac30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 18:50:49 +0200 Subject: [PATCH 374/658] avcodec/xwddec: Check bpp more completely Fixes out of array access Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 64cd8418a2..8b0845fc01 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; From be531b47623650be806b285d219caa3577fded87 Mon Sep 17 00:00:00 2001 
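Review bot: After the tightened conditions, an XWD_GRAY_SCALE image with `bpp == 1, pixdepth == 8` or `bpp == 8, pixdepth == 1` passes the `bpp != 1 && bpp != 8` test but matches neither branch, so `avctx->pix_fmt` is left untouched and the rejection, if any, depends on a pix_fmt check later in xwd_decode_frame that is outside this hunk. An explicit `else return AVERROR_INVALIDDATA;` after the `bpp == 8 && pixdepth == 8` branch keeps the validation local and makes the intended combinations obvious.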
From: Michael Niedermayer Date: Sun, 7 May 2017 23:07:42 +0200 Subject: [PATCH 375/658] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' Fixes: 1401/clusterfuzz-testcase-minimized-6526248148795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b1f66cf5c2e4d29ae06cdf3f12cdd3d808006bd) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0da..cfa25f08dc 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; From 782473f9dfcaca5e3732a6ed0af3df9f2b5981d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 02:28:07 +0200 Subject: [PATCH 376/658] avcodec/ffv1dec: Fix copying planes of paletted formats Signed-off-by: Michael Niedermayer (cherry picked from commit 3a4d387195a5eb3c1700071af8d8150e4f7f6600) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 6a932b2934..3c4504c3c3 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -1003,7 +1003,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int pixshift = desc->comp[j].depth > 8; int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; @@ -1011,6 +1011,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, From 4f98b97b2ad1ea2244cd8f10758802d9bdc58e16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:46:03 +0200 Subject: [PATCH 377/658] avcodec/cdxl: Check format for BGR24 Fixes: out of array access Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 5c0ecb279c..78f5d50102 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c 
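Review bot: `const uint8_t *src[4]; uint8_t *dst[4];` are declared without initializers (visible in the hunk context), and the loop now fills only `desc->nb_components` entries plus index 1 for paletted formats, so the remaining entries reach `av_image_copy` indeterminate. av_image_copy presumably touches only the planes the format has, but passing uninitialized pointers is fragile and easy to turn into a real read later; initializing both arrays, `const uint8_t *src[4] = { NULL }; uint8_t *dst[4] = { NULL };`, costs nothing. A comment on the new block, `/* plane 1 of PAL/PSEUDOPAL formats is the palette, not a chroma plane: copy it whole */`, would also explain why it bypasses the chroma-shift arithmetic. decode_frame continues outside the hunk.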
@@ -279,7 +279,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; From 7e5ece1052279112eff2541fb036f1fe279fc8f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:55:27 +0200 Subject: [PATCH 378/658] avcodec/cavsdec: Check sym_factor Fixes: runtime error: signed integer overflow: 25984 * 130560 cannot be represented in type 'int' Fixes: 1404/clusterfuzz-testcase-minimized-5000441286885376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279420b5a63b3f254e4932a4afb91759fb50186a) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 8842346c25..4d1b77187b 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; From 45763713e81a105e39c1ff23a7a3a1d3a6351aa9 Mon Sep 17 00:00:00 2001 
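Review bot: In the cavsdec hunk the new bound `if (FFABS(h->sym_factor) > 32768)` is a bare magic number; the commit message ties it to a later product overflowing `int`, but nothing at the check says so, and the consumer is outside this hunk. A comment naming which downstream multiplication the bound keeps within `int` range, e.g. `/* sym_factor is multiplied later; keep it within 16 bits so the product fits in int */` (with the actual consumer named), would make the limit reviewable the next time those ranges change. decode_pic begins and ends outside the hunk.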
From: Michael Niedermayer Date: Mon, 8 May 2017 12:04:09 +0200 Subject: [PATCH 379/658] avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() Fixes: 1405/clusterfuzz-testcase-minimized-5011491835084800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d5118f81bd51b9c33500616b3c637123e8e4691) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index feff9c0b68..04a65e7767 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; t8 = (t6 * 11585) >> 14; t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); From 34a7677f296ee746115e43b437b205cac7f36ee3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 8 May 2017 12:07:56 +0200 Subject: [PATCH 380/658] avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' Fixes: 1406/clusterfuzz-testcase-minimized-5064865125236736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8824b7370a9fb72f9c699c3751a5ceb56e0cc41d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 07bea69c78..7d9cfa8278 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -95,7 +95,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +105,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
@@ -116,13 +117,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } From e3368b7f8217d2bfa452efbd9a723590e0dcf3f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:17:31 +0200 Subject: [PATCH 381/658] avcodec/dvbsubdec: check region dimensions Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0075d9eced22839fa4f7a6eaa02155803ccae3e6) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index bf3b1a1019..9e48ab4a25 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1242,6 +1243,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; 
@@ -1270,6 +1272,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); From d766376f4b534c6045d06f490d30cd0c6253c816 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:40:30 +0200 Subject: [PATCH 382/658] avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' Fixed: 1409/clusterfuzz-testcase-minimized-5237365020819456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea59ef0c031b6b92f051f60c19fdd0a716769834) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 93e54c5209..2100936e51 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -524,7 +524,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; From ddef5acc31568357e383ded37b4f9b6d6813241c Mon Sep 17 00:00:00 2001 
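Review bot: The added error path writes `region->width= region->height= 0;` with spacing unlike the surrounding code (`buf += 2;`, `ret = av_image_check_size(...)`); `region->width = region->height = 0;` matches the file's style. Zeroing the dimensions while leaving `region->buf_size` and `region->pbuf` untouched is presumably intended so that the existing `width * height != buf_size` path reallocates on the next segment rather than reusing a buffer sized for the rejected dimensions, but a one-line comment saying so, `/* invalidate the region so the stale buffer is never used with rejected dimensions */`, would save the next reader that reasoning. dvbsub_parse_region_segment begins and ends outside the hunk.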
From: Michael Niedermayer Date: Mon, 8 May 2017 15:46:55 +0200 Subject: [PATCH 383/658] avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' Fixes: 1411/clusterfuzz-testcase-minimized-5776085184675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29692023b2f1e0580a4065f4c9b62bafd89ab337) Signed-off-by: Michael Niedermayer --- libavcodec/bmvvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 97f850dbae..cf7f0a0501 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } From d48a152b7cd8d7487abf39c91682ddd534625815 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:42:53 +0200 Subject: [PATCH 384/658] avcodec/htmlsubtitles: Check for string truncation and return error Fixes out of array access Fixes: 1354/clusterfuzz-testcase-minimized-5520132195483648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ae3cce64bd46b1d539bdeac39753f83015f114) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 12 +++++++++--- libavcodec/htmlsubtitles.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 8b57febd26..16295daa0c 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c 
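Review bot: `val |= (unsigned)*src << shift;` removes the signed left-shift UB, but a shift count of 32 or more is still undefined for a 32-bit `unsigned`, and all that is visible here is that `shift` grows by 2 per iteration and the loop exits on `*src & 0xC`; whether `shift` stays below 32 is decided outside the hunk. If it is not bounded there, a guard before the shift, `if (shift >= 32) return AVERROR_INVALIDDATA;`, would close that case cheaply; if it is, a comment stating the bound would record the invariant. decode_bmv_frame begins and ends outside the hunk.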
@@ -46,11 +46,12 @@ typedef struct SrtStack { static void rstrip_spaces_buf(AVBPrint *buf) { - while (buf->len > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; @@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h index e10cdda241..f3a8ef5d8b 100644 --- a/libavcodec/htmlsubtitles.h +++ b/libavcodec/htmlsubtitles.h @@ -23,6 +23,6 @@ #include "libavutil/bprint.h" -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); #endif /* AVCODEC_HTMLSUBTITLES_H */ From e82d6dafdef6a165c97c376d189a374047903af5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 20:24:48 +0200 Subject: [PATCH 385/658] avcodec/g723_1dec: Fix several integer related cases of undefined behaviour Fixes: 1412/clusterfuzz-testcase-minimized-6561308772139008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3088e0fd8749788818cb5df92abaa3b12e409e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 3454ed6074..0bb2ab96c4 100644 
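Review bot: `ff_htmlmarkup_to_ass` now returns `AVERROR(ENOMEM)` when `dst` is incomplete, and the early return does close the out-of-bounds `dst->str[dst->len] = 0` write inside this function, but the diffstat shows only htmlsubtitles.c and htmlsubtitles.h changed, so every existing caller still ignores the result and continues with a truncated AVBPrint exactly as before; the callers need a follow-up. The new contract is also undocumented in the header hunk: a Doxygen block on the declaration, `@return 0 on success, AVERROR(ENOMEM) if dst could not hold the converted output`, would tell callers what to check (worth noting there that the condition is truncation, since ENOMEM suggests a failed allocation). In the first hunk, the new `if (av_bprint_is_complete(buf))` in rstrip_spaces_buf wraps a `while` without braces; bracing the `if` body avoids the dangling-body hazard. ff_htmlmarkup_to_ass begins and ends outside its hunks.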
--- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -663,7 +663,7 @@ static int estimate_sid_gain(G723_1_Context *p) t = p->sid_gain << shift; else t = p->sid_gain >> -shift; - x = t * cng_filt[0] >> 16; + x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); if (x >= cng_bseg[2]) return 0x3F; @@ -732,7 +732,7 @@ static void generate_noise(G723_1_Context *p) off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN; t >>= 2; for (j = 0; j < 11; j++) { - signs[i * 11 + j] = (t & 1) * 2 - 1 << 14; + signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14); t >>= 1; } } @@ -776,7 +776,7 @@ static void generate_noise(G723_1_Context *p) sum = 0; if (shift < 0) { for (j = 0; j < SUBFRAME_LEN * 2; j++) { - t = vector_ptr[j] << -shift; + t = vector_ptr[j] * (1 << -shift); sum += t * t; tmp[j] = t; } @@ -814,7 +814,7 @@ static void generate_noise(G723_1_Context *p) if (shift < 0) x >>= -shift; else - x <<= shift; + x *= 1 << shift; x = av_clip(x, -10000, 10000); for (j = 0; j < 11; j++) { From 99341b2a7fd1344ccfc71f3b3500a52ea4593660 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 00:02:22 +0200 Subject: [PATCH 386/658] avcodec/indeo2: Check for invalid VLCs Fixes: timeout Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 159fb8ff7e4038edf13e91d3c08bc7b8abc369b9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index f12d6d00d1..d99ad18f0e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c 
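Review bot: In the `@@ -776` hunk, `t = vector_ptr[j] * (1 << -shift);` replaces a left shift of a possibly negative value with a multiplication, which is well-defined only while the product fits in `int`, and the next line `sum += t * t;` squares it in `int` as well. Whether either can overflow depends on the ranges of `shift` and `vector_ptr[]`, neither visible here; if `sum` is meant to accumulate energies over `SUBFRAME_LEN * 2` samples, `sum += (int64_t)t * t;` or an unsigned accumulator would be the robust form, otherwise a comment on the bound of `shift` would document why it cannot. generate_noise begins and ends outside the hunks.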
@@ -68,6 +68,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -89,7 +91,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -125,6 +130,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; From 1e52bd434498f76d485f1c062593198e28e1c508 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:44:37 +0200 Subject: [PATCH 387/658] avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 Fixes: 1423/clusterfuzz-testcase-minimized-5063889899225088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c5d2fa2fdff08e77bba0c9a31b91826a807c551c) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 023bc878e8..285df4938d 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
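Review bot: The same `if (c <= 0) return AVERROR_INVALIDDATA;` guard is added in three places across ir2_decode_plane and ir2_decode_plane_inter, each immediately before `table[c * 2]` is indexed, with nothing saying what it rejects. A short comment at the first one, `/* c <= 0 is not a valid index for the two-entry table cases */`, would help; and if `c` comes from a shared VLC read (outside these hunks), validating it once at that point would remove the repetition and protect any other users of `c`. Both functions begin and end outside the hunks.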
@@ -431,19 +431,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -455,7 +455,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -489,7 +489,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From 1ddb2441d6bff489ee38495152d6ee988dfa96fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:50:05 +0200 Subject: [PATCH 388/658] avcodec/lagarith: Fix runtime error: left shift of negative value -1 Fixes: 1424/clusterfuzz-testcase-minimized-6088327159611392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ddb2dd7edbccc5596d8e3c039133be8444cb1d02) 
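Review bot: `get_sbits(gb, size) * (1 << (10 - size))` is only well-defined while `size <= 10`; for a larger `size` the shift count goes negative, which is undefined regardless of the `<<`-to-`*` rewrite. `size` is derived outside this hunk, so if it is already bounded there a comment at its first use here, `/* size <= 10, validated where size is read */`, would record the invariant; otherwise a guard is needed. The context line `x = 1 << (32 - (15 - filter_quant));` relies on a similar bound (a shift count of 31 or more is undefined for `int`), depending on the range of `filter_quant`, which is also not visible here. decode_subframe begins and ends outside the hunks.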
Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 93d13448c9..a3e8347004 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) From 9b14178421c7b1aa34f9ce526ca89a42ee392813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:56:45 +0200 Subject: [PATCH 389/658] avcodec/lagarith: Check scale_factor Fixes: 1425/clusterfuzz-testcase-minimized-6295712339853312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed3c9b5b0dd5abb545c48e930e1c32c187b0776a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index a3e8347004..2ad6c61c59 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, From 22f9831d0db1554679620850007ef621d8105342 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:18:36 +0200 Subject: [PATCH 390/658] avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' Fixes: 1428/clusterfuzz-testcase-minimized-5263281793007616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
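Review bot: `return (x * 2) ^ (x >> 7);` in lag_calc_zero_run still right-shifts a negative `int8_t` (promoted to `int`) when `x < 0`; that is implementation-defined in C11 rather than undefined, so the rewrite removes the UB but the result remains compiler-dependent, and the `^` relies on the arithmetic-shift outcome of `-1`. A one-line comment, `/* relies on arithmetic right shift: x >> 7 is 0 or -1 */`, would make the dependency visible. The function is complete within the hunk.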
Signed-off-by: Michael Niedermayer (cherry picked from commit 2bd8eb05d21b582d627a93852b59cb3cfc305dae) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 6049c96791..49e97c91ae 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride, } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } From 9bc7868bc9166ccbaed88fe562c51838556b2f34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:26:39 +0200 Subject: [PATCH 391/658] avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' Fixes: 1429/clusterfuzz-testcase-minimized-5959951610544128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd1790f48c457a8cedb445dcac73f8f7b7698) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 008935a739..6eb263ba7d 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -268,16 +268,16 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; const int rr = (dc + 0x80000); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); From 24d048f3e6bfb4d05c53683b3afc24dd92c12abd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:33:27 +0200 Subject: [PATCH 392/658] avcodec/y41pdec: Fix width in input buffer size check Fixes: out of array read Fixes: 1437/clusterfuzz-testcase-minimized-4569970002362368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d3729475c7dce52d8fb9ffb280fd2ea62e1a2) 
Signed-off-by: Michael Niedermayer --- libavcodec/y41pdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c index 1b177d4262..85a39e4ae2 100644 --- a/libavcodec/y41pdec.c +++ b/libavcodec/y41pdec.c @@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data, uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } From 4170c380247fc113544ec0a933140e2ee962bde1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:41:23 +0200 Subject: [PATCH 393/658] avcodec/cavs: Check updated MV Fixes: runtime error: signed integer overflow: 251 + 2147483647 cannot be represented in type 'int' Fixes: 1438/clusterfuzz-testcase-minimized-4917542646710272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5871adc90f8c1037535563e33ebeaf032bb4d5d6) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 10e118e55b..8542b124ef 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -613,8 +613,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } 
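Review bot: In the cavs hunk, when `mx`/`my` fall outside int16 range the new code logs an error and keeps the predicted MV, but ff_cavs_mv returns `void` (see the hunk header), so the caller cannot learn that the stream was rejected at this point and decoding continues with a vector the stream did not specify. If that fallback is intended, a comment in the `else`-less branch, `/* keep the predicted MV; this void function has no error path */`, would document it; propagating an error instead would need a signature change outside this hunk. The `(unsigned)` additions avoid signed overflow, though the implicit conversion of the unsigned sum back to `int mx` is implementation-defined for out-of-range values; since it feeds only the range check that is acceptable, and worth a short comment. ff_cavs_mv begins outside the hunk.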
From 9f3267def692928e46c1d59aa1570c3029453f44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E8=B5=9E?= Date: Wed, 10 May 2017 14:55:34 +0200 Subject: [PATCH 394/658] avformat/wavdec: Check chunk_size Fixes integer overflow and out of array access Signed-off-by: Michael Niedermayer (cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 7176cd6f2d..8bbb301afc 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -829,6 +829,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) From 159e5ba8d79a909583b7489ec17ccbbf787a3750 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:51:58 +0200 Subject: [PATCH 395/658] avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' Fixes: 1441/clusterfuzz-testcase-minimized-6223152357048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea428789371fa0601e9ebb5b7f2216d4e73e831) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 2100936e51..14025fcdde 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -529,7 +529,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; From e4def6e0b6085db85765d734b1044638d0e884ba Mon Sep 17 00:00:00 2001 
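Review bot: The wavdec check rejects only the exact value `UINT32_MAX`, i.e. the case where `chunk_size + 1` wraps to 0 before `av_mallocz` (this presumes `chunk_size` is a 32-bit unsigned; its declaration is outside the hunk). Every other value read from the file is still passed straight to the allocator, so a chunk header can request close to 4 GiB, which av_mallocz may refuse, turning a malformed header into ENOMEM rather than AVERROR_INVALIDDATA. Bounding `chunk_size` against the remaining size of the enclosing chunk or file before allocating, e.g. `if (chunk_size >= remaining_bytes) return AVERROR_INVALIDDATA;` with the actual remaining-length variable the loop already tracks, would reject such values as data errors without depending on allocator limits. w64_read_header begins and ends outside the hunk.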
From: Michael Niedermayer Date: Wed, 10 May 2017 19:02:05 +0200 Subject: [PATCH 396/658] avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' Fixes: 1443/clusterfuzz-testcase-minimized-4826998612426752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8de60ba2740185c53cabbee6c00ed67a0d530e2) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 8fd5cdb17f..92b23d009c 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame, static void tqi_calculate_qtable(TqiContext *t, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11; From 41392c52499a47d61979c6880be51a4fe41306cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 19:09:31 +0200 Subject: [PATCH 397/658] avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 Fixes: 1446/clusterfuzz-testcase-minimized-5577409124368384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db5fae32294763677caa4c1417dcba704c7e764e) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index da843c4440..08af622fa2 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c 
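Review bot: In the eatqi hunk, changing `qscale` to `int64_t` widens the later products, but its initializer `(215 - 2*quant)*5` is still evaluated in `int` before the conversion; that is fine if `quant` is small (its range is not visible here), yet a reader may assume the widening covers the whole expression. `const int64_t qscale = (215 - 2 * (int64_t)quant) * 5;` makes the intent unambiguous at no cost. tqi_calculate_qtable continues outside the hunk.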
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1 << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1 << 16))) * 2; } #if HAVE_BIGENDIAN From 8ec17629d72d5b35e6c00c12970ddb9a5ab03ff8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 21:54:31 +0200 Subject: [PATCH 398/658] avfilter/vf_uspp: Fix currently unused input frame dimensions Found-by: Nicolas Signed-off-by: Michael Niedermayer (cherry picked from commit 942036e97c8b149ce2f3ec6e7cbc990df8713d0c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_uspp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index f963254e11..41f72161d9 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -227,8 +227,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3], p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; From 21b1dd8f74c94ec263b1c127863a8d0591c18b5e Mon Sep 17 00:00:00 2001 
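Review bot: Rewriting the shifts as multiplications removes the left-shift-of-negative UB in `make_ydt15_entry` and `make_cdt15_entry`, but it leaves a signed overflow on the same lines: after `lo += (lo * 32) + (lo * 1024)` the value is 1057 times an `int16_t`, and `hi * (1 << 16)` exceeds `INT_MAX` for any table entry whose magnitude is above about 31. Doing the wide step in unsigned arithmetic, which wraps by definition and gives the same bits on the two's-complement targets FFmpeg assumes, closes that: `return (lo + (hi * (1U << 16))) * 2;` in the first function and `return (lo + (lo * (1U << 16))) * 2;` in the second. Whether `ydt`/`cdt` entries can actually reach that magnitude is not visible here, but they are `int16_t` and nothing in the hunk bounds them.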
From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:49 +0200 Subject: [PATCH 399/658] avcodec/webp: Always set pix_fmt Fixes: out of array access Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632 Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ libavcodec/webp.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 068223920e..63e7849284 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2548,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 948e8d398c..fd77e3b3a8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1326,9 +1326,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { From 7edd1cd6fa9f4e8eaf0819a48c13e1f1d7dbf674 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 00:49:31 +0200 Subject: [PATCH 400/658] avcodec/mpeg12dec: Fixes runtime error: division by zero Fixes: 1464/clusterfuzz-testcase-minimized-4925445571084288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
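Review bot: The unconditional `avctx->pix_fmt = s->has_alpha ? ... : ...;` fixes the unset-format case, but the init path directly above it still ignores the result of `ff_vp8_decode_init(avctx)` and sets `s->initialized = 1` regardless; if that initializer can fail (it appears to return an int, and I would expect it to allocate frame state), the decoder then enters `vp78_decode_frame` half-initialised, which the new `av_assert0` on `pix_fmt` does not catch. Propagating the status is a two-line change: `ret = ff_vp8_decode_init(avctx); if (ret < 0) return ret;` before `s->initialized = 1;`. Note also that `av_assert0` aborts the process, so the vp8.c check should be read as an API-misuse guard rather than a bitstream check; a comment saying so would help. The body of `vp8_lossy_decode_frame` continues outside the hunk.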
Signed-off-by: Michael Niedermayer (cherry picked from commit c0ece1f4addf8ac31df95775a2d36be2a55fc759) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index eb90af2143..50360c8132 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { From 79c489952a8c5de772e06d4f3d8fbcd0e18e9357 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:13:53 +0200 Subject: [PATCH 401/658] avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' Fixes: 1471/clusterfuzz-testcase-minimized-6376460543590400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a0ff78168f80f5b2c5c5544325aca4023bc67a4) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index acb8178337..6a5bdebe89 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From e9b0d127b0daf6e7ac72a1bdfd41584661af2b36 Mon Sep 17 00:00:00 2001 
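Review bot: The swapped-rational form in `mpeg_decode_postinit` still produces an invalid aspect ratio for zero table entries: I believe `av_d2q(0.0, 255)` reduces to `{0, 1}`, so swapping `num`/`den` yields `{1, 0}`, a rational with a zero denominator that a later `av_q2d()` turns into infinity — the same value the old `1.0 / 0.0` path produced, so the division by zero moves rather than disappears. If `ff_mpeg1_aspect[]` holds 0 for the forbidden/reserved codes (the table is outside this hunk), mapping those to "unknown" is safer: `if (!aspect_inv.num) avctx->sample_aspect_ratio = (AVRational){ 0, 1 }; else avctx->sample_aspect_ratio = (AVRational){ aspect_inv.den, aspect_inv.num };`. The function continues outside the hunk.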
From: Michael Niedermayer Date: Thu, 11 May 2017 15:18:50 +0200 Subject: [PATCH 402/658] avcodec/dvbsubdec: Check entry_id Fixes: randomly writing over the array end Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a69f2602fea04b7ebae2db16f2581e8ff5ee0cd) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 9e48ab4a25..9525cb7885 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1218,9 +1218,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); From becd83e164db216e0336b4f3cb7f833460da552f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:35:24 +0200 Subject: [PATCH 403/658] avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers Signed-off-by: Michael Niedermayer (cherry picked from commit e717fa1f0a66825fb10fec7debad768f311ee240) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 1c6902afd4..386b2f0ed2 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; 
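Review bot: The added `entry_id` bounds in `dvbsub_parse_clut_segment` stop the out-of-array write but turn an invalid entry into a silent fall-through: an entry flagged for the 4-entry CLUT with `entry_id >= 4` now lands in `clut16` or `clut256` instead, so the stream is reinterpreted rather than rejected. Rejecting it explicitly keeps the tables consistent with what the stream declared: `if (((depth & 0x80) && entry_id >= 4) || ((depth & 0x40) && entry_id >= 16)) return AVERROR_INVALIDDATA;` placed before the chain, which already returns that code a few lines earlier (or at least log and skip the entry). Parenthesising `(depth & 0x80)` in the new conditions would also make the `&` versus `&&` precedence obvious to the reader. The function body continues outside the hunk.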
@@ -74,7 +78,7 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +105,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +114,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -166,7 +170,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +199,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; 
From 5e23b4a8396e881f68c06544fd110d8436a5b7db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:39:33 +0200 Subject: [PATCH 404/658] avcodec/cllc: Check num_bits Fixes: runtime error: shift exponent -2 is negative Fixes: 1479/clusterfuzz-testcase-minimized-6638493360979968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bfd0a97587d26c0c39413a6291ccc66e4a928d0) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 386b2f0ed2..24fa168e36 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -55,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; From 1147b109b7e01db451e290a8d73c377438301d4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 19:10:16 +0200 Subject: [PATCH 405/658] avcodec/msmpeg4dec: Check for cbpy VLC errors Fixes: runtime error: left shift of negative value -1 Fixes: 1480/clusterfuzz-testcase-minimized-5188321007370240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15e892aad12b23e9b5686cf66ca6fa739c734ead) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 73f4be6747..27703163e0 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c 
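Review bot: The error message on the new `num_lens` guard in `read_code_table` has a user-visible typo, `"To long VLCs %d\n"`; it should read `"Too long VLCs %d\n"`. The reason for `vlc->table = NULL` on this path is also unstated — presumably so that a later `ff_free_vlc()` over a partially built VLC array is safe, though the caller is outside the hunk — and deserves a one-line comment such as `/* no stale table pointer: the caller frees every VLC on error */`. The body of `read_code_table` continues outside the hunk.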
@@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; From 4476107e3acb29c03b8ce888f20f8b96b30e6711 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 23:24:23 +0200 Subject: [PATCH 406/658] avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 Fixes: 1487/clusterfuzz-testcase-minimized-6288036495097856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6899e6e56065d9365963e02690dc9e2ce7866050) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 357da97b0d..9b3adfa9a8 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1966,9 +1966,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; From 9f0f354a97bfcd6fef88193614c85ad0a0bda661 Mon Sep 17 00:00:00 2001 
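Review bot: The two new cbpy checks in `msmpeg4v12_decode_mb` are byte-for-byte copies inside branches that differ only in how `s->ac_pred` is set and in the P-picture XOR, so the VLC read and its validation can be hoisted out of the `if/else`, leaving one copy of the error handling that cannot drift. Returning `-1` matches the function's existing convention in this hunk, so that part is consistent. The function starts and ends outside the hunk.
```c
} else {
    int v;
    s->ac_pred = s->msmpeg4_version == 2 ? get_bits1(&s->gb) : 0;
    v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
    if (v < 0) {
        av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
        return -1;
    }
    cbp |= v << 2;
    if (s->msmpeg4_version != 2 && s->pict_type == AV_PICTURE_TYPE_P)
        cbp ^= 0x3C;
    *mb_type_ptr = MB_TYPE_INTRA;
    /* … unchanged: remainder of the intra path … */
```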
From: Michael Niedermayer Date: Fri, 12 May 2017 13:05:46 +0200 Subject: [PATCH 407/658] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' Fixes: 1503/clusterfuzz-testcase-minimized-5369271855087616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df640dbbc949d0f4deefaf43e86b8bd50ae997cc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index cfa25f08dc..7b59d10a43 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; From bf7bcd803a5c729d0c0a5a8483087b315d0b9231 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:13:46 +0200 Subject: [PATCH 408/658] avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 Fixes: 1504/clusterfuzz-testcase-minimized-6249212138225664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4c0245686bc2fcc545644101c7b328fed71f268) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 0bb2ab96c4..0ca83411f4 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c 
@@ -694,13 +694,13 @@ static int estimate_sid_gain(G723_1_Context *p) if (y <= 0) { t = seg * 32 + (val + 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val++; } else { t = seg * 32 + (val - 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val--; } From f224214ae24fd988a1de2a90432ec8da9fd7cf99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:15:33 +0200 Subject: [PATCH 409/658] avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1505/clusterfuzz-testcase-minimized-4561688818876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f225003d17364cd38fd28f268ae2b29abd8e5024) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 49e97c91ae..90b1eb4f11 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride, for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); From d5c3132d6fbd7528b07c6492e2728baf97a577a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 13:01:36 +0200 Subject: [PATCH 410/658] avcodec/avcodec: Limit the number of side data elements per packet Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496 See: [FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit d5711cb89121268e8d78ebe8563a68e67a236cbb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 12 +++++++++++- libavcodec/avpacket.c | 5 ++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 39713ed76b..1be52e7a12 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1515,7 +1515,17 @@ enum AVPacketSideDataType { * should be associated with a video stream and containts data in the form * of the AVMasteringDisplayMetadata struct. */ - AV_PKT_DATA_MASTERING_DISPLAY_METADATA + AV_PKT_DATA_MASTERING_DISPLAY_METADATA, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index e8b2959541..8ffae4bcb2 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, AVPacketSideData *tmp; int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); @@ -433,6 +433,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); From e85a3a1d3e3d3e1b9d6b96a3ecb044ed37355005 Mon Sep 17 00:00:00 2001 
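Review bot: The two new `AV_PKT_DATA_NB` checks in `av_packet_add_side_data` and `av_packet_split_side_data` bound the element count by the number of side-data types, but neither says why that is the right ceiling, and the enum comment in avcodec.h only warns that the value may grow. A short comment at each check would make the invariant explicit, e.g. `/* presumably at most one element per side data type is meaningful; more is malformed */`. The two checks also phrase the same limit differently (`elems + 1 > AV_PKT_DATA_NB` versus `i > AV_PKT_DATA_NB`); both admit exactly `AV_PKT_DATA_NB` entries, so they agree, but identical phrasing would make that obvious. Both functions continue outside their hunks.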
From: Michael Niedermayer Date: Wed, 10 May 2017 14:50:40 +0200 Subject: [PATCH 411/658] avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' Fixes: 1440/clusterfuzz-testcase-minimized-5785716111966208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccce2248bf56692fc7bd436ca2c9acca772d486a) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 7d9cfa8278..fed5c67a90 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
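Review bot: Making `a1..d1` `unsigned` in `vp7_luma_dc_wht_c` only makes the additions and subtractions wrap; the products such as `dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274` are still evaluated in `int` before the conversion, which is safe only because `dc` is `int16_t` (|product| ≤ 32767·30274, below `INT_MAX`), and the `(int)` casts ahead of `>> 14` rely on the two's-complement conversion FFmpeg assumes throughout. None of that is written down, so the next reader may "fix" the unsigned declarations back. A comment above `unsigned a1, b1, c1, d1;` would pin it: `/* unsigned so the sums wrap instead of overflowing; int16 times these constants still fits in int */`. The function body continues outside the hunks.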
@@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } From f450115354ef2bef7eff4454d7b9e3561fa69be3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 14:39:26 +0200 Subject: [PATCH 412/658] avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 Fixes: 1512/clusterfuzz-testcase-minimized-4713846423945216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 6 +++--- libavcodec/mlpdsp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 7cad5d1cad..b471f0d760 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; 
@@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..2fc453c1f0 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1 << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 84e272d4e23f49f90405527d14254c000c32e6a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 04:12:15 +0200 Subject: [PATCH 413/658] avcodec/aacsbr_template: Do not change bs_num_env before its checked Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 4d4b705dfa..f69c2d612b 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c 
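Review bot: `sample_buffer[i][mat_ch] * (1 << output_shift[mat_ch])` in `ff_mlp_pack_output` is only defined while `output_shift` is in 0..30; if that field is parsed with a signed read in mlpdec.c (as I believe it is), a negative value makes `1 << output_shift` undefined, so the parser must reject or clamp it before this runs, and that precondition deserves a comment here. The very next context line, `*data_32++ = sample << 8;`, still left-shifts a possibly negative `sample` — the same UB class this commit removes; `*data_32++ = sample * 256U;` finishes the job. The loop body continues outside the hunk.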
@@ -623,25 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -689,15 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; 
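Review bot: The restructured `read_sbr_grid` now leaves `ch_data->bs_num_env` and `ch_data->bs_frame_class` untouched when the FIXFIX or VARVAR envelope count is rejected, which is the intent (the previously validated grid stays in effect and the old `bs_num_env = 2` fallback is gone), but nothing in the code says so, and the deferred `ch_data->bs_frame_class = bs_frame_class;` after the switch reads like an oversight without that context. A comment at the new locals would preserve the reasoning: `/* parsed into locals and committed to ch_data only once validated, so a bad frame cannot leave bs_num_env out of range for later indexing */`. The function starts and ends outside these hunks.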
@@ -712,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { From b6c8e47333303d4762e9af4d1f9d2d23988b5409 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:13:48 +0200 Subject: [PATCH 414/658] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 Fixes: 1535/clusterfuzz-testcase-minimized-5826695535788032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 26227d91865ddfbfe35c9ff84853cc469e1c7daf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 6a5bdebe89..1b5e8aa326 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx) static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } 
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign) { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } From e5abfbf2abc1fbee04bcf3fde11305a01ca0f3c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:27:27 +0200 Subject: [PATCH 415/658] avcodec/webp: Add missing input padding Fixes: 1536/clusterfuzz-testcase-minimized-5973925404082176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3508cc3fe643a8adad6a82a60bece3ea3c5dc63) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index fd77e3b3a8..e502ce6662 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1042,7 +1042,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); From b18a2cbdbf270e1a4f5f52184cd9f8faa51f0d1a Mon Sep 17 00:00:00 2001 
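Review bot: `1 + (((int)sign >> 31) * 2)` in `DEC_UQUAD` replaces the undefined left shift, but the right shift of a negative `int` it keeps is implementation-defined (arithmetic on every target FFmpeg supports, giving -1 or 0), which is the property the whole expression depends on and is not mentioned anywhere. A one-line comment on the first use would make the intent explicit: `/* (int)sign >> 31 is -1 or 0 (arithmetic shift assumed), so the factor is -1 or +1 */`. An alternative that avoids the assumption entirely is `1 - 2 * (int)(sign >> 31)` on the unsigned value, which yields the same ±1 without any signed shift; the same applies to the three following lines.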
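Review bot: The extra `AV_INPUT_BUFFER_PADDING_SIZE` bytes in `apply_color_indexing_transform` come from `av_malloc()`, so they are uninitialised; if the consumer of `line` is a bit reader that may read past the copied row (which is what the padding suggests, though the reader is outside the hunk), the overrun bytes now come from uninitialised heap instead of out of bounds — bounded, but nondeterministic. Zeroing the tail makes the behaviour reproducible: `memset(line + img->frame->linesize[0], 0, AV_INPUT_BUFFER_PADDING_SIZE);` after the allocation (or `av_mallocz` for the whole buffer), together with a comment saying why the padding exists. The function continues outside the hunk.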
From: Michael Niedermayer Date: Sat, 13 May 2017 19:28:01 +0200 Subject: [PATCH 416/658] avcodec/ac3dec: Keep track of band structure It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9351a156de724edb69ba6e1f05884fe806a13a21) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 27 +++++++++++++++------------ libavcodec/ac3dec.h | 2 ++ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index fac189b6b6..ead2909577 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -744,30 +744,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -894,7 +895,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { 
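Review bot: The new `memcpy(band_struct, default_band_struct, band_struct_size)` in `decode_band_structure` copies the destination size out of the default table, so it silently requires every default table passed in to be at least `AC3_MAX_CPL_BANDS`/`SPX_MAX_BANDS` bytes; the call sites pass `sizeof(s->cpl_band_struct)` and `sizeof(s->spx_band_struct)`, but nothing ties those to `ff_eac3_default_*_band_struct`, which are defined outside this hunk. Documenting that contract on the new `band_struct` parameter, and ideally asserting the table length against `band_struct_size` at the call sites, would prevent a future over-read. The `av_assert0(band_struct_size >= start_subband + n_subbands)` also aborts on what look like bitstream-derived values (`start_subband`/`end_subband`); if their validation lives in the callers, a comment pointing there would explain why an assert rather than an `AVERROR_INVALIDDATA` return is correct. The rest of the function is outside the hunk.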
@@ -1028,7 +1030,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index c2b867e32c..5330a5156a 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -128,6 +128,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -144,6 +145,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) From 536e29d4cf91c371216c5f2734e9c61054ee67d9 Mon Sep 17 00:00:00 2001 
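Review bot: The two new fields cpl_band_struct and spx_band_struct are the only members in their neighbourhood without a `///<` description; every surrounding field carries one. Since the point of the change is that the structure is filled from the default table only on the first block and then updated in place, suggest `uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; ///< coupling band structure, persists across blocks` and the matching `///< spx band structure, persists across blocks` for spx_band_struct. Both header hunks end inside the AC3DecodeContext definition, which continues outside the view.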
From: Michael Niedermayer Date: Sat, 13 May 2017 23:13:38 +0200 Subject: [PATCH 417/658] avcodec/mlpdec: Check that there is enough data for headers Fixes: out of array access Fixes: 1541/clusterfuzz-testcase-minimized-6403410590957568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3e51f8c14d22ae11684dcfe58df355f0f9e6401) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b471f0d760..fa4347fb23 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; From d792783f5632abc508c49f2040d6a0ea51f36f91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:16:44 +0200 Subject: [PATCH 418/658] avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' Fixes: 1556/clusterfuzz-testcase-minimized-5027865978470400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86b1b0d33dd7459f0d9c352c51ee2e374fd6f7fe) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 6eb263ba7d..1306cd6020 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
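Review bot: The new error message misspells "Insufficient": `av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n");`. The check itself is placed before the nonrestart_substr validation, which is the right spot, but length, header_size and substr_header_size are declared outside the hunk, so whether the sum can wrap or whether length is already bounded cannot be confirmed from here. read_access_unit continues past both ends of the hunk.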
@@ -250,7 +250,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } From 6d2a00d0f1139bda6ccf961cc9a69cd2871017ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:21:24 +0200 Subject: [PATCH 419/658] avcodec/webp: Fix signedness in prefix_code check Fixes: out of array read Fixes: 1557/clusterfuzz-testcase-minimized-6535013757616128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c5cd1c9d33b4b287f85d42efb1aecfaee31de6c) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index e502ce6662..8a8e1a8a9d 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -693,7 +693,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; From 536275b673c008afa2e912edebf70815c6796dfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:24:04 +0200 Subject: [PATCH 420/658] avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' Fixes: 1559/clusterfuzz-testcase-minimized-5048096079740928 Fixes: 1560/clusterfuzz-testcase-minimized-6011037813833728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8630b2cd36c57918acfe18302fe77d1ceefbd676) 
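Review bot: `1538U* block[0]` is inconsistently spaced next to `13 * 13 *` on the same line; write `1538U * block[0]`. The unsigned suffix also deserves a one-line reason, since the next reader will see it as stray: `/* unsigned: 1538 * block[0] can exceed INT_MAX on hostile input; the wrap is presumably the accepted result */`. Note that the U propagates through the ternary, so the `qmul * (block[0] >> 3) / 2` branch is now converted to unsigned and back to int on assignment — harmless on two's complement, but worth knowing.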
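Review bot: `prefix_code > 39U` works because the unsigned comparison also rejects a negative prefix_code, but without a comment it reads as a typo and is likely to be "fixed" back to `39`; add `/* unsigned compare: a negative (error) return from huff_reader_get_symbol() is rejected too */` above the if. The declared type of prefix_code and the error convention of huff_reader_get_symbol() are outside the hunk, so that wording is an inference to confirm. The `%d` in the log line stays correct for an int.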
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 3c4504c3c3..3ddef24556 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; From d5ac8a296a010374a2c6931d81cc8a43f259a84c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Apr 2017 18:46:48 +0200 Subject: [PATCH 421/658] libswscale/tests/swscale: Fix uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 7796f290653349a4126f2d448d11bb4440b9f257) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index 58c211453a..8291ce8359 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -308,10 +308,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; From 993671b570f310ec10456793af9412478d4f6c26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:00:42 +0200 Subject: [PATCH 422/658] avcodec/g723_1dec: Fix LCG type Fixes: 1567/clusterfuzz-testcase-minimized-5693653555085312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2c539d3501111f10a2b4e9480ea54c0a3190680) 
Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 0ca83411f4..de70957387 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -487,7 +487,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (FRAME_LEN - lag) * sizeof(*out)); } else { /* Unvoiced */ for (i = 0; i < FRAME_LEN; i++) { - *rseed = *rseed * 521 + 259; + *rseed = (int16_t)(*rseed * 521 + 259); out[i] = gain * *rseed >> 15; } memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf)); From d8082e5e6cdfa5386b5c4c3b09c6af743afd82c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:06:56 +0200 Subject: [PATCH 423/658] avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' Fixes: 1568/clusterfuzz-testcase-minimized-5944868608147456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b923213276777f33d6366b1cb9d1845a8658f365) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index 04a65e7767..7f8044e463 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -47,8 +47,8 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); From c1aa23caae2caab33a362f7615a2ae336587956c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 14 May 2017 14:42:45 +0200 Subject: [PATCH 424/658] avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' It seems dual mono with a LFE channel is not forbidden Fixes: 1570/clusterfuzz-testcase-minimized-6455337349545984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c55e637072b694a1db40e21948d218bfa2e744bb) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index ead2909577..00f59275d1 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1331,7 +1331,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; From 0d3efe30b5ff3e44ef8836accbf38c8d425ab340 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 16:47:13 +0200 Subject: [PATCH 425/658] avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode Fixes: Integer overflow Fixes: 1572/clusterfuzz-testcase-minimized-4578773729017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 467677769a2222ff8beab3c4d7826df9b7cbc81b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 523f63bda5..20d2171405 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
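Review bot: The added `ch <= 2` guard needs a comment, because it is not obvious why a dual-mono stream would have a third channel: per the commit message it is the LFE, which now keeps audio_channel 0 instead of indexing with -1. Suggest `/* dual mono: channels 1 and 2 are the two programs; an LFE (ch 3) uses program 0 */` above the if. Whether program 0's compression and gain are the intended choice for the LFE is a design question the hunk leaves open. The enclosing for loop continues beyond the hunk.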
@@ -2448,16 +2448,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { From e964d47439d58e0db10d94497166516853813a59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:35:56 +0200 Subject: [PATCH 426/658] avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' Fixes: 1510/clusterfuzz-testcase-minimized-5826231746428928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit afb4632cc30e83287338690c785ebac180436a59) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 50a1a2c9e3..ddb6b1b2c9 100644 --- a/libavcodec/dds.c 
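Review bot: `if((ctx->vol_sprite_usage == STATIC_SPRITE ||` has a redundant pair of parentheses and no space after `if`, unlike every other `if (` in the hunk; write `if (ctx->vol_sprite_usage == STATIC_SPRITE ||` / `    ctx->vol_sprite_usage == GMC_SPRITE) {`. The new else branch is the actual fix and would benefit from saying why: `/* sprite parameters left over from an earlier VOP must not be applied to a VOP that carries no trajectory */`, hedged since the overflow the commit message cites is not visible here. decode_vop_header continues past the hunk.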
+++ b/libavcodec/dds.c @@ -688,7 +688,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); frame->palette_has_changed = 1; From 528fb0b27d70b0b5a2d8a27bdd1f6798ae6876d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:31:19 +0200 Subject: [PATCH 427/658] avcodec/rscc: Check pixel_size for overflow Fixes: 1509/clusterfuzz-testcase-minimized-5129419876204544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 934572c5c3592732a30336afdf2df9926a8b4df2) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index fe0df2eec1..618002f6da 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -209,6 +209,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ctx->tiles[i].y = bytestream2_get_le16(gbc); ctx->tiles[i].h = bytestream2_get_le16(gbc); + if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size; ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i, From 1cdc9447f423d468a97f6d1b84ed8321d6ef3713 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 19:38:46 +0200 Subject: [PATCH 428/658] avcodec/cllc: Check prefix Fixes: runtime error: left shift of 1610706944 by 1 places cannot be represented in type 'int' Fixes: 1421/clusterfuzz-testcase-minimized-6239947507892224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
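Review bot: The guard computes the tile size in int64_t, but the accumulation on the very next line recomputes `ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size` in int, so the two expressions can disagree: w and h are 16-bit values read just above, the int product `w * h` alone can exceed INT_MAX, and the guard only bounds that product after multiplying by component_size (if component_size can be 0 the guard passes while `w * h` still overflows). Compute it once: `int64_t tile_size = ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size;` then `if (pixel_size + tile_size > INT_MAX) {` and `pixel_size += tile_size;`. The type of pixel_size and whether component_size is validated elsewhere are outside the hunk.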
Signed-off-by: Michael Niedermayer (cherry picked from commit 62c5949beca2c95d6af5c74985467438d2295a66) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 24fa168e36..97d3ae40ea 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -81,6 +81,10 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } From 6f4e69d661e01320ec0d7a831f52c2d886055fbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:02 +0200 Subject: [PATCH 429/658] avcodec/webp: Factor update_canvas_size() out Signed-off-by: Michael Niedermayer (cherry picked from commit c4f63b78b71e07dd2f5d49c032d9c3eef620c0f3) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 8a8e1a8a9d..9947cc6389 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1098,6 +1098,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) 
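Review bot: The bound `(65535 - 256)/2` is an unexplained constant; prefix is shifted left immediately after the check, so a comment tying the limit to that shift would save the next reader a derivation: `/* prefix is shifted left below; keep it small enough that the 16-bit code cannot overflow */` (the origin of the 256 term is not visible here and should be confirmed). Setting `vlc->table = NULL` before returning silently discards whatever the pointer held; whether that can be an earlier allocation depends on how vlc is initialised outside the hunk. read_code_table continues past both ends of the hunk.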
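Review bot: update_canvas_size() has no comment describing its contract; suggest `/* Record the canvas size; warn but continue if it differs from a size seen earlier in the same file. */` above the definition. The refactor also quietly corrects the height-mismatch message, whose removed form in the following hunk printed `s->width, w` instead of the height values; that fix deserves a sentence in the commit message, since the title describes a pure factoring.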
@@ -1122,16 +1137,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) From 4e5543571a101a376cce1c1be722e00174f4707e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:03 +0200 Subject: [PATCH 430/658] avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() Fixes: 1407/clusterfuzz-testcase-minimized-6044604124102656 Fixes: 1420/clusterfuzz-testcase-minimized-6059927359455232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 72810d20b74f05cc4b214d6c277fa6f43160df54) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 9947cc6389..04d898ee7b 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1349,6 +1349,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); if (ret < 0) return ret; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 1e5d151417a6150f657887a9a841eba1ff860875 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 9 May 2017 16:08:14 +0200 Subject: [PATCH 431/658] avcodec/snowdec: Check width Fixes: out of array read Fixes: 1419/clusterfuzz-testcase-minimized-6108700873850880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78aa93807b3e0674e34d32c0bf6f78d7f5b7927e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 97f55288c1..022e9693c7 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } s->qlog += get_symbol(&s->c, s->header_state, 1); From 6fa860449f3623b3d4c7ca0a29ddb6bb4485840b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 13:25:34 +0200 Subject: [PATCH 432/658] avcodec/flacdec: Return error code instead of 0 for failures Fixes: infinite loop Fixes: 1418/clusterfuzz-testcase-minimized-5934472438480896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f5a68533decdfb4757207e8d7b5af06e1dcd197) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 4dde0e0591..c372c1b91d 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
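Review bot: The limit `65536-4` is a bare constant; the commit message says it prevents an out-of-array read, but the hunk does not say which buffer is 65536 entries wide, so nobody can later tell whether the bound still matches that buffer. Add a comment naming the array the bound protects (`/* width indexes <TABLE-NAME-PLACEHOLDER>; keep it below that table's size */`) or, better, derive the constant from the array's declared size with FF_ARRAY_ELEMS. Only width is checked here; whether height needs a matching bound is not visible in the hunk. decode_header continues past the hunk.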
@@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); From 70cda595c3f33161f84d9aef92490105e577235f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 14:28:20 +0200 Subject: [PATCH 433/658] avcodec/opus_silk: Fix integer overflow and out of array read Fixes: 1362/clusterfuzz-testcase-minimized-6097275002552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4654baff125d937ae0b1037aa5f0bf53c7351658) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 9c30b122dc..1274a144cf 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) From 0159afe0c2f1bddd8f141fe9bbfaf0fb7ce32fb1 Mon Sep 17 00:00:00 2001 
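Review bot: get_metadata_size() now returns a negative AVERROR where it used to return 0, so any caller that tests the result with `if (!size)` or stores it into an unsigned or size_t now treats the failure as a large valid size; the callers are outside this hunk and the commit message does not say they were audited. A doc comment on the function pinning the new contract would help: `@return the metadata size, or a negative AVERROR code on failure`. The function continues past both ends of the hunk.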
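Review bot: The 32767 clamp in `FFMIN(nlsf[i - 1] + min_delta[i], 32767)` exists because nlsf is int16_t while the sum is evaluated in int, but nothing on the line says so; add `/* clamp to INT16_MAX: the sum is computed in int and stored back into int16_t */` and consider spelling the literal as INT16_MAX so the intent is self-documenting. silk_stabilize_lsf continues past both ends of the hunk.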
From: Michael Niedermayer Date: Fri, 5 May 2017 13:16:07 +0200 Subject: [PATCH 434/658] avcodec/aacps: Fix undefined behavior Fixes: 1337/clusterfuzz-testcase-minimized-5212314171080704 Fixes the existence of a potentially invalid pointer intermediate Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527f89e05922e840083ac6d49eeb838b1e350dd4) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index ccc79ffc1d..48b595adbd 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width); } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } From b25aca2af8e4dba371370ceab16198c7535522bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:19:06 +0200 Subject: [PATCH 435/658] avcodec/tiff: reset sampling[] if its invalid Fixes divission by 0 Fixes: clusterfuzz-testcase-minimized-5592896440893440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f08122fbe039a56ab3c24f74636b4b0efea97d85) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index af433d9a4e..dac406862d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
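Review bot: Reordering `l[k] + start + 1` to `l[k] + 1 + start` is correct only because the intermediate `l[k] + start` can land outside the array (the commit message calls it a potentially invalid pointer intermediate), and without a comment a reader will see a no-op and may reorder it back; add `/* add 1 before start: l[k] + start may point outside the array when start is negative — confirm the range of start */`. stereo_processing continues past both ends of the hunk.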
@@ -1018,6 +1018,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } From ab22fca14b381f54001bc9547a5835bef62eda8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:21:20 +0200 Subject: [PATCH 436/658] avcodec/svq3: Fix runtime error: left shift of negative value -6 Fixes: 1604/clusterfuzz-testcase-minimized-5312060206350336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6eb006ad47beb6d5e5cc2c99f8185965209ec6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 1306cd6020..5bde666936 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -511,8 +511,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * s->frame_num_offset / From 54918674f7cbe673fcaee5ad3643e5e474548a82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 03:04:26 +0200 Subject: [PATCH 437/658] avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' Fixes: 1616/clusterfuzz-testcase-minimized-5119196578971648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
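Review bot: Resetting `s->subsampling[i] = 1` before returning an error only matters if the context keeps being used after tiff_decode_tag() fails, and that is not stated anywhere; a comment would make it explicit: `/* reset so later code dividing by subsampling[] never sees the rejected value */`. The loop and function continue past both ends of the hunk.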
Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea6bc2a166edac37042f2bbc28eb603a0fbeccb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 08af622fa2..28dccaae47 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -180,7 +180,7 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; hi += (hi * 32) + (hi * 1024); - return (lo + (hi * (1 << 16))) * 2; + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -190,7 +190,7 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) b = cdt[p2]; r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo * (1 << 16))) * 2; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN From 7f2eeb2c7478286f32c532b7c24e059cdbf59911 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 25 Apr 2017 20:23:12 -0300 Subject: [PATCH 438/658] avformat/concatdec: fix the h264 annexb extradata check The start code can be either in the first three or four bytes. (cherry picked from commit b4330a0e02fcbef61d630a369abe5f4421ced659) --- libavformat/concatdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b3a430e5a0..9bb7556d9d 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c 
@@ -199,8 +199,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx) AVBitStreamFilterContext *bsf; int ret; - if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264 && - (st->codecpar->extradata_size < 4 || AV_RB32(st->codecpar->extradata) != 1)) { + if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264) { + if (!st->codecpar->extradata_size || + (st->codecpar->extradata_size >= 3 && AV_RB24(st->codecpar->extradata) == 1) || + (st->codecpar->extradata_size >= 4 && AV_RB32(st->codecpar->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { From d2c6bcdbf181daaea1f28d5f7bbe54e20fc46db6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 22 Apr 2017 13:25:32 -0300 Subject: [PATCH 439/658] avcodec/options: factorize avcodec_copy_context() cleanup code Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 54a4c9b4e9a1524b1ac5d2be97c8042272402d0a) --- libavcodec/options.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index d8e3dbfa33..116d1ce4a6 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -187,6 +187,19 @@ void avcodec_free_context(AVCodecContext **pavctx) } #if FF_API_COPY_CONTEXT +static void copy_context_reset(AVCodecContext *avctx) +{ + av_opt_free(avctx); + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + av_buffer_unref(&avctx->hw_frames_ctx); + avctx->subtitle_header_size = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; 
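Review bot: The rewritten condition changes behaviour for empty extradata: with `extradata_size == 0` the old `< 4` test inserted the h264_mp4toannexb filter, whereas the new `!st->codecpar->extradata_size` term returns 0 and skips it; the commit message only mentions the 3- versus 4-byte start code, so either it should say the empty case is intentional or that term should be dropped. A comment over the if would also help: `/* Annex B extradata begins with a 3- or 4-byte start code; anything else is avcC and needs the bsf */`. The closing brace of the outer if is beyond the hunk.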
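Review bot: copy_context_reset() has no comment, and because it is now called both on a dest that still holds its own earlier allocations and on a partially copied one, its guarantee should be stated: `/* Free every buffer avcodec_copy_context() allocates in avctx and reset the matching sizes; the freed pointers are NULL afterwards. */`. The "NULL afterwards" part follows from av_freep()/av_buffer_unref() for the pointer fields; av_opt_free() is opaque here.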
@@ -199,12 +212,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -263,15 +271,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: - av_freep(&dest->subtitle_header); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_buffer_unref(&dest->hw_frames_ctx); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } #endif From 1564125e4eb1a1a78d46f30c6638b42f599cc8a5 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 24 Apr 2017 14:53:47 -0300 Subject: [PATCH 440/658] avcodec/options: do a more thorough clean up in avcodec_copy_context() Free coded_frame and coded_side_data to prevent potential leaks. Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit cac8de2da5c4935773128335c11b806faa73e19d) --- libavcodec/options.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/options.c b/libavcodec/options.c index 116d1ce4a6..e124fb442e 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
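Review bot: Beyond factoring, the pre-memcpy call to copy_context_reset() now also runs av_buffer_unref(&dest->hw_frames_ctx) and zeroes subtitle_header_size/extradata_size, which the six removed lines did not; that is a leak fix for a reused dest (the memcpy would otherwise overwrite the old hw_frames_ctx reference), and the commit message should say so instead of describing a pure factorization. av_opt_free() also moves from last to first in the fail path; the frees look independent so the reorder seems harmless, but it is a change.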
@@ -189,14 +189,25 @@ void avcodec_free_context(AVCodecContext **pavctx) #if FF_API_COPY_CONTEXT static void copy_context_reset(AVCodecContext *avctx) { + int i; + av_opt_free(avctx); +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_free(&avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif av_freep(&avctx->rc_override); av_freep(&avctx->intra_matrix); av_freep(&avctx->inter_matrix); av_freep(&avctx->extradata); av_freep(&avctx->subtitle_header); av_buffer_unref(&avctx->hw_frames_ctx); + for (i = 0; i < avctx->nb_coded_side_data; i++) + av_freep(&avctx->coded_side_data[i].data); + av_freep(&avctx->coded_side_data); avctx->subtitle_header_size = 0; + avctx->nb_coded_side_data = 0; avctx->extradata_size = 0; } @@ -237,11 +248,13 @@ FF_ENABLE_DEPRECATION_WARNINGS /* reallocate values that should be allocated separately */ dest->extradata = NULL; + dest->coded_side_data = NULL; dest->intra_matrix = NULL; dest->inter_matrix = NULL; dest->rc_override = NULL; dest->subtitle_header = NULL; dest->hw_frames_ctx = NULL; + dest->nb_coded_side_data = 0; #define alloc_and_copy_or_fail(obj, size, pad) \ if (src->obj && size > 0) { \ From 9ebbb29ad61db72cebab31a6a68970ca8063bcf8 Mon Sep 17 00:00:00 2001 From: Aaron Levinson Date: Thu, 20 Apr 2017 23:30:13 -0700 Subject: [PATCH 441/658] avformat/utils: free AVStream.codec properly in free_stream() Fixes memory leaks. Signed-off-by: James Almer (cherry picked from commit b9d2005ea5d6837917a69bc2b8e98f5695f54e39) --- libavformat/utils.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 17bbdb44be..d71aca851b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -3994,9 +3994,7 @@ static void free_stream(AVStream **pst)
     av_freep(&st->index_entries);
 #if FF_API_LAVF_AVCTX
 FF_DISABLE_DEPRECATION_WARNINGS
-    av_freep(&st->codec->extradata);
-    av_freep(&st->codec->subtitle_header);
-    av_freep(&st->codec);
+    avcodec_free_context(&st->codec);
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
     av_freep(&st->priv_data);
From 75f9fe1519deba4285cbc8cb5b8919b97ba40366 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Tue, 11 Apr 2017 01:03:51 -0300
Subject: [PATCH 442/658] avcodec/aac_adtstoasc: fix ASC passthrough on small frames

ASC frames smaller than AAC_ADTS_HEADER_SIZE were being discarded.

Reviewed-by: Michael Niedermayer
Signed-off-by: James Almer
(cherry picked from commit 0f05f2c7e67949ce77de3cf7013f7d4da1c3e046)
---
 libavcodec/aac_adtstoasc_bsf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c
index 48889fc48e..d47fa230ab 100644
--- a/libavcodec/aac_adtstoasc_bsf.c
+++ b/libavcodec/aac_adtstoasc_bsf.c
@@ -49,14 +49,14 @@ static int aac_adtstoasc_filter(AVBSFContext *bsfc, AVPacket *out)
     if (ret < 0)
         return ret;
 
+    if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff)
+        goto finish;
+
     if (in->size < AAC_ADTS_HEADER_SIZE)
         goto packet_too_small;
 
     init_get_bits(&gb, in->data, AAC_ADTS_HEADER_SIZE * 8);
 
-    if (bsfc->par_in->extradata && show_bits(&gb, 12) != 0xfff)
-        goto finish;
-
     if (avpriv_aac_parse_header(&gb, &hdr) < 0) {
         av_log(bsfc, AV_LOG_ERROR, "Error parsing ADTS frame header!\n");
         ret = AVERROR_INVALIDDATA;
From f125c54b7a5f7b3d742aab2b11a59b7a4eaf4d74 Mon Sep 17 00:00:00 2001
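Review bot: The new early exit on the ADTS syncword in aac_adtstoasc_filter is placed ahead of the AAC_ADTS_HEADER_SIZE check for a reason that lives only in the commit message: a raw AudioSpecificConfig packet may be shorter than an ADTS header, so the size check used to reject it. A one-line comment above the test would keep the ordering from being "fixed" back later, e.g. `/* raw ASC passthrough: such packets can be shorter than an ADTS header, so test the syncword before the size check */`. The `in->size >= 2` guard is what makes the AV_RB16 read safe; a packet of fewer than 2 bytes with extradata set still falls through to the size check and packet_too_small, which matches the old behaviour. aac_adtstoasc_filter continues outside the hunk.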
From: Aaron Levinson
Date: Tue, 16 May 2017 05:04:36 -0700
Subject: [PATCH 443/658] avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects

Add dxva2_pool_release_dummy() and use it in call to av_buffer_create() in dxva2_pool_alloc(). Prior to this change, av_buffer_create() was called with NULL for the third argument, which indicates that av_buffer_default_free() should be used to free the buffer's data. Eventually, it gets to buffer_pool_free() and calls buf->free() on a surface object (which is av_buffer_default_free()). This can result in a crash when the debug version of the C-runtime is used on Windows. While it doesn't appear to result in a crash when the release version of the C-runtime is used on Windows, it likely results in memory corruption, since av_free() is being called on memory that was allocated using IDirectXVideoAccelerationService::CreateSurface().

Signed-off-by: Aaron Levinson
Reviewed-by: wm4
Reviewed-by: Steven Liu
Reviewed-by: Mark Thompson
(cherry picked from commit 0c1c514643d5e1645160d697fa4c27cd38c7c791)
---
 libavutil/hwcontext_dxva2.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c
index e79254bb34..cf926e89f0 100644
--- a/libavutil/hwcontext_dxva2.c
+++ b/libavutil/hwcontext_dxva2.c
@@ -101,6 +101,13 @@ static void dxva2_frames_uninit(AVHWFramesContext *ctx)
     }
 }
 
+static void dxva2_pool_release_dummy(void *opaque, uint8_t *data)
+{
+    // important not to free anything here--data is a surface object
+    // associated with the call to CreateSurface(), and these surfaces are
+    // released in dxva2_frames_uninit()
+}
+
 static AVBufferRef *dxva2_pool_alloc(void *opaque, int size)
 {
     AVHWFramesContext *ctx = (AVHWFramesContext*)opaque;
@@ -110,7 +117,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size)
     if (s->nb_surfaces_used < hwctx->nb_surfaces) {
         s->nb_surfaces_used++;
         return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1],
-                                sizeof(*hwctx->surfaces), NULL, 0, 0);
+                                sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0);
     }
 
     return NULL;
From c823d72a5f4329fbf38ad97818189386d8793581 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sat, 6 May 2017 20:31:45 -0300
Subject: [PATCH 444/658] avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message

The code was skipping the entire reported SEI message size regardless of the amount of bits read. While in theory safe for NALU where the picture timing SEI message is alone or at the end as we're using the checked bitstream reader, it isn't in any other situation, where every SEI message in the NALU after the picture timing one would potentially fail to parse.

Reviewed-by: Michael Niedermayer
Signed-off-by: James Almer
(cherry picked from commit f738140807f504c9af7850042067777832f05e88)

Conflicts:
	libavcodec/hevc_sei.c
---
 libavcodec/hevc_sei.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index 148f246df1..971350e0af 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s)
     return 0;
 }
 
-static int decode_pic_timing(HEVCContext *s)
+static int decode_pic_timing(HEVCContext *s, int size)
 {
     GetBitContext *gb = &s->HEVClc->gb;
     HEVCSPS *sps;
@@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s)
         }
         get_bits(gb, 2); // source_scan_type
         get_bits(gb, 1); // duplicate_flag
+        skip_bits1(gb);
+        size--;
     }
-    return 1;
+    skip_bits_long(gb, 8 * size);
+
+    return 0;
 }
 
 static int decode_registered_user_data_closed_caption(HEVCContext *s, int size)
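Review bot: In decode_pic_timing, `size--` inside the branch that ends at the `}` context line assumes the reported SEI payload is at least one byte; if `size` can arrive as 0 (the branch condition and the start of the function are outside the hunk), the following `skip_bits_long(gb, 8 * size)` is handed a negative bit count. Guarding the decrement, `if (size < 1) return AVERROR_INVALIDDATA;`, or otherwise comparing size with the bytes consumed before skipping the remainder, closes that path. The skip_bits1()/size-- pair presumably rounds the fields read so far up to one whole payload byte; a comment saying so would help, since the earlier reads are above the hunk. The return value also changes from 1 to 0 without the commit message mentioning it; if any caller above decode_nal_sei_prefix distinguishes the two, that is a silent behaviour change.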
@@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size)
         return decode_nal_sei_display_orientation(s);
     case SEI_TYPE_PICTURE_TIMING:
         {
-            int ret = decode_pic_timing(s);
+            int ret = decode_pic_timing(s, size);
             av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
-            skip_bits(gb, 8 * size);
             return ret;
         }
     case SEI_TYPE_MASTERING_DISPLAY_INFO:
From d35159d3bba29bd113d10a515a36642a1872a4c3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 16 May 2017 23:44:24 +0200
Subject: [PATCH 445/658] avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'

Fixes: 1626/clusterfuzz-testcase-minimized-6416580571299840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 3d9cb583c8f005a260d255853ef5f1c21e8599a0)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hq_hqa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index 663521b85d..14bd38f5c0 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -82,7 +82,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
         pos += ff_hq_ac_skips[val];
         if (pos >= 64)
             break;
-        block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12;
+        block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12;
         pos++;
     }
 
From a32a9bde993a2a24202ae4e31cff772646fe4085 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 00:44:36 +0200
Subject: [PATCH 446/658] avcodec/takdec: Fix runtime error: left shift of negative value -42

Fixes: 1635/clusterfuzz-testcase-minimized-4992749856096256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 99c4c76cfbc4ae56dc8c37f5fab02f88f6b2cb48)
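Review bot: `(int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12` in hq_decode_block removes the signed-overflow UB, but it now leans on two implementation-defined steps: converting an out-of-range unsigned product back to int, and right-shifting a negative int. FFmpeg assumes two's-complement wraparound and arithmetic shift (the 3.1.8 Changelog later in this series cites the doc/developer entry recording those assumptions), so the line is fine on supported compilers, but the cast reads like a no-op. A comment such as `/* unsigned multiply: overflow wraps instead of being UB; the int cast and >> rely on two's complement and arithmetic shift */` would record the intent. hq_decode_block continues outside the hunk.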
Signed-off-by: Michael Niedermayer
---
 libavcodec/takdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 285df4938d..f556c5baa1 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -902,7 +902,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
         for (chan = 0; chan < avctx->channels; chan++) {
             int32_t *samples = (int32_t *)frame->extended_data[chan];
             for (i = 0; i < s->nb_samples; i++)
-                samples[i] <<= 8;
+                samples[i] *= 1 << 8;
         }
         break;
     }
From 63cc52ed97f57ae47f47118ee84ac3877c591b82 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 00:53:32 +0200
Subject: [PATCH 447/658] avcodec/mlpdec: Fix runtime error: left shift of negative value -1

Fixes: 1636/clusterfuzz-testcase-minimized-5310494757879808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 552adf1dd3a38fb7a1a6109dd2b517d63290f20e)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mlpdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index fa4347fb23..eaf1aa7c75 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
 
         /* TODO: Check validity of state data. */
         for (i = 0; i < order; i++)
-            fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0;
+            fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0;
     }
 }
 
From 792f15c109cc7f64d19ed139f63dcb4b33329eba Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 01:12:55 +0200
Subject: [PATCH 448/658] avcodec/flicvideo: Check frame_size before decrementing

Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int'
Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 355e27e24dc88d6ba8f27501a34925d9d937a399)
Signed-off-by: Michael Niedermayer
---
 libavcodec/flicvideo.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index c9c6c24e55..192d4fe8a7 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
     num_chunks = bytestream2_get_le16(&g2);
     bytestream2_skip(&g2, 8); /* skip padding */
 
+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
+
     frame_size -= 16;
 
     /* iterate through the chunks */
@@ -522,6 +525,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
     if (frame_size > buf_size)
         frame_size = buf_size;
 
+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
     frame_size -= 16;
 
     /* iterate through the chunks */
From 9b9a620ce6983ea56a0b94501e4661d2ccf916d8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 02:44:30 +0200
Subject: [PATCH 449/658] Update for 3.1.8

Signed-off-by: Michael Niedermayer
---
 Changelog | 210 +++++++++++++++++++++++++++++++++++++++++++++++++++
 RELEASE | 2 +-
 doc/Doxyfile | 2 +-
 3 files changed, 212 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 960beb4447..2ce1e79cf5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,216 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+
+version 3.1.8:
+- avcodec/flicvideo: Check frame_size before decrementing
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix runtime error: left shift of negative value -42
+- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
+- avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message
+- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects
+- avcodec/aac_adtstoasc: fix ASC passthrough on small frames
+- avformat/utils: free AVStream.codec properly in free_stream()
+- avcodec/options: do a more thorough clean up in avcodec_copy_context()
+- avcodec/options: factorize avcodec_copy_context() cleanup code
+- avformat/concatdec: fix the h264 annexb extradata check
+- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
+- avcodec/svq3: Fix runtime error: left shift of negative value -6
+- avcodec/tiff: reset sampling[] if its invalid
+- avcodec/aacps: Fix undefined behavior
+- avcodec/opus_silk: Fix integer overflow and out of array read
+- avcodec/flacdec: Return error code instead of 0 for failures
+- avcodec/snowdec: Check width
+- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame()
+- avcodec/webp: Factor update_canvas_size() out
+- avcodec/cllc: Check prefix
+- avcodec/rscc: Check pixel_size for overflow
+- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode
+- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
+- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix LCG type
+- libswscale/tests/swscale: Fix uninitialized variables
+- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+- avcodec/webp: Fix signedness in prefix_code check
+- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int'
+- avcodec/mlpdec: Check that there is enough data for headers
+- avcodec/ac3dec: Keep track of band structure
+- avcodec/webp: Add missing input padding
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1
+- avcodec/aacsbr_template: Do not change bs_num_env before its checked
+- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1
+- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int'
+- avcodec/avcodec: Limit the number of side data elements per packet
+- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int'
+- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610
+- avcodec/msmpeg4dec: Check for cbpy VLC errors
+- avcodec/cllc: Check num_bits
+- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers
+- avcodec/dvbsubdec: Check entry_id
+- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int'
+- avcodec/mpeg12dec: Fixes runtime error: division by zero
+- avcodec/webp: Always set pix_fmt
+- avfilter/vf_uspp: Fix currently unused input frame dimensions
+- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1
+- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int'
+- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int'
+- avformat/wavdec: Check chunk_size
+- avcodec/cavs: Check updated MV
+- avcodec/y41pdec: Fix width in input buffer size check
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int'
+- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int'
+- avcodec/lagarith: Check scale_factor
+- avcodec/lagarith: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1
+- avcodec/indeo2: Check for invalid VLCs
+- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour
+- avcodec/htmlsubtitles: Check for string truncation and return error
+- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int'
+- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int'
+- avcodec/dvbsubdec: check region dimensions
+- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int'
+- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col()
+- avcodec/cavsdec: Check sym_factor
+- avcodec/cdxl: Check format for BGR24
+- avcodec/ffv1dec: Fix copying planes of paletted formats
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int'
+- avcodec/xwddec: Check bpp more completely
+- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int'
+- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int'
+- avcodec/g726: Fix runtime error: left shift of negative value -2
+- avcodec/ra144: Fix runtime error: left shift of negative value -798
+- avcodec/mss34dsp: Fix multiple signed integer overflow
+- avcodec/targa_y216dec: Fix width type
+- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix multiple left shift of negative value -2
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int'
+- avcodec/msmpeg4dec: Correct table depth
+- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/cdxl: Check format parameter
+- avutil/softfloat: Fix overflow in av_div_sf()
+- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207
+- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from
+- avcodec/shorten: Check k in get_uint()
+- avcodec/webp: Fix null pointer dereference
+- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
+- avcodec/g723_1: Fix multiple runtime error: left shift of negative value
+- avcodec/mimic: Fix runtime error: left shift of negative value -1
+- avcodec/fic: Fix multiple left shift of negative value -15
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -22
+- avcodec/snowdec: Check qbias
+- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8
+- avcodec/aacsbr_template: Do not leave bs_num_env invalid
+- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int'
+- avcodec/dfa: Fix off by 1 error
+- avcodec/nellymoser: Fix multiple left shift of negative value -8591
+- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int'
+- avcodec/g722: Fix multiple runtime error: left shift of negative value -1
+- avcodec/dss_sp: Fix multiple left shift of negative value -466
+- avcodec/wnv1: Fix runtime error: left shift of negative value -1
+- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'
+- avcodec/cavsdec: Fix undefined behavior from integer overflow
+- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int'
+- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit
+- avcodec/pngdec: Use ff_set_dimensions()
+- avcodec/msvideo1: Check buffer size before re-getting the frame
+- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow
+- avcodec/dcadsp: Fix runtime error: signed integer overflow
+- avcodec/svq3: Reject dx/dy beyond 16bit
+- avcodec/svq3: Increase offsets to prevent integer overflows
+- avcodec/indeo2: Check remaining bits in ir2_decode_plane()
+- avcodec/vp3: Check remaining bits in unpack_dct_coeffs()
+- doc/developer: Add terse documentation of assumed C implementation defined behavior
+- avcodec/mdec: Fix runtime error: left shift of negative value -127
+- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang
+- libavcodec/exr : fix float to uint16 conversion for negative float value
+- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
+- avformat/webmdashenc: Require the 'adaptation_sets' option to be set
+- avformat/oggparseogm: Check ff_alloc_extradata() for failure
+- avformat/oggparseogm: Check available data before reading global header
+- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int'
+- avformat/oggparsedaala: Do not leave an invalid value in gpshift
+- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE
+- avfilter/af_sofalizer: Fix bad shift
+- avcodec: fix uninitialized variable read
+- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter()
+- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit
+- omx: Fix OOM check
+- avcodec/vdpau_hevc: Fix potential out-of-bounds write
+- avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int'
+- avcodec/tiff: Check geotag count for being non zero
+- avcodec/vp56: Check avctx->error_concealment before enabling EC
+- avcodec/tiff: Check stripsize strippos for overflow
+- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0
+- avcodec/tiff: Check for multiple geo key directories
+- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
+- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int'
+- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int'
+- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127
+- avcodec/wavpack: Fix runtime error: left shift of negative value -5
+- avcodec/wavpack: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int'
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13
+- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value
+- avcodec/adxdec: Fix runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory()
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511
+- avcodec/h264_direct: Fix runtime error: left shift of negative value -14
+- avcodec/pictordec: Check plane value before doing value/mask computations
+- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650
+- avcodec/eac3dec: Fix runtime error: left shift of negative value -3
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows
+- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts
+- avcodec/mpeg4video: Fix runtime error: left shift of negative value
+- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22
+- avcodec/rv40: Fix runtime error: left shift of negative value
+- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507
+- avcodec/eac3dec: Fix runtime error: left shift of negative value
+- avcodec/htmlsubtitles: Fix reading one byte beyond the array
+- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header()
+- avcodec/vp56: Reset have_undamaged_frame on resolution changes
+- avcodec/vp8: Fix hang with slice threads
+- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter()
+- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()
+- avcodec/vp8: remove redundant check
+- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb()
+- avcodec/vp3: Do not return random positive values but the buf size
+- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter()
+- avcodec/vp56: Factorize vp56_render_mb() out
+- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int'
+- Add CHECK/SUINT code
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1
+- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change
+- avcodec/vp56: Implement very basic error concealment
+- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1
+- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int'
+- avcodec/vp56: Fix sign typo
+- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding
+- avcodec/rv34: Simplify and factor get_slice_offset() code
+- avcodec/pictordec: Do not read more than nb_planes
+- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int'
+- avcodec/pngdec: Check bit depth for validity
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value
+- avcodec/wavpacl: Fix runtime error: left shift of negative value -1
+- avformat/http: Check for truncated buffers in http_connect()
+- lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()
+- lavf/mov.c: Avoid OOB in mov_read_udta_string()
+- avformat/apng: fix setting frame delay when max_fps is set to no limit
+- swresample/resample: free existing ResampleContext on reinit
+- swresample/resample: move resample_free() higher in the file
+- lavfi/buffersrc: fix directly setting channel layout
+- lavf/mpeg: Initialize a stack variable used by memcmp().
+- lavc/avpacket: Initialize a variable in error path.
+
+
 version 3.1.7:
 - avcodec/h264_slice: Clear ref_counts on redundant slices
 - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
diff --git a/RELEASE b/RELEASE
index 23887f6eba..c848fb9cb4 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.1.7
+3.1.8
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 6fdabbe62b..745d21773c 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER = 3.1.7
+PROJECT_NUMBER = 3.1.8
 
 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
From 8c021166d194d09649ac2d8b544584787ceb3319 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler
Date: Tue, 23 May 2017 11:24:40 +0200
Subject: [PATCH 450/658] avcodec/nvenc: remove unnecessary alignment

Fixes #6260
---
 libavcodec/nvenc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c
index 984dd3bc3f..5634d8d57a 100644
--- a/libavcodec/nvenc.c
+++ b/libavcodec/nvenc.c
@@ -974,8 +974,8 @@ static av_cold int nvenc_alloc_surface(AVCodecContext *avctx, int idx)
     } else {
         NV_ENC_CREATE_INPUT_BUFFER allocSurf = { 0 };
         allocSurf.version = NV_ENC_CREATE_INPUT_BUFFER_VER;
-        allocSurf.width = (avctx->width + 31) & ~31;
-        allocSurf.height = (avctx->height + 31) & ~31;
+        allocSurf.width = avctx->width;
+        allocSurf.height = avctx->height;
         allocSurf.memoryHeap = NV_ENC_MEMORY_HEAP_SYSMEM_CACHED;
         allocSurf.bufferFmt = ctx->surfaces[idx].format;
 
@@ -1609,8 +1609,8 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 
         pic_params.inputBuffer = inSurf->input_surface;
         pic_params.bufferFmt = inSurf->format;
-        pic_params.inputWidth = avctx->width;
-        pic_params.inputHeight = avctx->height;
+        pic_params.inputWidth = inSurf->width;
+        pic_params.inputHeight = inSurf->height;
         pic_params.outputBitstream = inSurf->output_surface;
 
         if (avctx->flags & AV_CODEC_FLAG_INTERLACED_DCT) {
From d2f43c48f9cd9c4432ca7c14d543beca968cf58a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 15:51:46 +0200
Subject: [PATCH 451/658] avcodec/aacdec_template: Fix fixed point scale in decode_cce()

Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int'
Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 53a502206a9ea698926694d7252526fe00d1ea44)
Signed-off-by: Michael Niedermayer
---
 libavcod
ec/aacdec_template.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
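Review bot: The encode side in ff_nvenc_encode_frame now takes inputWidth/inputHeight from inSurf instead of avctx, which presumes inSurf->width/height are populated with the same unpadded values that nvenc_alloc_surface now writes into allocSurf; that assignment is in neither hunk, so it is worth confirming both allocation branches (the one closed by the `} else {` context line is outside the hunk) fill them in. The commit message is only "Fixes #6260"; a comment at the allocation such as `/* allocate at the true frame size; the encode call passes the same dimensions from the surface */` would tie the two hunks together and record why the 32-pixel rounding was dropped. Both functions continue outside the hunks.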
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 883ed527f7..a37032a025 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -2155,7 +2155,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
         coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1);
 
     sign = get_bits(gb, 1);
-    scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)];
+#if USE_FIXED
+    scale = get_bits(gb, 2);
+#else
+    scale = cce_scale[get_bits(gb, 2)];
+#endif
 
     if ((ret = decode_ics(ac, sce, gb, 0, 0)))
         return ret;
From f0a24f2f77d1364fb848557da19ac1dfe3ccf791 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 17 May 2017 16:45:46 +0200
Subject: [PATCH 452/658] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'

Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86)
Signed-off-by: Michael Niedermayer
---
 libavcodec/aacdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index ee9b4eb45f..ffb0f22ec0 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
     if (ctx->frame_length_type == 0) {
         int mux_slot_length = 0;
         do {
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
             tmp = get_bits(gb, 8);
             mux_slot_length += tmp;
         } while (tmp == 255);
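Review bot: Under USE_FIXED `scale` now holds the raw 2-bit index while the float build stores the looked-up cce_scale multiplier, so one variable carries two different meanings and the code that consumes it further down decode_cce (outside the hunk) has to be written for both. A comment on the `#if USE_FIXED` arm, e.g. `/* fixed point: scale holds the 2-bit index, not a multiplier */`, would make that split visible at the point of assignment; if the two builds diverge further, separate names would be cleaner. The rest of decode_cce is outside the hunk.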
@@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { From 2e7cf081a061844d858b4432217cfc5e7bcd152b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 01:54:43 +0200 Subject: [PATCH 453/658] avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58ac7fb9c395ab91cb321fa4c8c9e127ce8147c3) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 3ea12f0511..8067ac94e5 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; From fceacfc1320fd0609fa60b3f238651240a351f16 Mon Sep 17 00:00:00 2001 
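Review bot: The `else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb))` line right after the changed condition still multiplies in `int`; it is safe only because the new first branch has already rejected every value for which `mux_slot_length_bytes * 8LL` exceeds the remaining bits, and that reasoning deserves either a comment or the same widening for consistency: `} else if (mux_slot_length_bytes * 8LL + 256 < get_bits_left(gb)) {`. read_audio_mux_element continues outside the hunk.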
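Review bot: With `delta` now a signed `int64_t`, a zero or negative product (a `width` of 0 or less, should such a value ever reach decode_wdlt) passes `frame_end - frame <= delta`, whereas the previous `unsigned` value would have wrapped to a huge number and been rejected; the `y + lines + skip_lines > height` half of the condition still limits the line count, so this is only a concern if the caller does not guarantee a positive width. If it does, a comment `/* width > 0 is guaranteed by the caller */` is enough; otherwise add `delta <= 0 ||` to the condition. The enclosing loop continues outside the hunk.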
From: Michael Niedermayer Date: Thu, 18 May 2017 02:07:17 +0200 Subject: [PATCH 454/658] avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25c81e4b737bcc737b13c9a752cb301a28cb3906) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eaf1aa7c75..5426712007 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) From 3a69d5d3f01d407b9c8fc58c31fc53f93b8e31a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:13:18 +0200 Subject: [PATCH 455/658] avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a173f484b52ed63292439de5347e49bd78cad0ed) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 1e28f59d83..2c11515459 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
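Review bot: `coeff_val * (1 << (14 - frac_bits))` is only well defined while `frac_bits <= 14`; for larger values the shift count goes negative, which is undefined just as the old left shift of a negative value was. The validation of `frac_bits` is not in this hunk, so either it is guaranteed earlier in read_matrix_params (a comment `/* frac_bits <= 14 is checked above */` would document that) or a check belongs before this line. Given that bound the product itself fits comfortably: `coeff_val` comes from `get_sbits(gbp, frac_bits + 2)`, so its magnitude times `2^(14 - frac_bits)` stays within 16 bits. The function continues outside the hunk.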
@@ -88,22 +88,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; - const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); + const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t 
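Review bot: Only the storage of t6, t7, tA and tB became unsigned; their right-hand sides are still evaluated in signed `int`, so the subtraction and the `* 32768 + rnd` can overflow before the conversion happens. Concretely, t1 and t3 are visible in the hunk with coefficient sums of 45651 and 38532 times an int16 magnitude of up to 32768, so `t3 - t1` can reach about 2.76e9, and `(blk[0 * step] - blk[4 * step]) * 32768` alone reaches 2147450880, leaving room for an `rnd` below 32768 only. Force unsigned arithmetic on those lines too: `const unsigned t6 = (unsigned)t2 - t0;`, `const unsigned t7 = (unsigned)t3 - t1;`, and `32768U` in the tA and tB initialisers. The `(int)` casts of values above INT_MAX and the `>> shift` on a negative int are implementation-defined rather than undefined, which is worth a comment since the routine now relies on two's-complement wraparound.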
*block) From 08375d37be071518526fc9001f07ecb32336268a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:46:56 +0200 Subject: [PATCH 456/658] avcodec/mimic: Use ff_set_dimensions() to set the dimensions Fixes: OOM Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e434840fd4b3c854beec845f950b80bc1bf93b60) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index ce649c602a..b77171a822 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i); From 51a80d0f71650d9d71f01e913f428a5534c494fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 May 2017 12:25:52 +0200 Subject: [PATCH 457/658] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' Fixes: 1681/clusterfuzz-testcase-minimized-5970545365483520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fb104f4476ad238e2ca768e9b80dc314e6e856d) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..480062dfcc 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c 
@@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; From b526aed4d580983af25d8210dd5c65dde01255f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 May 2017 01:23:01 +0200 Subject: [PATCH 458/658] avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]' Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4d102a070b95832ae4a751688f87da7760a2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 5426712007..eac19a0d5e 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,6 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); + s->num_primitive_matrices = 0; return AVERROR_INVALIDDATA; } 
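Review bot: The new `shift <= -30` branch appears in all four hunks of sbr_hf_inverse_filter with nothing saying where -30 comes from; together with `shift >= 3` and the `shift = 2-shift` rewrite in the else branch it keeps the later shift count within 0..31, and that bound deserves to be recorded once, e.g. `/* an exponent <= -30 would need a shift of >= 32 below; the coefficient is zero */`. The alpha0[k][0], alpha0[k][1], alpha1[k][0] and alpha1[k][1] blocks are now copy-paste identical apart from the variable names, so a small static helper that takes the SoftFloat and returns the clamped int would remove the duplication and keep the bounds in one place. The shift that the bound protects is outside the hunks.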
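Review bot: Resetting `s->num_primitive_matrices = 0` after the failed comparison repairs the stale value, but the cleaner shape is to read the count into a local and store it into the context only once it has passed the `max_primitive_matrices` check, so the context never holds an invalid value at all; the assignment being undone is above the hunk, so that refactor is outside this patch. If the reset is kept, a comment such as `/* keep the context consistent: later code indexes fixed-size arrays by this count */` explains why a plain error return is not enough, which matches the out-of-bounds index the commit message describes. read_matrix_params continues outside the hunk.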
From 1476c1b2c751d86b136498ca38e97d40569d1b16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 00:06:10 +0200 Subject: [PATCH 459/658] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' Fixes part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6310fc714de3cd73848416ead73228fcef8b6dc0) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 480062dfcc..01f81afaaa 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -575,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + shift = 22 - in[m+1].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift; + } } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } } } indexnoise = (indexnoise + m_max) & 0x1ff; From 4b5920e493023ac75d48aca72c5ea752825f2a56 Mon Sep 17 00:00:00 2001 
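Review bot: `if (shift < 32)` bounds the shift only from above; `shift = 22 - in[m].exp` is zero or negative whenever `exp` reaches 22, and then `1 << (shift-1)` and `>> shift` are undefined just as the too-large shift was. Unless `exp` is known to be below 22 at this point, which is not visible in the hunk, the guard should be `if (shift > 0 && shift < 32)` in all three places. The three guarded blocks differ only in `m`/`m+1` and `A`/`B`, so a tiny static inline helper would reduce the repetition and keep the bound in one place. sbr_hf_assemble continues outside the hunk.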
From: Michael Niedermayer Date: Sun, 21 May 2017 01:43:04 +0200 Subject: [PATCH 460/658] avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 384508b2ff69bc3fad1e1c2e7de0dcd0913c6208) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..924da83c85 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2], static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { - int m, r; + int m; int64_t accu; for (m = 0; m < m_max; m++) { - r = 1 << (22-g_filt[m].exp); + int64_t r = 1LL << (22-g_filt[m].exp); accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); From eee339866667ec7792173cb0a3263cc043864d44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:42:12 +0200 Subject: [PATCH 461/658] avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d04fc94e1021b70e542dc01a48b8398c6fc6325) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 2fc453c1f0..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c 
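Review bot: `1LL << (22-g_filt[m].exp)` removes the 32-bit overflow, but the count is still unbounded: an `exp` above 22 makes the shift count negative and an `exp` of -42 or less pushes it to 64 or more, both undefined, and the `>> (23-g_filt[m].exp)` on the next line has the same exposure. Whether `exp` is constrained before this loop is not visible here; if it is, a comment stating the valid range suffices, otherwise the value should be clamped or rejected before shifting. The loop body continues outside the hunk.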
+++ b/libavcodec/mlpdsp.c @@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; int32_t sample = sample_buffer[i][mat_ch] * - (1 << output_shift[mat_ch]); + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 56ce2cae385e2de3b6f7618c28cb28ce7a87d012 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:46:55 +0200 Subject: [PATCH 462/658] avcodec/takdec: Fix runtime error: left shift of negative value -63 Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d66193252b4067144f11211f8f3e1d5a50146235) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index f556c5baa1..b438ae43b3 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -860,7 +860,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1 << s->sample_shift[chan]; } } From 87de89ac7856598cfb7bd3b74387c68defa517e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:51:04 +0200 Subject: [PATCH 463/658] avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 Fixes: 1716/clusterfuzz-testcase-minimized-4691012196761600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3547dcbc326474745f02a618e01848a293f3f92) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
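Review bot: The `1U << output_shift[mat_ch]` change removes the overflow in the product, but two lines further down `*data_32++ = sample << 8;` still left-shifts a signed `int32_t` that can be negative, which is the same class of undefined behaviour this series is removing; `sample * 256` or `(unsigned)sample << 8` avoids it. The shift count itself is only safe while `output_shift` stays below 32, and that range is not checked in the hunk. ff_mlp_pack_output continues outside the hunk.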
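Review bot: `decoded[i] *= 1 << s->sample_shift[chan];` avoids the negative left shift, but the product is still a signed multiplication that can overflow, and `1 << n` is itself undefined for `n >= 31`; the range of `sample_shift` is not checked in the hunk. Writing `decoded[i] *= 1U << s->sample_shift[chan];` makes the arithmetic unsigned, as the other fixes in this series do, and a comment or check documenting the maximum `sample_shift` would cover the shift count. The loop is fully inside the hunk but tak_decode_frame continues outside it.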
diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index c12dc2fab7..0ea667e77b 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -45,7 +45,7 @@ typedef int AAC_SIGNE; #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30) From e6d6363eb30dfdf3c4aeb3f269ee63a91a79b042 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:07:02 +0200 Subject: [PATCH 464/658] avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 955db411929a9876d3cd016fbbb9c49b6362feba) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index b438ae43b3..a05b50ac5c 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -265,11 +265,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { From 859188863b9d54362a291b52bee7ce0b953cffc2 Mon Sep 17 00:00:00 2001 
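Review bot: The rewritten `GET_GAIN` expansion is not wrapped in outer parentheses, so `(-(y) * (1 << (x))) + 1024` binds incorrectly in contexts such as `GET_GAIN(a, b) * c` or `-GET_GAIN(a, b)`; since the line is being touched anyway it should read `#define GET_GAIN(x, y) ((-(y) * (1 << (x))) + 1024)`. `1 << (x)` is also only defined for `x` below 31 and `-(y)` overflows for `INT_MIN`, which callers have to guarantee; a static inline function would add type checking and evaluate each argument exactly once.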
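Review bot: `x` is now unsigned but the next line, `x |= 1 << code.init;`, still shifts a signed `1`, which is undefined for `code.init == 31`; write `x |= 1U << code.init;` to match. `x >= code.escape` and `x >= code.aescape` have become unsigned comparisons, so if those table fields are signed `int`, a negative value (should the table ever hold one) would be promoted and compare differently than before; a comment stating they are non-negative, or unsigned types in the table, would pin that down. The loop continues outside the hunk.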
From: Michael Niedermayer Date: Sun, 21 May 2017 13:22:16 +0200 Subject: [PATCH 465/658] avcodec/vmnc: Check location before use Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int' Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec2b76aab44f55be22eb12d86eb0dfd2eff68581) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 49abb776f2..dfabfd394a 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 
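Review bot: The hoisted bounds check now protects the `outptr` computation for every encoding, not just the raw and HexTile cases that carried it before, and that ordering is the point of the move; a comment above it, e.g. `/* must precede the outptr computation below */`, keeps someone from moving it back into the switch. The later `size_left < w * h * c->bpp2` test is presumably free of overflow only because `w` and `h` have just been bounded by the frame size, which is a second reason the order matters. decode_frame continues outside the hunk.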
@@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; From 9ac7c504eaa44fcd75fbc8e731e81e61210fc11c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 16:01:27 +0200 Subject: [PATCH 466/658] avcodec/mpeg4videodec: Check for multiple VOL headers Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int' Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904 Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976 Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efeb47fd5d5cbf980e52a6d5e741c3c74b94b5e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 20d2171405..52ec688ce8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2559,6 +2559,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; + int vol = 0; /* search next start code */ align_get_bits(gb); 
@@ -2647,6 +2648,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } if (startcode >= 0x120 && startcode <= 0x12F) { + if (vol) { + av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); + return AVERROR_INVALIDDATA; + } + vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { From 9a680966d1be0305855bfa4a5cee7cbbe1bbf218 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 16:53:55 +0200 Subject: [PATCH 467/658] avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' Fixes: 1721/clusterfuzz-testcase-minimized-4719352135811072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5228e44c7f3a5eba537c8a39a45cfbf2961a28d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1b5e8aa326..33f959070c 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -207,7 +207,11 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) c /= band_energy; s = 21 + nlz - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From a8fb8cd716dfe29a113068f9e3ded58912dcebfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 21:49:54 +0200 Subject: [PATCH 468/658] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 40fa6a2fa2c255293a780a194eecae5df52644a1) 
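Review bot: The new error message `"Multiple VOL headers"` lacks the trailing newline that every other `av_log` message in this series carries (`"Tile offsets are invalid\n"`, `"input too small\n"`), so it runs into the next log line; use `av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers\n");`. `vol` is used purely as a flag, so `vol = 1;` reads more clearly than `vol++`, and a name such as `seen_vol` would say so. The declaration is in the previous hunk and ff_mpeg4_decode_picture_header continues outside both.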
Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d7ef0067b5..ba0e714f2b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -734,7 +734,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { From 7b074e728d2402099107d283f6660400c2bdd550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 May 2017 01:19:50 +0200 Subject: [PATCH 469/658] avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fb00b3e858b7a5aeccfe6bdfc10290c2121c3ec) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 9e41269c3b..1ea039f0e8 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ 
@@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } From 3b67878ab4f6598b3af46ec9d10f1f11244084ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 22:18:52 +0200 Subject: [PATCH 470/658] avcodec/jpeglsdec: Check get_bits_left() before decoding a picture Signed-off-by: Michael Niedermayer (cherry picked from commit 4bc3008d04451cd31818e21703ed7ed96b6ff074) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 68151cbbd8..20b40445fd 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
@@ -385,6 +385,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; From 1d35eda0b2c59f742512f39f1ddeabf662fc69bf Mon Sep 17 00:00:00 2001 From: Max Justicz Date: Wed, 24 May 2017 15:25:50 +0200 Subject: [PATCH 471/658] avcodec/sanm: Fix uninitialized reference frames Fixes: poc.snm Signed-off-by: Michael Niedermayer (cherry picked from commit ca616b0f72c65b0ef5f9e1e6125698b15f50a26e) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 1aa002b6a5..065bf7aca1 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || From b3f8d3880002ab934f7afdf7d96001dbee6afe4e Mon Sep 17 00:00:00 2001 
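Review bot: `get_bits_left(&s->gb) < s->height` is a heuristic minimum (at least one bit per scan line) rather than an exact size check, and nothing at the site says so; a comment such as `/* cheap early rejection: a picture needs at least one bit per line */` keeps a later reader from tightening or removing it. Because the check precedes the `ilv` dispatch it applies to every scan layout, which is presumably intended. ff_jpegls_decode_picture continues outside the hunk.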
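Review bot: The switch to `av_fast_padded_mallocz` is the whole fix, but the reason (reference frames can presumably be read before anything has been written into them) lives only in the commit message; a one-line comment above the allocations, e.g. `/* zeroed: frames may be used as references before they are ever written */`, preserves it in the code. The NULL check that follows is cut off by the end of the hunk.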
From: Michael Niedermayer Date: Wed, 24 May 2017 19:40:42 +0200 Subject: [PATCH 472/658] avcodec/jpeg2000dec: Check tile offsets Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51af3..b320c41c3a 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -298,6 +298,14 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", + s->ncomponents); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { From 5202bef67aadf67af4e276998470658ad40f7541 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 11:11:33 +0200 Subject: [PATCH 473/658] avcodec/jpeg2000dec: Fix copy and paste error Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 5782e0ba8cc30bb08a806cdeda1adfb89a0556b4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b320c41c3a..fca7740b5d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
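Review bot: The new check rejects negative tile offsets and tile origins to the right of or below the image origin, but the complementary constraint from the SIZ marker (the first tile must actually reach the image origin, i.e. `tile_offset + tile_size > image_offset`) is not visible in this hunk; if it is enforced elsewhere a comment pointing there helps, otherwise a tile grid that starts before the image and never reaches it still gets through. Including the offending values in the log message, in the style of the vmnc message elsewhere in this series, would make fuzz reports easier to triage. get_siz continues outside the hunk.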
@@ -301,8 +301,7 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || s->image_offset_y < s->tile_offset_y) { - av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", - s->ncomponents); + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From e383baee9c665163c3a35847e5b555cc94206e95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 20:07:49 +0200 Subject: [PATCH 474/658] avcodec/smc: Check remaining input Fixes: Timeout Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 69d78ad1d1..bb5f808da2 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { From b77ce15e472256499606f415df269716929765ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 23:01:27 +0200 Subject: [PATCH 475/658] avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 1825/clusterfuzz-testcase-minimized-6002833050566656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e87d146d798ca25d8f3a4520a6deb7946b39d73) 
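Review bot: The `bytestream2_get_bytes_left(&s->gb) < 1` check before `opcode = bytestream2_get_byte(&s->gb)` reads as a bounds check, but bytestream2 readers are already bounds-safe (the getter yields 0 past the end), so its real purpose — ending the loop instead of spinning on a stream of zero opcodes until the fuzzer timeout — is not obvious from the line. Stating that is worth a comment: `/* bytestream2_get_byte() yields 0 past the end; stop here so a truncated packet cannot loop on zero opcodes */`. smc_decode_stream continues outside the hunk.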
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 33f959070c..29a363dec8 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -187,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) round = 1 << (s-1); for (i=0; i> s); - dst[i] = out * ssign; + dst[i] = out * (unsigned)ssign; } } } From 9aaadb1ee3eb276ba5dd4f9d0143895cc0f85432 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 13:49:09 +0200 Subject: [PATCH 476/658] avutil/internal: Do not enable CHECKED with DEBUG This avoids potential undefined behavior in debug mode while still allowing developers which want to check for potential additional overflows to do so by manually enabling this. Reviewed-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index cc2d97dc52..e4da21b1b5 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,9 +30,8 @@ # define NDEBUG #endif -#if defined(DEBUG) && !defined(CHECKED) -# define CHECKED -#endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED #include #include From 162ad001b834568ca96f28af21633919a3e9b0df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 May 2017 18:01:31 +0200 Subject: [PATCH 477/658] avformat/mux: Fix copy an paste typo Found-by: Roger Scott Signed-off-by: Michael Niedermayer (cherry picked from commit 1a36354698fc0453ba4d337786d2cb4d3e374cfb) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
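Review bot: `dst[i] = out * (unsigned)ssign;` relies on the implicit unsigned-to-int conversion on assignment to produce the intended negative result, which is implementation-defined before C23 and is what FFmpeg assumes throughout, but the line gives no hint that the cast exists to avoid UB rather than to change the arithmetic. A trailing comment, `/* unsigned multiply: ssign is ±1 and out may be INT_MIN, so int * int would overflow */`, keeps the next editor from removing it; that ssign is ±1 is inferred from its name and the commit message, so confirm it before writing it down. subband_scale continues outside the hunk.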
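Review bot: Replacing the `#if defined(DEBUG)` block with a commented-out `//#define CHECKED` leaves dead code as the only documentation of the switch, and it hides that the usual way to turn it on is a compiler flag rather than editing the header. I would drop the dead define and say so in the comment: `// Define CHECKED (e.g. -DCHECKED in CFLAGS) to let ubsan report additional integer overflows; it is deliberately no longer tied to DEBUG because the checked paths could themselves hit undefined behavior in plain debug builds`. The rationale in the second clause comes from the commit message, so keep it in sync if that reasoning changes.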
diff --git a/libavformat/mux.c b/libavformat/mux.c index a447645198..221ec7ffdc 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -697,7 +697,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", - av_ts2str(pkt->dts), + av_ts2str(pkt->pts), pkt->stream_index ); } From 4354def5efb7b5fcad6295b38b0624d9a5b295a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:07:00 +0200 Subject: [PATCH 478/658] avcodec/ra144dec: Fix runtime error: left shift of negative value -17 Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894) Signed-off-by: Michael Niedermayer --- libavcodec/ra144dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 3eed17c0da..c716c32e67 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; From f71d15f04fef53a870f8f00233edcb4fbb461580 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:17:34 +0200 Subject: [PATCH 479/658] avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
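Review bot: `av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2))` removes the left-shift-of-negative UB but still performs a signed multiply, which overflows if a curr_sblock value exceeds INT_MAX/4; the element type of curr_sblock is not visible in the hunk. If it is a 16-bit type, as its use with av_clip_int16 suggests, the multiply cannot overflow and a comment such as `/* curr_sblock holds 16-bit samples, so *4 cannot overflow int */` would forestall the question; if it is a wider type, the page's own idiom `* (unsigned)(1 << 2)` would at least make corrupt input wrap instead of being UB. ra144_decode_frame continues outside the hunk.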
Signed-off-by: Michael Niedermayer (cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eac19a0d5e..f60f14cc71 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - s->num_primitive_matrices = 0; - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ From 5aaec845738ba401a97eae4fb16955610f30b1d8 Mon Sep 17 00:00:00 2001 From: Kevin Mark Date: Sat, 27 May 2017 10:10:46 -0400 Subject: [PATCH 480/658] doc/filters: Clarify scale2ref example Signed-off-by: Kevin Mark Signed-off-by: Michael Niedermayer (cherry picked from commit 114e8716214d414d7965029ae5fe74668ed69e4a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index b482236e10..92f541de93 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
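Review bot: The new `error:` block clears num_primitive_matrices and matrix_out_ch[] but gives no reason, and the motivation (a stale matrix_out_ch entry later indexes an 8-element array, per the commit message) lives only in the commit. A comment at the label, `/* discard partially parsed matrix state: a stale matrix_out_ch[] entry would later be used as an array index */`, would document the invariant for all three hunks that now jump here. I would also check whether any other per-matrix state written in this loop needs the same reset; the rest of the loop body is outside the hunks, so I cannot tell whether anything reads it after a failed parse.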
@@ -11514,7 +11514,7 @@ uses the reference video instead of the main input as basis. @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example From 8da4f91fca831d8d8e8e4aa257d4a2927a2af9e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:03:46 +0200 Subject: [PATCH 481/658] avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 1ea039f0e8..a57d09e0fb 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); From 9ff9355b84977bba806fdaa979e19a90898f54d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 21:08:48 +0200 Subject: [PATCH 482/658] avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' Fixes: 1770/clusterfuzz-testcase-minimized-5285511235108864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c36ee216f1e668e2c2af1573bd9dbbb2a501f48) 
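Review bot: `sp1 = src[0] * (1 << shift);` and the sp2 line fix the negative-shift UB, and since `shift = !(i & 2)` in the context above, the multiplier is only 1 or 2, so the only remaining overflow case is an input with |src| > INT_MAX/2. If the int32_t inputs are bounded by the preceding stages that is fine, but the hunk does not show it; a comment such as `/* shift is 0 or 1, so this is at most *2 and cannot overflow for coefficients in the decoder's range */` (after confirming the range) would settle it. ff_ivi_inverse_haar_4x4 continues outside the hunk.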
Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_template.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index b649dfd7ee..897a3bbffb 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c @@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO { int i; for (i = 0; i < 64; i++) { - v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); - v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED + v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; + v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else + v[ i] = src0[i] - src1[63 - i]; + v[127 - i] = src0[i] + src1[63 - i]; +#endif } } From 1c0524da00f06acef67465164512c251402c8bce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 03:21:50 +0200 Subject: [PATCH 483/658] avcodec/libfdk-aacdec: Correct buffer_size parameter the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until 2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused. after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error. FFmpeg as well as others (like GStreamer) did interpret it as size in bytes Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c) Signed-off-by: Michael Niedermayer --- libavcodec/libfdk-aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index e5f7c4ebdc..2857b9453f 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c 
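Review bot: The fixed-point branch, `v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5;`, open-codes AAC_SRA_R(x, 5) with an unsigned add so that the sum wraps instead of overflowing, then casts back to int so the `>> 5` stays arithmetic — that ordering is essential and not obvious, so it deserves a comment such as `/* unsigned add avoids signed overflow; the (int) cast before the shift keeps it arithmetic (this is AAC_SRA_R(x, 5), rounding constant 0x10) */`. The `#else` branch drops the macro entirely, which is behavior-preserving only if AAC_SRA_R is the identity in the float build; the float definition is not on this page, so that should be confirmed and noted. The two `#if USE_FIXED` copies of the loop body also invite drift; tying the 0x10 constant to the shift of 5 in the comment helps the next edit keep them in step.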
@@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; From f4ff72cde6fc542cd653779e4279eb28732f0a38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:18:02 +0200 Subject: [PATCH 484/658] avcodec/wnv1: More strict buffer size check This requires at least 25% of a picture to allocate and decode it Fixes: Timeout Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 126c01a02d..915e9c7dc9 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } From cadb2d590dc926601e2025036038ee427f26a6c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:34:09 +0200 Subject: [PATCH 485/658] avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' Fixes: 1851/clusterfuzz-testcase-minimized-5692607495667712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
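Review bot: `s->decoder_buffer_size / sizeof(INT_PCM)` fixes the unit mismatch but leaves the reader guessing why a byte count is divided here, and the result is a size_t that is narrowed implicitly to whatever integer type libfdk declares for timeDataSize (the prototype is not on this page). A comment on the line above, `/* timeDataSize is in samples (INT_PCM units), not bytes; recent libfdk memsets that many samples on error */`, records the finding from the commit message, and an explicit cast to the parameter's type would make the narrowing deliberate. fdk_aac_decode_frame continues outside the hunk.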
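Review bot: `buf_size < 8 + avctx->height * (avctx->width/2)/8` multiplies in int; it is safe only because FFmpeg validates dimensions so that width*height fits comfortably in an int, and nothing in the hunk says so. The same applies to `20 + avctx->width * avctx->height / 16` in the sheervideo hunk (PATCH 486 on this page). A comment on the minimum, e.g. `/* a frame needs at least h*(w/2)/8 bytes (one bit per pixel pair); reject smaller packets before allocating the frame */`, would also record why this threshold was chosen — the per-pixel-pair reading is my interpretation of the commit message's "25%", so confirm it against the bit reader below. decode_frame continues outside the hunk.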
Signed-off-by: Michael Niedermayer (cherry picked from commit 6c3a63fc3d1be7ac947e38a165a299c9e5d37764) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 29a363dec8..b78a27a236 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -370,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac, shift = (gain-1024) >> 3; } - if (shift < 0) { + if (shift < -31) { + // Nothing to do + } else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); From efa7ce36e372e458b534529bb7d0a21b89368ad6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 13:30:46 +0200 Subject: [PATCH 486/658] avcodec/sheervideo: Check input buffer size before allocating and decoding Fixes: Timeout Fixes: 1858/clusterfuzz-testcase-minimized-6450473802399744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8030c14bd7ac983b81ebe898631979f6b5aea09) Signed-off-by: Michael Niedermayer --- libavcodec/sheervideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c index 2f08b7bff0..5b03ce4431 100644 --- a/libavcodec/sheervideo.c +++ b/libavcodec/sheervideo.c @@ -3098,6 +3098,11 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (avpkt->size < 20 + avctx->width * avctx->height / 16) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + if (s->format != format) { if (ret < 0) return ret; From c04d2b2f9ded653af6d3bf6064d767550bcc62eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 13:52:13 +0200 Subject: [PATCH 487/658] avcodec/jpeg2000dec: Check tile offsets more completely 
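Review bot: The new `if (shift < -31) { // Nothing to do }` branch documents the effect but not the reason, and an empty branch with that comment reads like a placeholder. Saying why is cheap: `/* shift < -31: the coupling gain scales the samples below 2^-31, i.e. to zero at this precision, and 1 << (shift - 1) below would be UB */` — the first clause is inferred from `shift = (gain-1024) >> 3` and the right shift in the following branch, so confirm it matches the fixed-point arithmetic before writing it. apply_dependent_coupling_fixed continues outside the hunk.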
Signed-off-by: Michael Niedermayer (cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fca7740b5d..6267629fad 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -300,7 +300,10 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || - s->image_offset_y < s->tile_offset_y) { + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From ed1a66821382586c80799c1fc625419a567b5c82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 14:00:30 +0200 Subject: [PATCH 488/658] avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index ed3b421ad8..873e4505ec 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ From b778eb8d64c2143eef04d470e76f2a701bdc2b32 Mon Sep 17 00:00:00 2001 
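Review bot: The two added conditions, `s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x` and the Y counterpart, encode the JPEG 2000 requirement that the first tile must overlap the image area, but nothing in the hunk names that rule, so the generic "Tile offsets are invalid" message is all a maintainer gets. A comment above the `if`, `/* T.800 SIZ constraints: 0 <= XTOsiz <= XOsiz and XTOsiz + XTsiz > XOsiz, likewise for Y; otherwise the first tile lies outside the image */`, would tie each clause to the spec. The closing `) {` on a line of its own is also unusual for this file's style; `s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y) {` reads better. get_siz continues outside the hunk.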
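Review bot: `return (a + (int64_t)b - 1) / b;` avoids overflow in the sum, but the function still has no stated precondition on b: b == 0 divides by zero and a negative b gives a floor rather than a ceiling. A Doxygen line on the declaration, `/** Ceiling of a/b for b > 0; the 64-bit sum cannot overflow and the quotient always fits back into int when b >= 1 */`, records both the contract and why the implicit narrowing of the int64_t quotient on return is safe. Whether every caller guarantees b > 0 should be confirmed rather than assumed; tile sizes are checked in get_siz earlier on this page, other callers are not visible.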
From: Michael Niedermayer Date: Sun, 28 May 2017 17:12:35 +0200 Subject: [PATCH 489/658] avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 59c710b5f9..f7ed1f82e7 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -540,7 +540,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; From 41c6624c885c8ff0a921118b9d8af680d7acee4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 17:20:42 +0200 Subject: [PATCH 490/658] avcodec/ylc: Check count in build_vlc() Fixes: runtime error: signed integer overflow: 211633430 + 2147483647 cannot be represented in type 'int' Fixes: 1874/clusterfuzz-testcase-minimized-5037763613163520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67b30decf7793523f7fdaef6fdf7f1179ef42b18) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index 95a5e05baa..1af880f4d4 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c 
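Review bot: Changing `a` to `unsigned` makes the accumulation wrap instead of overflowing, which is the right fix for hostile input, but it is invisible at the declaration why one of the three locals differs, and the accumulation and the conversion back to the signed return value presumably happen below the hunk where the reader cannot see them. A comment on the declaration, `unsigned a; /* reconstructed magnitude; unsigned so that a corrupt exponent e cannot cause signed overflow while it is built up */`, would explain it, and the conversion to the signed result deserves a note of its own where it happens. get_symbol continues outside the hunk, so I cannot check whether anything compares a against a negative value, which the type change would silently alter.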
@@ -108,7 +108,7 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) int new_node = j; int first_node = cur_node; int second_node = cur_node; - int nd, st; + unsigned nd, st; nodes[cur_node].count = -1; @@ -132,6 +132,10 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) st = nodes[first_node].count; nodes[second_node].count = 0; nodes[first_node].count = 0; + if (nd >= UINT32_MAX - st) { + av_log(avctx, AV_LOG_ERROR, "count overflow\n"); + return AVERROR_INVALIDDATA; + } nodes[cur_node].count = nd + st; nodes[cur_node].sym = -1; nodes[cur_node].n0 = cur_node; From 228093ec9368dba09a33c1a3f15b5966b1d871e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 18:09:47 +0200 Subject: [PATCH 491/658] avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1878/clusterfuzz-testcase-minimized-6441918630199296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6b9cb5d26a2d9905093621d12785bc5903dce66d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index b78a27a236..7945c46355 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -211,8 +211,8 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) for (i=0; i 0) { - round = 1 << (s-1); + } else if (s >= 0) { + round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; From f88fd9027c49f20ce0ff0b04658322314fac605e Mon Sep 17 00:00:00 2001 
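Review bot: The overflow guard `if (nd >= UINT32_MAX - st)` in the second hunk bounds the sum against the unsigned range, but `nd + st` is then stored back into `nodes[cur_node].count`, and the `nodes[cur_node].count = -1;` sentinel in the first hunk suggests that field is a signed int; a sum between INT_MAX and UINT32_MAX would then be stored as a negative count and could collide with the sentinel. If count is indeed signed, bounding against INT_MAX instead, `if (st > INT_MAX || nd > INT_MAX - st)`, keeps the stored value non-negative; if it is unsigned, a comment saying so next to the `unsigned nd, st;` declaration would settle it. The field's type is outside the hunk, so this needs checking against the struct. build_vlc continues outside the hunk.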
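Review bot: The new `} else if (s >= 0) {` branch admits s == 0, and in that case the assignment `coefs[i] = ((int)(out+round) >> s) * ssign;` multiplies an unshifted int that can be INT_MIN by ssign in signed arithmetic — the same `INT_MIN * -1` overflow that PATCH 475 on this page fixed in subband_scale with an unsigned multiply. Unless out is already bounded below INT_MAX in magnitude (its computation is garbled in this excerpt, so I cannot tell), applying the same idiom here, `coefs[i] = ((int)(out+round) >> s) * (unsigned)ssign;`, would close it. `round = s ? 1 << (s-1) : 0;` is fine for the s range this branch accepts, assuming s is bounded to at most 31 elsewhere. noise_scale continues outside the hunk.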
From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:50 +0200 Subject: [PATCH 492/658] avcodec/webp: Fixes null pointer dereference Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488 Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520 Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144 Approved-by: BBB Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67020711b7d45afa073ef671f755765035a64373) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 04d898ee7b..6aa0e4aed8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1350,6 +1350,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (ret < 0) return ret; + if (!*got_frame) + return AVERROR_INVALIDDATA; + update_canvas_size(avctx, avctx->width, avctx->height); if (s->has_alpha) { From 78603ff0f9e0c717f3637f1442ef1d108e5d7d91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 20:08:49 +0200 Subject: [PATCH 493/658] avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro Fixes: runtime error: shift exponent 1073741848 is too large for 32-bit type 'INTFLOAT' (aka 'int') Fixes: 1880/clusterfuzz-testcase-minimized-4900645322620928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 872bac81590ccbec40ba7ad203421d9e38d1b253) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 0ea667e77b..3c79a8a4a1 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h 
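Review bot: `if (!*got_frame) return AVERROR_INVALIDDATA;` encodes a decision — that the embedded VP8 decoder returning success without a frame is treated as corrupt input rather than as a legitimately skipped frame — and the reason (the code after the hunk dereferences the frame, per the commit's null-pointer report) is not on the line. A comment makes it defensible: `/* the VP8 decoder can return >= 0 without producing a frame; the canvas/alpha handling below apparently needs p to be allocated, so treat that as invalid data */`. I would also confirm that nothing acquired in the ret >= 0 path above needs releasing on this new early return; vp8_lossy_decode_frame continues outside the hunk.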
@@ -72,7 +72,7 @@ typedef int AAC_SIGNE; #define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x40000000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else From 37709a5f8205e7ed8ade812df66c6489404eb40d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:38:24 +0200 Subject: [PATCH 494/658] avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 690f7ff3d6..4f8471d28a 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } From b31bb8a6142cea7a4e84450fe8c1dec8ee8eab4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:44:32 +0200 Subject: [PATCH 495/658] avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824) 
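Review bot: The parenthesization fix is right, but the neighbouring `AAC_SRA_R(x, y)` macro on the next line has the same shape of hazard that PATCH 482 on this page had to open-code around: `(x) + (1 << ((y) - 1))` is a signed add that overflows for x near INT_MAX, and `(y) - 1` is a negative shift when y is 0. If y is always >= 1 at every use, `#define AAC_SRA_R(x, y) ((int)((x) + (1U << ((y) - 1))) >> (y))` removes the overflow while keeping the shift arithmetic, mirroring the sbrdsp fix; otherwise the y == 0 case needs handling as well. Either way, a comment on the macro stating the accepted range of y would document the contract.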
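Review bot: `(ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12` changes the shift from arithmetic to logical, because the product is unsigned at the point where it is shifted; that is equivalent to the old code only when the product is non-negative. The next commit on this page (PATCH 495) casts back to int before shifting, `(int)(... * (unsigned)b) >> 12`, precisely to keep the arithmetic shift; if ff_irms() or gval can be negative this line needs the same `(int)` cast, and if they cannot, a comment `/* both factors are non-negative, so the logical shift is exact */` would stop the next reader from asking. ff_subblock_synthesis continues outside the hunk.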
Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 4f8471d28a..c869824e35 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From e561676c55aa9d3745b5e30b41693a179cbee8d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 496/658] avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 245a32a8d7..4f0e52dbf7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } From 79f75b123b3416a824ae36c2c8a898a4dd1ee820 Mon Sep 17 00:00:00 2001 
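Review bot: The new line `bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12;` moves only the outer multiply to unsigned; the inner `refl[i+1] * bp2[i-j]` and the subtraction are still signed and can overflow on the same kind of input unless both operands are bounded (the `(unsigned) bp1[i] + 0x1000 > 0x1fff` check below suggests bp1 values are meant to stay within 13 bits, but the refl and bp2 ranges are not visible here). A comment such as `/* unsigned multiply: b can be large enough that int * int overflows; the (int) cast before >> keeps the shift arithmetic */` would explain the cast pattern, and the inner product deserves either the same treatment or a note on its bound. ff_eval_refl continues outside the hunk.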
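Review bot: `v - (1U << mb)` removes the UB for mb == 31, but the unchanged condition just above it, `if (v & (1 << (mb - 1)))`, still computes `1 << 31` when mb == 32 and shifts by -1 when mb == 0, and `1U << 32` is undefined too; the hunk does not show how mb is bounded. If mb is validated to 1..31 before this loop, a comment at the loop, `/* mb is in 1..31 here (checked above), so the shifts below are defined */`, would close the question; if it is not, the condition should use `1U << (mb - 1)` and mb needs a range check before the loop. tm2_read_deltas continues outside the hunk.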
From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 497/658] avcodec/truemotion2: Fix passing null pointer to memset() Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4f0e52dbf7..e6ae05f1d5 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; From 4ba6f68b27c2668943982d04c8bc624504c8375b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 13:45:29 +0200 Subject: [PATCH 498/658] avcodec/jpeg2000dec: Use ff_set_dimensions() Fixes: OOM Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 6267629fad..b23e1678d5 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
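Review bot: `if (l->tok_lens[j]) memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]);` fixes the null-pointer call but does not say that the guard is about the pointer, not about saving a zero-length memset; the next reader may well remove it as redundant. A comment, `/* tokens[j] is NULL when tok_lens[j] == 0; memset(NULL, 0, 0) is undefined even though it touches nothing */`, states the invariant — that tokens[j] is NULL exactly when the length is zero is inferred from the fix, so confirm it against the allocation site. The unbraced two-line `if` also departs from the braced `if (t < 0) {` right above it; `if (l->tok_lens[j]) { ... }` would match. decode_frame continues outside the hunk.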
@@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); @@ -359,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { From f11bc174292fc6cea5aa35b25572eb45b057d236 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 14:07:33 +0200 Subject: [PATCH 499/658] avcodec/ansi: Fix frame memleak Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 19c88d8d51..8032aebe5e 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; 
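Review bot: The move to `ret = ff_set_dimensions(s->avctx, ...)` replaces direct assignment with a validated setter, but the hunk does not say what the validation buys (the commit says OOM), and the two ff_jpeg2000_ceildivpow2 arguments still compute `s->width - s->image_offset_x` and the Y counterpart in int. A comment, `/* ff_set_dimensions() rejects zero, negative and oversized dimensions before anything is allocated from them */`, explains the change. Whether `s->width - s->image_offset_x` can be non-positive or overflow depends on checks earlier in get_siz that are outside these hunks; a non-positive value would be caught by ff_set_dimensions as far as I recall, but a signed overflow before the call would not, so the earlier checks should guarantee image_offset_x <= width. get_siz continues outside the hunks.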
@@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } From 64168825dec02348010bce8ee664b2bdb6d66007 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:09:11 +0200 Subject: [PATCH 500/658] avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f828fc725b..a679d424eb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -548,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; From ea70971cbe9ffd23cfd0bf519280a131097f8979 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:13:21 +0200 Subject: [PATCH 501/658] avcodec/wavpack: Check float_shift Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int' Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
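Review bot: Moving av_frame_alloc() to the end of decode_init fixes the leak only as long as nothing that can fail is ever added after it, and that constraint is not written down in the hunk. A comment on the allocation, `/* allocate last: when init fails the close callback is presumably not run, so no error return may follow this */`, records it; alternatively the codec could opt into init-failure cleanup (FF_CODEC_CAP_INIT_CLEANUP) so that statement order no longer matters. The first hunk of this commit is the matching removal.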
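Review bot: `(int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10` makes the multiply wrap instead of overflowing, but converting an out-of-range unsigned back to `int` and right-shifting a possibly negative value are both implementation-defined, and nothing on the line says the wraparound is intentional. Suggest `/* deliberate 32-bit wraparound; cast back to int for the arithmetic shift */`. The same unexplained `(unsigned)` / `1U` casts appear in the later hunks of this series for cavsdec (PATCH 504), ra144 (PATCH 506), hevc_ps scaling_list_data (PATCH 507), wavpack wv_get_value (PATCH 509) and takdec (PATCH 523); one such comment per site would do. wv_unpack_mono continues outside the hunk.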
Signed-off-by: Michael Niedermayer (cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a679d424eb..3bc345e797 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -872,6 +872,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; From 276eae8adc95c83ef0717376142af2e2f5b55d17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 04:03:09 +0200 Subject: [PATCH 502/658] avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549) Signed-off-by: Michael Niedermayer --- libavcodec/acelp_pitch_delay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index 8ec1ba3a83..c345a99c81 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c 
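Review bot: The new FLOATINFO guard resets `float_shift` and then `continue`s, which skips the `bytestream2_skip(&gb, 1)` and `got_float = 1` of the normal path as well as whatever follows the switch outside this hunk; whether the byte cursor is still aligned with the next sub-block after that depends on code not shown here, so please confirm the other error cases in this loop use the same `continue` shape. If they do, a short comment on it would help, e.g. `/* drop only this sub-block; the rest of the block is still decoded */`. The bound itself is right: the commit message shows `float_shift` is used as a shift count on 32-bit values, so 31 is the largest usable value. wavpack_decode_block continues outside the hunk.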
@@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, ff_exp10(0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / - sqrtf(fixed_mean_energy); + sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], From 39c729c375a67eb87d420e2079a003af6f0c7bf2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 21:29:20 +0200 Subject: [PATCH 503/658] avformat/avidec: Limit formats in gab2 to srt and ass/ssa This prevents part of one exploit leading to an information leak Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ebb21bd937..65193289c4 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1088,6 +1088,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; From 2a55e8bda94375e2d61236c618e2a119b21217b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:21:58 +0200 Subject: [PATCH 504/658] avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879) 
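Review bot: `fixed_mean_energy ? fixed_mean_energy : 1.0` uses a `double` literal, so the whole conditional is promoted to `double` and narrowed again for `sqrtf()`; `1.0f` keeps the expression in `float` and avoids -Wdouble-promotion noise. The guard also covers only an exact zero: a negative `fixed_mean_energy` would still give NaN from `sqrtf()`, and whether callers can pass one is not visible here, so either document the precondition or use `fixed_mean_energy > 0 ? fixed_mean_energy : 1.0f`. ff_amr_set_fixed_gain continues outside the hunk.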
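Review bot: The demuxer allowlist `strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")` carries no comment, and the commit message's reasoning is exactly what a reader of this line needs. Suggest `/* gab2 only carries SRT or ASS/SSA text; do not let the probed format hand the data to any other demuxer (information-leak fix, see commit) */`. Matching on the registered demuxer names is fine, but it ties the check to their exact spelling, which the comment should also say. read_gab2_sub continues outside the hunk.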
Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 4d1b77187b..cd4eec9caf 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, From 4911902c6f312bd060e2b7d4158a84f0aa7b1db9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:39:45 +0200 Subject: [PATCH 505/658] avcodec/pnm: Use ff_set_dimensions() Fixes: OOM Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 1675959fbf..8b4a4ac292 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') 
@@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -153,8 +156,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); From 6ad05cbad1de2bbdaaeb34fd66931c485ef3e8a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 15:52:56 +0200 Subject: [PATCH 506/658] avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c869824e35..2ed7361e38 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) 
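Review bot: In both hunks ff_set_dimensions(avctx, w, h) now follows a condition that already calls `av_image_check_size(w, h, 0, avctx)`; as far as I recall ff_set_dimensions() performs that same check internally, so the explicit call has become redundant and could be dropped from the two `if` conditions (keeping it is harmless but misleads about which check is load-bearing). ff_pnm_decode_header continues outside both hunks.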
From 317690375e78904e8bd11f4c0f46d8ddf29a8b65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:02:07 +0200 Subject: [PATCH 507/658] avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 83f2ec2bac..895046722f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -738,7 +738,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } From 89b2e25e138d3cf7e1651ded171c9c7cbfff00ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:18:23 +0200 Subject: [PATCH 508/658] avcodec/cinepak: Check input packet size before frame reallocation Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 737462bd9c..4b12fcbca6 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c 
@@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 4007ba9833cb0725124f22147ca0523857ff5982 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:53:02 +0200 Subject: [PATCH 509/658] avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 3bc345e797..9ce074d975 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; From 3ecefcabe076578b8e31217043af578cfac0a682 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2017 18:48:37 +0200 Subject: [PATCH 510/658] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
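Review bot: `if (s->size < 10)` now lives in cinepak_decode_frame, away from the header reads it protects in cinepak_decode (`s->data[0]`, `AV_RB24(&s->data[1])` and `AV_RB16(&s->data[8])` in the first hunk), so the magic 10 has lost its context. A comment at the new site, `/* cinepak_decode() reads a 10-byte header: flags at 0, 24-bit size at 1, strip count at 8 */`, or a named constant shared by both functions, keeps them in step. Both functions continue outside their hunks.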
Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 9ce074d975..e55cd82595 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -184,7 +184,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } From cc6eec316e2a49c255f068821c6de497b2e3f1c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Jun 2017 22:31:02 +0200 Subject: [PATCH 511/658] avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9faf098163b33e7b0f5baafa3371ef5401f4105d) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 48b595adbd..01f6d1f076 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED - width <<= 1; + width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; From 6af15d2d896dc4a909a1d80d70d227f96730f3a2 Mon Sep 17 00:00:00 2001 
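Review bot: The added `t2 >= 32` bound is correct for `get_bits_long(gb, t2 - 1) | (1 << (t2 - 1))`, but the 32 is tied to `int` being 32 bits wide at two places (the read width and the shift) and the line does not say so; `/* t2 - 1 is both the read width and the shift count; both must stay below 32 */` would. Using `1U << (t2 - 1)` would also remove the signed left shift from the same expression. The branch presumably runs only for `t2 >= 2` (the split is outside the hunk); otherwise `t2 - 1` would be negative here.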
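Review bot: `width = FFMIN(2U*width, INT_MAX)` changes behaviour rather than only silencing the sanitizer: with `stop - start == 1` the fixed-point `width` is `Q30(1.f)`, so doubling it no longer wraps to a negative value but saturates at INT_MAX, and neither the commit message nor the line says saturation is the intended result. A comment, `/* saturate: Q30(1.0) * 2 does not fit in 32 bits */`, would record it; please also confirm the saturated value is what the float build computes at this point. stereo_processing continues outside the hunk.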
From: Michael Niedermayer Date: Fri, 2 Jun 2017 14:47:16 +0200 Subject: [PATCH 512/658] avformat/options: log filename on open The loglevel is choosen so that the main filename and any images of multi image sequences are shown only at debug level to avoid clutter. This makes exploits in playlists more visible. As they would show accesses to private/sensitive files Signed-off-by: Michael Niedermayer (cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582) Signed-off-by: Michael Niedermayer --- libavformat/options.c | 12 ++++++++++++ libavformat/utils.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/options.c b/libavformat/options.c index 04d9c454d3..8fbc0d445e 100644 --- a/libavformat/options.c +++ b/libavformat/options.c @@ -102,6 +102,18 @@ static const AVClass av_format_context_class = { static int io_open_default(AVFormatContext *s, AVIOContext **pb, const char *url, int flags, AVDictionary **options) { + int loglevel; + + if (!strcmp(url, s->filename) || + s->iformat && !strcmp(s->iformat->name, "image2") || + s->oformat && !strcmp(s->oformat->name, "image2") + ) { + loglevel = AV_LOG_DEBUG; + } else + loglevel = AV_LOG_INFO; + + av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading"); + #if FF_API_OLD_OPEN_CALLBACKS FF_DISABLE_DEPRECATION_WARNINGS if (s->open_cb) diff --git a/libavformat/utils.c b/libavformat/utils.c index d71aca851b..46dc5109d1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -497,6 +497,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); if ((ret = init_input(s, filename, &tmp)) < 0) goto fail; s->probe_score = ret; 
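Review bot: The condition `!strcmp(url, s->filename) || s->iformat && !strcmp(...) || s->oformat && !strcmp(...)` mixes `||` and `&&` without parentheses, which -Wparentheses flags and which reads ambiguously; wrap the two `&&` terms in parentheses. It also relies on `s->filename` already holding the main filename when io_open_default() runs, which this commit only makes true by moving the av_strlcpy() in utils.c earlier; that cross-file dependency deserves a comment here, e.g. `/* s->filename is set before init_input() so this comparison works (see avformat_open_input) */`. Passing the url through `%s` rather than as the format string is the right way to log it. io_open_default continues outside the hunk.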
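Review bot: Nothing at the moved `av_strlcpy(s->filename, ...)` says why it now precedes init_input(); the reason is that io_open_default() in options.c compares every opened url against `s->filename`, so suggest `/* must precede init_input(): io_open_default() compares opened urls against s->filename */`. The third hunk of this commit is the matching removal. avformat_open_input continues outside the hunk.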
@@ -534,7 +535,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* Allocate private data. */ if (s->iformat->priv_data_size > 0) { From 80d39a5bb34dff46de36c243cf4394a8508d9377 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 13:02:51 +0200 Subject: [PATCH 513/658] avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 6416da436e..c5b1d50a13 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -69,7 +69,7 @@ static void scale_coefs ( int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; i Date: Sun, 4 Jun 2017 13:38:02 +0200 Subject: [PATCH 514/658] avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
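Review bot: `sign_extend(dynrng, 9) >> 5` is equivalent to the old `(dynrng << 23) >> 28` — both yield bits 8..5 of `dynrng` as a signed value — but it still right-shifts a possibly negative `int`, which C leaves implementation-defined, and neither form says which bits are extracted; `/* bits 8..5 of the 9-bit field, sign-extended; arithmetic shift assumed */` would make the intent checkable. The hunk's trailing context (`for (i=0; i`) is truncated on this page, and scale_coefs continues outside it.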
diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..1618a3e7c3 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], From 0ad5a36b8b7a08c24dca4f1505922aa1efc8c117 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 15:41:18 +0200 Subject: [PATCH 515/658] avcodec/dxv: Check remaining bytes in dxv_decompress_raw() Fixes: Timeout Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb5049227033d946add93c0714bb8a28d94166f1) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 05a9aadd24..f194b134b5 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c 
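Review bot: Replacing the switch's default with `av_assert0(0)` turns any gap between the guard `(code & 0xF) > 4` and the switch's case labels into an abort on crafted input instead of an error return; a code value in 0..4 with no case label passes the guard, and a later commit in this series (PATCH 524) indeed has to add `(code & 0xF) == 3` to it. Keeping the default as `return AVERROR_INVALIDDATA;`, or writing the guard as an explicit allowlist of the handled codes with a comment tying it to the switch, is the safer shape. paf_video_decode continues outside both hunks.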
@@ -331,6 +331,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; GetByteContext *gbc = &ctx->gbc; + if (bytestream2_get_bytes_left(gbc) < ctx->tex_size) + return AVERROR_INVALIDDATA; + bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size); return 0; } From 278b8d18ad297b0841a22f9f6aca5efe0c33eb6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 17:06:27 +0200 Subject: [PATCH 516/658] avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 895046722f..4b2a6244ee 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -169,6 +169,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) From 1f4da7c38460e42e43a22d461b74d6f7dfcb4d8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 20:45:09 +0200 Subject: [PATCH 517/658] avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 6019d721d4c10bf73018d68511d9d0a914c0a389) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index daf91a5557..c50aaf5285 100644 --- a/libavutil/softfloat.h 
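Review bot: The added length check duplicates what the following bytestream2_get_buffer() already reports: it copies at most the bytes left and returns how many it copied, so `if (bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size) != ctx->tex_size) return AVERROR_INVALIDDATA;` expresses the same rejection in one place. If the separate check is kept, a comment saying what a short read would otherwise cost (the commit message cites a timeout) helps. The comparison also mixes the `int` from bytestream2_get_bytes_left() with `ctx->tex_size`, whose type is not visible here.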
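Review bot: The `k >= FF_ARRAY_ELEMS(rps->used)` check comes after the loops that accumulate `k` (they close just above the hunk); if those loops already index `rps->used[k]` or `rps->delta_poc[k]` while counting, the bound has to be enforced inside the loop as well, and this check alone only protects the sorting code below. A comment, `/* k is the number of delta POCs; it must fit the used[]/delta_poc[] arrays */`, would also say what the element count stands for. ff_hevc_decode_short_term_rps continues outside the hunk.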
+++ b/libavutil/softfloat.h @@ -177,8 +177,10 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; From 6f49b9a6881349601e6ab41a2eaedadc90dbb02d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 21:37:47 +0200 Subject: [PATCH 518/658] avcodec/qdrw: Fix null pointer dereference The RGB555 PACKBITSRGN case tries to read a palette, if such palette is actually stored then it accesses a null pointer. All 16bit samples i could find use DIRECTBITSRGN. Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 46b865ea9f86cbd12e1bf701913263c7932cccb0) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 828cfea3fd..2cf18869e1 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -55,6 +55,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc, bytestream2_skip(gbc, 6); continue; } + if (avctx->pix_fmt != AV_PIX_FMT_PAL8) + return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); 
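Review bot: The rewritten doc comment keeps the misspelling `mantisse`; `Converts a mantissa and exponent to a SoftFloat.` is the English spelling. Since the fix is a sign correction in the formula, stating the fixed-point reading once, `@returns a SoftFloat with value v * 2^-frac_bits, i.e. v read with frac_bits fractional bits`, ties the two sentences together.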
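Review bot: The new `avctx->pix_fmt != AV_PIX_FMT_PAL8` check sits inside the per-entry loop of parse_palette, so it is re-evaluated for every entry and reads as a property of the entry rather than of the frame; the reason (per the commit message, only PAL8 frames carry a palette plane in `data[1]`, so writing through the palette pointer would be a NULL dereference) should be stated, e.g. `/* only PAL8 frames have a palette plane; an RGB555 PACKBITSRGN stream may still try to store one */`. Hoisting the check to function entry would also work unless the loop's `continue` cases must still be parsed for non-PAL8 frames. parse_palette continues outside the hunk.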
@@ -227,7 +229,9 @@ static int decode_frame(AVCodecContext *avctx, if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + if (ret < 0) + return ret; p->palette_has_changed = 1; /* jump to image data */ From e0a3b8670d27863bfe6175b383918a5516a6bc42 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 3 Jun 2017 21:20:04 +0200 Subject: [PATCH 519/658] avformat/hls: Check local file extensions This reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its feature. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There were also objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. limiting the check to local files was suggested by nevcairiel This recommits the security fix without the author name joke which was originally requested by Nicolas. Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 72415320d4..3b89ae5a7c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -203,6 +203,7 @@ typedef struct HLSContext { char *http_proxy; ///< holds the address of the HTTP proxy server AVDictionary *avio_opts; int strict_std_compliance; + char *allowed_extensions; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -617,8 +618,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; // only http(s) & file are allowed - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(s, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':') 
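Review bot: The `else if (av_strstart(proto_name, "http", NULL)) { ; } else return AVERROR_INVALIDDATA;` shape with an empty branch is hard to read; `} else if (!av_strstart(proto_name, "http", NULL)) { return AVERROR_INVALIDDATA; }` says the same thing. `strcmp(c->allowed_extensions, "ALL")` dereferences the option string unconditionally; if the string option can be cleared to NULL through the option API that is a crash, so `if (!c->allowed_extensions || (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)))` would be the defensive form. As far as I recall av_match_ext() takes the text after the last '.' of the whole string it is given rather than of the path the file protocol will open, so this is a filename heuristic, which the commit message acknowledges; keeping that caveat next to the code, `/* extension allowlist for local files only; a heuristic, see the commit message for what it does not cover */`, stops it being read as a complete path check. open_url continues outside the hunk.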
@@ -2046,6 +2058,10 @@ static int hls_probe(AVProbeData *p) static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, {NULL} }; From bcf63142d1596095d3ae72bd8a8807bc77f500b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 19:33:56 +0200 Subject: [PATCH 520/658] avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 8542b124ef..c1b280b344 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } From 42b26b41a4e626fc9dbcb5e897a21729b2c85c87 Mon Sep 17 00:00:00 2001 
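Review bot: The help string `List of file extensions that hls is allowed to access` does not mention the special value `ALL`, yet the error message in open_url tells users to set it; `"List of file extensions that hls is allowed to access, or ALL"` keeps the two in sync. The default list is long enough that a comment stating the selection criterion (common multimedia containers and playlists, per the commit message) would help whoever extends it later.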
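Review bot: Widening `den` to `int64_t` does not widen the first multiplication: `src->x * distp * den` groups as `(src->x * distp) * den`, so `src->x * distp` is still evaluated in `int` and can overflow before the 64-bit multiply. Unless the ranges of `src->x` and `distp` (not visible here) rule that out, `(int64_t)src->x * distp * den` is the form that makes every product 64-bit; the final `>> 9` then narrows back to `int` on assignment to `*d_x`, which is presumably fine for valid vectors but is worth a comment. The same applies to the `*d_y` line.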
From: Michael Niedermayer Date: Mon, 5 Jun 2017 20:39:21 +0200 Subject: [PATCH 521/658] avcodec/tiff: Avoid loosing allocated geotag values Fixes memleak Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index dac406862d..c46f771565 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1122,6 +1122,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); From 79f0677332c3ca619b6bd192df13106a6235378e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 22:23:15 +0200 Subject: [PATCH 522/658] avcodec/mjpegdec: Check that reference frame matches the current frame Fixes: out of array read Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ba0e714f2b..32b6b3b84d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
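Review bot: `if (s->geotags[i].val) return AVERROR_INVALIDDATA;` rejects a second value for the same geotag rather than replacing it, and the line gives no reason; the commit message's one (the earlier allocation would be leaked) belongs here, `/* a repeated geotag would leak the val allocated on its first occurrence; reject rather than overwrite */`. If tolerating duplicates is preferable, `av_freep(&s->geotags[i].val)` before the allocation would be the alternative. tiff_decode_tag continues outside the hunk.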
@@ -1475,6 +1475,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); From e8aa646e4a23a77a7b47ff6c563092a95c1c258a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:01:16 +0200 Subject: [PATCH 523/658] avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index a05b50ac5c..66983d67c9 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -860,7 +860,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] *= 1 << s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -902,7 +902,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] *= 1 << 8; + samples[i] *= 1U << 8; } break; } From fb1d3fb1e5afacafff805a0e948c5cd3a4290ba5 Mon Sep 17 00:00:00 2001 
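Review bot: The new guard compares width, height and format but not linesize; if the code that reads `reference` later in `ff_mjpeg_decode_sos` (outside the hunk) indexes it with `s->picture_ptr`'s strides rather than its own, frames of equal geometry but different alignment could still be read past their end, so that assumption should be checked or `linesize` compared as well. The message `"Reference mismatching\n"` would read better as `"Reference frame does not match current frame\n"`, and a comment such as `/* the reference is presumably accessed with the current frame's geometry, so it must match */` states why the check exists. The function continues past the hunk.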
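Review bot: `decoded[i] *= 1U << s->sample_shift[chan];` trades signed-overflow UB for silent unsigned wraparound, so an out-of-range shift now yields wrong samples instead of a diagnostic; the only visible bound is `> 0`, and `1U << n` is itself undefined for `n >= 32`, so the upper bound on `sample_shift` has to be established where it is parsed (outside this hunk). A comment at the use, `/* sample_shift is bounded at parse time; wraparound on overflow is tolerated */`, would make that dependency explicit. The second hunk (`samples[i] *= 1U << 8;`) has the same silent-wrap semantics; both loops are inside `tak_decode_frame`, which extends beyond the hunks.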
From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:21:37 +0200 Subject: [PATCH 524/658] avcodec/pafvideo: Fix assertion failure Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 1618a3e7c3..91bfe16376 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -273,7 +273,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); - if ((code & 0xF) > 4) { + if ((code & 0xF) > 4 || (code & 0xF) == 3) { avpriv_request_sample(avctx, "unknown/invalid code"); return AVERROR_INVALIDDATA; } From faa104541d36fa081cc56eeb8eb679e956fad54d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:28:57 +0200 Subject: [PATCH 525/658] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 18bca25adbae9d010d75f9fc197c0af656af758d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 52ec688ce8..0da925c4f8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
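Review bot: `(code & 0xF) == 3` is added without saying why 3 is excluded; the commit message ties it to an assertion failure further down, so the reason belongs next to the test rather than in git history. Hoisting the nibble once also avoids repeating the mask: `int mode = code & 0xF;` / `if (mode > 4 || mode == 3) { /* 3 is not a defined mode; it previously reached an assertion in the decode path */`. The rest of `paf_video_decode` is outside the hunk.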
@@ -2333,7 +2333,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; - s->time = s->time_base * s->avctx->framerate.num + time_increment; + s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2345,7 +2345,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { - s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; + s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || From cd16f4cf4b08d46b1284768522be4b71ae6fc71e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:44:32 +0200 Subject: [PATCH 526/658] avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index c5b1d50a13..56b62548ec 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,7 +65,7 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; 
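Review bot: The `(int64_t)` cast widens the multiplication, but `s->time_base += time_incr;` on the line above is still narrow arithmetic, and the value assigned to `s->time` as well as the later `s->pp_time = s->time - s->last_non_b_time` and `s->pb_time` differences keep whatever width those fields have; none of the declarations are in the hunk, so the overflow may have moved to the assignment or the subtraction rather than gone away. If `s->time` is not 64-bit the cast is narrowed away immediately. A comment naming the widths relied on, e.g. `/* s->time is 64-bit; time_base * framerate.num must fit it */`, would make the fix checkable; the same applies to the second hunk of this commit.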
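Review bot: Making `mul` `unsigned` relies on the other operand of each product later in `scale_coefs` (outside this hunk) being promoted to unsigned so that an overflow wraps instead of being undefined; the wrapped values are still numerically wrong, they are just no longer a sanitizer finding. Since `mul = (dynrng & 0x1f) + 0x20;` bounds `mul` to 0x20..0x3f, the overflow comes from the coefficient side, and a comment such as `unsigned mul; /* unsigned so coef * mul wraps rather than overflowing; inputs that large are garbage anyway */` records why the type is wider than the value needs.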
From 26afadbd29359dea996d7fb2fd647bf9cbb59584 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:58:47 +0200 Subject: [PATCH 527/658] avcodec/indeo4: Check remaining data in Pic hdr extension parsing code Fixes: Timeout Fixes: 2115/clusterfuzz-testcase-minimized-6594111748440064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3b5b60bdf451faefeeec07c4e684a251968bf2d) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 69f78c90b2..53bb5a239c 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -237,6 +237,8 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); + if (get_bits_left(&ctx->gb) < 10) + return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } From f263c4687f60c489d7086bbd4a58d1bb279fde80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 18:45:08 +0200 Subject: [PATCH 528/658] avcodec/cfhd: Check band parameters before storing them Fixes out of array read Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index dfc9ace792..9473473f2d 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
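Review bot: The threshold in `if (get_bits_left(&ctx->gb) < 10)` is a magic number: at that point the iteration's `get_bits1` has already been consumed, so the loop needs 8 bits for `skip_bits` plus 1 for the next continuation bit, i.e. 9; if the extra bit is deliberate it should be said, otherwise `< 9` matches the loop. A comment such as `/* 8-bit extension byte plus the next continuation bit */` keeps the constant honest. `decode_pic_hdr` continues outside the hunk.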
@@ -317,22 +317,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { - s->plane[s->channel_num].band[0][0].width = data; - s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].width = data; + s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { - s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { 
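Review bot: The lowpass height check in the `tag == 28` branch compares `data` against `s->plane[s->channel_num].band[0][0].height`, the very field the branch then overwrites, whereas the width branch compares against `a_width`; before this change the comparison was against the value just stored (never true), and after it the bound is merely the previous height, which is not an allocation limit. If an `a_height` counterpart to `a_width` exists, the test should read `data > s->plane[s->channel_num].band[0][0].a_height`; if it does not, the check as written does not protect the buffer. `cfhd_decode` extends beyond the hunk.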
@@ -363,39 +363,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", 
s->codebook); From 4f2aaccff0ecc3a0b5f3c1791c7bb5837ae3f602 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 19:43:25 +0200 Subject: [PATCH 529/658] avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 192d4fe8a7..157f0c31a7 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -275,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -327,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; 
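Review bot: The four highpass branches (tags 41, 42, 49, 50) only reject `data < 3`; unlike the lowpass `tag == 27` check in the preceding hunk there is no upper bound, so `width`, `stride` and `height` of `band[s->level][s->subband_num]` can still be set larger than whatever the band buffers were allocated for (the allocation is outside the hunk; presumably it is what `a_width` describes). Moving the stores after the checks is right, but an upper bound against the allocated size is what closes the remaining gap. Tags 41/49 and 42/50 are also byte-identical pairs that would read better as one helper with the log label passed in.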
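Review bot: `if (line_packets > s->avctx->height)` after `line_packets = -line_packets;` only works if `line_packets` is a signed 16-bit type, so that a skip opcode in 0xC000..0xFFFF negates to a small positive count; if it is an `int`, the negated value is negative, the comparison never fires, and `y_ptr += line_packets * s->frame->linesize[0]` is as unchecked as before. The declaration is outside the hunk and worth a glance, and a comment like `/* line_packets is 16-bit signed: the skip opcode is the negated line count */` documents the dependency. The `flic_decode_frame_15_16BPP` hunk that follows uses the same pattern; whether `y_ptr > pixel_limit` should be `>=` depends on how `pixel_limit` is defined, which is not visible here.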
@@ -563,9 +569,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; From 9f5ada68805113d96b26ec0eee7748714a7910d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 00:45:20 +0200 Subject: [PATCH 530/658] avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 2ed7361e38..c077b7b327 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1601,7 +1601,7 @@ void ff_eval_coefs(int *coefs, const int *refl) b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } From 427ee58d613a6d8a011f237cf4e11ee7dbe63018 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 01:05:26 +0200 Subject: [PATCH 531/658] avcodec/tiff: Fix leak of geotags[].val Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e) 
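Review bot: `(int)(refl[i] * (unsigned)b2[i-j-1]) >> 12` converts a wrapped unsigned product back to `int` before the shift; the out-of-range conversion is implementation-defined and the wrapped value is numerically meaningless, so this silences the sanitizer rather than preserving the coefficient. The `+ b2[j]` addition and the `b1[i] = refl[i] * 16;` context line stay in signed arithmetic and can still overflow for the same inputs. A comment such as `/* wrap on overflow is tolerated: reflection coefficients that large are corrupt */` records the intent; `ff_eval_coefs` continues outside the hunk.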
Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c46f771565..d026a5bd98 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1096,6 +1096,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { From 7927112377b5f1be313e69fb05b74898ba194b4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:32:35 +0200 Subject: [PATCH 532/658] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 Fixes: 2195/clusterfuzz-testcase-minimized-4736721533009920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d499ecef9c2467772b6066176ffda0b7ab27cc2) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 7945c46355..4506001619 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -389,7 +389,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp << shift; + dest[group * 128 + k] += tmp * (1 << shift); } } } From afc6d2242cbc29bd027283aa0e003357d867c1e0 Mon Sep 17 00:00:00 2001 
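Review bot: `tmp * (1 << shift)` is defined only while the product fits in `int` and `shift` stays below 31; `tmp` is bounded by the preceding `>> 37` of a 64-bit product, but the range of `shift` is not visible in the hunk, so the left-shift UB may have become a multiplication overflow for the same inputs. If `shift` is bounded where it is computed, say so at the use, e.g. `/* shift is bounded at parse time so tmp * (1 << shift) fits in int */`. `apply_dependent_coupling_fixed` extends beyond the hunk.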
From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:34:54 +0200 Subject: [PATCH 533/658] avcodec/snowdec: Fix runtime error: left shift of negative value -1 Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 022e9693c7..7d6d7ff44f 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -586,7 +586,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; x Date: Sun, 11 Jun 2017 20:19:59 +0200 Subject: [PATCH 534/658] avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index a1b46d5bd7..c71006112a 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values From 3a3c32ea1f81e3364bf693926e9c88ddde659f05 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 11 Jun 2017 20:28:46 +0200 Subject: [PATCH 535/658] avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 Fixes: 2208/clusterfuzz-testcase-minimized-5976593765761024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d24043e1a2f93f206a2ad59054f24f45ff023e5c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 188cc261a4..735ed0b1dc 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] <<= I_PRESHIFT; + data[i] *= 1 << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From fc5bbdf2c5ab27d71a282b336383eb3d775d7037 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 13:28:23 +0200 Subject: [PATCH 536/658] avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible Fixes: 1775/clusterfuzz-testcase-minimized-5330288148217856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d549f026d8b64b879c3ce3b8c7d153c82aa5eb52) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 924da83c85..f42708a8a7 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c 
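Review bot: `data[i] *= 1 << I_PRESHIFT;` removes the left-shift-of-negative diagnostic, but the multiplication still overflows `int32_t` whenever `|data[i]|` exceeds `INT32_MAX >> I_PRESHIFT`, and whether the coefficients are bounded that tightly at this point is not visible in the hunk. If they are, a comment stating the assumed range makes the fix checkable; if not, the overflow is merely relocated. `dwt_decode97_int` continues outside the hunk.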
@@ -242,7 +242,7 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, @@ -260,7 +260,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int shift, round; shift = 22 - s_m[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +273,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int64_t accu; shift = 22 - q_filt[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; @@ -286,6 +292,7 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], Y[m][1] = y1; phi_sign1 = -phi_sign1; } + return 0; } #include "sbrdsp_template.c" From fe3fcc551d710e0a7207322e02ba7974f0d1c293 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 16:25:59 +0200 Subject: [PATCH 537/658] avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() Fixes: runtime error: shift exponent -10 is negative Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1992448d37f7cfa2acda5cc729dc0ff1b019390) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 01f81afaaa..1f5ff410d1 100644 --- a/libavcodec/aacsbr_fixed.c 
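Review bot: `sbr_hf_apply_noise` now returns `AVERROR(ERANGE)`, but the diffstat lists only `libavcodec/sbrdsp_fixed.c` and its callers come in through `#include "sbrdsp_template.c"`, so unless those wrappers already pass the return value through, the error is computed and dropped and decoding proceeds with `Y` only partially updated. The early `return` also leaves the entries below the current `m` written and the rest untouched, which the caller cannot detect from the data. `av_log(NULL, ...)` loses the stream context; passing an `AVCodecContext` in, if one is reachable here, makes the message attributable. The same `av_log(NULL, ...)` pattern appears in the `aacsbr_fixed.c` change of the next patch.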
+++ b/libavcodec/aacsbr_fixed.c @@ -575,22 +575,30 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { + int shift2; shift = 22 - in[m ].exp; + shift2= 22 - in[m+1].exp; + if (shift < 1 || shift2 < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); + return; + } if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } - shift = 22 - in[m+1].exp; - if (shift < 32) { - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + if (shift2 < 32) { + round = 1 << (shift2-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift2; } } if(m_max&1) { shift = 22 - in[m ].exp; - if (shift < 32) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); + return; + } else if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } From c19fd272482ec0c74e53486e473b0b9b1b68184f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:49:23 +0200 Subject: [PATCH 538/658] avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 40 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 0da925c4f8..96c5b7b6fd 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
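Review bot: `sbr_hf_assemble` is `void`, so the new `return;` after the overflow log abandons the assembly with `out[]` partly updated and gives the caller no error to act on; a silently truncated result is exactly what such a check is meant to avoid. Returning an `int` error code, or at least a comment `/* overflow: remaining bands are left untouched and the caller cannot tell */` at both `return;` sites, should accompany the change. The `av_log(NULL, ...)` calls cannot be tied to a stream; the function's start and the loop over `e` are outside the hunk.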
@@ -284,26 +284,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * 
sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); From 5d609474f3b5196f33204dc572cf4914d88cda2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:55:17 +0200 Subject: [PATCH 539/658] avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 96c5b7b6fd..ba2d0a33df 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
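Review bot: Every term of the four `sprite_offset` expressions is now evaluated in `int64_t`, but whether that survives depends on the type of `sprite_offset`, which is declared outside the hunk; if it is still `int`, the widened sum is narrowed on assignment and the overflow is moved rather than removed (the next patch tests `FFABS(sprite_offset[0][i]) >= INT_MAX >> shift_y`, which reads as if it were `int`). The remaining `1 << (alpha + rho - 1)` and `1 << (alpha + rho + 1)` are still `int` shifts and are undefined once `alpha + rho + 1` reaches 31; the bound on `alpha + rho` is not visible here. The unchanged `s->sprite_delta[...] = (-r * sprite_ref[0][0] + virtual_ref[0][0])` lines below are `int` products of the same operands, so the same overflow can appear there. `(1 << alpha + rho)` parses as `1 << (alpha + rho)`; writing the parentheses saves the next reader the precedence check.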
@@ -361,14 +361,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0 || - FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c - ) { - avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - goto overflow; + for (i = 0; i < 2; i++) { + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } } for (i = 0; i < 2; i++) { From 8d0c353b733bb36919b7c2ec7ae92d75d28196ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:26:01 +0200 Subject: [PATCH 540/658] avcodec/hevc_refs: Check nb_refs in add_candidate_ref() Fixes: runtime error: index 16 out of bounds for type 'int [16]' Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 611ad458de..df52e401ad 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -438,7 +438,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { 
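Review bot: `shift_c < 0 || shift_y < 0` is loop-invariant but is re-evaluated on both iterations of the new loop; hoisting it into its own guard before the loop, `if (shift_c < 0 || shift_y < 0) { avpriv_request_sample(s->avctx, "Too large sprite shift"); goto overflow; }`, keeps the loop body to the per-component checks. `FFABS()` on an int equal to INT_MIN is itself undefined, so if sprite_delta or sprite_offset can reach INT_MIN the comparison should be done in 64 bits, e.g. `FFABS((int64_t)s->sprite_delta[0][i])`. The delta checks use shift_y for both rows while the offset checks split luma/chroma; if that is intentional a one-line comment would stop the next reader from "fixing" it. The function continues outside the hunk.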
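Review bot: The new `list->nb_refs >= MAX_REFS` rejection is folded into the `ref == s->ref` condition and returns silently, so an overlong reference list is indistinguishable in the logs from a self-reference. A separate check with its own message, `if (list->nb_refs >= MAX_REFS) { av_log(s->avctx, AV_LOG_ERROR, "Too many entries in reference list\n"); return AVERROR_INVALIDDATA; }`, would make fuzzer-found inputs easier to triage. The increment of nb_refs that this check protects is outside the hunk, as is the rest of add_candidate_ref.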
From 2d7e26277a7b0a349e8c789357924a6659a8eb5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:28:28 +0200 Subject: [PATCH 541/658] avcodec/hevcdec: Check nb_sps Signed-off-by: Michael Niedermayer (cherry picked from commit bc406744620710911de9157eafa3e61d0246566f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index cb1263cb43..3389b7f5c7 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -246,6 +246,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; From 3e6b7d5802f1e218f2462628489e6ffba1024bed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:26:18 +0200 Subject: [PATCH 542/658] avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2231/clusterfuzz-testcase-minimized-4565181982048256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3fadc57c5c170f31455abacbcbd67115d7321d7) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index 873e4505ec..8a022ad918 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -215,7 +215,7 @@ typedef struct Jpeg2000Component { /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { - return -(((int64_t)(-a)) >> b); + return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) 
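Review bot: The new bound on nb_sps is silent and carries no explanation of where the limit comes from; a comment such as `/* num_long_term_sps shall not exceed the SPS's num_long_term_ref_pics_sps (H.265 slice segment header semantics) */` plus an av_log at AV_LOG_ERROR would document it and separate it from the nb_sh array-bound check just below. nb_sps and nb_sh come straight from get_ue_golomb_long() on untrusted bitstream data, so both rejections are worth a log line. decode_lt_rps continues outside the hunk.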
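Review bot: ff_jpeg2000_ceildivpow2() still has no documentation of its contract after the rewrite, and the shift count b is not validated: `(-(int64_t)a) >> b` is undefined for b >= 64, and right-shifting a negative int64_t is implementation-defined (arithmetic on the compilers FFmpeg targets). A header comment, `/* ceil(a / 2^b) for signed a; caller guarantees 0 <= b < 64 */`, would record the assumption the fix relies on; whether callers bound b is not visible here. The result is narrowed back to int on return, which is safe since the magnitude of the result never exceeds |a|.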
From cfaa5affadd538b0bce37389d38df4a58f7589a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:41:46 +0200 Subject: [PATCH 543/658] avcodec/truemotion2: Move skip computation after checks Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int' Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e6ae05f1d5..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { From 37c77f74c277631463fe7e82e54bae5efdc48bee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jun 2017 02:16:54 +0200 Subject: [PATCH 544/658] avcodec/shorten: Sanity check maxnlpc Fixes OOM Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) 
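Review bot: `if (len == 0) return 4;` still runs before the size validation, so when buf_size is smaller than 4 a truncated header (the bytestream2 safe readers return 0 at end of buffer) reports 4 bytes consumed that do not exist; whether the caller already guarantees buf_size >= 4 is not visible here. If it does not, `if (buf_size < 4) return AVERROR_INVALIDDATA;` before the read would close that. The reordering itself is right: `len >= INT_MAX / 4 - 1` is tested first, so `len * 4 + 4` in the same condition can no longer overflow, and skip is now only computed from validated input. tm2_read_stream continues outside the hunk.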
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 388d8dee78..a36a77210e 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -436,6 +436,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); From d51d7b0971443f17d3ca598fd6d83ade6785f442 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jun 2017 19:57:08 +0200 Subject: [PATCH 545/658] avcodec/jpeg2000dec: Check nonzerobits more completely Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int' Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b23e1678d5..f1abc9a5ef 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -960,9 +960,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; From 10dc2c48ed0424a3a895e85cb4aa3bdc605bc10d Mon Sep 17 00:00:00 2001 
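Review bot: The new `maxnlpc > 1024U` check prints maxnlpc with `%d`, but the unsigned literal suggests maxnlpc is unsigned (its declaration is outside the hunk); if so the format should be `%u`, and if it is int the unsigned comparison deliberately rejects negative values as well and deserves a comment saying so. The 1024 bound is a bare magic number; a named constant, or a comment explaining why 1024 is the largest LPC order the decoder is willing to allocate for, would help the next reader. read_header continues outside the hunk.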
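Review bot: The new `v > 30` bound is unexplained in the code; the commit message ties it to a 32-bit shift by nonzerobits elsewhere, but that shift is outside the hunk, so a comment on the check, `/* nonzerobits is later used as a shift count on 32-bit values; anything above 30 would overflow */`, would keep the reason next to the limit. v is derived from `expn[bandno] + numgbits - 1 - tag_tree_decode(...)`, all bitstream-driven, so the range check is the right place for it. jpeg2000_decode_packet continues outside the hunk.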
From: Michael Niedermayer Date: Sat, 17 Jun 2017 00:34:08 +0200 Subject: [PATCH 546/658] avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int' Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 3389b7f5c7..c1fa67f67b 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -271,12 +271,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } From 2d0fd04f1619d98738fa5a06d2f7e486ca7badaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 14:54:19 +0200 Subject: [PATCH 547/658] avcodec/hevcpred_template: Fix left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
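Review bot: `prev_delta_msb = delta;` stores the new int64_t delta into prev_delta_msb, which is declared outside the hunk and was int when delta was int, so the value is silently narrowed and the next iteration's `delta += prev_delta_msb` works on the truncated value while the poc check sees the full one. Widening prev_delta_msb to int64_t alongside delta, or bounding delta right after get_ue_golomb_long() (the syntax element it carries is small by specification), would make the two iterations consistent. The `poc != (int32_t)poc` round-trip is a sound way to reject out-of-range results but reads as a trick; `/* reject if the 64-bit result does not fit the int32 poc field */` would help. decode_lt_rps continues outside the hunk.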
diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6ae87cca13..6fe33546b1 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ From 575ba21007872ef481b6fe54142fe4f476fb72c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 15:06:21 +0200 Subject: [PATCH 548/658] avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows Fixes: runtime error: signed integer overflow: 58065 * 51981 cannot be represented in type 'int' Fixes: 2271/clusterfuzz-testcase-minimized-5778297776504832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c746f92a8e03d5a062359fba836eba4b3530687e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index d183cbb87d..c746aed924 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c 
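Review bot: MVF_PU now multiplies by `(1 << hshift)` instead of shifting, and nothing in the code says why, which invites the next reader to "simplify" it back; a comment on the macro, `/* x/y may be negative: multiply by 1 << shift instead of left-shifting, which is undefined for negative values */`, would keep the reason with the code. The macro is defined inside FUNC(intra_pred), whose body continues outside the hunk.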
@@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; From 8a38efad428f9e8bdea69c0a8d706ffb1de87ad5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2017 14:37:19 +0200 Subject: [PATCH 549/658] avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int' Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 66983d67c9..cc5623e0ca 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -887,7 +887,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: From dcace98d085bb0993eebc8ee1112be3f1e3f4a07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2017 15:41:44 +0200 Subject: [PATCH 550/658] Update for 3.1.9 
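Review bot: The rewrite narrows the overflow window rather than removing it: `26345 * *src2` still overflows int once |*src2| exceeds INT_MAX / 26345 (about 81500), and the untouched `i_ict_params[1] * *src1` and `i_ict_params[2] * *src2` products in i1 overflow at comparable magnitudes; if the sample range reaching ict_int() is not bounded elsewhere, computing the products in int64_t, e.g. `((int64_t)26345 * *src2 + (1 << 15)) >> 16`, would close it for all four. The literals 26345 and -14942 are now detached from i_ict_params[] and deserve a comment, e.g. `/* 1.402*65536 and 1.772*65536 split into an integer part (added as *src2 and 2 * *src1) and the fractional remainder, so the product fits in int */`. ict_int's setup is outside the hunk.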
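Review bot: `decoded[i] + 0x80U` now wraps modulo 2^32 and is then truncated to uint8_t, so a decoded value outside the 8-bit range is stored wrapped rather than clipped; if that is by design a comment, `/* unsigned add: wraps instead of overflowing; values are expected to already fit 8 bits */`, would record it, and if out-of-range samples are possible av_clip_uint8() would be the safer store. tak_decode_frame continues outside the hunk.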
Signed-off-by: Michael Niedermayer --- Changelog | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 105 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 2ce1e79cf5..cea0f738fb 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,109 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.1.9: +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/truemotion2: Move skip computation after checks +- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. +- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() +- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible +- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/cfhd: Check band parameters before storing them +- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix 
runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/qdrw: Fix null pointer dereference +- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/dxv: Check remaining bytes in dxv_decompress_raw() +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avformat/options: log filename on open +- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of 
representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro +- avcodec/webp: Fixes null pointer dereference +- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ylc: Check count in build_vlc() +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/sheervideo: Check input buffer size before allocating and decoding +- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- doc/filters: Clarify scale2ref example +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avformat/mux: Fix copy an paste typo +- avutil/internal: Do not enable CHECKED 
with DEBUG +- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' +- avcodec/mpeg4videodec: Check for multiple VOL headers +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 
+ 255 cannot be represented in type 'int' +- avcodec/aacdec_template: Fix fixed point scale in decode_cce() +- avcodec/nvenc: remove unnecessary alignment + + version 3.1.8: - avcodec/flicvideo: Check frame_size before decrementing - avcodec/mlpdec: Fix runtime error: left shift of negative value -1 diff --git a/RELEASE b/RELEASE index c848fb9cb4..7148b0a991 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.8 +3.1.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 745d21773c..b234a11f4a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.8 +PROJECT_NUMBER = 3.1.9 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 8ead0d3806743a5b57d51bf89bcd9a349813396f Mon Sep 17 00:00:00 2001 From: Anton Mitrofanov Date: Wed, 31 May 2017 02:37:41 +0300 Subject: [PATCH 551/658] avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 Use the correct ctxIdxInc calculation for coded_block_flag. Keep old behavior for old versions of x264 for backward compatibility. Signed-off-by: Ronald S. Bultje (cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 47 +++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index d23b4fc6f1..5c8b79f6b2 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2348,21 +2348,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = sl->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->sei.unregistered.x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(sl->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(sl->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (sl->top_type && !IS_8x8DCT(sl->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; From ac86dc7716bf47045d6e64982b38a153a9b073ec Mon Sep 17 00:00:00 2001 
From: Anton Mitrofanov Date: Tue, 13 Jun 2017 23:37:29 +0300 Subject: [PATCH 552/658] avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 Signed-off-by: Ronald S. Bultje (cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index e33a59e4ca..4ae56ae8c2 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -636,7 +636,7 @@ static av_always_inline void hl_decode_mb_predict_luma(const H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = sl->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->ps.sps->profile_idc == 244 && dir <= 1) { - if (h->sei.unregistered.x264_build != -1) { + if (h->sei.unregistered.x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), From 70b7147926498a21a819acaabe61a29614933499 Mon Sep 17 00:00:00 2001 From: Anton Mitrofanov Date: Wed, 14 Jun 2017 03:01:56 +0300 Subject: [PATCH 553/658] avcodec/h264: Fix mix of lossless and lossy MBs decoding Signed-off-by: Ronald S. Bultje (cherry picked from commit cf231b68da1150c100114f2c5671b7ed740f917a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 16 ++++++++-------- libavcodec/h264_cavlc.c | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 5c8b79f6b2..111d7917b8 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2390,14 +2390,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const uint32_t *qmul; - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - // decode_cabac_mb_dqp if(get_cabac_noinline( &sl->cabac, &sl->cabac_state[60 + (sl->last_qscale_diff != 0)])){ int val = 1; @@ -2428,6 +2420,14 @@ decode_intra_mb: }else sl->last_qscale_diff=0; + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 0); if (CHROMA444(h)) { decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 1); diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0e366d97b0..4d743e1324 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1102,14 +1102,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const int max_qp = 51 + 6 * (h->ps.sps->bit_depth_luma - 8); - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - dquant= get_se_golomb(&sl->gb); sl->qscale += (unsigned)dquant; 
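Review bot: The scan-table selection is moved below the mb_qp_delta handling without a comment saying why, which leaves the next reader free to hoist it back: the tables are chosen on `sl->qscale`, and the old placement read qscale before the delta was applied, so the `_q0` variants (presumably the qscale == 0, lossless case) were picked from the previous macroblock's qp. A comment at the new site, `/* choose scan tables only after mb_qp_delta has updated sl->qscale, so a lossless MB following a lossy one gets the _q0 tables */`, would capture the fix; the same applies to the h264_cavlc hunk that follows. Between the removed and re-added assignments `scan` and `scan8x8` are declared but unset, which is fine as long as nothing in the dqp block uses them, and nothing visible does. The decode_intra_mb block continues outside the hunks.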
@@ -1126,6 +1118,14 @@ decode_intra_mb: sl->chroma_qp[0] = get_chroma_qp(h, 0, sl->qscale); sl->chroma_qp[1] = get_chroma_qp(h, 1, sl->qscale); + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + if ((ret = decode_luma_residual(h, sl, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 0)) < 0 ) { return -1; } From 5cd693fd426b4fc13899e0fa5b47c49325243409 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 17:58:45 +0200 Subject: [PATCH 554/658] avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reduces the worst case from O(n²) to O(n) time Fixes Timeout Fixes: 2127/clusterfuzz-testcase-minimized-6595787859427328 Signed-off-by: Michael Niedermayer (cherry picked from commit 4132218b87cd6fb13abd162e3037ef4563286baa) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 16295daa0c..70311c66d5 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -56,6 +56,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; SrtStack stack[16]; + int closing_brace_missing = 0; stack[0].tag[0] = 0; strcpy(stack[0].param[PARAM_SIZE], "{\\fs}"); 
@@ -83,11 +84,20 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) and all microdvd like styles such as {Y:xxx} */ len = 0; an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - if ((an != 1 && (len = 0, sscanf(in, "{\\%*[^}]}%n", &len) >= 0 && len > 0)) || - (len = 0, sscanf(in, "{%*1[CcFfoPSsYy]:%*[^}]}%n", &len) >= 0 && len > 0)) { - in += len - 1; - } else - av_bprint_chars(dst, *in, 1); + + if (!closing_brace_missing) { + if ( (an != 1 && in[1] == '\\') + || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { + char *bracep = strchr(in+2, '}'); + if (bracep) { + in = bracep; + break; + } else + closing_brace_missing = 1; + } + } + + av_bprint_chars(dst, *in, 1); break; case '<': tag_close = in[1] == '/'; From 1124df46393b4e8fa37712b942b3e7fe6e3a97d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:04:32 +0200 Subject: [PATCH 555/658] avcodec/aacdec_fixed: Check s for being too small Fixes: runtime error: shift exponent -8 is negative Fixes: 2286/clusterfuzz-testcase-minimized-5711764169687040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf7edbd6c5d48d7302877352f7b60092d5b65243) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 4506001619..0cac3bf4eb 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -181,14 +181,15 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) out = (int)(((int64_t)src[i] * c) >> 32); dst[i] = ((int)(out+round) >> s) * ssign; } - } - else { + } else if (s > -32) { s = s + 32; round = 1 << (s-1); for (i=0; i> s); dst[i] = out * (unsigned)ssign; } + } else { + av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n"); } } 
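Review bot: `closing_brace_missing` is set once and never cleared, so after the first `{` without a matching `}` every later `{\...}` or `{C:...}` tag in the same input is copied to the output verbatim instead of being stripped; that is the intended O(n) trade-off but it is a user-visible behaviour change that deserves a comment at the declaration, e.g. `/* once a '{' has no closing '}', stop scanning for tags: keeps the pass O(n) but leaves later tags in the output */`. The new test also accepts an empty tag body (`{\}`, `{C:}`) that the old `%*[^}]` pattern rejected; harmless as far as visible, but worth stating. The `in[1] &&` guard is what makes `in[2]` and `strchr(in+2, '}')` safe to read, so it must stay in front of the `strchr`. ff_htmlmarkup_to_ass continues outside the hunk.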
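Review bot: In the new `else` branch of subband_scale the error is logged but `dst[0..len)` is never written, so whatever the caller had in that buffer (stale coefficients, or uninitialised memory if it is fresh) is consumed downstream; zeroing it keeps the failure deterministic: `memset(dst, 0, len * sizeof(*dst));` before the `av_log`. Logging through `av_log(NULL, ...)` also drops the per-context prefix used by the other decoders in this series; if a context is reachable from the caller it would be better passed in. The hunk text in this listing is garbled around the inner loop (`for (i=0; i> s);`), so the loop body itself could not be reviewed here.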
From 48b0e94a6cb5f1278354743b89bcc8984fb1b560 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:08:58 +0200 Subject: [PATCH 556/658] avcodec/wavpack: Fix undefined integer negation Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e55cd82595..0dcc05037d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -307,8 +307,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else From feefeb4df1c18603508b87659fa4d423212d2c60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:35:49 +0200 Subject: [PATCH 557/658] avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) Fixes: runtime error: signed integer overflow: -1575818955 + -915383657 cannot be represented in type 'int' Fixes: 2224/clusterfuzz-testcase-minimized-6208559949807616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e95fcfe8fb28fdfdaecec465c60aad79bc340a3d) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
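Review bot: The context line `S <<= s->float_shift;` just above the changed negation left-shifts a signed, possibly negative `S`, which is the same undefined-behaviour class the commit fixes one line later; `S = (unsigned)S << s->float_shift;` would close it (assuming float_shift is range-checked elsewhere, which is not visible here). Storing `-(unsigned)S` back into an int is implementation-defined rather than undefined, and the `0x1000000U` comparison then treats INT_MIN as 0x80000000, i.e. as a too-large value — the right outcome, but a short comment saying so would help. wv_get_value_float begins and ends outside the hunk.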
diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index edb1a6bc7d..704ffa9d4b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -117,11 +117,14 @@ void ff_lpc_end(LPCContext *s); #if USE_FIXED typedef int LPC_TYPE; +typedef unsigned LPC_TYPE_U; #else #ifdef LPC_USE_DOUBLE typedef double LPC_TYPE; +typedef double LPC_TYPE_U; #else typedef float LPC_TYPE; +typedef float LPC_TYPE_U; #endif #endif // USE_FIXED @@ -192,8 +195,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j < (i+1)>>1; j++) { LPC_TYPE f = lpc_last[ j]; LPC_TYPE b = lpc_last[i-1-j]; - lpc[ j] = f + AAC_MUL26(r, b); - lpc[i-1-j] = b + AAC_MUL26(r, f); + lpc[ j] = f + (LPC_TYPE_U)AAC_MUL26(r, b); + lpc[i-1-j] = b + (LPC_TYPE_U)AAC_MUL26(r, f); } if (fail && err < 0) From af1f0f815b9a8a16c9a9e517d9fde202adc13d4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 13:52:06 +0200 Subject: [PATCH 558/658] avcodec/mpeg4videodec: Fix overflow in virtual_ref computation Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ba2d0a33df..0edea05004 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
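Review bot: `LPC_TYPE_U` is introduced without any comment, and its meaning is non-obvious because it is `unsigned` only in the fixed-point build and a plain alias of `LPC_TYPE` otherwise; suggest above `#if USE_FIXED`: `/* LPC_TYPE_U: unsigned twin of LPC_TYPE. Fixed-point builds accumulate through it so that overflow wraps instead of being UB; for float/double it is the same type. */`. In compute_lpc_coefs the `f + (LPC_TYPE_U)...` result is converted back to a signed `LPC_TYPE` on store, which is implementation-defined (not UB), so wrapped values are still garbage on overflow — fine for fuzz hardening but worth a word in that comment. compute_lpc_coefs extends outside the hunk.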
@@ -243,18 +243,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: From fc30465bcb35c38b411af99f10c0d44f6b19302a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 14:38:34 +0200 Subject: [PATCH 559/658] avcodec/hevc_filter: Fix invalid shift Fixes: runtime error: left shift of negative value -1 Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b) 
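Review bot: The `16LL` widening makes the products and the ROUNDED_DIV 64-bit, but the results are then stored into `virtual_ref[][]`, whose element type is not visible here (presumably int), so a stream with large `sprite_ref`/`vop_ref` values now truncates silently instead of overflowing; if `virtual_ref` is int, an explicit range check or clip before the store would make the failure mode deterministic. `r * sprite_ref[0][0]` is still int×int; with `r` at most 16/a that is safe only if `sprite_ref` is bounded at parse time, which should be confirmed. The enclosing mpeg4_decode_sprite_trajectory continues outside the hunk.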
Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 1f33b0cdfe..9fbcd1d8b8 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -471,7 +471,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) From 46842f6de995cd3b530f2112b72e197300b1ed25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jun 2017 17:56:34 +0200 Subject: [PATCH 560/658] avcodec/cfhd: Fix undefined shift Fixes: runtime error: left shift of negative value -1 Fixes: 2303/clusterfuzz-testcase-minimized-5529675273076736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a950f4e32a9756391f81987246d96b6549dd447) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 9473473f2d..c7bc54617d 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -710,7 +710,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From 9c52cf95ee3569603105c5bd03284811391208fe Mon Sep 17 00:00:00 2001 
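Review bot: `(tc_offset & -2)` silently relies on two's-complement representation to clear bit 0 of a possibly negative offset, and the macro still picks `tc_offset` up from whichever scope it is expanded in; a comment on the macro would document both: `/* tc_offset is captured from the expansion site; & -2 clears bit 0 (two's complement), i.e. rounds to the even value derived from *_div2 */`. If every producer of tc_offset already stores `2 * tc_offset_div2` (the PPS path does after this series; the slice-header path is not visible), the masking is a no-op and could be dropped rather than rewritten.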
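Review bot: The same `output[j] <<= 2;` loop appears earlier in cfhd_decode (the copy around line 662 is left untouched by this commit), so the undefined left shift of a negative coefficient survives there; both loops scale the level-0 subband identically and would be better served by one static helper taking the subband pointer and `lowpass_width`/`lowpass_height` than by two hand-copied fixes. With `*= 4` the multiply is done in int and narrowed on store (element type not visible), which is implementation-defined rather than undefined — acceptable here, but clipping would be stricter. cfhd_decode extends outside the hunk.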
From: Michael Niedermayer Date: Wed, 21 Jun 2017 19:34:31 +0200 Subject: [PATCH 561/658] avcodec/cfhd: Check bpc before setting bpc in context Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 2306/clusterfuzz-testcase-minimized-5002997392211968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f1d2355a7e4d681bea82b4cf4280272d9fe8af3) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index c7bc54617d..51ff26e57a 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -258,6 +258,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->coded_height = data; } else if (tag == 101) { av_log(avctx, AV_LOG_DEBUG, "Bits per component: %"PRIu16"\n", data); + if (data < 1 || data > 31) { + av_log(avctx, AV_LOG_ERROR, "Bits per component %d is invalid\n", data); + ret = AVERROR(EINVAL); + break; + } s->bpc = data; } else if (tag == 12) { av_log(avctx, AV_LOG_DEBUG, "Channel Count: %"PRIu16"\n", data); @@ -404,12 +409,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Other codebook? %i\n", s->codebook); } else if (tag == 70) { av_log(avctx, AV_LOG_DEBUG, "Subsampling or bit-depth flag? %i\n", data); - s->bpc = data; - if (!(s->bpc == 10 || s->bpc == 12)) { + if (!(data == 10 || data == 12)) { av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n"); ret = AVERROR(EINVAL); break; } + s->bpc = data; } else if (tag == 84) { av_log(avctx, AV_LOG_DEBUG, "Sample format? %i\n", data); if (data == 1) From a2d9595a4b4e0e6fe85683ff79774fd618b282cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 03:10:22 +0200 Subject: [PATCH 562/658] Changelog: update --- Changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) 
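Review bot: The two bpc validations disagree: tag 101 now accepts any value in 1..31 while tag 70 accepts only 10 or 12, so a stream can still set `s->bpc` to, say, 3 or 31 via tag 101 and every later `1 << bpc`-style use must cope with that; unless the decoder genuinely supports other depths, tag 101 should apply the same `data == 10 || data == 12` test, or a comment should say why the wider range is allowed. Both branches return `AVERROR(EINVAL)` for malformed bitstream data where the rest of this series uses `AVERROR_INVALIDDATA`; the distinction matters to callers that treat EINVAL as a programming error. cfhd_decode continues outside the hunks.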
diff --git a/Changelog b/Changelog index cea0f738fb..87a2a49eaf 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,17 @@ releases are sorted from youngest to oldest. version 3.1.9: +- avcodec/cfhd: Check bpc before setting bpc in context +- avcodec/cfhd: Fix undefined shift +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) +- avcodec/wavpack: Fix undefined integer negation +- avcodec/aacdec_fixed: Check s for being too small +- avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code +- avcodec/h264: Fix mix of lossless and lossy MBs decoding +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 - avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output - avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows - avcodec/hevcpred_template: Fix left shift of negative value From 62b536690d2777b72eefd5af936e4773058f2fdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 20:21:05 +0200 Subject: [PATCH 563/658] avcodec/tiff: Update pointer only when the result is used Fixes: runtime error: signed integer overflow: 538976288 * 32 cannot be represented in type 'int' Fixes: 2310/clusterfuzz-testcase-minimized-4534784887881728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27f80ab0160d2e64007e1c9799ffd4504cc13eb5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d026a5bd98..fcfa32dc8b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -1288,6 +1288,8 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { + if (i) + dst += s->rps * stride; if (s->stripsizesoff) ssize = ff_tget(&stripsizes, s->sstype, le); else @@ -1308,7 +1310,6 @@ static int decode_frame(AVCodecContext *avctx, return ret; break; } - dst += s->rps * stride; } if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { From 10a085a21f2da353652d67f17292b24fbd9fd67a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 21:21:56 +0200 Subject: [PATCH 564/658] avcodec/takdec: Fix integer overflow Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int' Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index cc5623e0ca..c4c4b30aba 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -481,7 +481,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { v += s->residues[i + j + 3] * s->filter[j + 3] + From b3cf49b6f9a2a3459250350fdb2b70ac164116e0 Mon Sep 17 00:00:00 2001 
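Review bot: The relocated `dst += s->rps * stride;` still multiplies two ints, so the reported overflow is avoided only because the product is no longer formed after the last strip; if `s->rps * stride` can exceed INT_MAX while `i < s->height` still holds (dependent on dimension/rps validation done earlier, not visible), it reappears. Widening the step, `dst += (ptrdiff_t)s->rps * stride;`, removes the dependency on that invariant. The `if (i)` guard is correct but non-obvious; `/* advance after the first strip only, so no pointer past the buffer is ever formed */` would help. decode_frame extends outside the hunk.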
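Review bot: Only the `scalarproduct_int16` term is cast to unsigned; the tail loop immediately below, `v += s->residues[i + j + 3] * s->filter[j + 3] + ...`, still adds signed products into the same int `v` and can overflow in exactly the way the commit message describes. Declaring the accumulator unsigned at its definition (`unsigned v = 1 << (filter_quant - 1);`) fixes both paths at once, provided whatever consumes `v` afterwards (outside the hunk) is checked for a sign-dependent shift or compare. decode_subframe begins and ends outside this hunk.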
From: Michael Niedermayer Date: Fri, 23 Jun 2017 01:58:48 +0200 Subject: [PATCH 565/658] avcodec/wavpack: Fix integer overflow Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int' Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0dcc05037d..a4f05f094f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -219,7 +219,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); From f626a479f41245de5d5f666c76833797b94a8b57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Jun 2017 13:45:35 +0200 Subject: [PATCH 566/658] avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 Fixes: runtime error: shift exponent -1 is negative Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 0edea05004..2e74a33758 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
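Review bot: The `U` suffix in `GET_MED(2) * (t - 2U)` is the whole fix and is easy to lose in a later edit; `base` is then assigned from an unsigned expression back to (presumably) an int, which is implementation-defined on wrap. A comment on the line keeps the intent visible: `/* unsigned: GET_MED(2) * (t - 2) can exceed INT_MAX on crafted input; wrapping is harmless here, signed overflow would be UB */`. The sibling branches of this if-chain (outside the hunk) build `base` from the same `GET_MED` sums and may need the same treatment. wv_get_value extends outside the hunk.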
@@ -171,7 +171,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; From 62e942ab1c04d29c8c14257e46bf65f66e0ff792 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jun 2017 00:13:53 +0200 Subject: [PATCH 567/658] avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int' Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a4f05f094f..70625548eb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From 750fec58e175b22ac23ff349c4b0a9b765ea4d0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jul 2017 14:57:20 +0200 Subject: [PATCH 568/658] avcodec/apedec: Fix integer overflow Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
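Review bot: `alpha` now starts at 1 but `beta`, declared on the next line and presumably the height counterpart (the function reads both `w` and `h`), still starts at 0, so if the shift that went negative for a width of 1 has a mirror for height, a stream with height 1 would hit the same `shift exponent -1`; either `int beta = 1;` is also needed or the reason it is not should be stated. A comment on the initialiser is warranted either way: `/* start at 1 so the width power-of-two is at least 2; a width of 1 otherwise drives a later shift negative */` (the exact shift is outside the hunk, so confirm the wording). mpeg4_decode_sprite_trajectory continues outside the hunk.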
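Review bot: The unsigned addition fixes the sum, but `FFABS(L)` and `FFABS(R)` are themselves signed negations and are undefined when the operand is INT_MIN; if L or R can reach that value (not visible here), the check still invokes UB before the comparison. A form that never negates, e.g. `if ((unsigned)L + (1 << 19) > (2 << 19) || (unsigned)R + (1 << 19) > (2 << 19))`, rejects out-of-range samples without the hazard — it is a per-channel bound rather than the combined one, so check it against the intended limit. wv_unpack_stereo extends outside the hunk.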
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index b99598b4ee..072e3b42cf 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); From 634e9a696d85fd32456f61aa23ca5f90544788fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Jun 2017 15:05:08 +0200 Subject: [PATCH 569/658] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: -163654656 * 256 cannot be represented in type 'int' Fixes: 2367/clusterfuzz-testcase-minimized-4648678897745920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea5366670e26b2c6c396e6a5f49827a2b71e6dd6) 
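Review bot: The new `nblocks` bound and the `av_assert0(decoded_buffer_size <= INT_MAX)` encode the same limit twice with no comment linking them, and `av_assert0` aborts the process if they ever drift apart (for instance if `s->samples` is set from a path other than `nblocks`, which is outside the hunk); a comment at the check makes the invariant explicit: `/* bound nblocks so 2 * FFALIGN(nblocks, 8) * sizeof(*decoded_buffer) fits in int; -8 leaves room for the alignment */`. `INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8` is a size_t expression, so `nblocks` is promoted for the comparison, which is fine on 32- and 64-bit; the `2LL *` in the size computation is what keeps the multiplication from overflowing before the assert runs. ape_decode_frame extends outside the hunk.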
Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 735ed0b1dc..e4aa2e4a3d 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] *= 1 << I_PRESHIFT; + data[i] *= 1LL << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From 73f42b7b58caea043578f6041be655b15c14fc70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:29:02 +0200 Subject: [PATCH 570/658] avcodec/vb: Check vertical GMC component before multiply Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int' Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 560165adc7..021657f7d8 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { From d2452b9e20ec16f241274f9ea836803b0652678e Mon Sep 17 00:00:00 2001 
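Review bot: `data[i] *= 1LL << I_PRESHIFT;` computes the product in 64 bits but then narrows it back into the int32_t element, so an out-of-range coefficient is no longer undefined but still wraps silently into the inverse transform; a comment should say that this is deliberate, e.g. `/* widen to avoid signed-overflow UB; the store truncates (implementation-defined), acceptable for corrupt input */`, or the value should be clipped if the transform assumes bounded input (not visible here). dwt_decode97_int continues outside the hunk.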
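Review bot: The new check bounds only `j`, so `j * avctx->width` cannot overflow, but `offset = i + j * avctx->width` can still be negative or beyond the frame (i is a signed 16-bit value, j up to ±height), and the hunk shows no check on `offset` before use; unless the consumer validates it (outside the hunk), a stricter `if (FFABS(i) > avctx->width || FFABS(j) > avctx->height)` is cheap and matches the "GMV out of range" message. The comparison also relies on `avctx->width * avctx->height` fitting in int, which the usual image-size check guarantees but which is worth stating in a comment. decode_frame extends outside the hunk.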
From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:47:59 +0200 Subject: [PATCH 571/658] avcodec/cfhd: Fix invalid left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2395/clusterfuzz-testcase-minimized-6540529313513472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c709f009dad20d99b28918f4f8d7cd394b838def) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 51ff26e57a..3dc768e516 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -662,7 +662,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From 0837678cbd332489cd89700df22d0a8da0e3721c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jun 2017 16:23:32 +0200 Subject: [PATCH 572/658] avcodec/hevc_ps: Fix integer overflow with beta/tc offsets Fixes: runtime error: signed integer overflow: 2113929216 * 2 cannot be represented in type 'int' Fixes: 2422/clusterfuzz-testcase-minimized-5242114713583616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de54a37c1dfa2817b5838720fac44e82312ccbfd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 4b2a6244ee..7a4ca7083a 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
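Review bot: This is the second copy of the same `output[j] <<= 2` loop in cfhd_decode to receive the same fix (the other copy, around line 710, was changed earlier in this series), which is a sign the loop should live in one place; a small `static` helper taking the subband pointer, `lowpass_width` and `lowpass_height` would ensure the next change is applied once. As with the other copy, `*= 4` promotes to int and narrows on store, so extreme coefficients wrap rather than trap — acceptable for fuzz hardening, but worth a comment. cfhd_decode extends outside the hunk.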
@@ -1572,20 +1572,22 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, pps->deblocking_filter_override_enabled_flag = get_bits1(gb); pps->disable_dbf = get_bits1(gb); if (!pps->disable_dbf) { - pps->beta_offset = get_se_golomb(gb) * 2; - pps->tc_offset = get_se_golomb(gb) * 2; - if (pps->beta_offset/2 < -6 || pps->beta_offset/2 > 6) { + int beta_offset_div2 = get_se_golomb(gb); + int tc_offset_div2 = get_se_golomb(gb) ; + if (beta_offset_div2 < -6 || beta_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_beta_offset_div2 out of range: %d\n", - pps->beta_offset/2); + beta_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->tc_offset/2 < -6 || pps->tc_offset/2 > 6) { + if (tc_offset_div2 < -6 || tc_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_tc_offset_div2 out of range: %d\n", - pps->tc_offset/2); + tc_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } + pps->beta_offset = 2 * beta_offset_div2; + pps->tc_offset = 2 * tc_offset_div2; } } From 965f15551fb07f1c0be37fd369b0ab4462da0965 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jul 2017 00:05:11 +0200 Subject: [PATCH 573/658] avcodec/h264_slice: Fix signed integer overflow Fixes: runtime error: signed integer overflow: 26 + 2147483644 cannot be represented in type 'int' Fixes: 2456/clusterfuzz-testcase-minimized-4822695051001856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7592d97f10134422d4509ab1287796af70e003ba) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 474400ba2f..d3f1360359 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
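Review bot: `int tc_offset_div2 = get_se_golomb(gb) ;` has a stray space before the semicolon, and the two range checks with their error logs are copy-pasted with only the name changed; a combined test such as `if ((unsigned)(beta_offset_div2 + 6) > 12 || (unsigned)(tc_offset_div2 + 6) > 12)` would read better, though the separate messages are arguably worth keeping. The slice-header `slice_beta_offset_div2`/`slice_tc_offset_div2` parsing (not visible here) presumably had the same `get_se_golomb(gb) * 2` shape and should get the same validate-then-multiply order. ff_hevc_decode_nal_pps extends outside the hunk.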
@@ -1667,7 +1667,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) } sl->last_qscale_diff = 0; - tmp = pps->init_qp + get_se_golomb(&sl->gb); + tmp = pps->init_qp + (unsigned)get_se_golomb(&sl->gb); if (tmp > 51 + 6 * (sps->bit_depth_luma - 8)) { av_log(h->avctx, AV_LOG_ERROR, "QP %u out of range\n", tmp); return AVERROR_INVALIDDATA; From be1f146a0f1c1d30d6ec09b93c29615dae7caff6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Jun 2017 13:47:32 +0200 Subject: [PATCH 574/658] avcodec/wavpack: Fix invalid shift Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c07af720984acaafaa273369080b458d73975775) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 70625548eb..0429adcfe1 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -837,9 +837,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 31) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; From 215d6f897d3ef879dcfcf2a66881e3542881cec2 Mon Sep 17 00:00:00 2001 
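Review bot: The `(unsigned)` cast on `get_se_golomb` does double duty — it avoids the signed overflow and it turns a negative `init_qp + delta` into a huge value that the `tmp > 51 + ...` check rejects — but nothing in the code says so, and a reader may "fix" it back; suggest `/* unsigned on purpose: a negative QP wraps to a large value and fails the range check below */` above the line. This assumes `tmp` is declared unsigned (the `%u` in the log suggests it); if it is an int, the comparison is done in int and a negative QP would slip through. ff_h264_decode_slice_header continues outside the hunk.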
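Review bot: Lowering the bound to `> 30` rejects `extra_bits == 31`, which previously decoded; if the container allows 31 extra bits (the format limit is not visible here), making the shift at the use site unsigned (`1U << s->extra_bits`) would fix the UB without shrinking the accepted input set. The branch also `continue`s rather than failing the block on an invalid INT32INFO, so a malformed value is silently ignored — pre-existing, but a comment would help. wavpack_decode_block extends outside the hunk.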
From: Michael Niedermayer Date: Sun, 2 Jul 2017 03:30:54 +0200 Subject: [PATCH 575/658] avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() Fixes: runtime error: signed integer overflow: -2049425300 + -117591631 cannot be represented in type 'int' Fixes: part of 2096/clusterfuzz-testcase-minimized-4901566068817920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2061de8a3f73f14806e5f6ccaf9a635f740a54e6) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f42708a8a7..7d593a18b8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -253,8 +253,8 @@ static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], int m; for (m = 0; m < m_max; m++) { - int y0 = Y[m][0]; - int y1 = Y[m][1]; + unsigned y0 = Y[m][0]; + unsigned y1 = Y[m][1]; noise = (noise + 1) & 0x1ff; if (s_m[m].mant) { int shift, round; From 51f0580c5f4315cae4788e0fbfb7c26fa191afd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jul 2017 22:51:57 +0200 Subject: [PATCH 576/658] avcodec/ylc: Fix vlc of 31 bits Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 2515/clusterfuzz-testcase-minimized-6197200012967936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fe9242204d33db070b8a9d907d93c9ead8a6f3ee) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index 1af880f4d4..c2263e729a 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c 
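Review bot: Changing `y0`/`y1` to `unsigned` makes the accumulation wrap, but the stores back into `Y[m][0]`/`Y[m][1]` (outside the hunk) convert unsigned to int, which is implementation-defined; a comment at the declaration should record that the wrap is intentional: `/* unsigned: the accumulation below may exceed INT_MAX on corrupt input; wrapping is defined, signed overflow is not */`. Any shift of `y0`/`y1` or comparison against a signed value inside the loop now behaves as unsigned, so those lines (not visible) should be re-read for a sign-dependent path. sbr_hf_apply_noise extends outside the hunk.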
@@ -68,7 +68,7 @@ static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat, s = nodes[node].sym; if (s != -1) { - bits[*pos] = (~pfx) & ((1 << FFMAX(pl, 1)) - 1); + bits[*pos] = (~pfx) & ((1U << FFMAX(pl, 1)) - 1); lens[*pos] = FFMAX(pl, 1); xlat[*pos] = s + (pl == 0); (*pos)++; From 910878e4d90a0850872336d656b12b77daf15f21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jul 2017 15:19:18 +0200 Subject: [PATCH 577/658] avcodec/aacps (fixed point): Fix multiple signed integer overflows Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int' Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 01f6d1f076..8b2cb9f02c 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
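Review bot: `1U << FFMAX(pl, 1)` removes the 31-bit case but is still undefined for `pl >= 32`, and nothing in the hunk bounds the prefix length; since `bits` is `uint32_t`, a code longer than 32 bits cannot be represented anyway, so the real fix is to reject such a tree — get_tree_codes is `void` per the hunk header, so either the caller must bound the depth or the function needs an error return. A comment on the `(pl == 0)` adjustment to `xlat` would also help, as mapping a zero-length code to `s + 1` is not obvious. get_tree_codes extends outside the hunk.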
@@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT for (i = 0; i < NR_PAR_BANDS[is34]; i++) { for (n = n0; n < nL; n++) { int decayed_peak; - int denom; - decayed_peak = (int)(((int64_t)peak_decay_factor * \ peak_decay_nrg[i] + 0x40000000) >> 31); peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]); - power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2; - peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \ - peak_decay_diff_smooth[i] + 2) >> 2; - denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1); - if (denom > power_smooth[i]) { - int p = power_smooth[i]; - while (denom < 0x40000000) { - denom <<= 1; - p <<= 1; - } - transient_gain[i][n] = p / (denom >> 16); - } - else { - transient_gain[i][n] = 1 << 16; - } + power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2; + peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \ + peak_decay_diff_smooth[i]) >> 2; + + if (peak_decay_diff_smooth[i]) { + transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16); + } else + transient_gain[i][n] = 1 << 16; } } #else From 506bbbc09929e1d2778259fb9549743c5bce5fdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jul 2017 16:24:18 +0200 Subject: [PATCH 578/658] avcodec/mjpegdec: Clip DC also on the negative side. Fixes: runtime error: signed integer overflow: -16711425 + -2130772346 cannot be represented in type 'int' Fixes: 2533/clusterfuzz-testcase-minimized-5372857678823424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c28f648b19dd36ff9bc869ad527a1569a0b623e2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 32b6b3b84d..714c51013d 100644 --- a/libavcodec/mjpegdec.c 
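Review bot: The constant `43691LL` on the new transient_gain line is undocumented; it is 65536*2/3, i.e. the old `p / (denom >> 16)` with denom = 1.5 * peak_decay_diff_smooth folded into one multiply, so a comment such as `/* 43691 ~= 65536*2/3: power_smooth / (1.5 * peak_decay_diff_smooth) in Q16 */` would preserve the derivation. Note also that FFMIN only clamps from above: the old `denom > power_smooth[i]` branch could never yield a negative gain, whereas the new quotient goes negative if either operand is negative. Both look non-negative by construction (peak_decay_nrg is FFMAX(decayed_peak, power[i][n]) and the diff is smoothed from peak minus power), but the sign of power[i][n] itself is not visible in the hunk; a comment stating that invariant next to the FFMIN would settle it.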
+++ b/libavcodec/mjpegdec.c @@ -693,7 +693,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, return AVERROR_INVALIDDATA; } val = val * quant_matrix[0] + s->last_dc[component]; - val = FFMIN(val, 32767); + val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; /* AC coefs */ From 94077cf6735afd1a166848d388c3a59764e7c71c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jul 2017 17:25:16 +0200 Subject: [PATCH 579/658] avcodec/magicyuv: Check that vlc len is not too large Fixes: runtime error: shift exponent -95 is negative Fixes: 2568/clusterfuzz-testcase-minimized-4926115716005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 341f01290c2353669ed2263f56e1a9f4c67cc597) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 3bb4c5a8b4..fdd427920c 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -90,6 +90,8 @@ static int build_huff(VLC *vlc, uint8_t *len) for (i = 0; i < 256; i++) { he[i].sym = 255 - i; he[i].len = len[i]; + if (len[i] == 0 || len[i] > 32) + return AVERROR_INVALIDDATA; } AV_QSORT(he, 256, HuffEntry, ff_magy_huff_cmp_len); From a2c3c9bc6038b03af917c7d840ca56d062574ba2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Jul 2017 00:45:29 +0200 Subject: [PATCH 580/658] avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int' Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ef8f03133a0bd83c74200a8cf30982c0f574016) 
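Review bot: `av_clip_int16(val)` bounds the stored DC, but the expression it clips, `val * quant_matrix[0] + s->last_dc[component]`, is still evaluated in int; if the decoded val times quant_matrix[0] can exceed INT_MAX the multiplication overflows before the clip is reached. Neither operand's range is visible in the hunk; if they are not bounded elsewhere, computing the product and sum in int64 and clamping with FFMAX/FFMIN before narrowing closes that gap. The rest of decode_block lies outside the hunk.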
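Review bot: The new `len[i] == 0 || len[i] > 32` guard carries no explanation of its bounds; since len[i] becomes a code length (the commit message shows it ends up as a shift amount), a comment such as `/* code lengths must be 1..32: they are used as shift amounts when the VLC is built */` would make the limits self-explanatory. The error path is silent; if build_huff can reach a logging context, an av_log naming the offending index would help diagnose rejected streams, though none is visible in this hunk.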
Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 ++ libavcodec/aacdec_template.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 3c79a8a4a1..438d78a7aa 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -35,6 +35,7 @@ #define AAC_RENAME(x) x ## _fixed #define AAC_RENAME_32(x) x ## _fixed_32 typedef int INTFLOAT; +typedef unsigned UINTFLOAT; ///< Equivalent to INTFLOAT, Used as temporal cast to avoid undefined sign overflow operations. typedef int64_t INT64FLOAT; typedef int16_t SHORTFLOAT; typedef SoftFloat AAC_FLOAT; @@ -83,6 +84,7 @@ typedef int AAC_SIGNE; #define AAC_RENAME(x) x #define AAC_RENAME_32(x) x typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float INT64FLOAT; typedef float SHORTFLOAT; typedef float AAC_FLOAT; diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index a37032a025..996ab638ad 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2363,7 +2363,7 @@ static int decode_extension_payload(AACContext *ac, GetBitContext *gb, int cnt, * @param decode 1 if tool is used normally, 0 if tool is used in LTP. * @param coef spectral coefficients */ -static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, +static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, IndividualChannelStream *ics, int decode) { const int mmm = FFMIN(ics->tns_max_bands, ics->max_sfb); @@ -2371,6 +2371,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, int bottom, top, order, start, end, size, inc; INTFLOAT lpc[TNS_MAX_ORDER]; INTFLOAT tmp[TNS_MAX_ORDER+1]; + UINTFLOAT *coef = coef_param; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; 
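Review bot: The float-build `typedef float UINTFLOAT;` lacks the Doxygen comment its fixed-point twin carries, so a reader of the float branch sees an unexplained duplicate of INTFLOAT; suggest `typedef float UINTFLOAT; ///< Same as INTFLOAT; only the fixed-point build distinguishes the two`. The fixed-point comment also reads "temporal cast" where "temporary cast" is meant. Both hunks are complete in this view.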
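Review bot: `UINTFLOAT *coef = coef_param;` re-points at int storage through an unsigned int pointer in the fixed-point build; that is permitted by the aliasing rules (signed and unsigned variants of a type may alias), but nothing says so, and a reader will wonder why the parameter was renamed. A comment on the declaration, e.g. `/* unsigned view of coef: the AR filter subtracts products that may wrap, and signed overflow would be UB; int/unsigned aliasing is allowed */`, documents both. The same applies to the `(INTFLOAT)` cast in the second apply_tns hunk (@@ -2400), which narrows back to signed for AAC_MUL26; the function body runs beyond both hunks, so whether the MA filter path needs the same cast is not visible.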
@@ -2400,7 +2401,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, // ar filter for (m = 0; m < size; m++, start += inc) for (i = 1; i <= FFMIN(m, order); i++) - coef[start] -= AAC_MUL26(coef[start - i * inc], lpc[i - 1]); + coef[start] -= AAC_MUL26((INTFLOAT)coef[start - i * inc], lpc[i - 1]); } else { // ma filter for (m = 0; m < size; m++, start += inc) { From 02bec657f37101b70978997f18d3f482dcea0295 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jul 2017 22:22:52 +0200 Subject: [PATCH 581/658] avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int' Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2886142e0c3b5f4304c6e2a2bd282770a8a47f93) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 996ab638ad..b3ce500973 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2173,6 +2173,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb); gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0; gain_cache = GET_GAIN(scale, gain); +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } if (coup->coupling_point == AFTER_IMDCT) { coup->gain[c][0] = gain_cache; @@ -2190,6 +2194,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) t >>= 1; } gain_cache = GET_GAIN(scale, t) * s; +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } } coup->gain[c][idx] = gain_cache; 
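Review bot: The gain check `if ((abs(gain_cache)-1024) >> 3 > 30) return AVERROR(ERANGE);` is pasted twice with bare magic numbers; a small static inline helper (or a macro beside GET_GAIN) named for what it guards, that the shift derived from the gain stays below 31, would keep the two copies in sync and give 1024, 3 and 30 one documented home. The error code is also inconsistent with the rest of this series, which rejects malformed bitstream values with AVERROR_INVALIDDATA; ERANGE reads as a caller-supplied range problem rather than bad input. Whether gain_cache can reach INT_MIN, where abs() is undefined, depends on GET_GAIN, which is outside the hunk.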
From c6d9d0022093f2a8b5331b0d41e99429ccf3f02a Mon Sep 17 00:00:00 2001 From: Vodyannikov Aleksandr Date: Fri, 21 Jul 2017 11:49:45 +0200 Subject: [PATCH 582/658] avcodec/cfhd: Fix decoding regression due to height check Fixes: Ticket6546 Regression since: 54aaadf648073149f1ac34f56cbde4e6c5aa22ef Reviewed-by: Muhammad Faiz Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 47c93657249f1a4bc8a7aaf2f9f3a33510bee38c) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 3dc768e516..e11ebf9ee2 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -332,7 +332,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; From 2453c66b0ff8a847c1882f60ca7b94177fc43c16 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Sat, 22 Jul 2017 00:09:29 +0200 Subject: [PATCH 583/658] doc/filters: typo in frei0r Signed-off-by: Brice Waegeneire Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 92f541de93..e92227c964 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
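Review bot: The switch from `.height` to `.a_height` fixes the regression but leaves no trace at the check of why the allocated height is the right bound; a comment such as `/* bound by the allocated band height (a_height); the coded height proved too strict, see Ticket6546 */` would stop the next cleanup from reverting it. The relationship between height and a_height is not visible in the hunk, so the comment should state only what the ticket established. cfhd_decode continues outside the hunk.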
@@ -8094,7 +8094,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. From 918d45ec82ea83c5463339d7e72fb4dcc9a167d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2017 16:52:47 +0200 Subject: [PATCH 584/658] avcodec/aacdec_fixed: fix: left shift of negative value -1 Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2dfb8c417891e0cc3670f8e0791ea0c7071314fe) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 0cac3bf4eb..ccc82057e1 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -430,7 +430,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp << shift; + dest[i] += tmp * (1 << shift); } } } From 2755c73d55b2c92e73698aa03c580f311dc36d6f Mon Sep 17 00:00:00 2001 
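Review bot: `dest[i] += tmp * (1 << shift);` removes the left shift of a negative value, but a signed multiplication that exceeds INT_MAX is equally undefined, as is `1 << shift` once shift reaches 31; neither the bound on shift nor the magnitude of tmp (a 64-bit product shifted right by 37) is visible in this hunk. If the result is meant to be stored modulo 2^32, as the previous shift implied, `dest[i] += tmp * (1U << shift);` makes the product wrap in unsigned arithmetic; if shift is proven small elsewhere, a comment stating the bound at the loop would suffice. apply_independent_coupling_fixed starts outside the hunk.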
From: Michael Niedermayer Date: Sat, 22 Jul 2017 00:44:14 +0200 Subject: [PATCH 585/658] avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int' Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0764fe1d09833ae4dcf9e427df09378d0d6a3386) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 8b2cb9f02c..aa0220b147 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full) static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC]) { #if USE_FIXED - par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \ + par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \ + par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \ 0x40000000) >> 31); - par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \ + par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \ + par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \ 0x40000000) >> 31); #else par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f; From a0edd7f583b8f63340a3c46c04d44f2ed5e0d4e7 Mon Sep 17 00:00:00 2001 
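Review bot: The new cast chain computes the wrong value for negative sums: `(int64_t)(par[ 0] + (unsigned)(par[ 1]>>1))` widens the unsigned sum by value, so a sum of -15 arrives as 4294967281, and after the multiply-shift the stored result is offset by 2*1431655765 modulo 2^32 (constructed example: par[0] = -10, par[1] = -10 yields -1431655776 where -10 is expected). The wrapped sum must be reinterpreted as signed before widening, i.e. `(int64_t)(int)(par[ 0] + (unsigned)(par[ 1]>>1))`, and likewise in the other three statements; that keeps the overflow fix and restores the original arithmetic. This assumes par[] may legitimately hold negative values in the fixed-point build, which the signed float formula suggests but the hunk does not prove.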
From: Michael Niedermayer Date: Sat, 22 Jul 2017 02:57:12 +0200 Subject: [PATCH 586/658] avcodec/ylc: Fix shift overflow Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 2698/clusterfuzz-testcase-minimized-4713541443518464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03a9e6ff303ad82e75b734edbe4917ca5fd60159) Signed-off-by: Michael Niedermayer --- libavcodec/ylc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index c2263e729a..346960a6cc 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c @@ -68,7 +68,7 @@ static void get_tree_codes(uint32_t *bits, int16_t *lens, uint8_t *xlat, s = nodes[node].sym; if (s != -1) { - bits[*pos] = (~pfx) & ((1U << FFMAX(pl, 1)) - 1); + bits[*pos] = (~pfx) & ((1ULL << FFMAX(pl, 1)) - 1); lens[*pos] = FFMAX(pl, 1); xlat[*pos] = s + (pl == 0); (*pos)++; From 65304d33a20f0d88bcc526ac01e5299c88cff566 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jul 2017 03:19:07 +0200 Subject: [PATCH 587/658] avformat/oggparsecelt: Do not re-allocate os->private Fixes: double free Fixes: clusterfuzz-testcase-minimized-5080550145785856 Found-by: ClusterFuzz Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf) Signed-off-by: Michael Niedermayer --- libavformat/oggparsecelt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 6d567f988a..9c438a096a 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c 
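Review bot: Widening to `1ULL << FFMAX(pl, 1)` only moves the undefined shift from pl == 32 to pl >= 64, and because bits[] is uint32_t any pl in 33..63 silently truncates the mask on store; neither the bound on pl nor where it is accumulated is visible in this hunk. If pl is bounded by the tree depth elsewhere, a comment at the shift stating that bound would make the reasoning checkable; since get_tree_codes is void, any explicit validation would have to happen in its caller. get_tree_codes starts and ends outside the hunk.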
@@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codecpar->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codecpar->extradata + 0, overlap); AV_WL32(st->codecpar->extradata + 4, version); return 1; From 7f3124e08c3084c27ffa1dbd71659844a2c23f32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jul 2017 15:48:37 +0200 Subject: [PATCH 588/658] avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int' Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 7a4ca7083a..87e807bdd3 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1413,6 +1413,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, HEVCSPS *sps = NULL; int i, ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); 
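Review bot: The new `if (os->private) { av_free(priv); priv = os->private; }` discards a struct allocated earlier in celt_header (outside the hunk) on every header after the first; if any field of the fresh priv has been written before this point it is lost silently, and allocating only to free it is odd to read. Testing `os->private` before the allocation and reusing it would express the intent directly, and a comment such as `/* os->private may survive from a previous header; keep it so the ogg layer frees it exactly once */` would record why the old av_free(os->private) caused a double free. Where priv is allocated and whether it is otherwise initialized is not visible here.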
@@ -1599,13 +1600,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); From 956f2db21ffc1ca7f8dae7a3f44b09a145d9b9fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 03:26:59 +0200 Subject: [PATCH 589/658] avcodec/dnxhddec: Move mb height check out of non hr branch Fixes: out of array access Fixes: poc.dnxhd Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index cb1fc798b2..862e964b51 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c 
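Review bot: The log line passes the new `unsigned log2_parallel_merge_level_minus2` to a `%d` conversion; the format should become `"log2_parallel_merge_level_minus2 out of range: %u\n"` (a -Wformat warning, and formally undefined). Separately, the check moved from `log2_parallel_merge_level > sps->log2_ctb_size` to `log2_parallel_merge_level_minus2 > sps->log2_ctb_size`, which now admits the two values minus2 == log2_ctb_size-1 and minus2 == log2_ctb_size that the old code rejected; if the previous bound was intended, `if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size - 2)` restores it without the signed overflow, assuming SPS parsing guarantees log2_ctb_size >= 2 (not visible here). The rest of ff_hevc_decode_nal_pps lies outside the hunk.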
@@ -273,14 +273,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, if (header_prefix == DNXHD_HEADER_HR2) { ctx->data_offset = 0x170 + (ctx->mb_height << 2); } else { - if (ctx->mb_height > 68 || - (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + if (ctx->mb_height > 68) { av_log(ctx->avctx, AV_LOG_ERROR, "mb height too big: %d\n", ctx->mb_height); return AVERROR_INVALIDDATA; } ctx->data_offset = 0x280; } + if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + av_log(ctx->avctx, AV_LOG_ERROR, + "mb height too big: %d\n", ctx->mb_height); + return AVERROR_INVALIDDATA; + } if (buf_size < ctx->data_offset) { av_log(ctx->avctx, AV_LOG_ERROR, From f4c8449238319d23e2e1bcd151c9af38e36c7eb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 20:26:43 +0200 Subject: [PATCH 590/658] avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e275a74b09cc87f4334ed572f919b7647d4bea1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9b3adfa9a8..160085f852 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
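Review bot: Both rejections now log the identical text `"mb height too big: %d\n"`, so a failure report cannot tell the 68-limit from the interlaced height check. Give the moved check its own message, e.g. `"mb height %d too big for frame height %d (interlaced %d)\n"` with ctx->height and frame->interlaced_frame as extra arguments (using the specifiers matching their types), so the failing condition is reproducible from the log. dnxhd_decode_header continues outside the hunk.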
@@ -462,7 +462,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \ SubBand *b, type *buf, int x, int y) \ { \ - int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + unsigned coeff; \ const int mstride = -(b->stride >> (1+b->pshift)); \ if (b->parent) { \ const type *pbuf = (type *)b->parent->ibuf; \ From 54a6c1368cdbb13eb0015433edca0d0fc9ea5dfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 13:41:59 +0200 Subject: [PATCH 591/658] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 Fixes: out of array accesses Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 68 ++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index cde0da78ce..2ea88d09c5 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
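Review bot: `unsigned coeff;` changes the type of a variable whose remaining uses are all outside the hunk (the macro body continues past it), so any `coeff < 0`, negation, or comparison against a signed qfactor/qoffset in the rest of coeff_unpack_arith_##n now follows unsigned semantics; those uses should be checked, and a comment like `/* unsigned: the qfactor multiply may wrap; signed overflow would be UB */` placed on the declaration. The `sign` bookkeeping kept as int on the line above suggests coeff holds a non-negative magnitude, which would make the change safe, but that is not demonstrable from the hunk.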
@@ -433,50 +433,78 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; + case AMF_DATA_TYPE_DATE: + bytestream2_skip(gb, 10); + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; 
} } +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, const uint8_t *name, uint8_t *dst, int dst_size) { From 06ce68d8a07d6365d67fdd8ed3c1e422f97a43fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 14:37:26 +0200 Subject: [PATCH 592/658] avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 Fixes: out of array accesses Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 57 ++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 2ea88d09c5..ca7838868e 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
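Review bot: The new static `amf_tag_skip()` has no contract comment although ff_amf_tag_size now relies on its side effect; suggest a header such as `/* Advances gb past one AMF tag. Returns 0 on success, -1 on malformed input; gb's position is unspecified after -1. */`. The `size < 0` half of `if (size < 0 || size >= bytestream2_get_bytes_left(gb))` is dead now that size comes from bytestream2_get_be16(), which cannot be negative. The recursion for nested OBJECT/ARRAY values is bounded only by the input length, so a deeply nested payload recurses once per level; passing a depth counter and failing past a small limit would bound stack use, which the old ff_amf_tag_size recursion also lacked but the rewrite is the natural place to add.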
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) return bytestream2_tell(&gb); } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? 
"true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { From 6274709c1c110cbb714a2bd0292bb9e96d9d561f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:26 +0200 Subject: [PATCH 593/658] avcodec/takdec: Fix integer overflow in decode_subframe() Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int' Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c630d159ffe8a9822e81f9c041652762b37e068) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index c4c4b30aba..c74e952562 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -489,7 +489,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From 6b1c71040d170c66b20d214a17aacefc215cd9c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:27 +0200 Subject: [PATCH 594/658] avcodec/diracdec: Fix integer overflow in divide3() Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 160085f852..42518c2681 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -231,7 +231,7 @@ enum dirac_subband { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) From acedc53186c4c9564d3b6442bb293ffc4d7b7f8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 03:22:40 +0200 Subject: [PATCH 595/658] avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int' Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
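Review bot: `- (unsigned)*decoded` makes the subtraction wrap, but the left operand `av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)` is still a signed int product; it is bounded by 2^(13+dshift), so it is safe only if dshift is limited to 18 or less somewhere outside this hunk, and `1 << dshift` itself is undefined from 31. A comment recording that bound at the line, or `* (1U << dshift)` to put the whole expression in unsigned arithmetic, would make the fix self-contained. decode_subframe continues outside the hunk.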
Signed-off-by: Michael Niedermayer (cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 4d338651fa..62f8472b41 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,7 +99,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((b0 + b2 + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) From 6d849e2706d04588d16ee65dacea21f24f30d9d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jul 2017 15:46:50 +0200 Subject: [PATCH 596/658] avcodec/diracdec: Check weight_log2denom Fixes: runtime error: shift exponent -1 is negative Fixes: 2742/clusterfuzz-testcase-minimized-5724322402402304 Fixes: 2744/clusterfuzz-testcase-minimized-4672435653705728 Fixes: 2749/clusterfuzz-testcase-minimized-5298741273690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 880f5c59139e1d85d3a0b3433103f3fea17ff2d3) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 42518c2681..579ff97322 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
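Review bot: The sibling macro two lines below, `COMPOSE_DD137iL0`, keeps the identical signed expression `(-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5` and so overflows on the same inputs (the reported case was 9 * 335544320); unless its operands are known to be narrower, it should receive the matching treatment: `(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. The `(int)` cast followed by `>> 4` relies on arithmetic right shift of a negative value, which is implementation-defined but the convention this codebase already depends on; a short comment on the macro would keep that explicit.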
@@ -1100,6 +1100,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) if (get_bits1(gb)) { s->weight_log2denom = get_interleaved_ue_golomb(gb); + if (s->weight_log2denom < 1 || s->weight_log2denom > 8) { + av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n"); + s->weight_log2denom = 1; + return AVERROR_INVALIDDATA; + } s->weight[0] = dirac_get_se_golomb(gb); if (s->num_refs == 2) s->weight[1] = dirac_get_se_golomb(gb); From fef71d661b7a251f70f132f1585b7dfa08117423 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 12:13:51 +0200 Subject: [PATCH 597/658] Update for 3.1.10 Signed-off-by: Michael Niedermayer --- Changelog | 37 +++++++++++++++++++++++++++++++++++++ doc/Doxyfile | 2 +- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 87a2a49eaf..d6c9ce1723 100644 --- a/Changelog +++ b/Changelog 
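Review bot: The assignment `s->weight_log2denom = 1;` before returning AVERROR_INVALIDDATA is unexplained; presumably it leaves the context with a usable shift amount in case later code (outside the hunk) runs despite the error, and that deserves a comment such as `/* reset to a valid value: the context may still be used after the error */`. The range 1..8 is likewise a bare magic pair; noting where the limit comes from (the weight precision this decoder supports, or the spec bound) would let a reviewer confirm it. dirac_unpack_prediction_parameters continues outside the hunk.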
@@ -2,6 +2,43 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest.
+version 3.1.10:
+- avcodec/diracdec: Check weight_log2denom
+- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
+- avcodec/diracdec: Fix integer overflow in divide3()
+- avcodec/takdec: Fix integer overflow in decode_subframe()
+- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
+- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
+- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
+- avcodec/dnxhddec: Move mb height check out of non hr branch
+- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
+- avformat/oggparsecelt: Do not re-allocate os->private
+- avcodec/ylc: Fix shift overflow
+- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
+- avcodec/aacdec_fixed: fix: left shift of negative value -1
+- doc/filters: typo in frei0r
+- avcodec/cfhd: Fix decoding regression due to height check
+- avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later
+- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns()
+- avcodec/magicyuv: Check that vlc len is not too large
+- avcodec/mjpegdec: Clip DC also on the negative side.
+- avcodec/aacps (fixed point): Fix multiple signed integer overflows +- avcodec/ylc: Fix vlc of 31 bits +- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() +- avcodec/wavpack: Fix invalid shift +- avcodec/h264_slice: Fix signed integer overflow +- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets +- avcodec/cfhd: Fix invalid left shift of negative value +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/tiff: Update pointer only when the result is used + + version 3.1.9: - avcodec/cfhd: Check bpc before setting bpc in context - avcodec/cfhd: Fix undefined shift diff --git a/doc/Doxyfile b/doc/Doxyfile index b234a11f4a..f750ee5495 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.9 +PROJECT_NUMBER = 3.1.10 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From afa34cb36edca0ff809b7e58474bbce12271ecba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 15:52:22 +0200 Subject: [PATCH 598/658] RELEASE: Update release number Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7148b0a991..c7a249882e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.9 +3.1.10 From eadb52d4590433896bbde2395e2ca796caebf08c Mon Sep 17 00:00:00 2001 
From: Muhammad Faiz Date: Thu, 3 Aug 2017 07:59:09 +0700 Subject: [PATCH 599/658] avfilter/vf_ssim: fix temp size calculation Also use av_mallocz_array. Fix Ticket6519. Reviewed-by: Tobias Rapp Signed-off-by: Muhammad Faiz (cherry picked from commit f2d23ec03f28c6233059687c65a9124f65f8c312) --- libavfilter/vf_ssim.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_ssim.c b/libavfilter/vf_ssim.c index dd8f264812..6fc80995a9 100644 --- a/libavfilter/vf_ssim.c +++ b/libavfilter/vf_ssim.c @@ -147,6 +147,8 @@ static float ssim_endn(const int (*sum0)[4], const int (*sum1)[4], int width) return ssim; } +#define SUM_LEN(w) (((w) >> 2) + 3) + static float ssim_plane(SSIMDSPContext *dsp, uint8_t *main, int main_stride, uint8_t *ref, int ref_stride, @@ -155,7 +157,7 @@ static float ssim_plane(SSIMDSPContext *dsp, int z = 0, y; float ssim = 0.0; int (*sum0)[4] = temp; - int (*sum1)[4] = sum0 + (width >> 2) + 3; + int (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -297,7 +299,7 @@ static int config_input_ref(AVFilterLink *inlink) for (i = 0; i < s->nb_components; i++) s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum; - s->temp = av_malloc((2 * inlink->w + 12) * sizeof(*s->temp)); + s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), sizeof(int[4])); if (!s->temp) return AVERROR(ENOMEM); From ee17fdffd4cb55eb8533ec2684ce5d7c8cf1fb22 Mon Sep 17 00:00:00 2001 From: Steven Siloti Date: Tue, 18 Jul 2017 11:26:39 -0700 Subject: [PATCH 600/658] avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
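Review bot: `SUM_LEN(w)` is introduced with no comment, yet it is now the single definition tying the `temp` allocation in `config_input_ref` to the `sum1` offset in `ssim_plane`, which is exactly the mismatch this commit fixes. A one-line comment at the definition, e.g. `/* int[4] entries per sum row for a plane of width w; temp holds two rows (sum0 and sum1) */`, would make the `2 * SUM_LEN(inlink->w)` in the allocation self-explanatory. The element size is written as `sizeof(int[4])` at the allocation while the rows are typed `int (*)[4]` in `ssim_plane`; keeping that `sizeof` next to `SUM_LEN` as a second macro would let both stay in one place.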
diff --git a/libavformat/utils.c b/libavformat/utils.c index 46dc5109d1..5a35953d24 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4046,8 +4046,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } From 74e9dbf0dfb009ced1dcba341b25bc37357b7b7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 02:41:05 +0200 Subject: [PATCH 601/658] avcodec/h264_slice: Fix overflow in slice offset Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d3f1360359..cdd56af1f7 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
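Review bot: Moving `flush_packet_queue(s)` ahead of `av_freep(&s->internal)` encodes an ordering dependency that nothing in the code states, so the next refactor can silently reintroduce the leak (per the commit message the queue pointer lives in `s->internal`, so flushing after `av_freep` nulled it presumably just skipped the queue). A comment on the flush line, `/* the packet queue is reached through s->internal; flush before internal is freed */`, would pin the order. `avformat_free_context` begins outside the hunk.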
@@ -1697,17 +1697,19 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } From 46023f3258f4082cf1aba9b47401bdb137174103 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Aug 2017 03:26:30 +0200 Subject: [PATCH 602/658] avcodec/aacdec_fixed: fix invalid shift in predict() Fixes: runtime error: shift exponent -2 is negative Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index ccc82057e1..e7c2d2d299 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
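Review bot: The error message `"deblocking filter parameters %d %d out of range\n"` now prints the `_div2` values read from the bitstream, half of what the same message printed before this change, while the stored `sl->slice_alpha_c0_offset`/`sl->slice_beta_offset` keep the doubled units; anyone correlating logs across versions will be misled. Either make the message say so, e.g. `"deblocking filter parameters (div2) %d %d out of range\n"`, or log the doubled values, which is safe now that the range is bounded to ±6 before the multiplication. The `_div2` locals match the H.264 syntax element names, which is a good reason to keep them; a short comment noting that would help readers. `ff_h264_decode_slice_header` begins and ends outside the hunk.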
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (pv.mant + (1 << (shift - 1))) >> shift; + } else + *coef += pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); From 55fe7a738f4ca6a92972f699f5d8816a5e133405 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 05:01:45 +0200 Subject: [PATCH 603/658] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 62f8472b41..e715e53bc4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From a5c83b586b8097948a9cbba8937f89245cad4274 Mon Sep 17 00:00:00 2001 
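Review bot: The new `else` branch `*coef += pv.mant << -shift;` may trade one undefined shift for another: if `pv.mant` can be negative, which a soft-float mantissa normally can, left-shifting it is undefined in C11, and `-shift` is unbounded above if `pv.exp` can exceed 59. If either is possible, `*coef += pv.mant * (1 << -shift)` with a guard that `-shift < 31` (or the project's unsigned-cast idiom, `(int)((unsigned)pv.mant << -shift)`) keeps the arithmetic defined; I cannot see the range of `pv.exp` from here, so the caller may already bound it. Separately, `if (shift > 0) { … } else` braces one arm and not the other; brace both. `predict` begins and ends outside the hunk.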
From: Michael Niedermayer Date: Sun, 6 Aug 2017 13:32:54 +0200 Subject: [PATCH 604/658] avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2e74a33758..d04286bc3d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2283,6 +2283,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { From df2efc212dabc2cccb7101e15bba0c78cb5d80b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Aug 2017 03:32:43 +0200 Subject: [PATCH 605/658] avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 579ff97322..6f6a0ece45 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
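Review bot: `s->mcsel = 0;` is dropped in ahead of the `pict_type` parsing with nothing saying why it must happen here rather than where mcsel is normally assigned, so it reads like a stray leftover. Per the commit message the intent is that a stale `mcsel` from an earlier VOP (one that may never have reached the mcsel syntax) must not enable GMC for this picture; a comment such as `/* reset per VOP: a stale mcsel from a previous, possibly truncated, VOP must not leak into this one */` would preserve that reasoning. Where mcsel is otherwise set is outside the hunk, so the exact trigger is inferred from the commit text.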
@@ -1082,6 +1082,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } From 1b5548cc0913032587b4579e4b8b23ebed4c5124 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 20:32:03 +0200 Subject: [PATCH 606/658] avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 7d6d7ff44f..4ebfa07c6a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ From 96d5786027445bf01ab47212a1a71b9d2f2ea2df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 18:24:37 +0200 Subject: [PATCH 607/658] avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
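Review bot: The new range check returns `AVERROR_INVALIDDATA` silently, whereas the neighbouring `weight_log2denom` check in the same function (patch 596 in this series) logs an `AV_LOG_ERROR` first, so a stream rejected here leaves no trace of why. Add `av_log(s->avctx, AV_LOG_ERROR, "perspective_exp + zrs_exp too large\n");` before the return, plus a comment recording where 30 comes from (the commit message cites a shift exponent of 264, so presumably the two exponents feed a shift of a 32-bit value; confirm). The `(uint64_t)` cast is what keeps the sum itself from overflowing and deserves a word as well. `dirac_unpack_prediction_parameters` begins outside the hunk.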
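Review bot: The corrected bound `(unsigned)htaps >= HTAPS_MAX` is the whole fix, but the line still gives no hint that `htaps/2` indexes an array (an `int8_t [4]` per the commit message), so the off-by-one could easily be "corrected" back to `>`. A comment such as `/* htaps/2 indexes a per-plane coefficient array of HTAPS_MAX/2 entries, so htaps must stay strictly below HTAPS_MAX */`, with the array name checked against the `Plane` definition outside the hunk, would anchor it. Note also that `htaps==0` can only hold when `get_symbol()` returns -1, since the value is `x*2 + 2`; if that is the intended case, say so. `decode_header` begins and ends outside the hunk.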
Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 2c11515459..f66c05b94b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); - const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; From b2f99c424f154df4f912c8ed24f6f99a211fe9cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Aug 2017 16:42:58 +0200 Subject: [PATCH 608/658] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
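Review bot: Making `t0`..`t3` `unsigned` lets the later `t2 + t0 + 0x800` wrap instead of overflow, but the right-hand sides such as `27246 * blk[3 * step] + 18405 * blk[5 * step]` are still evaluated in signed `int` before the conversion; that is only safe because 45651 * 32767 fits in 31 bits, and the same holds for the `t8` context line (17734 * 32767 + 42813 * 32768 is just under INT_MAX). A comment stating that bound would keep someone from later raising the coefficients without noticing. The `(int)(…) >> 12` form relies on implementation-defined unsigned-to-int conversion, the same idiom used in the dirac_dwt macros elsewhere in this series; a one-line note in `fic_idct` saying it is intentional would help whoever reviews the next sanitizer report. `fic_idct` continues past the hunk.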
Signed-off-by: Michael Niedermayer (cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (b0[i] + b2[i] + 2) >> 2; + b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From 3ee6a9cfb44c9ffbaf47f5a66f698fa222e8b92d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Aug 2017 23:38:58 +0200 Subject: [PATCH 609/658] avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) Signed-off-by: Michael Niedermayer --- libavcodec/me_cmp.c | 10 +++++----- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 +++++ libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index dc76b07ba2..4234000487 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } 
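Review bot: The cast chain fixes the overflow inside the parenthesised sum, but the enclosing `b1[i] -= …` is still a signed subtraction on `TYPE`, so when this template is instantiated with a 32-bit `TYPE` the same adversarial coefficients can overflow one step later; with a 16-bit `TYPE` the promotion to `int` makes it safe. If the 32-bit instantiation exists, `b1[i] = (int)((unsigned)b1[i] - ((int)(b0[i] + (unsigned)b2[i] + 2) >> 2));` closes it; I cannot see the instantiations from here. A short comment that the unsigned cast is deliberate (wraparound defined, `(int)` recovers the sign) would protect the line from a tidy-up.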
@@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index f0883d3d08..6152fe40c3 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 79ed86c3a6..b14514de7e 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h 
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } From 1fa31e28fd5d8d5c8e784b9e6c84c1ec7bffd3d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 02:15:49 +0200 Subject: [PATCH 610/658] avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index b3ce500973..7819d710bf 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c 
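Review bot: The new `diff_pixels_unaligned` member of `PixblockDSPContext` does not document its one distinguishing property, that `s1`/`s2` may be arbitrarily aligned, while the existing `diff_pixels` annotates its pointers `/* align 8 */`; that contrast is the whole reason the five me_cmp.c callers in this commit switched over, so it should be stated, e.g. `/* like diff_pixels, but s1/s2 need no alignment; use when the source offset is not under the caller's control */`. In `ff_pixblockdsp_init_x86` the MMX and SSE2 routines are assigned to both slots, which is only correct if `ff_diff_pixels_mmx`/`ff_diff_pixels_sse2` use unaligned loads; I assume they do, but a comment at the assignment would make that assumption auditable when another arch init copies the pattern.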
@@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** From edac232860366fc954dc93f4610f76b6062ba933 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 611/658] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
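Review bot: Introducing `ret_fail` and routing two early returns through `fail:` is only complete if every error exit in `decode_ics_info` now reaches the `ics->max_sfb = 0` cleanup; the first hunk's context shows the `"Reserved bit set.\n"` path, whose return is outside the hunk, and the rest of the function is not visible, so any remaining direct `return` would keep the out-of-array read this commit fixes. Worth a sweep of the function and a comment at the label, `/* every error path must come here: a partially filled ics with max_sfb != 0 is read out of bounds by callers */`. Style-wise FFmpeg code usually names this `ret`; `ret_fail` works but is unusual. The function begins before the first hunk.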
diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 01d61597a8..c4af9cbb17 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1540,7 +1540,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { From 7b6dba892f63a620d4510c9114f414cfa6435942 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 612/658] avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a77d6908e3..1815a7303f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4415,7 +4415,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; From 6622be010b09368f57bfd09715386a373d79066c Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 613/658] avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) 
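Review bot: `avctx->rc_buffer_size * 3LL / 4` is computed in `long long` and then silently narrowed back into the `int` field, which is correct only because three quarters of any `int` fits in an `int`; that is non-obvious enough to deserve a comment, `/* 3LL: the product can exceed INT_MAX, the quotient always fits */`. The enclosing function starts and ends outside the hunk.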
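Review bot: `total_size <= atom.size - 8` avoids the overflow on the left, and it relies on the clamp two lines above (`if (atom.size < 0) atom.size = INT64_MAX;`) to guarantee the right-hand side cannot wrap; that coupling should be written down, `/* atom.size >= 0 here (clamped above), so the subtraction cannot underflow */`, so a later change to the clamp does not reintroduce the UB. If `total_size` can be negative on any path the two forms are not equivalent; from here it looks non-negative. `mov_read_default` continues past the hunk.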
Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 95793c92cd..2c56adb307 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) From 5351c8bd46e23168b1aed8f92779fb1a20a7214a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Aug 2017 21:30:37 +0200 Subject: [PATCH 614/658] avformat/rtpdec_h264: Fix heap-buffer-overflow Fixes: rtp_sdp/poc.sdp Found-by: Bingchang Signed-off-by: Michael Niedermayer (cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 8dd56a549e..6f8148ab6d 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c @@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s, parse_profile_level_id(s, h264_data, value); } else if (!strcmp(attr, "sprop-parameter-sets")) { int ret; - if (value[strlen(value) - 1] == ',') { + if (*value == 0 || value[strlen(value) - 1] == ',') { av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n"); return 0; } From 0575adfd4a59a0cef51e3ca081896a348c07c12e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 00:18:48 +0200 Subject: [PATCH 615/658] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
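Review bot: The new guard `if (offset > INT64_MAX - offset1)` assumes `offset1` is non-negative; `offset1 = pos + (s->buf_ptr - s->buffer)` almost certainly is, but if `pos` could ever be negative the subtraction on the right can itself overflow, and a negative `offset` combined with a negative `offset1` is not covered at all. A comment stating the precondition, `/* offset1 >= 0 here, so INT64_MAX - offset1 cannot wrap */`, would make that explicit. `avio_seek` begins and ends outside the hunk.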
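Review bot: An empty `sprop-parameter-sets` value now takes the same `"Missing PPS in sprop-parameter-sets, ignoring\n"` warning as a trailing comma, which is not quite what happened; a comment on the `*value == 0` clause, `/* empty value: strlen(value) - 1 would index before the buffer */`, or a distinct message would tell a reader why the clause exists. `sdp_parse_fmtp_config_h264` starts and ends outside the hunk.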
Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 87e807bdd3..b58689ab68 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); From 5ff09443c5168e27b1708a314b6385440cfe8a4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 11:02:38 +0200 Subject: [PATCH 616/658] ffprobe: Fix null pointer dereference with color primaries Found-by: AD-lab of venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2) Signed-off-by: Michael Niedermayer (cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe) Signed-off-by: Michael Niedermayer --- ffprobe.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index aee9ba982c..9b14541a9f 100644 --- a/ffprobe.c +++ b/ffprobe.c 
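Review bot: The two new checks are byte-identical and bound each `delta_poc` step to 32768, but `prev` accumulates over `num_negative_pics` / `nb_positive_pics` iterations, so the overflow is prevented only if those counts are themselves bounded before the loops (likely, but outside the hunk). Nothing in the function explains the 32768, so it wants a comment, and hoisting the check into a small static helper, `static int check_delta_poc(AVCodecContext *avctx, int delta_poc)` that logs and returns `AVERROR_INVALIDDATA`, would keep the two copies from drifting. `ff_hevc_decode_short_term_rps` continues outside the hunk.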
@@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2257,10 +2267,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id else print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); + print_primaries(w, par->color_primaries); if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) print_str("chroma_location", av_chroma_location_name(par->chroma_location)); From d4a333f00b5015e402d92ed2f4205a4102e6ab31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 17:27:17 +0200 Subject: [PATCH 617/658] ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer --- ffprobe.c | 62 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 9b14541a9f..25678040f8 100644 --- a/ffprobe.c +++ b/ffprobe.c 
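Review bot: `print_primaries` tests the NULL return of `av_color_primaries_name` before the UNSPECIFIED comparison, which is the fix, but nothing says that NULL is the expected result for enum values outside the table that a parsed file can carry; a one-line comment, `/* av_color_primaries_name() returns NULL for values outside the enum; report those as unknown */`, would keep the `!val` test from being "simplified" away. The `w` parameter looks unused in the body, which is fine if `print_str`/`print_str_opt` are macros that expand to `w` (they are used the same way in `show_stream`); if they are plain functions the compiler will warn. Patch 617 right after this generalises the helper to the other colour fields.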
@@ -1789,6 +1789,26 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) { const char *val = av_color_primaries_name(color_primaries); @@ -1799,6 +1819,26 @@ static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primar } } +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; 
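Review bot: `print_color_range` takes a `fallback` argument while the four sibling helpers hard-code `"unknown"`/`"unspecified"`, so the group has two signatures for one job; either give every helper a `fallback` parameter or drop it and write `"N/A"` inside `print_color_range`, since its only caller in the `show_stream` hunk passes that constant. Separately, `print_color_space` calls `av_color_space_name()` where the removed code used `av_get_colorspace_name()`; if the two tables spell any name differently this changes ffprobe output for existing consumers, which the commit message does not mention, so it is worth confirming or noting in the Changelog.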
@@ -2253,26 +2293,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); - if (par->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(par->color_range)); - else - print_str_opt("color_range", "N/A"); - - s = av_get_colorspace_name(par->color_space); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (par->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(par->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); + print_color_range(w, par->color_range, "N/A"); + print_color_space(w, par->color_space); + print_color_trc(w, par->color_trc); print_primaries(w, par->color_primaries); - - if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(par->chroma_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); + print_chroma_location(w, par->chroma_location); #if FF_API_PRIVATE_OPT if (dec_ctx && dec_ctx->timecode_frame_start >= 0) { From 0d32491b74947bdb0d2be04d8ca909ff9406660d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Aug 2017 01:26:58 +0200 Subject: [PATCH 618/658] avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 18 ++++++++++++++++++ libavformat/hls.c | 7 +++++++ 2 files changed, 25 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 25b12a8977..d75dc9497e 100644 
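Review bot: The `color_space` field switches from `av_get_colorspace_name(par->color_space)` to `av_color_space_name()` inside `print_color_space`; if the two functions spell any value differently (they are separate name tables in libavutil), ffprobe's output for that field changes, which scripts that parse ffprobe output may notice. That deserves a line in the commit message or Changelog, or the helper should keep calling `av_get_colorspace_name` if byte-identical output is required. The rest of the hunk is a straight move into the helpers, and `s` remains in use by the `pix_fmt` lines above it.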
--- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -306,6 +306,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index 3b89ae5a7c..087885a121 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -204,6 +204,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -1254,6 +1255,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1285,6 +1287,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -2062,6 +2067,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; 
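Review bot: The option declares a minimum of 0 for `max_reload`, but `reload_count` is incremented and compared before the first reload attempt, so with `max_reload=0` the first pass through `reload:` already returns `AVERROR_EOF`; if every segment open falls through that label, as its placement after `reload_interval = default_reload_interval(v);` suggests, a value of 0 disables the demuxer rather than disabling reloads. A minimum of 1 avoids that: `OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 1, INT_MAX, FLAGS},`. The counter also counts every pass through `reload:`, not only passes that actually reload the playlist, so a comment at the increment such as `/* bounds the number of passes through this label per read_data() call, not only real reloads */` would make the option text easier to interpret. The body of `read_data` continues outside the hunk.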
From 0eb399381a2b3429980aa939bcd4dfbf0780f140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 12:37:25 +0200 Subject: [PATCH 619/658] avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2c81b138f2..294fd345f5 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; From 64aa8bb886a157af1e784de28839041cc6f5be81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:27 +0200 Subject: [PATCH 620/658] avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 0efedda1a3..545c97ad43 100644 --- a/libavformat/cinedec.c 
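Review bot: `count` is taken straight from `avio_rl32(pb)` and is not bounded by the `size` passed to `asf_read_marker`; the new `avio_feof` check ends the loop only once the input runs out, so on a large file a bogus count still walks the whole remaining stream one marker at a time. Each iteration reads at least the 8-byte offset and the 8-byte presentation time visible here, so if `size` is the remaining object size a cheap sanity check before the loop is `if (count > size / 16) return AVERROR_INVALIDDATA;`. The loop body continues outside the hunk.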
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 /* parse image offsets */
 avio_seek(pb, offImageOffsets, SEEK_SET);
- for (i = 0; i < st->duration; i++)
+ for (i = 0; i < st->duration; i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+ av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ }
 return 0;
 }
From 770482def3b3064e236f9a0e1b6f5d0ca35ae7e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?=
Date: Fri, 25 Aug 2017 01:15:28 +0200
Subject: [PATCH 621/658] avformat/rmdec: Fix DoS due to lack of eof check
Fixes: loop.ivr
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer
(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
Signed-off-by: Michael Niedermayer
---
 libavformat/rmdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 0809b0b251..c4f3e59676 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1235,8 +1235,11 @@ static int ivr_read_header(AVFormatContext *s)
 av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
 } else if (type == 4) {
 av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
- for (j = 0; j < len; j++)
+ for (j = 0; j < len; j++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+ }
 av_log(s, AV_LOG_DEBUG, "'\n");
 } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
 nb_streams = value = avio_rb32(pb);
From 953c6259d601bcda1d5045339913af1978be41fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?=
Date: Fri, 25 Aug 2017 01:15:29 +0200
Subject: [PATCH 622/658] avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2
Found-by: Xiaohei and Wangchu from Alibaba Security Team
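Review bot: The return value of `av_add_index_entry()` is still ignored in the new loop body; it returns a negative value when the index cannot be grown, and the loop then keeps reading and silently produces a partial index for a stream whose `duration` says otherwise. `if (av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);` keeps the shape of the hunk while surfacing the failure. The same unchecked calls appear in the mvdec hunk further down (`av_add_index_entry(ast, ...)` and `av_add_index_entry(vst, ...)`).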
Signed-off-by: Michael Niedermayer (cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer --- libavformat/rl2.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i Date: Fri, 25 Aug 2017 01:15:30 +0200 Subject: [PATCH 623/658] avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 80ef4b1569..e9e9fab503 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); From fcc2119eac26e7949a1a2149bf2bf3dd98b07d8b Mon Sep 17 00:00:00 2001 
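Review bot: The three new `return AVERROR_INVALIDDATA;` statements leave `rl2_read_header` before whatever cleanup follows the "build the sample index" loop; if `chunk_size`, `chunk_offset` and `audio_size` are heap tables released there, as their use as `frame_count`-sized indexed buffers suggests, every early return leaks all three. Routing these exits through the function's existing error path, or freeing the three tables before each return, keeps the DoS fix without trading it for a leak. The function body and its cleanup are outside the hunk, and the tail of this hunk is garbled in the listing.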
From: Michael Niedermayer Date: Sat, 26 Aug 2017 14:00:55 +0200 Subject: [PATCH 624/658] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long' Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 7d593a18b8..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
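Review bot: The switch from `(int64_t)` to `(uint64_t)` in the product casts is deliberate wrap-around arithmetic, but nothing in the code says so, and the declarations of `accu_re`/`accu_im` are outside the hunk; if they stay `int64_t`, the loop now adds unsigned products into a signed accumulator, and `accu_im -= ...` relies on modular wrap followed by an implementation-defined conversion back to signed. A comment above the first loop would keep the next reader from "fixing" it back, e.g. `/* products are accumulated in uint64_t on purpose: the sum can exceed INT64_MAX, and unsigned wrap-around is defined while signed overflow is not */`. The `@@ -156` hunk below makes the same change and is covered by the same comment.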
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } From f69905e2305b180086a240fb5a38862706922dc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Aug 2017 23:59:09 +0200 Subject: [PATCH 625/658] avcodec/hevc_ps: Fix undefined shift in pcm code Fixes: runtime error: shift exponent -1 is negative Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index b58689ab68..c1b69a0199 100644 
--- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1014,10 +1014,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } From 0e4612ea68261d84d47a15aa88210abfd0184850 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Aug 2017 00:30:33 +0200 Subject: [PATCH 626/658] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 4ebfa07c6a..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; From 5d67851392135e3a76051b18eaf2206f79069ad2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 627/658] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 507fb396a5..16d2fa59e2 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { From 92ec4eacf9649501dd8e06b97af87c428ca06556 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 628/658] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 5de13cca19..053ad24539 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -888,6 +888,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 segment->nb_index_entries = avio_rb32(pb);
 length = avio_rb32(pb);
+ if(segment->nb_index_entries && length < 11)
+ return AVERROR_INVALIDDATA;
 if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -898,6 +900,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 }
 for (i = 0; i < segment->nb_index_entries; i++) {
+ if(avio_feof(pb))
+ return AVERROR_INVALIDDATA;
 segment->temporal_offset_entries[i] = avio_r8(pb);
 avio_r8(pb); /* KeyFrameOffset */
 segment->flag_entries[i] = avio_r8(pb);
From 22dbd1eb31d6ece0f448565a25f0cdab2a919068 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
Date: Tue, 29 Aug 2017 23:59:21 +0200
Subject: [PATCH 629/658] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: 20170829B.mxf
Co-Author: 张洪亮(望初)"
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 053ad24539..cbabd4b239 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -492,7 +492,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
 avpriv_request_sample(pb, "Primer pack item length %d", item_len);
 return AVERROR_PATCHWELCOME;
 }
- if (item_num > 65536) {
+ if (item_num > 65536 || item_num < 0) {
 av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
 return AVERROR_INVALIDDATA;
 }
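Review bot: `segment->nb_index_entries` comes straight from `avio_rb32(pb)` and is handed to three `av_calloc` calls before anything checks that the input can actually hold that many entries; the new `length < 11` guard only validates the per-entry size, and the `avio_feof` check runs after the allocations have already happened. If `length` is the size of one entry, as the `< 11` bound on the 11 bytes read per iteration suggests, bounding the count by the remaining input before allocating closes that gap for seekable inputs: `if (segment->nb_index_entries && avio_size(pb) > 0 &&` / `    segment->nb_index_entries > avio_size(pb) / length) return AVERROR_INVALIDDATA;`. Minor style point: `if(` in both added lines differs from the `if (` used by the surrounding code.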
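Review bot: The log message still reads `item_num %d is too large` although the condition now also rejects negative values, so a negative `item_num` is reported as "too large"; `"item_num %d is invalid\n"` covers both branches. The rest of `mxf_read_primer_pack` is outside the hunk.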
From 93a32c15a84936064afc89a3333ce5aea9e6c8c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:10 +0200 Subject: [PATCH 630/658] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int' Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400 Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6f6a0ece45..f92ff1b2ea 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -594,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> From 5cc3add03695e6ebc6a924dee5fd12138e45bb45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:11 +0200 Subject: [PATCH 631/658] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e715e53bc4..adf5178714 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From 29b950521504a51f8b60dfcabe3cc141c4e01554 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 632/658] avformat/mov: Fix DoS in read_tfra() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1815a7303f..a4474b43b3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4862,6 +4862,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); From 5e7ddf0b4a697732b71cfc7e612ec0b62b75cca1 Mon Sep 17 00:00:00 2001 
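Review bot: The rewritten macros avoid the signed overflow by doing the multiply-add in `unsigned`, but the result is then cast back with `(int)` and right-shifted, which depends on the implementation-defined unsigned-to-signed conversion and on an arithmetic right shift of negative values; that is the codebase's usual assumption, but nothing in dirac_dwt.h records it. A comment above the first macro, e.g. `/* intermediate sums are computed in unsigned to avoid signed overflow; the (int) cast relies on two's-complement wrap-around, as elsewhere in the codebase */`, would document the intent. The `COMPOSE_FIDELITYi*` hunk in the later commit rewrites the neighbouring macros the same way and is covered by the same comment.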
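Review bot: The `avio_feof(f)` check runs only at the top of each iteration, so a file truncated inside the last of `index->item_count` entries is not detected: the reads return zeros, the entry is stored, and the loop exits normally with a bogus final entry. Repeating the check once after the loop with the same cleanup (`index->item_count = 0; av_freep(&index->items); return AVERROR_INVALIDDATA;`), or moving the check after the reads, closes that case. The same top-of-loop placement is used in the asfdec, cinedec, rl2 and mxfdec hunks, where it has the same effect for their last entry; the remainder of `read_tfra` is outside the hunk.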
From: Michael Niedermayer
Date: Tue, 5 Sep 2017 00:16:29 +0200
Subject: [PATCH 633/658] avformat/asfdec: Fix DoS in asf_build_simple_index()
Fixes: Missing EOF check in loop No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec_f.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 294fd345f5..2e9883b17e 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
 int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
 int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);
+ if (avio_feof(s->pb)) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
 if (pos != last_pos) {
 av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts);
From 10ae5fb2696103f46d74f069f7187883873002a6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 10 Sep 2017 01:32:50 +0200
Subject: [PATCH 634/658] avcodec/diracdec: Fix overflow in DC computation
Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit b5995856a4236c27f231210bb08d70688e045192)
Signed-off-by: Michael Niedermayer
---
 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index f92ff1b2ea..4f6de7af3d 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1343,7 +1343,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } From 4b43dd03eddeac40deabcbb3c73370a058251556 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:51 +0200 Subject: [PATCH 635/658] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index b840d179c3..5bca02342d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; From 33e67eb80cf2d67198828f9430815ef319ffae6e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 8 Sep 2017 23:29:12 +0200 Subject: [PATCH 636/658] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; From 19045efd0573b1c54d10db04c7f5426a2741bf14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:16 +0200 Subject: [PATCH 637/658] avcodec/shorten: Move buffer allocation and offset init to end of read_header() They are time consuming operations, performing them after the other checks improves the speed with damaged input dramatically. Fixes: Timeout Fixes: 2928/clusterfuzz-testcase-4992812120539136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
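Review bot: Only the `i_ict_params[1] * *src1` and `-14942 * *src1` products are moved to unsigned arithmetic; the `i_ict_params[2] * *src2` term on the following line and the `26345 * *src2` term in `i0` are the same multiply-add of a table constant by a sample value and overflow the same way for sample magnitudes like the `-188962` in the fuzzer report. For consistency within the function: `- ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);` and `i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);`. The loop header and the `src` pointer declarations are outside the hunk.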
Signed-off-by: Michael Niedermayer (cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a36a77210e..b56d205932 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -453,12 +453,6 @@ static int read_header(ShortenContext *s) } s->nwrap = FFMAX(NWRAP, maxnlpc); - if ((ret = allocate_buffers(s)) < 0) - return ret; - - if ((ret = init_offset(s)) < 0) - return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -494,6 +488,13 @@ static int read_header(ShortenContext *s) } end: + + if ((ret = allocate_buffers(s)) < 0) + return ret; + + if ((ret = init_offset(s)) < 0) + return ret; + s->cur_chan = 0; s->bitshift = 0; From 61c5c89d043896217df12455aa036ee24df49ff0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:17 +0200 Subject: [PATCH 638/658] avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index be91010378..162ca0e582 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -539,8 +539,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; 
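Review bot: `allocate_buffers` and `init_offset` now run at `end:`, after every path that reaches that label; if any `goto end` above it is taken with a negative `ret` already set, the assignment `ret = allocate_buffers(s)` overwrites that error and buffers are allocated for a header that was already rejected. If every jump to `end:` is a success path this is fine, but that is not visible in the hunk, and a comment at the label stating the invariant, e.g. `/* reached only with a valid header; allocation is done last so the cheap checks above run first */`, would make it explicit. The code between the two hunks, including all `goto end` sites, is outside the view.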
From 7333799de5fca7fe8d21424557362f5eef0b9e55 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 17 Sep 2017 02:42:11 +0200
Subject: [PATCH 639/658] avcodec/pngdec: Clean up on av_frame_ref() failure
Fixes: memleak
Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1)
Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 52b872a06a..7f0d416683 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1358,7 +1358,7 @@ static int decode_frame_png(AVCodecContext *avctx,
 }
 if ((ret = av_frame_ref(data, s->picture.f)) < 0)
- return ret;
+ goto the_end;
 *got_frame = 1;
From bfb7744aaffa551093d2e39ff9f08b6b95e05006 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 18 Sep 2017 17:03:55 +0200
Subject: [PATCH 640/658] avcodec/svq3: Fix overflow in svq3_add_idct_c()
Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int'
Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6)
Signed-off-by: Michael Niedermayer
---
 libavcodec/svq3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 5bde666936..6ef63912a2 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -272,7 +272,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const int rr = (dc + 0x80000u); dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); From b9f0979e16c02a60a9482b1c330220e89fd9cd8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:26:09 +0200 Subject: [PATCH 641/658] avcodec/ffv1dec: Fix integer overflow in read_quant_table() Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 3ddef24556..c532eb227c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -483,7 +483,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i || !len) return AVERROR_INVALIDDATA; From 743354358b314bd8f1137ce2225aa317781a07b8 Mon Sep 17 00:00:00 2001 
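Review bot: `const int rr = (dc + 0x80000u);` avoids the signed overflow by adding in unsigned, but the implicit unsigned-to-int conversion back into `rr` is implementation-defined in C11 rather than guaranteed, and the `(int)(...) >> 20` on the two following lines right-shifts a possibly negative value, which is implementation-defined as well. FFmpeg relies on two's-complement wraparound and arithmetic shifts throughout, so a short comment is enough: `/* unsigned add: wraps instead of overflowing; relies on two's complement */`. svq3_add_idct_c() starts and ends outside the hunk.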
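Review bot: After the `+ 1U`, the `!len` test on the next line is the only thing that catches `get_symbol()` returning -1 (which wraps to 0), and any other negative result becomes a large unsigned value rejected by `len > 128 - i`; neither fact is stated, and the `!len` looks redundant to a reader who assumes `len >= 1`. A comment on the changed line, `/* unsigned: a negative symbol wraps and is rejected by the check below */`, documents why both halves of the check are needed. read_quant_table() starts and ends outside the hunk.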
From: Michael Niedermayer Date: Mon, 18 Sep 2017 02:53:25 +0200 Subject: [PATCH 642/658] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int' Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67da2685e03805230207daab83ab43a390fbb887) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index adf5178714..755d5e5d2d 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From c7ad616ddaaacbcd84dd52ea0500146879357d2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:26 +0200 Subject: [PATCH 643/658] avcodec/takdec: Fix integer overflows in decode_subframe() Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int' Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
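Review bot: `(unsigned)b8` in COMPOSE_FIDELITYiL0/H0 casts only the first operand when the macro argument is itself an expression such as `x * y` or `p[i] + q[i]`, because the cast binds tighter than `*` and `+`, so for such a caller the sum is still evaluated in signed int and the overflow the commit fixes comes back. Writing `(b0+(unsigned)(b8))`, and likewise for b7, b6 and b5, costs nothing and makes the fix independent of how the macro is invoked. The context line COMPOSE_DAUB97iL1 below has the same unparenthesized shape, so fixing them together keeps the header consistent.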
Signed-off-by: Michael Niedermayer (cherry picked from commit 3dabb9c69db114b1f30c30e0a2788cffc50bac40) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index c74e952562..76814b4511 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -484,10 +484,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; From dc5240a4d797cb8c89112e248cfcab92e749a0c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:28 +0200 Subject: [PATCH 644/658] avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int' Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5eaf0b5956e492ee5023929669b1d09aaf6299) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index a3a1ebdecb..3ed9478211 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c 
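Review bot: The unsigned casts make the accumulation into `v` wrap, but the context line `v = (av_clip_intp2(v >> filter_quant, 13) ...` that follows still shifts `v` right; if `v` is declared as a signed int (its declaration is outside the hunk) that is a right shift of a possibly negative value, implementation-defined rather than undefined, and worth one comment: `/* v may be negative here; arithmetic shift assumed */`. If `v` is unsigned instead, the shift discards the sign and av_clip_intp2 sees a huge positive value, which would be a real bug, so the declaration is worth checking. decode_subframe() starts and ends outside the hunk.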
@@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > MIN_CACHE_BITS) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ @@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; From 27505de3b9fe75a749a6c3c91f66fe1bc404e51c Mon Sep 17 00:00:00 2001 
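Review bot: DECODE_CODEWORD now contains a bare `return AVERROR_INVALIDDATA;` that exits whatever function expands it, without CLOSE_READER, and nothing at the macro says so; a comment above the macro, `/* NOTE: on malformed input this returns AVERROR_INVALIDDATA from the enclosing function, which must return int */`, makes the hidden control flow visible at the next expansion site. The check `bits > MIN_CACHE_BITS` is there because SHOW_UBITS cannot deliver more than MIN_CACHE_BITS in one call; naming that in the same comment explains the otherwise arbitrary limit. The macro definition starts outside the hunk.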
From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:27 +0200 Subject: [PATCH 645/658] avcodec/takdec: Fix integer overflow in decode_lpc() Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int' Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 76814b4511..b422dd1b07 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -204,7 +204,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } From 38c1df15c6a3358a22aaf753320988a95c977ce7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Sep 2017 11:12:38 +0200 Subject: [PATCH 646/658] Update for 3.1.11 Signed-off-by: Michael Niedermayer --- Changelog | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d6c9ce1723..ff11803c9c 100644 --- a/Changelog +++ b/Changelog 
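Review bot: The context line `*coeffs += a1;` immediately above the changed line is the same signed accumulation of stream-controlled coefficients and can overflow in exactly the way the commit fixes on `coeffs[1]`; `*coeffs += (unsigned)a1;` would close that half too. Whether a fuzzer has reached it is not visible here, but the two lines are symmetric and `a1` is reloaded from `coeffs[1]` on each iteration, so the wrapped value feeds straight back in. decode_lpc() starts outside the hunk.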
@@ -1,6 +1,55 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.1.11: +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/shorten: Move buffer allocation and offset init to end of read_header() +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. 
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/rtpdec_h264: Fix heap-buffer-overflow +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- avfilter/vf_ssim: fix temp size calculation + version 3.1.10: - avcodec/diracdec: Check weight_log2denom diff --git a/RELEASE b/RELEASE index c7a249882e..efd03d130b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.1.10 +3.1.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index f750ee5495..2d5bc2c67b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.1.10 +PROJECT_NUMBER = 3.1.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 7cce800930556e691e23a092a442102bb68e0f6f Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Wed, 8 Nov 2017 23:50:04 +0000 Subject: [PATCH 647/658] vc2enc_dwt: pad the temporary buffer by the slice size Since non-Haar wavelets need to look into pixels outside the frame, we need to pad the buffer. The old factor of two seemed to be a workaround that fact and only padded to the left and bottom. This correctly pads by the slice size and as such reduces memory usage and potential exploits. Reported by Liu Bingchang. Ideally, there should be no temporary buffer but the encoder is designed to deinterleave the coefficients into the classical wavelet structure with the lower frequency values in the top left corner. Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85) --- libavcodec/vc2enc.c | 3 ++- libavcodec/vc2enc_dwt.c | 12 +++++++++--- libavcodec/vc2enc_dwt.h | 4 +++- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index bbbeaa090e..e291047538 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1193,7 +1193,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) /* DWT init */ if (ff_vc2enc_init_transforms(&s->transform_args[i].t, s->plane[i].coef_stride, - s->plane[i].dwt_height)) + s->plane[i].dwt_height, + s->slice_width, s->slice_height)) goto alloc_fail; } diff --git a/libavcodec/vc2enc_dwt.c b/libavcodec/vc2enc_dwt.c index c60b003a31..d22af8a313 100644 --- a/libavcodec/vc2enc_dwt.c +++ b/libavcodec/vc2enc_dwt.c 
@@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data, dwt_haar(t, data, stride, width, height, 1); } -av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) +av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, + int p_height, int slice_w, int slice_h) { s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR] = vc2_subband_dwt_haar; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift; - s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); + /* Pad by the slice size, only matters for non-Haar wavelets */ + s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); if (!s->buffer) return 1; + s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); + s->buffer += s->padding; + return 0; } av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) { - av_freep(&s->buffer); + av_free(s->buffer - s->padding); + s->buffer = NULL; } diff --git a/libavcodec/vc2enc_dwt.h b/libavcodec/vc2enc_dwt.h index 7fbbfbe0ed..a6932bcdaf 100644 --- a/libavcodec/vc2enc_dwt.h +++ b/libavcodec/vc2enc_dwt.h @@ -41,12 +41,14 @@ enum VC2TransformType { typedef struct VC2TransformContext { dwtcoef *buffer; + int padding; void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, dwtcoef *data, ptrdiff_t stride, int width, int height); } VC2TransformContext; -int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); +int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, + int slice_w, int slice_h); void ff_vc2enc_free_transforms(VC2TransformContext *t); #endif /* AVCODEC_VC2ENC_DWT_H */ From da113226410403a65833a6c1b83ea6977ffccdb3 Mon Sep 17 00:00:00 2001 
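Review bot: `(p_stride + slice_w)*(p_height + slice_h)` in ff_vc2enc_init_transforms is evaluated in int before av_calloc sees it, so av_calloc's nmemb*size overflow check does not cover this product, and if the caller admits dimensions large enough the product wraps to a small allocation that the padded accesses then overrun; computing it as `size_t n = ((size_t)p_stride + slice_w) * ((size_t)p_height + slice_h);` keeps the padding fix safe at the limit. ff_vc2enc_free_transforms also evaluates `s->buffer - s->padding` unconditionally, which is pointer arithmetic on NULL when init failed or was never run; `if (s->buffer) av_free(s->buffer - s->padding);` avoids that, and a comment that `buffer` points `padding` elements into the allocation would explain the subtraction. The `return 1;` on allocation failure predates this change but is still not an AVERROR code.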
From: James Almer Date: Sun, 11 Jun 2017 14:17:30 -0300 Subject: [PATCH 648/658] avformat/libssh: check the user provided a password before trying to use it Fixes ticket #6413 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 8ddb6820bd52df6ed616abc3d8be200b126aa8c1) --- libavformat/libssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libssh.c b/libavformat/libssh.c index 49e92e7516..9e3d4da45e 100644 --- a/libavformat/libssh.c +++ b/libavformat/libssh.c @@ -103,7 +103,7 @@ static av_cold int libssh_authentication(LIBSSHContext *libssh, const char *user } } - if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { + if (!authorized && password && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { if (ssh_userauth_password(libssh->session, NULL, password) == SSH_AUTH_SUCCESS) { av_log(libssh, AV_LOG_DEBUG, "Authentication successful with password.\n"); authorized = 1; From 13deb0c1f6af43c4975f12478544ef718f0a7582 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Wed, 8 Feb 2017 23:37:42 +0100 Subject: [PATCH 649/658] avdevice/iec61883: free packet on buffer allocation error Fixes Coverity CID 1396416. Signed-off-by: Marton Balint (cherry picked from commit 4556dad2b7379a527134db519ab60111abefaf10) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index c45ae9ae5c..721dca38ee 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -120,6 +120,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->buf = av_malloc(length); if (!packet->buf) { + av_free(packet); ret = -1; goto exit; } From 86d6fca94be70f23a8a27d3bc35d2fa7a914a4b9 Mon Sep 17 00:00:00 2001 
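Review bot: When `password` is NULL the password method is now skipped without any trace, so a user who gave no password to a server offering only password auth sees just whatever generic failure follows, outside the hunk. An else branch with `av_log(libssh, AV_LOG_DEBUG, "Server offers password authentication but no password was given.\n");` makes the skip visible without echoing anything sensitive. libssh_authentication() starts and ends outside the hunk.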
From: James Almer Date: Wed, 18 Apr 2018 15:19:40 -0300 Subject: [PATCH 650/658] avdevice/iec61883: return reference counted packets Fixes part of ticket #7146, dealing with leaks of packet data since commit 87c88122703f2befcf96383d05bdf14373c22df9. Signed-off-by: James Almer (cherry picked from commit b8629654c6460a28c507f816a977914e3a6f2520) --- libavdevice/iec61883.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index 721dca38ee..aeca7616df 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -118,7 +118,7 @@ static int iec61883_callback(unsigned char *data, int length, goto exit; } - packet->buf = av_malloc(length); + packet->buf = av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE); if (!packet->buf) { av_free(packet); ret = -1; @@ -127,6 +127,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->len = length; memcpy(packet->buf, data, length); + memset(packet->buf + length, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (dv->queue_first) { dv->queue_last->next = packet; @@ -200,13 +201,21 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt) size = avpriv_dv_produce_packet(dv->dv_demux, pkt, packet->buf, packet->len, -1); dv->queue_first = packet->next; + if (size < 0) + av_free(packet->buf); av_free(packet); dv->packets--; - if (size > 0) - return size; + if (size < 0) + return -1; - return -1; + if (av_packet_from_data(pkt, pkt->data, pkt->size) < 0) { + av_freep(&pkt->data); + av_packet_unref(pkt); + return -1; + } + + return size; } static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt) From ac1ddc6361f3798bb168179df8f26ffb37cc3fdc Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:32:10 -0300 Subject: [PATCH 651/658] avdevice/iec61883: free the private context at the end Fixes part of ticket #7146. 
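Review bot: `av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE)` trusts `length` from the libiec61883 callback; if it can be negative, the sum is a small size and the `memcpy(packet->buf, data, length)` below gets a huge count, and no check is visible in the hunk (the start of iec61883_callback is outside it). A guard such as `if (length <= 0) goto exit;` before the packet is allocated, with whatever `ret` the existing error path uses, closes that at no cost. Whether libiec61883 guarantees a positive length is not visible here.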
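Review bot: In iec61883_parse_queue_dv the new return path changes what a zero result from avpriv_dv_produce_packet() means: previously `size > 0` was the success test so 0 returned -1, now only `size < 0` fails and 0 flows into `av_packet_from_data(pkt, pkt->data, 0)` and is returned as a valid empty packet. If avpriv_dv_produce_packet() can return 0 (not visible here), keep the old semantics with `if (size <= 0)` on both the free and the early return. The ownership also deserves a comment, `/* on success packet->buf is now owned by pkt->data */`, since that is the only reason the buffer is freed just on failure and it is inferred from the av_packet_from_data call rather than stated.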
Signed-off-by: James Almer (cherry picked from commit 5079e96bcc7aaa9cae82a58397ce986e124028e4) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index aeca7616df..382b989fb1 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -463,6 +463,7 @@ static int iec61883_close(AVFormatContext *context) } else { iec61883_dv_fb_stop(dv->iec61883_dv); iec61883_dv_fb_close(dv->iec61883_dv); + av_freep(&dv->dv_demux); } while (dv->queue_first) { DVPacket *packet = dv->queue_first; From a9c1ef2626363fbc0987cc34e615e07052b9ba5a Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 28 Jul 2018 00:51:57 -0300 Subject: [PATCH 652/658] avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL Fixes crashes like "ffmpeg -h bsf" caused by passing NULL to strcmp() Signed-off-by: James Almer (cherry picked from commit 3258cc6507a2012d54889ce5f8efbde7e81d927d) --- libavcodec/bitstream_filters.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/bitstream_filters.c b/libavcodec/bitstream_filters.c index 840bb43e4d..462cacf02c 100644 --- a/libavcodec/bitstream_filters.c +++ b/libavcodec/bitstream_filters.c @@ -58,6 +58,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name) { int i; + if (!name) + return NULL; + for (i = 0; bitstream_filters[i]; i++) { const AVBitStreamFilter *f = bitstream_filters[i]; if (!strcmp(f->name, name)) From 7653e8db4deb063ffbbfb9c14ed60f9bb56acff0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2017 16:32:54 +0100 Subject: [PATCH 653/658] avfilter/af_silenceremove: fix possible crash if supplied duration is negative Signed-off-by: Paul B Mahol Fixes ticket #7697. (cherry picked from commit 2d1594a8d6a754a426cb53184dccf9cf8c8a94b0) --- libavfilter/af_silenceremove.c | 9 +++++++++ 1 file changed, 9 insertions(+) 
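Review bot: The NULL-tolerance just added to av_bsf_get_by_name() is a public contract but it is not stated on the function, and the doxygen in the header is outside this hunk; a comment above the check, `/* a NULL name matches nothing, e.g. "-h bsf" with no filter argument */`, plus `@return NULL if name is NULL or no filter matches` on the declaration, makes it deliberate rather than incidental. Without that, a future cleanup could read the guard as dead code.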
diff --git a/libavfilter/af_silenceremove.c b/libavfilter/af_silenceremove.c index f156d1883d..3d3651a76f 100644 --- a/libavfilter/af_silenceremove.c +++ b/libavfilter/af_silenceremove.c @@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * From f8e254716b622926d781bc4b20ee53537bd174c4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 18 Mar 2019 17:25:58 -0300 Subject: [PATCH 654/658] avcodec/hevcdec: decode at most one slice reporting being the first in the picture Fixes deadlocks when decoding packets containing more than one of the aforementioned slices when using frame threads. Tested-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660) --- libavcodec/hevc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index c1fa67f67b..de734310dc 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2792,6 +2792,10 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) } if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } ret = hevc_frame_start(s); if (ret < 0) return ret; From 6f6cd2e29df5ba0c957772a101790db22c7cab94 Mon Sep 17 00:00:00 2001 
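Review bot: The new checks log "start duration must be non-negative" and then silently proceed with the negated value, so an option typo such as `-5` is accepted and behaves as `5`, which contradicts the message; rejecting it with `return AVERROR(EINVAL);` after an AV_LOG_ERROR message matches the usual libavfilter practice for invalid options. If silent fix-up is the intent, the message should say so, e.g. "negative start duration, using its absolute value". Negating INT64_MIN would also overflow, which the rejecting form sidesteps. config_input() starts and ends outside the hunk.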
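Review bot: The new `goto fail` leaves decode_nal_unit() without assigning `ret`, so whether a second first-slice is reported as an error depends entirely on what the `fail:` label does, which is outside the hunk; if that label returns `ret`, the caller gets whatever the previous step left there. Either set `ret = AVERROR_INVALIDDATA;` before the goto, or confirm the label ignores `ret`, and note it in a comment on the goto either way. The function starts and ends outside the hunk.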
From: Mark Harris Date: Sat, 24 Nov 2018 13:02:02 -0800 Subject: [PATCH 655/658] avutil/mem: Fix invalid use of av_alloc_size The alloc_size attribute is valid only on functions that return a pointer. GCC 9 (not yet released) warns about invalid usage: ./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes] 342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); | ^~~~~~~~~~~~~ Signed-off-by: Michael Niedermayer (cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8) --- libavutil/mem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.h b/libavutil/mem.h index d25b3229b7..376fd2e07c 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -183,7 +183,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * The situation is undefined according to POSIX and may crash with * some libc implementations. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Free a memory block which has been allocated with av_malloc(z)() or From 24b4c4c5baa397b7ad39cecddec0124b15ef74ec Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 656/658] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1d83068f88..8a392c7b9a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -660,7 +660,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; From 526628058e0339971c5b520659d721e619830623 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 657/658] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 3f3e80d4a0..c1dcd0456a 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -362,7 +362,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -371,7 +370,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From 29584733e6de3e1f901761b19dccddb533461ccb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 658/658] libavcodec/libvpxenc: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 4ea932d779..542add4ceb 100644 --- a/libavcodec/libvpxenc.c 
+++ b/libavcodec/libvpxenc.c @@ -805,7 +805,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1);