From 893cf1b1ae2bc9c7987d5015a421cd2e09d06443 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sun, 26 Jun 2011 14:01:00 -0700 Subject: [PATCH 01/21] ffmpeg: fix prototypes of functions after the removal of OPT_FUNC2. (cherry picked from commit 90a40b226a5c90e48da8041294c3782de6ee61fc) --- ffmpeg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c6885d886b..a00d94ec70 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4074,13 +4074,13 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *arg) +static void opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); } -static void opt_intra_matrix(const char *arg) +static void opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); @@ -4378,7 +4378,7 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *arg) +static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; opt_default("passlogfile", arg); From 7e33a66c0e178c3576c1ba1648be4295809adca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 14:59:54 +0200 Subject: [PATCH 02/21] Fix several security issues in matroskadec.c (MSVR-11-0080). Whitespace of the patch cleaned up by Aurel Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8) --- libavformat/matroskadec.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f0fa4dab4d..0451071a57 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -826,11 +826,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, uint32_t id = syntax->id; uint64_t length; int res; + void *newelem; data = (char *)data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + if (!newelem) + return AVERROR(ENOMEM); + list->elem = newelem; data = (char*)list->elem + list->nb_elem*syntax->list_elem_size; memset(data, 0, syntax->list_elem_size); list->nb_elem++; @@ -992,7 +996,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - result = inflate(&zstream, Z_NO_FLUSH); + if (pkt_data) { + result = inflate(&zstream, Z_NO_FLUSH); + } else + result = Z_MEM_ERROR; } while (result==Z_OK && pkt_size<10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); @@ -1013,7 +1020,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - result = BZ2_bzDecompress(&bzstream); + if (pkt_data) { + result = BZ2_bzDecompress(&bzstream); + } else + result = BZ_MEM_ERROR; } while (result==BZ_OK && pkt_size<10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); 
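Review bot: In matroska_decode_buffer the inflate loop still assigns the av_realloc() result straight to `pkt_data`, so when the allocation fails the previous buffer is no longer reachable and leaks, and `zstream.next_out = pkt_data + zstream.total_out` is computed from a NULL pointer before the new `if (pkt_data)` test runs. Going through a temporary, as the ebml_parse_elem hunk of this same patch does with `newelem`, keeps the old block available to the error path: `void *tmp = av_realloc(pkt_data, pkt_size);` `if (!tmp) { result = Z_MEM_ERROR; break; }` `pkt_data = tmp;`. The BZ2 loop in the next hunk has the same shape and needs the same change with `BZ_MEM_ERROR`. The cleanup after both loops is outside these hunks, so confirm that it frees `pkt_data` when `result` reports an error.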
@@ -1066,13 +1076,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska, } } -static void matroska_merge_packets(AVPacket *out, AVPacket *in) +static int matroska_merge_packets(AVPacket *out, AVPacket *in) { - out->data = av_realloc(out->data, out->size+in->size); + void *newdata = av_realloc(out->data, out->size+in->size); + if (!newdata) + return AVERROR(ENOMEM); + out->data = newdata; memcpy(out->data+out->size, in->data, in->size); out->size += in->size; av_destruct_packet(in); av_free(in); + return 0; } static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, @@ -1626,11 +1640,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); av_free(matroska->packets[0]); if (matroska->num_packets > 1) { + void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], (matroska->num_packets - 1) * sizeof(AVPacket *)); - matroska->packets = - av_realloc(matroska->packets, (matroska->num_packets - 1) * - sizeof(AVPacket *)); + newpackets = av_realloc(matroska->packets, + (matroska->num_packets - 1) * sizeof(AVPacket *)); + if (newpackets) + matroska->packets = newpackets; } else { av_freep(&matroska->packets); } From 2ff36ef521a551b99ea69dda0aa82dc9fa49a131 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 18:32:26 +0200 Subject: [PATCH 03/21] ffmpeg: fix passlogfile regression Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index a00d94ec70..18ee782344 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4381,7 +4381,9 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; +#if CONFIG_LIBX264_ENCODER opt_default("passlogfile", arg); +#endif } static const OptionDef options[] = { From a0352d01e95ed084e777d0c259bad1f4cee4f402 Mon Sep 17 00:00:00 2001 
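Review bot: matroska_merge_packets now returns AVERROR(ENOMEM), but on that path `in` is neither destructed nor freed, and no call site is touched by this patch (the visible hunks account for all 24 insertions and 8 deletions in the diffstat), so the caller presumably still ignores the result. The caller should check the return value, and the function should say who owns `in` on failure, for example with a header comment `/* consumes and frees in on success; on error both packets are left untouched */`. The sum `out->size+in->size` is also passed to av_realloc() without an overflow check.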
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 17 Jul 2011 13:03:57 +0200 Subject: [PATCH 04/21] Bink: clip AC coefficients during dequantization. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes artefacts with Neverwinter Nights WOTCLogo.bik (http://drmccoy.de/zeugs/WOTCLogo.bik). Fixes trac ticket #352. Signed-off-by: Reimar Döffinger (cherry picked from commit 47b71eea099b3fe2c7e16644878ad9b7067974e3) --- libavcodec/bink.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ef07747dbc..4328a43525 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -571,6 +571,22 @@ static inline int binkb_get_value(BinkContext *c, int bundle_num) return ret; } +static inline DCTELEM dequant(DCTELEM in, uint32_t quant, int dc) +{ + /* Note: multiplication is unsigned but we want signed shift + * otherwise clipping breaks. + * TODO: The official decoder does not use clipping at all + * but instead uses the full 32-bit result. + * However clipping at least gets rid of the case that a + * half-black half-white intra block gets black and white swapped + * and should cause at most minor differences (except for DC). */ + int32_t res = in * quant; + res >>= 11; + if (!dc) + res = av_clip_int16(res); + return res; +} + /** * Read 8x8 block of DCT coefficients. * @@ -669,10 +685,10 @@ static int read_dct_coeffs(GetBitContext *gb, DCTELEM block[64], const uint8_t * quant = quant_matrices[quant_idx]; - block[0] = (block[0] * quant[0]) >> 11; + block[0] = dequant(block[0], quant[0], 1); for (i = 0; i < coef_count; i++) { int idx = coef_idx[i]; - block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11; + block[scan[idx]] = dequant(block[scan[idx]], quant[idx], 0); } return 0; From 08ddfb77a1aff378345026ba49fea9fb93ff1e70 Mon Sep 17 00:00:00 2001 
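Review bot: dequant() in libavcodec/bink.c depends on two implementation-defined steps that its comment only hints at: the unsigned product `in * quant` is converted to `int32_t`, and `res >>= 11` has to be an arithmetic shift for negative values. On the DC path (`dc` non-zero) `res` is returned without clipping and is narrowed to DCTELEM on return; DCTELEM's width is not visible in this hunk, so confirm that the truncation is intended. A line documenting the parameter would help, e.g. `/* dc: non-zero for the DC coefficient, which is left unclipped */`.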
From: Carl Eugen Hoyos Date: Thu, 4 Aug 2011 11:06:43 +0200 Subject: [PATCH 05/21] Fix possible crash when decoding mpeg streams. This reverts 2cf8355f98681bdd726b739008acd5483f82f8d7, fixes ticket 329. --- ffmpeg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 18ee782344..c6374df949 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -343,6 +343,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; } AVInputFile; #if HAVE_TERMIOS_H @@ -2045,7 +2046,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2731,7 +2732,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3468,6 +3469,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; top_field_first = -1; video_channel = 0; From 91d5da9321c52e8197fb14046ebb335f3e6ff4a0 Mon Sep 17 00:00:00 2001 
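Review bot: The new `int nb_streams;` member of AVInputFile is the only field in the visible part of the struct without a comment, and its meaning differs from `ctx->nb_streams`: it is a snapshot taken in opt_input_file. A comment such as `int nb_streams; /* stream count when the file was opened; ctx->nb_streams may grow later */` would keep a later cleanup from switching the bounds checks in transcode() back. The packet test `pkt.stream_index >= input_files[file_index].nb_streams` also does not reject a negative index before it is added to `ist_index`; whether a demuxer can produce one is not visible here.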
From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:28:36 +0200 Subject: [PATCH 06/21] cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c6ccb06524..6e83a7d381 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -115,7 +115,8 @@ static inline int get_ue_code(GetBitContext *gb, int order) { static int decode_residual_block(AVSContext *h, GetBitContext *gb, const struct dec_2dvlc *r, int esc_golomb_order, int qp, uint8_t *dst, int stride) { - int i, level_code, esc_code, level, run, mask; + int i, esc_code, level, mask; + unsigned int level_code, run; DCTELEM level_buf[65]; uint8_t run_buf[65]; DCTELEM *block = h->block; From d1bc77d86c5c8b013b371c1bf027f7583aef07b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:48:30 +0200 Subject: [PATCH 07/21] 0.8.2 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index dbadd98d15..0f7de822f6 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.1 +PROJECT_NUMBER = 0.8.2 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 6f4eebdf6f..100435be13 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.1 +0.8.2 diff --git a/VERSION b/VERSION index 6f4eebdf6f..100435be13 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.1 +0.8.2 From f20f79307b837407ea2bdfe08515d45ce96898c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2011 11:00:47 +0200 Subject: [PATCH 08/21] libavfilter: fix --enable-small 
Signed-off-by: Michael Niedermayer (cherry picked from commit 633aa01f728b3f67b420e9e34ef21a995578d613) --- libavfilter/vf_lut.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index c457972474..c72e6374df 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c @@ -345,8 +345,8 @@ static void draw_slice(AVFilterLink *inlink, int y, int h, int slice_dir) #define DEFINE_LUT_FILTER(name_, description_, init_) \ AVFilter avfilter_vf_##name_ = { \ - .name = NULL_IF_CONFIG_SMALL(#name_), \ - .description = description_, \ + .name = #name_, \ + .description = NULL_IF_CONFIG_SMALL(description_), \ .priv_size = sizeof(LutContext), \ \ .init = init_, \ From 6a57021cf96dc548b6cc2c97dedb8958225d58e3 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 16 Aug 2011 23:31:09 +0200 Subject: [PATCH 09/21] Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72) --- ffplay.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffplay.c b/ffplay.c index 8788771491..6eefee6e00 100644 --- a/ffplay.c +++ b/ffplay.c @@ -1779,8 +1779,10 @@ static int video_thread(void *arg) if (ret < 0) goto the_end; +#if CONFIG_AVFILTER if (!picref) continue; +#endif pts = pts_int*av_q2d(is->video_st->time_base); From 00c5cf4beb0e45e936544a5766b56e241ae03234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2011 03:35:50 +0200 Subject: [PATCH 10/21] jpegdec: actually search for and parse RSTn Fixes decoding of MJPEG files produced by some UVC Logitec web cameras, such as "Notebook Pro" and "HD C910". References: http://trac.videolan.org/vlc/ticket/4215 http://ffmpeg.org/trac/ffmpeg/ticket/267 Signed-off-by: Michael Niedermayer Reviewed-by: Kostya (cherry picked from commit 8c0fa61a9713a1306fca7997dd04d72ea1f060ea) --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 391d58de6b..3f6b1f111e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -879,9 +879,12 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } - if (s->restart_interval && !--s->restart_count) { + if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + --s->restart_count; align_get_bits(&s->gb); - skip_bits(&s->gb, 16); /* skip RSTn */ + while(show_bits(&s->gb, 8) == 0xFF) + skip_bits(&s->gb, 8); + skip_bits(&s->gb, 8); for (i=0; ilast_dc[i] = 1024; } From bd968d260aef322fb32e254a3de0d2036c57bd56 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 10 Aug 2011 18:52:11 +0100 Subject: [PATCH 11/21] cavs: fix some crashes with invalid bitstreams This removes all valgrind-reported invalid writes with one specific test file. Fixes http://www.ocert.org/advisories/ocert-2011-002.html Signed-off-by: Mans Rullgard (cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78) --- libavcodec/cavsdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index a9e4d37c2a..35c37d0768 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, r++; mask = -(level_code & 1); level = (level^mask) - mask; - } else { + } else if (level_code >= 0) { level = r->rltab[level_code][0]; if(!level) //end of block signal break; run = r->rltab[level_code][1]; r += r->rltab[level_code][2]; + } else { + break; } level_buf[i] = level; run_buf[i] = run; @@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) { static int decode_mb_i(AVSContext *h, int cbp_code) { GetBitContext *gb = &h->s.gb; - int block, pred_mode_uv; + unsigned pred_mode_uv; + int block; uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; 
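Review bot: In mjpeg_decode_scan the new `while(show_bits(&s->gb, 8) == 0xFF) skip_bits(&s->gb, 8);` loop and the `skip_bits(&s->gb, 8)` after it advance the reader on input data alone, with no test of how many bits remain in the scan. Termination on a buffer that ends in a run of 0xFF bytes then depends on the bit reader's padding and bounds behaviour, which this hunk does not show. Putting the bound in the loop condition makes it explicit, for instance `while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)`. The same loop is kept by patches 15 and 16 later in this series.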
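Review bot: The added `else if (level_code >= 0)` guard in decode_residual_block (cavsdec.c) only has an effect while `level_code` is a signed int. Patch 06 of this series redeclares it as `unsigned int level_code, run;`, and if both changes land in the same tree the test is always true and the new `else { break; }` branch is dead code. One of the two approaches should be kept, with a comment at the `r->rltab[level_code]` index naming the bound that protects it. The upper bound presumably comes from the escape test in the first branch, whose condition is outside this hunk.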
@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) { if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) { skip_bits_long(gb,24+align); h->stc = get_bits(gb,8); + if (h->stc >= h->mb_height) + return 0; decode_slice_header(h,gb); return 1; } @@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, buf_end = buf + buf_size; for(;;) { buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc); - if(stc & 0xFFFFFE00) + if((stc & 0xFFFFFE00) || buf_ptr == buf_end) return FFMAX(0, buf_ptr - buf - s->parse_context.last_index); input_size = (buf_end - buf_ptr)*8; switch(stc) { From b37131f798941af1eb88e2d550203bdebb8b4324 Mon Sep 17 00:00:00 2001 From: Pino Toscano Date: Fri, 12 Aug 2011 14:11:21 +0200 Subject: [PATCH 12/21] configure: add missing CFLAGS to fix building on the HURD Signed-off-by: Reinhard Tartler Signed-off-by: Luca Barbato (cherry picked from commit f60d13663742d1c695680ede83c4d646bc57d380) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 5e40e083a0..b6e2ff964b 100755 --- a/configure +++ b/configure @@ -2504,6 +2504,7 @@ case $target_os in add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE ;; gnu) + add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 ;; qnx) add_cppflags -D_QNX_SOURCE From 1de90fd3758a71c5ff012e9288de07aa1b2915e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2011 18:00:31 +0200 Subject: [PATCH 13/21] mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7e1f1509e6a84bd7873586a66de1ee43c8ef88) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index f079557759..5a15bc4a44 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
@@ -681,7 +681,7 @@ frame_end: int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3); int startcode_found=0; - if(buf_size - current_pos > 5){ + if(buf_size - current_pos > 7){ int i; for(i=current_pos; i Date: Tue, 6 Sep 2011 04:09:43 +0200 Subject: [PATCH 14/21] mpeg4: fix another packed divx issue. Fixes getting_stuck.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 6dbac85f8d20c77283e3d01f42a7c2154bbf976d) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 5a15bc4a44..e142c339c5 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -380,7 +380,7 @@ uint64_t time= rdtsc(); retry: - if(s->divx_packed && s->xvid_build>=0 && s->bitstream_buffer_size){ + if(s->divx_packed && s->bitstream_buffer_size){ int i; for(i=0; i Date: Thu, 1 Sep 2011 23:43:56 +0200 Subject: [PATCH 15/21] jpegdec: better rst skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer (cherry picked from commit 94c2478d90c1b8c007591b8daba13e65d393d2e8) --- libavcodec/mjpegdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5c6d84a07d..cb5bc2387f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -881,14 +881,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } + if (s->restart_interval) --s->restart_count; if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ - --s->restart_count; + int pos= get_bits_count(&s->gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) skip_bits(&s->gb, 8); - skip_bits(&s->gb, 8); - for (i=0; ilast_dc[i] = 1024; + if((get_bits(&s->gb, 8)&0xF8) == 0xD0){ + for (i=0; ilast_dc[i] = 1024; + }else{ + skip_bits_long(&s->gb, pos - get_bits_count(&s->gb)); + } } } } From eb975b1c8bfc0d881479a5ba5c4ace4122191687 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 6 Sep 2011 18:20:34 +0200 Subject: [PATCH 16/21] mjpegdec; even better RSTn skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer (cherry picked from commit be7eed72c89368de70dbf8749eca1dac7443e51a) --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cb5bc2387f..e64ea5cd68 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -882,7 +882,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } if (s->restart_interval) --s->restart_count; - if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + i= 8+((-get_bits_count(&s->gb))&7); + if (s->restart_interval && show_bits(&s->gb, i) == (1<gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) From 7d704f5127c8163a04026e3f53d082505c92c851 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 29 Jun 2011 12:38:46 -0400 Subject: [PATCH 17/21] Make all option parsing functions match the function pointer type through which they are called. All option parsing functions now match the function pointer signature through which they are called (int f(const char *, const char *), thereby working reliably on all platforms. Prefix all option processing functions with opt_ --- cmdutils.c | 24 ++++++++++++++++-------- cmdutils.h | 26 +++++++++++++++++--------- cmdutils_common_opts.h | 24 ++++++++++++------------ ffmpeg.c | 17 +++++++++++------ ffplay.c | 5 +++-- ffprobe.c | 3 ++- ffserver.c | 3 ++- 7 files changed, 63 insertions(+), 39 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index cd6d13346d..62fe6e96ab 100644 --- a/cmdutils.c +++ b/cmdutils.c 
@@ -574,12 +574,13 @@ void show_banner(void) print_all_libs_info(stderr, INDENT|SHOW_VERSION); } -void show_version(void) { +int opt_version(const char *opt, const char *arg) { printf("%s " FFMPEG_VERSION "\n", program_name); print_all_libs_info(stdout, SHOW_VERSION); + return 0; } -void show_license(void) +int opt_license(const char *opt, const char *arg) { printf( #if CONFIG_NONFREE @@ -646,9 +647,10 @@ void show_license(void) program_name, program_name, program_name #endif ); + return 0; } -void show_formats(void) +int opt_formats(const char *opt, const char *arg) { AVInputFormat *ifmt=NULL; AVOutputFormat *ofmt=NULL; @@ -695,9 +697,10 @@ void show_formats(void) name, long_name ? long_name:" "); } + return 0; } -void show_codecs(void) +int opt_codecs(const char *opt, const char *arg) { AVCodec *p=NULL, *p2; const char *last_name; @@ -771,9 +774,10 @@ void show_codecs(void) "even though both encoding and decoding are supported. For example, the h263\n" "decoder corresponds to the h263 and h263p encoders, for file formats it is even\n" "worse.\n"); + return 0; } -void show_bsfs(void) +int opt_bsfs(const char *opt, const char *arg) { AVBitStreamFilter *bsf=NULL; @@ -781,9 +785,10 @@ void show_bsfs(void) while((bsf = av_bitstream_filter_next(bsf))) printf("%s\n", bsf->name); printf("\n"); + return 0; } -void show_protocols(void) +int opt_protocols(const char *opt, const char *arg) { URLProtocol *up=NULL; @@ -799,9 +804,10 @@ void show_protocols(void) up->url_write ? 'O' : '.', up->url_seek ? 'S' : '.', up->name); + return 0; } -void show_filters(void) +int opt_filters(const char *opt, const char *arg) { AVFilter av_unused(**filter) = NULL; @@ -810,9 +816,10 @@ void show_filters(void) while ((filter = av_filter_next(filter)) && *filter) printf("%-16s %s\n", (*filter)->name, (*filter)->description); #endif + return 0; } -void show_pix_fmts(void) +int opt_pix_fmts(const char *opt, const char *arg) { enum PixelFormat pix_fmt; 
@@ -843,6 +850,7 @@ void show_pix_fmts(void) pix_desc->nb_components, av_get_bits_per_pixel(pix_desc)); } + return 0; } int read_yesno(void) diff --git a/cmdutils.h b/cmdutils.h index e001ab9201..b05828cd0a 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -62,7 +62,7 @@ void uninit_opts(void); /** * Trivial log callback. - * Only suitable for show_help and similar since it lacks prefix handling. + * Only suitable for opt_help and similar since it lacks prefix handling. */ void log_callback_help(void* ptr, int level, const char* fmt, va_list vl); 
@@ -177,50 +177,58 @@ void show_banner(void); * Print the version of the program to stdout. The version message * depends on the current versions of the repository and of the libav* * libraries. + * This option processing function does not utilize the arguments. */ -void show_version(void); +int opt_version(const char *opt, const char *arg); /** * Print the license of the program to stdout. The license depends on * the license of the libraries compiled into the program. + * This option processing function does not utilize the arguments. */ -void show_license(void); +int opt_license(const char *opt, const char *arg); /** * Print a listing containing all the formats supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_formats(void); +int opt_formats(const char *opt, const char *arg); /** * Print a listing containing all the codecs supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_codecs(void); +int opt_codecs(const char *opt, const char *arg); /** * Print a listing containing all the filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_filters(void); +int opt_filters(const char *opt, const char *arg); /** * Print a listing containing all the bit stream filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_bsfs(void); +int opt_bsfs(const char *opt, const char *arg); /** * Print a listing containing all the protocols supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_protocols(void); +int opt_protocols(const char *opt, const char *arg); /** * Print a listing containing all the pixel formats supported by the * program. + * This option processing function does not utilize the arguments. 
*/ -void show_pix_fmts(void); +int opt_pix_fmts(const char *opt, const char *arg); /** * Return a positive value if a line read from standard input diff --git a/cmdutils_common_opts.h b/cmdutils_common_opts.h index 9b5e5d22cd..8e680490fe 100644 --- a/cmdutils_common_opts.h +++ b/cmdutils_common_opts.h 
@@ -1,13 +1,13 @@
- { "L", OPT_EXIT, {(void*)show_license}, "show license" },
- { "h", OPT_EXIT, {(void*)show_help}, "show help" },
- { "?", OPT_EXIT, {(void*)show_help}, "show help" },
- { "help", OPT_EXIT, {(void*)show_help}, "show help" },
- { "-help", OPT_EXIT, {(void*)show_help}, "show help" },
- { "version", OPT_EXIT, {(void*)show_version}, "show version" },
- { "formats" , OPT_EXIT, {(void*)show_formats }, "show available formats" },
- { "codecs" , OPT_EXIT, {(void*)show_codecs }, "show available codecs" },
- { "bsfs" , OPT_EXIT, {(void*)show_bsfs }, "show available bit stream filters" },
- { "protocols", OPT_EXIT, {(void*)show_protocols}, "show available protocols" },
- { "filters", OPT_EXIT, {(void*)show_filters }, "show available filters" },
- { "pix_fmts" , OPT_EXIT, {(void*)show_pix_fmts }, "show available pixel formats" },
+ { "L", OPT_EXIT, {(void*)opt_license}, "show license" },
+ { "h", OPT_EXIT, {(void*)opt_help}, "show help" },
+ { "?", OPT_EXIT, {(void*)opt_help}, "show help" },
+ { "help", OPT_EXIT, {(void*)opt_help}, "show help" },
+ { "-help", OPT_EXIT, {(void*)opt_help}, "show help" },
+ { "version", OPT_EXIT, {(void*)opt_version}, "show version" },
+ { "formats" , OPT_EXIT, {(void*)opt_formats }, "show available formats" },
+ { "codecs" , OPT_EXIT, {(void*)opt_codecs }, "show available codecs" },
+ { "bsfs" , OPT_EXIT, {(void*)opt_bsfs }, "show available bit stream filters" },
+ { "protocols", OPT_EXIT, {(void*)opt_protocols}, "show available protocols" },
+ { "filters", OPT_EXIT, {(void*)opt_filters }, "show available filters" },
+ { "pix_fmts" , OPT_EXIT, {(void*)opt_pix_fmts }, "show available pixel formats" },
 { "loglevel", HAS_ARG, {(void*)opt_loglevel}, "set libav* logging level", "loglevel" },
diff --git a/ffmpeg.c b/ffmpeg.c
index c6374df949..ab5eb573a4 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2945,7 +2945,7 @@ static int opt_frame_pix_fmt(const char *opt, const char *arg) return AVERROR(EINVAL); } } else { - show_pix_fmts(); + opt_pix_fmts(NULL, NULL); ffmpeg_exit(0); } return 0; @@ -4076,16 +4076,18 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *opt, const char *arg) +static int opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); + return 0; } -static void opt_intra_matrix(const char *opt, const char *arg) +static int opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); + return 0; } static void show_usage(void) @@ -4095,7 +4097,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { AVCodec *c; AVOutputFormat *oformat = NULL; @@ -4150,6 +4152,7 @@ static void show_help(void) } av_opt_show2(sws_opts, NULL, AV_OPT_FLAG_ENCODING_PARAM|AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static int opt_target(const char *opt, const char *arg) @@ -4380,11 +4383,13 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *opt, const char *arg) +static int opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; #if CONFIG_LIBX264_ENCODER - opt_default("passlogfile", arg); + return opt_default("passlogfile", arg); +#else + return 0; #endif } diff --git a/ffplay.c b/ffplay.c index 6eefee6e00..6ac8f34fa0 100644 --- a/ffplay.c +++ b/ffplay.c @@ -212,7 +212,7 @@ typedef struct VideoState { int refresh; } VideoState; -static void show_help(void); +static int opt_help(const char *opt, const char *arg); /* options specified by the user */ static AVInputFormat *file_iformat; 
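Review bot: opt_inter_matrix and opt_intra_matrix in ffmpeg.c now return int but always return 0, while the `av_mallocz(sizeof(uint16_t) * 64)` result is handed to parse_matrix_coeffs() unchecked; that helper takes it as `uint16_t *dest` and presumably writes through it. With the new return type the failure can be reported: add `if (!inter_matrix) return AVERROR(ENOMEM);` after the allocation, and the same for `intra_matrix`. Giving either option twice also overwrites the previous pointer without freeing it.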
@@ -2952,7 +2952,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -2984,6 +2984,7 @@ static void show_help(void) "down/up seek backward/forward 1 minute\n" "mouse click seek to percentage in file corresponding to fraction of width\n" ); + return 0; } /* Called from the main */ diff --git a/ffprobe.c b/ffprobe.c index a2b27c3745..fdcdf70273 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -353,7 +353,7 @@ static int opt_input_file(const char *opt, const char *arg) return 0; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -361,6 +361,7 @@ static void show_help(void) printf("\n"); av_opt_show2(avformat_opts, NULL, AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static void opt_pretty(void) diff --git a/ffserver.c b/ffserver.c index 15ea00f4f8..83dd986dc2 100644 --- a/ffserver.c +++ b/ffserver.c @@ -4654,12 +4654,13 @@ static void opt_debug(void) logfilename[0] = '-'; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { printf("usage: ffserver [options]\n" "Hyper fast multi format Audio/Video streaming server\n"); printf("\n"); show_help_options(options, "Main options:\n", 0, 0); + return 0; } static const OptionDef options[] = { From f5978250524f03364c4c67f14dab86db66f7a908 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2011 21:24:13 +0200 Subject: [PATCH 18/21] Fix memory corruption in case of memory allocation failure in av_probe_input_buffer() Reported-by: Tanami Ohad Signed-off-by: Michael Niedermayer (cherry picked from commit 941bb552c6e08b40eb7d7842df19285cd650edd0) --- libavformat/utils.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 955aaa72a2..52b2ae95bf 100644 --- a/libavformat/utils.c 
+++ b/libavformat/utils.c @@ -524,13 +524,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; + void *buftmp; if (probe_size < offset) { continue; } /* read probe data */ - buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + if(!buftmp){ + av_free(buf); + return AVERROR(ENOMEM); + } + buf=buftmp; if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { From 8af11e51f22705f37818f0aaded8bbd24dd34aac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2011 01:49:55 +0200 Subject: [PATCH 19/21] vf_scale: apply the same transform to the aspect during init that is applied per frame Signed-off-by: Michael Niedermayer (cherry picked from commit c8868f28e357e7e6ffe3254d0056b3e8033fe8e5) --- libavfilter/vf_scale.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index e172a2e586..ba8f9e1e82 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -232,6 +232,11 @@ static int config_props(AVFilterLink *outlink) if (!scale->sws) return AVERROR(EINVAL); + if (inlink->sample_aspect_ratio.num){ + outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio); + } else + outlink->sample_aspect_ratio = inlink->sample_aspect_ratio; + return 0; fail: From b6187e48db484f9fe8437457bcb382c331baf8c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 17:29:51 +0200 Subject: [PATCH 20/21] cavsdec: avoid possible crash with crafted input 
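Review bot: In config_props of vf_scale.c the products `outlink->h * inlink->w` and `outlink->w * inlink->h` are formed in plain int before they are stored in the AVRational, so large frame dimensions can overflow, which is undefined behaviour for signed int. Whether the dimensions are bounded earlier in config_props is not visible in this hunk. Reducing the fraction from 64-bit products first, for example with av_reduce(), keeps the values in int range before av_mul_q() is applied.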
Signed-off-by: Michael Niedermayer (cherry picked from commit 9f06c1c61e876e930753da200bfe835817e30a53) --- libavcodec/cavsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 222355ea5e..906afdb668 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -166,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) { /* get coded block pattern */ int cbp= get_ue_golomb(&h->s.gb); - if(cbp > 63){ + if(cbp > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n"); return -1; } @@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) { /* get coded block pattern */ if(h->pic_type == AV_PICTURE_TYPE_I) cbp_code = get_ue_golomb(gb); - if(cbp_code > 63){ + if(cbp_code > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n"); return -1; } From c2a2ad133eb9d42361804a568dee336992349a5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 14:12:42 +0200 Subject: [PATCH 21/21] rtp: Fix integer underflow that could allow remote code execution. Fixes MSVR-11-0088 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit ba9a7e0d71bd34f8b89ae99322b62a310be163a6) --- libavformat/rtpdec_asf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 4f776453d7..384aeb24f3 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int prev_len = out_len; out_len += cur_len; asf->buf = av_realloc(asf->buf, out_len); + if(!asf->buf || FFMIN(cur_len, len - off)<0) + return -1; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len);
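Review bot: The bounds tests `if(cbp > 63U)` in decode_residual_inter and `if(cbp_code > 63U)` in decode_mb_i reject negative values only through the implicit int-to-unsigned conversion that the `U` suffix triggers, which a later cleanup could easily undo. Spell the range out, `if (cbp < 0 || cbp > 63)`, or keep the form and add a comment such as `/* unsigned compare also rejects a negative cbp */` on both lines.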
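Review bot: In asfrtp_parse_packet (rtpdec_asf.c) the new length check runs after `out_len += cur_len` and after av_realloc() has already been called with that size, so a negative `cur_len` or `len - off` still shapes the allocation before it is rejected. Validate the copy length first, `int n = FFMIN(cur_len, len - off);` `if (n < 0) return -1;` ahead of `out_len += cur_len;`, and reuse `n` in the memcpy. Assigning the av_realloc() result directly to `asf->buf` also loses the old block when the call fails, so the resize should go through a temporary. The function starts and ends outside the hunk, so whether `asf->buf` is released on the `return -1` path cannot be seen here.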