From b00fc80d406fef0acd54619a7c82e2a31e00c06c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 02:29:11 +0200 Subject: [PATCH 001/290] update version numbers for 0.8.4 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index eca888d1d8..4f45f3417e 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.3 +PROJECT_NUMBER = 0.8.4 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index ee94dd834b..b60d71966a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.3 +0.8.4 diff --git a/VERSION b/VERSION index ee94dd834b..b60d71966a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.3 +0.8.4 From 47be9f5bd50e9c388adca6f8991cde7b4612db56 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 26 Jun 2011 15:52:00 -0700 Subject: [PATCH 002/290] swscale: don't use planar output functions to write to NV12/21. This prevents a crash when converting to NV12/21 without the bitexact flags enabled. (cherry picked from commit 0d994b2f45c08794899057ee7ca54f48218c0a53) Signed-off-by: Anton Khirnov --- libswscale/x86/swscale_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 8fad257ddf..dc92cddff5 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c 
@@ -2203,7 +2203,8 @@ static av_cold void RENAME(sws_init_swScale)(SwsContext *c) enum PixelFormat srcFormat = c->srcFormat, dstFormat = c->dstFormat; - if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat)) { + if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat) && + dstFormat != PIX_FMT_NV12 && dstFormat != PIX_FMT_NV21) { if (!(c->flags & SWS_BITEXACT)) { if (c->flags & SWS_ACCURATE_RND) { c->yuv2yuv1 = RENAME(yuv2yuv1_ar ); From 8ad1f0852b26468cb681ad49be83e2bc25d07934 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Mon, 4 Jul 2011 06:05:34 -0700 Subject: [PATCH 003/290] H.264: fix overreads of qscale_table filter_mb_fast assumed that qscale_table was padded like many of the other tables. (cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.c | 5 +++-- libavcodec/mpegvideo.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 4978d28b49..ceed41f230 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -285,9 +285,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){ } FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check - FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t) , fail) + FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t) , fail) FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail) pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1; + pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1; if(s->out_format == FMT_H264){ for(i=0; i<2; i++){ FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4) * sizeof(int16_t), fail) 
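Review bot: The NV12/NV21 carve-out added to the condition in sws_init_swScale has no explanation at the line, so a later reader cannot tell why two specific formats are excluded from the planar writers; the reason is only in the commit message. Suggest a comment above the `if`: `/* NV12/NV21 have interleaved chroma: the planar yuv2yuv1 writers cannot be used for them (this crashed) */`. The condition gates only the non-bitexact branch, and the commit message indicates the SWS_BITEXACT path is unaffected; the body of sws_init_swScale continues outside the hunk.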
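Review bot: The new qscale_table_base allocation sizes its elements with `sizeof(uint8_t)` while the field added in mpegvideo.h by this same commit is declared `int8_t *`; the sizes coincide today, but tying the allocation to the declared type avoids a silent mismatch if either side changes: `FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base, (big_mb_num + s->mb_stride) * sizeof(*pic->qscale_table_base), fail)`. The `2*s->mb_stride + 1` offset into the padded table mirrors mb_type and deserves a comment, e.g. `// same padding and offset as mb_type_base, so readers such as filter_mb_fast may touch one MB row/column outside the picture`. ff_alloc_picture continues outside the hunk.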
@@ -339,7 +340,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){ av_freep(&pic->mc_mb_var); av_freep(&pic->mb_mean); av_freep(&pic->mbskip_table); - av_freep(&pic->qscale_table); + av_freep(&pic->qscale_table_base); av_freep(&pic->mb_type_base); av_freep(&pic->dct_coeff); av_freep(&pic->pan_scan); diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 6ce7faa235..f37977c941 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -88,6 +88,7 @@ typedef struct Picture{ * halfpel luma planes. */ uint8_t *interpolated[3]; + int8_t *qscale_table_base; int16_t (*motion_val_base[2])[2]; uint32_t *mb_type_base; #define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type From 06318968853ff8c628bbc75fb126483c08f22fd9 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 4 Jul 2011 09:55:19 -0700 Subject: [PATCH 004/290] dca: set AVCodecContext frame_size for DTS audio Set the frame size when decoding DTS audio. This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields. Since frame_size is not currently set, the duration of a frame is being guessed based on the streams bitrate. But for DTS-HD, the bitrate currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly inaccurate frame duration estimate. Signed-off-by: Ronald S. Bultje (cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02) Signed-off-by: Anton Khirnov --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index a9b2c9b0c9..fad6bce7a9 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1650,6 +1650,7 @@ static int dca_decode_frame(AVCodecContext * avctx, //set AVCodec values with parsed data avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + avctx->frame_size = s->sample_blocks * 32; s->profile = FF_PROFILE_DTS; 
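Review bot: After `av_freep(&pic->qscale_table_base)` the derived pointer `pic->qscale_table` (set to base + 2*s->mb_stride + 1 in ff_alloc_picture) still holds its old value, so any later access through it is a use-after-free rather than a NULL dereference; add `pic->qscale_table = NULL;` next to the freep. The same situation already exists for mb_type after `av_freep(&pic->mb_type_base)`, so clearing both derived pointers here would be consistent. free_picture continues outside the hunk.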
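Review bot: `s->sample_blocks * 32` uses a bare magic number; the factor is the number of PCM samples per DTS sample block and should be named or commented so the derivation of frame_size is checkable: `avctx->frame_size = s->sample_blocks * 32; /* 32 PCM samples per sample block */`. sample_blocks is parsed from the stream header outside this hunk; if it is not range-checked there, frame_size inherits whatever the bitstream says, which matters since the commit message notes frame_size now feeds timestamp computation. dca_decode_frame continues outside the hunk.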
From 776603b650485f4f2d45f383b772ac5a4f03ebfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 4 Jul 2011 10:19:46 +0200 Subject: [PATCH 005/290] mxfenc: fix ignored drop flag in binary timecode representation. Signed-off-by: Ronald S. Bultje (cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087) Signed-off-by: Anton Khirnov --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index c448e14b00..387263e1a1 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1539,7 +1539,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0 static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps) { return (0 << 31) | // color frame flag - (0 << 30) | // drop frame flag + (drop << 30) | // drop frame flag ( ((frame % fps) / 10) << 28) | // tens of frames ( ((frame % fps) % 10) << 24) | // units of frames (0 << 23) | // field phase (NTSC), b0 (PAL) From 15355f9af2a415bbfbffdace04a4341c8af050e7 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 5 Jul 2011 18:29:35 +0100 Subject: [PATCH 006/290] ARM: workaround for bug in GNU assembler Some versions of the GNU assembler do not handle 64-bit immediate operands containing arithmetic. Writing the value out in full works correctly. Signed-off-by: Mans Rullgard (cherry picked from commit fce1e43410bdc032c4cf2b1c66166a9ed99cc8f1) Signed-off-by: Anton Khirnov --- libavcodec/arm/fft_fixed_neon.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/arm/fft_fixed_neon.S b/libavcodec/arm/fft_fixed_neon.S index 14884d3736..63d8159359 100644 --- a/libavcodec/arm/fft_fixed_neon.S +++ b/libavcodec/arm/fft_fixed_neon.S 
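Review bot: `(drop << 30)` assumes `drop` is exactly 0 or 1; the parameter is a plain `int`, so any other truthy value bleeds into the colour-frame bit, and for values of 2 or more it left-shifts a set bit into or past bit 31 of a signed int, which is undefined behaviour. Normalise to one bit and shift as unsigned: `((uint32_t)!!drop << 30) | // drop frame flag`. The surrounding constant shifts of 0 are harmless; this is the only variable operand in the chain, so it is the one that needs the cast.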
@@ -56,7 +56,7 @@ vhsub.s16 \r0, \d0, \d1 @ t3, t4, t8, t7 vhsub.s16 \r1, \d1, \d0 vhadd.s16 \d0, \d0, \d1 @ t1, t2, t6, t5 - vmov.i64 \d1, #0xffff<<32 + vmov.i64 \d1, #0xffff00000000 vbit \r0, \r1, \d1 vrev64.16 \r1, \r0 @ t7, t8, t4, t3 vtrn.32 \r0, \r1 @ t3, t4, t7, t8 From e9520db07e1e4a795523726329d448d168b188d5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 5 Jul 2011 18:10:48 -0700 Subject: [PATCH 007/290] eval: fix memleak. (cherry picked from commit fe277b16f0861a327e1f6c00c0dbb8b00806d60d) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/eval.c b/libavutil/eval.c index a3788210e3..8bcba3632d 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -488,6 +488,7 @@ int av_expr_parse(AVExpr **expr, const char *s, if ((ret = parse_expr(&e, &p)) < 0) goto end; if (*p.s) { + av_expr_free(e); av_log(&p, AV_LOG_ERROR, "Invalid chars '%s' at the end of expression '%s'\n", p.s, s0); ret = AVERROR(EINVAL); goto end; From 6107543d4e4f6bfa7810e3696ab57553f7257b4b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 29 Jun 2011 13:41:47 -0700 Subject: [PATCH 008/290] adts: Fix PCE copying. Parse the extension flag bit when reading the MPEG4 AudioSpecificConfig. This has nothing to do with SBR/PS contradictory to what was noted when it was removed. (cherry picked from commit 7f01a4192cdf4565eadee457f76e6b5196e35e0b) Signed-off-by: Anton Khirnov --- libavformat/adtsenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index e858a81d92..75649e24dc 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c 
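Review bot: The replaced immediate `#0xffff00000000` loses the self-describing form `0xffff<<32`, and the reason for spelling it out lives only in the commit message; add a trailing comment so nobody restores the shifted form later: `vmov.i64 \d1, #0xffff00000000 @ 0xffff<<32 written out: some GNU as versions mis-assemble shifted 64-bit immediates`. The enclosing macro continues outside the hunk.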
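Review bot: After `av_expr_free(e)` the local `e` keeps its freed value on the way to `end:`; whether the label touches it is not visible in the hunk, but if any later path stores or frees `e` this becomes a double free or a dangling store. Set it to NULL as part of the same fix: `av_expr_free(e); e = NULL;`. av_expr_parse's `end:` cleanup is outside the hunk, so confirm it neither dereferences nor assigns `e`.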
@@ -59,6 +59,10 @@ int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf av_log(s, AV_LOG_ERROR, "Scalable configurations are not allowed in ADTS\n"); return -1; } + if (get_bits(&gb, 1)) { + av_log(s, AV_LOG_ERROR, "Extension flag is not allowed in ADTS\n"); + return -1; + } if (!adts->channel_conf) { init_put_bits(&pb, adts->pce_data, MAX_PCE_SIZE); From 94177614747ebb8a8e1b7e70cfd5229cbac56c04 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 11 Sep 2011 12:27:51 +0200 Subject: [PATCH 009/290] Revert "ffmpeg: get rid of useless AVInputStream.nb_streams." This reverts commit 2cf8355f98681bdd726b739008acd5483f82f8d7. AVInputStream.nb_streams tracks number of streams found at the beginning, new streams may appear that ffmpeg doesn't know about. Fixes crash in this case. Signed-off-by: Anton Khirnov --- ffmpeg.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c1db3d5679..76d1cf363c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -329,6 +329,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; /* nb streams we are aware of */ } AVInputFile; static AVInputStream *input_streams = NULL; @@ -1983,7 +1984,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; 
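Review bot: The added single-bit read `get_bits(&gb, 1)` would read more idiomatically as `get_bits1(&gb)`, matching how other one-bit flag reads in the codebase are written; the check otherwise mirrors the preceding scalable-configuration test, including its `return -1` convention. A short comment naming the bitstream field would help: `if (get_bits1(&gb)) { /* extension_flag in AudioSpecificConfig */`. ff_adts_decode_extradata continues outside the hunk.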
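Review bot: The comment on the new field, `/* nb streams we are aware of */`, does not say how it differs from `ctx->nb_streams`, which is the whole reason for the revert; suggest `/* number of streams at open time; ctx->nb_streams may grow later as the demuxer finds new streams, and input_streams is only sized for these */`. The three bound checks in transcode and the assignment in opt_input_file (the later hunks of this file) all depend on that invariant, so the struct comment is the right place to state it once. AVInputFile is fully visible here, but the functions in the later hunks continue outside their hunks.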
@@ -1991,7 +1992,7 @@ static int transcode(AVFormatContext **output_files, fi = stream_maps[i].sync_file_index; si = stream_maps[i].sync_stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2607,7 +2608,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3365,6 +3366,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; frame_rate = (AVRational){0, 0}; frame_pix_fmt = PIX_FMT_NONE; From c75ba07f6eb83439bc44e5504152f8ca03097bec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Thu, 23 Jun 2011 15:59:33 +0200 Subject: [PATCH 010/290] gxf: Fix 25 fps DV material in GXF being misdetected as 50 fps Set DV packet durations using fields_per_frame. This requires turning gxf_stream_info into the demuxer's context for access to the value in gxf_packet(). Since MPEG-2 seems to work fine this done only for DV. Signed-off-by: Anton Khirnov (cherry picked from commit 99fecc64b064a013559d3d61f7d9790e3c95c80e) Signed-off-by: Anton Khirnov --- libavformat/gxf.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) 
diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 74d925fe60..d77fd18b37 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -264,7 +264,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { int map_len; int len; AVRational main_timebase = {0, 0}; - struct gxf_stream_info si; + struct gxf_stream_info *si = s->priv_data; int i; if (!parse_packet_header(pb, &pkt_type, &map_len) || pkt_type != PKT_MAP) { av_log(s, AV_LOG_ERROR, "map packet not found\n"); @@ -282,7 +282,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { return 0; } map_len -= len; - gxf_material_tags(pb, &len, &si); + gxf_material_tags(pb, &len, si); avio_skip(pb, len); map_len -= 2; len = avio_rb16(pb); // length of track description @@ -300,7 +300,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { track_id = avio_r8(pb); track_len = avio_rb16(pb); len -= track_len; - gxf_track_tags(pb, &track_len, &si); + gxf_track_tags(pb, &track_len, si); avio_skip(pb, track_len); if (!(track_type & 0x80)) { av_log(s, AV_LOG_ERROR, "invalid track type %x\n", track_type); @@ -316,12 +316,12 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { if (idx < 0) continue; st = s->streams[idx]; if (!main_timebase.num || !main_timebase.den) { - main_timebase.num = si.frames_per_second.den; - main_timebase.den = si.frames_per_second.num * 2; + main_timebase.num = si->frames_per_second.den; + main_timebase.den = si->frames_per_second.num * 2; } - st->start_time = si.first_field; - if (si.first_field != AV_NOPTS_VALUE && si.last_field != AV_NOPTS_VALUE) - st->duration = si.last_field - si.first_field; + st->start_time = si->first_field; + if (si->first_field != AV_NOPTS_VALUE && si->last_field != AV_NOPTS_VALUE) + st->duration = si->last_field - si->first_field; } if (len < 0) av_log(s, AV_LOG_ERROR, "invalid track description length specified\n"); 
@@ -422,6 +422,8 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { AVIOContext *pb = s->pb; GXFPktType pkt_type; int pkt_len; + struct gxf_stream_info *si = s->priv_data; + while (!pb->eof_reached) { AVStream *st; int track_type, track_id, ret; @@ -473,6 +475,11 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { avio_skip(pb, skip); pkt->stream_index = stream_index; pkt->dts = field_nr; + + //set duration manually for DV or else lavf misdetects the frame rate + if (st->codec->codec_id == CODEC_ID_DVVIDEO) + pkt->duration = si->fields_per_frame; + return ret; } return AVERROR(EIO); @@ -518,7 +525,7 @@ static int64_t gxf_read_timestamp(AVFormatContext *s, int stream_index, AVInputFormat ff_gxf_demuxer = { "gxf", NULL_IF_CONFIG_SMALL("GXF format"), - 0, + sizeof(struct gxf_stream_info), gxf_probe, gxf_header, gxf_packet, From 6ed533f56137f678ff8507012de14d277aded9cc Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 15:33:56 -0400 Subject: [PATCH 011/290] alsa: fallback to buffer_size/4 for period_size. buffer_size/4 is the value used by aplay. This fixes output to null devices, e.g. writing ALSA output to a file. (cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index baa6ac79ca..4c7c881300 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -146,6 +146,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL); + if (!period_size) + period_size = buffer_size / 4; res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL); if (res < 0) { av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n", From 0c039db4d8aa0928d9b7466c635247e6439df015 Mon Sep 17 00:00:00 2001 
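Review bot: The fallback `period_size = buffer_size / 4` carries no explanation for the divisor; the commit message says it is the value aplay uses and that zero is what null/file devices report, so record that at the line: `if (!period_size) /* some devices (e.g. the null/file plugin) report no minimum; use buffer_size/4 like aplay */`. If buffer_size is below 4 the fallback is still 0 and the following set_period_size_near call decides the outcome; ff_alsa_open continues outside the hunk.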
From: Justin Ruggles Date: Wed, 22 Jun 2011 16:38:20 -0400 Subject: [PATCH 012/290] alsa: limit buffer_size to 32768 frames. In testing, the file output plugin gave a max buffer size of about 20 million frames, which is way more than what is really needed and causes a memory allocation error on my system. (cherry picked from commit e35c674d13a7f180412cfe058530a2e7f1d49a90) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 1 + libavdevice/alsa-audio.h | 2 ++ 2 files changed, 3 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index 4c7c881300..825fcb1dbd 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -137,6 +137,7 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_buffer_size_max(hw_params, &buffer_size); + buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX); /* TODO: maybe use ctx->max_picture_buffer somehow */ res = snd_pcm_hw_params_set_buffer_size_near(h, hw_params, &buffer_size); if (res < 0) { diff --git a/libavdevice/alsa-audio.h b/libavdevice/alsa-audio.h index 32c07426ef..c8c6ea4aff 100644 --- a/libavdevice/alsa-audio.h +++ b/libavdevice/alsa-audio.h @@ -40,6 +40,8 @@ other formats */ #define DEFAULT_CODEC_ID AV_NE(CODEC_ID_PCM_S16BE, CODEC_ID_PCM_S16LE) +#define ALSA_BUFFER_SIZE_MAX 32768 + typedef struct { AVClass *class; snd_pcm_t *h; From b772a757dd5e58ce94b56daee0deba78ab2e205e Mon Sep 17 00:00:00 2001 From: Jindrich Makovicka Date: Thu, 30 Jun 2011 09:03:15 +0000 Subject: [PATCH 013/290] mpegts: fix Continuity Counter error detection According to MPEG-TS specs, the continuity_counter shall not be incremented when the adaptation_field_control of the packet equals '00' or '10'. Signed-off-by: Jindrich Makovicka Signed-off-by: Anton Khirnov (cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7) 
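Review bot: `buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX);` clamps a maximum the device itself reported, and the reason (a roughly 20-million-frame maximum from the file plugin making the allocation fail) is only in the commit message; a comment at the clamp keeps it from being removed as redundant: `/* cap the device's reported maximum: some plugins report absurd sizes (file plugin: ~20M frames) and the allocation fails */`. In alsa-audio.h the new `#define ALSA_BUFFER_SIZE_MAX 32768` follows the file's existing #define style, but a one-line comment there stating the unit (frames) would help. ff_alsa_open continues outside the hunk.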
Signed-off-by: Anton Khirnov --- libavformat/mpegts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e9b8b3513a..608cbe710f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1247,7 +1247,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) { AVFormatContext *s = ts->stream; MpegTSFilter *tss; - int len, pid, cc, cc_ok, afc, is_start; + int len, pid, cc, expected_cc, cc_ok, afc, is_start; const uint8_t *p, *p_end; int64_t pos; @@ -1265,7 +1265,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) /* continuity check (currently not used) */ cc = (packet[3] & 0xf); - cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc)); + expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc; + cc_ok = (tss->last_cc < 0) || (expected_cc == cc); tss->last_cc = cc; /* skip adaptation field */ From f8521560fa95c83bfbd95bb1b5adc8ded62a5104 Mon Sep 17 00:00:00 2001 From: Oskar Arvidsson Date: Tue, 12 Jul 2011 10:52:19 +0200 Subject: [PATCH 014/290] pix_fmt: Fix number of bits per component in yuv444p9be Signed-off-by: Ronald S. Bultje (cherry picked from commit e59d6b4d7255d6d3dc89580f534e18af1433fe25) Signed-off-by: Anton Khirnov --- libavutil/pixdesc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index efc7c7ea0e..c70a41347b 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -918,9 +918,9 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[PIX_FMT_NB] = { .log2_chroma_w= 0, .log2_chroma_h= 0, .comp = { - {0,1,1,0,9}, /* Y */ - {1,1,1,0,9}, /* U */ - {2,1,1,0,9}, /* V */ + {0,1,1,0,8}, /* Y */ + {1,1,1,0,8}, /* U */ + {2,1,1,0,8}, /* V */ }, .flags = PIX_FMT_BE, }, From 9c2a02466053dd4762d474d89d9be9a957eaaefe Mon Sep 17 00:00:00 2001 
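Review bot: `packet[3] & 0x10` is the payload-present half of adaptation_field_control, and the new line relies on the reader knowing that; naming it makes the continuity rule legible: `expected_cc = (packet[3] & 0x10) /* payload present */ ? (tss->last_cc + 1) & 0x0f : tss->last_cc;` or a local `has_payload`. When `tss->last_cc` is negative the ternary still computes from it, which is harmless only because `cc_ok` short-circuits on `last_cc < 0` first; a comment would keep that ordering from being simplified away. The preceding comment `/* continuity check (currently not used) */` should be revisited if cc_ok is now acted upon, and, as a hedged spec note, the transport stream standard permits one duplicate packet with the same continuity_counter, which this comparison would flag. handle_packet continues outside the hunk.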
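Review bot: The changed triples `{0,1,1,0,8}` read as if the format now has 8-bit components, while the commit title says the fix is the bit count for yuv444p9be; the last initializer element is the depth-minus-one field of AVComponentDescriptor (so 8 means 9 bits), and that is worth stating exactly where it is easy to get wrong: `{0,1,1,0,8}, /* Y: depth_minus1 = 8 -> 9 bits */`. The sibling 9-bit descriptors in this table (outside the hunk) are worth checking for the same off-by-one.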
From: Anton Khirnov Date: Tue, 12 Jul 2011 22:42:18 +0200 Subject: [PATCH 015/290] lavf: fix segfault in av_open_input_stream() ic is NULL in case of error. (cherry picked from commit 13551ad1e336573e3732fdeaf25607c47244bb80) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0e6b00195b..2cb096e373 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -465,7 +465,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, else ic->pb = pb; - err = avformat_open_input(&ic, filename, fmt, &opts); + if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0) + goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above *ic_ptr = ic; From f7831bb104c48118b38d4ba86a7d594fe4fa0f2c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 15 Jul 2011 22:38:10 +0100 Subject: [PATCH 016/290] aacps: skip some memcpy() if src and dst would be equal Signed-off-by: Mans Rullgard (cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3) Signed-off-by: Anton Khirnov --- libavcodec/aacps.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 724c13256a..3f1424bcf2 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
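Review bot: The new early `goto fail` after a failed avformat_open_input relies on `fail:` coping with `ic == NULL` (the commit message says ic is NULL on error) and on `opts` still being released there; neither the label nor the dictionary cleanup is inside the hunk, so confirm both. The caller-supplied `pb` is also left open on this path, since the line below the change only reassigns it on success, so document who closes it, e.g. `/* on failure ic is already freed by avformat_open_input; the caller keeps ownership of pb */`. av_open_input_stream continues outside the hunk.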
@@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB; //Remapping - memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); - memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); - memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); - memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); - memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); - memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); - memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); - memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + if (ps->num_env_old) { + memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); + memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); + memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); + memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); + memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); + memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); + memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); + memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + } + if (is34) { remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1); remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1); From 3ed12b97bed7f0cd430c4304f166e549b4dad634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Sat, 16 Jul 2011 11:41:08 -0400 Subject: [PATCH 017/290] Do not decode RV30 files if the extradata is too small 
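Review bot: The new `if (ps->num_env_old)` guard reads as an optimisation, whereas the commit message says it avoids memcpy with identical source and destination (undefined behaviour for overlapping objects); put that reason at the guard so it is not dropped later: `/* num_env_old == 0 makes src == dst: memcpy on overlapping regions is UB, and the copy would be a no-op anyway */`. The eight copies differ only in the array they touch, so a small static helper taking the H array would halve the line count, but that is a style choice. stereo_processing continues outside the hunk.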
Signed-off-by: Diego Biurrun (cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 62177dda78..2b423cc0d2 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); + return EINVAL; } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From 99ec59adbdaced97d892da73e5c881ac122bd27b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 20 Jul 2011 09:55:48 +0100 Subject: [PATCH 018/290] Fix incorrect max_lowres values Signed-off-by: Mans Rullgard (cherry picked from commit e23a05ab0605693aa715b95120bc0132079ded06) Signed-off-by: Anton Khirnov --- libavcodec/cdgraphics.c | 1 - libavcodec/kgv1dec.c | 1 - libavcodec/pngdec.c | 1 - libavcodec/pnmdec.c | 5 ----- libavcodec/sp5xdec.c | 2 +- 5 files changed, 1 insertion(+), 9 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 2f8e98ca3d..bcfb6e9be5 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -377,6 +377,5 @@ AVCodec ff_cdgraphics_decoder = { cdg_decode_end, cdg_decode_frame, CODEC_CAP_DR1, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("CD Graphics video"), }; diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 57684340af..88c54bf817 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -173,6 +173,5 @@ AVCodec ff_kgv1_decoder = { NULL, decode_end, decode_frame, - .max_lowres = 1, .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"), }; diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7477f6746b..1268c9e781 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
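Review bot: `return EINVAL;` returns a positive errno value from a decoder init function whose callers expect a negative AVERROR code, so on common platforms the failure is reported as success and decoding proceeds with the short extradata the check was meant to reject; it should be `return AVERROR(EINVAL);`, which the follow-up commit 44c718cf in this series applies. The check itself is consistent: `6 + r->rpr * 2` in the message matches the `extradata_size - 8 < (r->rpr - 1) * 2` condition. rv30_decode_init continues outside the hunk.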
@@ -667,6 +667,5 @@ AVCodec ff_png_decoder = { decode_frame, CODEC_CAP_DR1 /*| CODEC_CAP_DRAW_HORIZ_BAND*/, NULL, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PNG image"), }; diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index b9f20c0569..988ea0c267 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -199,7 +199,6 @@ AVCodec ff_pgm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_GRAY8, PIX_FMT_GRAY16BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGM (Portable GrayMap) image"), }; #endif @@ -216,7 +215,6 @@ AVCodec ff_pgmyuv_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGMYUV (Portable GrayMap YUV) image"), }; #endif @@ -233,7 +231,6 @@ AVCodec ff_ppm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB48BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PPM (Portable PixelMap) image"), }; #endif @@ -250,7 +247,6 @@ AVCodec ff_pbm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PBM (Portable BitMap) image"), }; #endif @@ -267,7 +263,6 @@ AVCodec ff_pam_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB32, PIX_FMT_GRAY8, PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PAM (Portable AnyMap) image"), }; #endif diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 6726c18ca9..ae25733530 100644 --- a/libavcodec/sp5xdec.c +++ b/libavcodec/sp5xdec.c @@ -104,7 +104,7 @@ AVCodec ff_sp5x_decoder = { sp5x_decode_frame, CODEC_CAP_DR1, NULL, - .max_lowres = 5, + .max_lowres = 3, .long_name = NULL_IF_CONFIG_SMALL("Sunplus JPEG (SP5X)"), }; 
From 44c718cf7116203e4e86ff2b92d7dcfd9c77e4b3 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 21 Jul 2011 14:25:01 +0200 Subject: [PATCH 019/290] rv30: return AVERROR(EINVAL) instead of EINVAL On some platforms EINVAL could be positive, ensure we return negative values. (cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 2b423cc0d2..b7f43a4bd0 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); - return EINVAL; + return AVERROR(EINVAL); } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From b3b97559bb47fceaaa7fc5aa25a351c9de7f60d6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 26 Jul 2011 10:58:29 -0700 Subject: [PATCH 020/290] vp3/theora: flush after seek. (cherry picked from commit 8dcf5184307f072d55fb29373be05ef8b0fd02df) Signed-off-by: Anton Khirnov --- libavcodec/vp3.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c3dff7f89f..c117a64084 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -2321,6 +2321,26 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) return vp3_decode_init(avctx); } +static void vp3_decode_flush(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + if (s->golden_frame.data[0]) { + if (s->golden_frame.data[0] == s->last_frame.data[0]) + memset(&s->last_frame, 0, sizeof(AVFrame)); + if (s->current_frame.data[0] == s->golden_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->golden_frame); + } + if (s->last_frame.data[0]) { + if (s->current_frame.data[0] == s->last_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->last_frame); + } + if (s->current_frame.data[0]) + ff_thread_release_buffer(avctx, &s->current_frame); +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2332,6 +2352,7 @@ AVCodec ff_theora_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; @@ -2348,6 +2369,7 @@ AVCodec ff_vp3_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From c613a891433df18f5188efbab504942be8c809c0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:27:36 -0700 Subject: [PATCH 021/290] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when allocating extradata. This prevents out of bounds reads when extradata is being decoded. (cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356) Signed-off-by: Anton Khirnov --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
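Review bot: The aliasing logic in the new vp3_decode_flush is order-dependent (each frame's `data[0]` is compared against the others before a buffer is released, and the memset on the alias is what prevents a second release) and nothing in the function says so; add a comment at the top: `/* golden, last and current may share one buffer; clear the aliases first so each buffer is released exactly once */`. `sizeof(AVFrame)` could be `sizeof(s->last_frame)` and `sizeof(s->current_frame)` to stay tied to the object being zeroed. The two AVCodec hunks that register `.flush` need nothing further.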
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 82daa2a002..fcee7a7b83 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -599,7 +599,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int
 default:
 /* Private uid used by SONY C0023S01.mxf */
 if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) {
- descriptor->extradata = av_malloc(size);
+ descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!descriptor->extradata)
 return -1;
 descriptor->extradata_size = size;
From 96a453eb85a2d565681842a07ab759a52f1353fd Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:49:11 -0700 Subject: [PATCH 022/290] aac: Remove some suspicious illegal memcpy()s from LTP. (cherry picked from commit a6c49f18abacb9bf52d4d808a2a56561a5b5445c) Signed-off-by: Anton Khirnov
--- libavcodec/aacdec.c | 2 -- 1 file changed, 2 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 69aacb86d6..f94b109de5 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1753,12 +1753,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out,
 } else {
 memset(in, 0, 448 * sizeof(float));
 ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128);
- memcpy(in + 576, in + 576, 448 * sizeof(float));
 }
 if (ics->window_sequence[0] != LONG_START_SEQUENCE) {
 ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024);
 } else {
- memcpy(in + 1024, in + 1024, 448 * sizeof(float));
 ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128);
 memset(in + 1024 + 576, 0, 448 * sizeof(float));
 }
From 67163d751ba1ffa89e61eff224158828d5f673a4 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sat, 29 Jan 2011 17:05:42 -0800 Subject: [PATCH 023/290] libx264: do not set pic quality if no frame is output Avoids uninitialized reads. Signed-off-by: Anton Khirnov (cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c) 
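Review bot: Padding the allocation with FF_INPUT_BUFFER_PADDING_SIZE only helps if the padding bytes are zeroed, and `av_malloc` leaves them uninitialised; the read that fills the first `size` bytes is outside the hunk, so either switch to `av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE)` or clear the tail after the read. `size` comes from the file and is added to the padding unchecked; its type is not visible here, so confirm the caller's tag-length parsing bounds it before the addition. mxf_read_generic_descriptor continues outside the hunk.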
Signed-off-by: Anton Khirnov --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index e5fac00469..74ee1d45e0 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -138,7 +138,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } x4->out_pic.key_frame = pic_out.b_keyframe; - x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; + if (bufsize) + x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; return bufsize; } From 042934e78676a7854038be560e8f8a7d05552b84 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 10 Aug 2011 14:07:35 -0400 Subject: [PATCH 024/290] Remove incorrect info in documentation of AVCodecContext.bits_per_raw_sample. bits_per_raw_sample is used in video as well, where sample_fmt is not used. (cherry picked from commit d271d5b2152cafe540f3ab71d3be6ce8636d2fd6) Signed-off-by: Anton Khirnov --- libavcodec/avcodec.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 9a3076ae27..0269892028 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2559,7 +2559,6 @@ typedef struct AVCodecContext { /** * Bits per sample/pixel of internal libavcodec pixel/sample format. - * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32. * - encoding: set by user. * - decoding: set by libavcodec. */ From 59a22afa0b50b9037133a7bc26bdc5023e7e1df9 Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Thu, 11 Aug 2011 08:57:58 -0400 Subject: [PATCH 025/290] h264: notice memory allocation failure Signed-off-by: Ronald S. Bultje (cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 2c000a3420..99be210d13 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
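Review bot: The guard `if (bufsize)` protects `quality`, but the line just above it, `x4->out_pic.key_frame = pic_out.b_keyframe;`, reads the same `pic_out` that the commit message says is uninitialised when no frame is output; move it inside the same guard: `if (bufsize) { x4->out_pic.key_frame = pic_out.b_keyframe; x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; }`. If the encode call (outside the hunk) can hand a negative error value to bufsize, that is also truthy, so `bufsize > 0` would be the stricter condition. X264_frame continues outside the hunk.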
@@ -1165,7 +1165,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } context_init(h); for(i=0; i<2; i++){ @@ -2635,7 +2638,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->prev_interlaced_frame = 1; init_scan_tables(h); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) { if (context_init(h) < 0) { From 28321b777f76528b061646a3555d08b94ff667bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 13 Aug 2011 11:58:18 +0200 Subject: [PATCH 026/290] VC-1: fix reading of custom PAR. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Custom PAR num/denum are in 1-256 range. Signed-off-by: Reimar Döffinger Signed-off-by: Diego Biurrun (cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3) Signed-off-by: Anton Khirnov --- libavcodec/vc1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 32869b97d1..5e53680ec6 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c 
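Review bot: Both new error paths (here in decode_update_thread_context and in the second hunk in decode_slice_header) discard the value returned by ff_h264_alloc_tables() and substitute AVERROR(ENOMEM), so any other failure it may report is relabelled as out-of-memory. Capturing it keeps the real code: `int ret = ff_h264_alloc_tables(h);`, `if (ret < 0) { av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); return ret; }`. In the first hunk the return happens after the memcpy from h1 a few lines above has already overwritten h's fields; whether the caller tears the context down after a failed update is not visible here. Both functions extend beyond their hunks.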
@@ -485,8 +485,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) if(ar && ar < 14){ v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar]; }else if(ar == 15){ - w = get_bits(gb, 8); - h = get_bits(gb, 8); + w = get_bits(gb, 8) + 1; + h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den); From fe3e7297fe56a383baca484dea2c0d603ae305f8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 8 Jun 2011 14:32:07 +0000 Subject: [PATCH 027/290] flvenc: use int64_t to store offsets Metadata currently is written only at the start of the file in normal cases, when transcoding from a rtmp source metadata could be written later and the offset recorded can exceed 32bit. Signed-off-by: Anton Khirnov (cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6) Signed-off-by: Anton Khirnov --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 487993cd9a..bd1a1f49fe 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -177,7 +177,7 @@ static int flv_write_header(AVFormatContext *s) AVCodecContext *audio_enc = NULL, *video_enc = NULL; int i; double framerate = 0.0; - int metadata_size_pos, data_size; + int64_t metadata_size_pos, data_size; AVDictionaryEntry *tag = NULL; for(i=0; inb_streams; i++){ From dec458b900439316ebdefa0de2bd1249440859cf Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 17 Aug 2011 10:36:33 +0200 Subject: [PATCH 028/290] rv10/20: tell decoder to use edge emulation This removes out-of-edge motion compensation artifacts (easily spotted green blocks in avplay, gray blocks in transcoding), for example here: http://samples.libav.org/samples/real/tv_watching_t1.rm Signed-off-by: Diego Biurrun (cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48) 
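Review bot: The `+ 1` on both get_bits() results is the whole fix, yet nothing in the code records why it is there, which invites the next reader to "simplify" it away. A comment above the two assignments, e.g. `/* custom PAR num/den are coded minus one, valid range 1..256 */`, carries the reasoning from the commit message into the source. decode_sequence_header_adv continues outside the hunk.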
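Review bot: Widening metadata_size_pos and data_size to int64_t removes the position overflow, but the FLV tag DataSize field is 24 bits wide, so wherever data_size is later narrowed into that field (outside this hunk) a range check is still needed to avoid silent truncation. A short comment on the declaration, such as `/* int64_t: avio_tell() positions can exceed 32 bits when metadata is written late */`, would also preserve the rationale from the commit message. flv_write_header continues past the hunk.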
Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 6227dc6f6c..78f97b16b1 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -438,6 +438,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) s->avctx= avctx; s->out_format = FMT_H263; s->codec_id= avctx->codec_id; + avctx->flags |= CODEC_FLAG_EMU_EDGE; s->orig_width = s->width = avctx->coded_width; s->orig_height= s->height = avctx->coded_height; From b4099a6dc539c54156a788c7020356c54bc6485e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 16 Aug 2011 11:03:26 -0700 Subject: [PATCH 029/290] aac: Only output configure if audio was found. Audio found is not triggered on a CCE because a CCE alone has no output. Signed-off-by: Luca Barbato (cherry picked from commit d8425ed4af6d8fce62ff363cc590f85e57bac06b) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index f94b109de5..2958ddbe72 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2074,7 +2074,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, ChannelElement *che = NULL, *che_prev = NULL; enum RawDataBlockType elem_type, elem_type_prev = TYPE_END; int err, elem_id, data_size_tmp; - int samples = 0, multiplier; + int samples = 0, multiplier, audio_found = 0; if (show_bits(gb, 12) == 0xfff) { if (parse_adts_frame_header(ac, gb) < 0) { @@ -2105,10 +2105,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_SCE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_CPE: err = decode_cpe(ac, gb, che); + audio_found = 1; break; case TYPE_CCE: @@ -2117,6 +2119,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_LFE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_DSE: 
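Review bot: The new line overrides a caller-visible flag inside the decoder's init without saying why; anything that later reads avctx->flags will see the decoder's choice rather than the user's. A comment on the added line, e.g. `/* RV10/20 motion compensation may reference outside the padded edges; always emulate edges */`, captures the rationale from the commit message and tells maintainers the override is deliberate. rv10_decode_init continues outside the hunk.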
@@ -2193,7 +2196,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, samples, avctx->channels); } - if (ac->output_configured) + if (ac->output_configured && audio_found) ac->output_configured = OC_LOCKED; return 0; From 8ad6555f820cc8db5debd5f76d8779cd329def20 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 14:21:54 -0400 Subject: [PATCH 030/290] h264: correct the check for invalid long term frame index in MMCO decode The current check on MMCO parameters prohibits a "max long term frame index plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO. Fix this off-by-one error to allow the full range of legal values. Signed-off-by: Diego Biurrun (cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a) Signed-off-by: Anton Khirnov --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index a025f7d352..b1c27ec810 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){ } if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){ unsigned int long_arg= get_ue_golomb_31(gb); - if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ + if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode); return -1; } From 45b3f7c71ec213a2f4177e866586660fcbc68ecd Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 6 Jul 2011 11:54:36 -0400 Subject: [PATCH 031/290] h264: correct implicit weight table computation for long ref pics Correct computation of implicit weight tables when referencing pictures that are marked for long reference. 
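Review bot: The widened condition on the `if(long_arg >= 32 || ...)` line now nests three negated clauses and is hard to verify by eye, although the underlying rule is a per-opcode upper bound. Splitting it out makes the limits checkable: `unsigned max_long = opcode == MMCO_SET_MAX_LONG ? 17 : (opcode == MMCO_LONG2UNUSED && FIELD_PICTURE) ? 32 : 16;` followed by `if (long_arg >= max_long) {`, with a comment such as `/* for MMCO_SET_MAX_LONG the argument is max_long_term_frame_idx_plus1, so 16 is legal */`. ff_h264_decode_ref_pic_marking continues outside the hunk.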
Signed-off-by: Diego Biurrun (cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 99be210d13..1c60de7023 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2198,15 +2198,17 @@ static void implicit_weight_table(H264Context *h, int field){ for(ref0=ref_start; ref0 < ref_count0; ref0++){ int poc0 = h->ref_list[0][ref0].poc; for(ref1=ref_start; ref1 < ref_count1; ref1++){ - int poc1 = h->ref_list[1][ref1].poc; - int td = av_clip(poc1 - poc0, -128, 127); - int w= 32; - if(td){ - int tb = av_clip(cur_poc - poc0, -128, 127); - int tx = (16384 + (FFABS(td) >> 1)) / td; - int dist_scale_factor = (tb*tx + 32) >> 8; - if(dist_scale_factor >= -64 && dist_scale_factor <= 128) - w = 64 - dist_scale_factor; + int w = 32; + if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { + int poc1 = h->ref_list[1][ref1].poc; + int td = av_clip(poc1 - poc0, -128, 127); + if(td){ + int tb = av_clip(cur_poc - poc0, -128, 127); + int tx = (16384 + (FFABS(td) >> 1)) / td; + int dist_scale_factor = (tb*tx + 32) >> 8; + if(dist_scale_factor >= -64 && dist_scale_factor <= 128) + w = 64 - dist_scale_factor; + } } if(field<0){ h->implicit_weight[ref0][ref1][0]= From ce8f40a7b9e9fd8bc47181dc4a2b4de0042dac72 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 13:20:06 -0400 Subject: [PATCH 032/290] h264: fix PCM intra-coded blocks in monochrome case Signed-off-by: Diego Biurrun (cherry picked from commit 6581e161c5f46733a5619208483de29416eb9a51) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1c60de7023..75075f6b3c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
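Review bot: `h->ref_list[0][ref0].long_ref` is invariant across the inner ref1 loop but is re-evaluated for every ref1; hoisting it next to poc0 in the outer loop (`int long0 = h->ref_list[0][ref0].long_ref;` and then `if (!long0 && !h->ref_list[1][ref1].long_ref) {`) mirrors how poc0 is already handled and reads more clearly. A one-line comment on the new condition, e.g. `/* implicit weights fall back to 32 when either reference is long-term: no temporal distance is defined */`, would explain why the distance scaling is skipped. implicit_weight_table continues outside the hunk.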
@@ -1851,15 +1851,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i tmp_y[j] = get_bits(&gb, bit_depth); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i = 0; i < 8; i++) { - uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cb[j] = get_bits(&gb, bit_depth); - } - for (i = 0; i < 8; i++) { - uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cr[j] = get_bits(&gb, bit_depth); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cb[j] = 1 << (bit_depth - 1); + } + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cr[j] = 1 << (bit_depth - 1); + } + } + } else { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cb[j] = get_bits(&gb, bit_depth); + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cr[j] = get_bits(&gb, bit_depth); + } } } } else { @@ -1867,9 +1882,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i memcpy(dest_y + i* linesize, h->mb + i*8, 16); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i=0; i<8; i++) { - memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4, 8); - memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4, 8); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + memset(dest_cb + i*uvlinesize, 128, 8); + memset(dest_cr + i*uvlinesize, 128, 8); + } + } else { + for (i = 0; i < 8; i++) { + memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4, 8); + memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4, 8); + } } } } From 97ce2a29b623f785f6b542846746f51018230df4 Mon Sep 17 00:00:00 2001 
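Review bot: The monochrome branches fill dest_cb and dest_cr with the same neutral value through two identical loops each, once in the high-bit-depth hunk and once in the 8-bit hunk; a single loop per row that derives both pointers and writes `tmp_cb[j] = tmp_cr[j] = 1 << (bit_depth - 1);` (and one memset pair in the 8-bit case, as already done) halves the duplication. A comment such as `/* chroma_format_idc == 0: no chroma is coded, fill both planes with neutral grey (128 at 8 bits) */` would explain the constants. Writing chroma for chroma_format_idc == 0 assumes dest_cb/dest_cr point at allocated planes for grey output, which cannot be confirmed from the hunk. hl_decode_mb_internal extends beyond both hunks.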
From: "Ronald S. Bultje" Date: Wed, 24 Aug 2011 14:36:16 -0700 Subject: [PATCH 033/290] vc1: properly zero coded_block[] edges on new slice entry. Previously, we would leave the left edge uninitialized, which led to CBP prediction errors on slice edges, e.g. in SA10098.vc1. (cherry picked from commit d4b9974465baf893e90527a366e7a7411ded1ef8) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8fca2da738..b17ce30b5c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3020,7 +3020,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) s->mb_x = 0; ff_init_block_index(s); memset(&s->coded_block[s->block_index[0]-s->b8_stride], 0, - s->b8_stride * sizeof(*s->coded_block)); + (1 + s->b8_stride) * sizeof(*s->coded_block)); } for(; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; From db5e27f94ed8e74c2cca45b61085ebad7180e22d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alberto=20Delm=C3=A1s?= Date: Thu, 25 Aug 2011 11:00:37 +0200 Subject: [PATCH 034/290] VC1: Fix first/last row checks with slices In some places 0/mb_height were used in place of start_mb_y/end_mb_y. Fixes SA00049, SA00058, SA10091, SA10097, SA10131, SA20021, SA30030 Improves PSNR in SA00054, SA00059, SA00060, SA10096, SA10098, SA20022, SA30031, SA30032, SA40012, SA40013 Signed-off-by: Ronald S. Bultje (cherry picked from commit 1cf82cab0840d669198ea76ab0363aa661950647) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index b17ce30b5c..c87558bc50 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
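Review bot: `(1 + s->b8_stride)` is the entire fix, but nothing in the code says which element the extra one is, so the next reader has to rederive it from the `s->block_index[0]-s->b8_stride` start address. A trailing comment on the changed line, e.g. `/* +1: also clear the left-edge entry of the current row */` (if block_index[0] indeed points at the row's left-edge slot, as the commit message suggests), documents the reasoning. vc1_decode_i_blocks_adv continues outside the hunk.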
@@ -243,7 +243,7 @@ static void vc1_loop_filter_iblk(VC1Context *v, int pq) } v->vc1dsp.vc1_v_loop_filter16(s->dest[0] + 8*s->linesize, s->linesize, pq); - if (s->mb_y == s->mb_height-1) { + if (s->mb_y == s->end_mb_y-1) { if (s->mb_x) { v->vc1dsp.vc1_h_loop_filter16(s->dest[0], s->linesize, pq); v->vc1dsp.vc1_h_loop_filter8(s->dest[1], s->uvlinesize, pq); @@ -295,7 +295,7 @@ static void vc1_loop_filter_iblk_delayed(VC1Context *v, int pq) v->vc1dsp.vc1_v_loop_filter16(s->dest[0] - 8 * s->linesize, s->linesize, pq); } - if (s->mb_y == s->mb_height) { + if (s->mb_y == s->end_mb_y) { if (s->mb_x) { if (s->mb_x >= 2) v->vc1dsp.vc1_h_loop_filter16(s->dest[0] - 16 * s->linesize - 16, s->linesize, pq); @@ -2330,7 +2330,7 @@ static av_always_inline void vc1_apply_p_v_loop_filter(VC1Context *v, int block_ } else { dst = s->dest[0] + (block_num & 1) * 8 + ((block_num & 2) * 4 - 8) * linesize; } - if (s->mb_y != s->mb_height || block_num < 2) { + if (s->mb_y != s->end_mb_y || block_num < 2) { int16_t (*mv)[2]; int mv_stride; @@ -3096,7 +3096,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) if(v->s.loop_filter) vc1_loop_filter_iblk_delayed(v, v->pq); } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } @@ -3219,7 +3219,7 @@ static void vc1_decode_b_blocks(VC1Context *v) s->first_slice_line = 0; } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } 
@@ -3227,9 +3227,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; - ff_er_add_slice(s, 0, 0, s->mb_width - 1, s->mb_height - 1, (AC_END|DC_END|MV_END)); + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); s->first_slice_line = 1; - for(s->mb_y = 0; s->mb_y < s->mb_height; s->mb_y++) { + for(s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; ff_init_block_index(s); ff_update_block_index(s); From 2b74db8d2781202742535a466a371a10a108b141 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Mar 2011 03:30:24 +0100 Subject: [PATCH 035/290] vf_scale: don't leak SWS context. Signed-off-by: Anton Khirnov (cherry picked from commit 52982dbe474663709033e1ad259f8ff7a5a2eefa) Signed-off-by: Anton Khirnov --- libavfilter/vf_scale.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 65fe01c9ae..5288d32116 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -205,6 +205,8 @@ static int config_props(AVFilterLink *outlink) scale->input_is_pal = av_pix_fmt_descriptors[inlink->format].flags & PIX_FMT_PAL; + if (scale->sws) + sws_freeContext(scale->sws); scale->sws = sws_getContext(inlink ->w, inlink ->h, inlink ->format, outlink->w, outlink->h, outlink->format, scale->flags, NULL, NULL, NULL); From 1cf3ba89711748b340c31fe018a3a72e8e9b75f1 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 25 Jul 2011 18:51:02 -0400 Subject: [PATCH 036/290] cpu detection: avoid a signed overflow 1<<31 overflows because 1 is signed, so force it to unsigned. Signed-off-by: Ronald S. Bultje (cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3) Signed-off-by: Anton Khirnov --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 78aeadf0a1..f747e4dba8 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c 
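Review bot: The `if (scale->sws)` guard is redundant if sws_freeContext() tolerates a NULL context, which libswscale's implementation does by returning early, so `sws_freeContext(scale->sws);` alone is enough and matches the free(NULL) idiom. Also worth a comment on why the free is needed here, e.g. `/* config_props() can run again on reconfiguration; drop the previous context */`, since the leak is only visible to someone who knows the call can repeat. config_props continues outside the hunk, so whether a NULL result from sws_getContext() is checked there cannot be seen.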
@@ -113,7 +113,7 @@ int ff_get_cpu_flags_x86(void) if(max_ext_level >= 0x80000001){ cpuid(0x80000001, eax, ebx, ecx, ext_caps); - if (ext_caps & (1<<31)) + if (ext_caps & (1U<<31)) rval |= AV_CPU_FLAG_3DNOW; if (ext_caps & (1<<30)) rval |= AV_CPU_FLAG_3DNOWEXT; From 54f12d2889390293d59c2a9c36f1bf78fbca8dca Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 23 Aug 2011 07:46:51 +0200 Subject: [PATCH 037/290] AVOptions: fix av_set_string3() doxy to match reality. Fixes bug 28. (cherry picked from commit e955a682e125d44143415ff2b96a99a4dac78da2) Signed-off-by: Anton Khirnov --- libavutil/opt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 30aa54f5b6..ce65865069 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -134,7 +134,7 @@ const AVOption *av_find_opt(void *obj, const char *name, const char *unit, int m * when 0 then no av_free() nor av_strdup() will be used * @return 0 if the value has been set, or an AVERROR code in case of * error: - * AVERROR(ENOENT) if no matching option exists + * AVERROR_OPTION_NOT_FOUND if no matching option exists * AVERROR(ERANGE) if the value is out of range * AVERROR(EINVAL) if the value is not valid */ From a4f2973b2dfb2efe41d4e387eb9be404511da5e0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 4 Sep 2011 09:56:47 +0200 Subject: [PATCH 038/290] lavc: fix type for thread_type option It should be flags, not int. (cherry picked from commit fb47997edb9d8ff16fc380d005a08c0545624aa6) Signed-off-by: Anton Khirnov --- libavcodec/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index ae9e0c902d..6f25ebe6d4 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
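Review bot: The unsigned literal is applied only to bit 31 while the neighbouring test on the next line keeps the signed form (`1<<30`), leaving the block with two styles for the same operation. Using `1U<<` for every bit test in ff_get_cpu_flags_x86, or named masks for the CPUID bits, keeps the intent uniform and avoids the question of whether the other shifts were reviewed. The function continues outside the hunk.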
@@ -446,7 +446,7 @@ static const AVOption options[]={ {"lpc_passes", "deprecated, use flac-specific options", OFFSET(lpc_passes), FF_OPT_TYPE_INT, {.dbl = -1 }, INT_MIN, INT_MAX, A|E}, #endif {"slices", "number of slices, used in parallelized decoding", OFFSET(slices), FF_OPT_TYPE_INT, {.dbl = 0 }, 0, INT_MAX, V|E}, -{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, +{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_FLAGS, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, {"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"vbv_delay", "initial buffer fill time in periods of 27Mhz clock", 0, FF_OPT_TYPE_INT64, {.dbl = 0 }, 0, INT64_MAX}, From aee461277a54736511fdcb6298f0e7f9d90e0672 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 23:12:32 +0200 Subject: [PATCH 039/290] Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e4fe217f59..64725c72c0 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } 
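Review bot: When gb_extra_bits runs short the new condition silently skips both the OR and the CRC update, so a truncated extra-bits sub-block yields shifted samples with no low bits and nothing tells the caller or the log that the block was short. Recording the condition once (a flag on the context, or an av_log at AV_LOG_WARNING) would make the corruption visible; whether the later CRC comparison catches it depends on how the CRC is accumulated on the other path, which is not visible here. Separately, `S <<= s->extra_bits` left-shifts an int that may be negative, which is undefined behaviour in C; `S = (unsigned)S << s->extra_bits;` avoids it. wv_get_value_integer continues outside the hunk.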
From 685940da4c843beb9283a21718cbd2fa4fa5d796 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 040/290] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 64725c72c0..5bd677e45e 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; From 4b84e995ad88f3bfa533c38218f2791c14fd72f0 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:02:55 +0200 Subject: [PATCH 041/290] Fixed invalid access in wavpack decoder on corrupted bitstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c) 
Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 5bd677e45e..343120f494 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; 
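Review bot: The check after `ret = base + get_tail(gb, add);` uses `<= 0`, so a value that consumes exactly the last bit of the buffer is rejected, while the equivalent post-read checks in the first and second hunks use `< 0`; the `<= 0` before `get_bits1(gb)` in the while loop is a correct pre-check for one bit, but the get_tail case should be `if (get_bits_left(gb) < 0) goto error;` to match the rest. A comment would also help readers understand why several checks run after the read, e.g. `/* get_unary_0_33()/get_tail() may overread into the input padding; detect it afterwards */`, since that relies on the bit reader tolerating reads past the end. wv_get_value continues into the next hunk.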
@@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S) @@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); @@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); From 5d4c065476da547fd1a8a604e3047e1b3a7a29d8 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 042/290] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 343120f494..f614c7afec 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32); else samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + + if (samplecount < 0) + return -1; + samplecount >>= 1; }else{ const int channel_stride = avctx->channels; 
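Review bot: The new `error:` label returns 0 with `*last = 1`, the same signal wv_get_value already uses for the legitimate end of a block, so the callers (the `if (last) s->samples_left = 0;` hunks further down) cannot tell a truncated or corrupt block from a completed one and rely on the CRC comparison that follows to notice. If the CRC check is what turns this into a hard error, say so at the label, e.g. `/* truncated/corrupt input: end the block here; the caller's CRC check reports it */`; otherwise a distinct out-parameter or negative return would be more robust. wv_get_value begins outside this hunk.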
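Review bot: `return -1` on a negative samplecount throws away whatever wv_unpack_stereo() reported, and the mono hunk that follows does the same; `return samplecount;` (or an explicit `AVERROR_INVALIDDATA`) gives callers a meaningful code consistent with the other AVERROR uses in this series. A comment on the check, e.g. `/* wv_unpack_* returns < 0 on corrupt data; the loops below assume a non-negative count */`, would also tie it to the `while(cnt--)` reverts in the following hunks. wavpack_decode_block continues outside the hunk.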
@@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, else samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){ int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; From 07b3c4cde582a91377372d1dd2afe7c79230f56e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 22:04:09 +0200 Subject: [PATCH 043/290] ffv1: Fixed size given to init_get_bits() in decoder. init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit 46b004959bb7870a361a57272cd5fa7eea34250b) Signed-off-by: Anton Khirnov --- libavcodec/ffv1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 50f1062ad4..ab2cc6e7cd 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c 
@@ -1765,7 +1765,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac bytes_read = c->bytestream - c->bytestream_start - 1; if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME //printf("pos=%d\n", bytes_read); - init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read); + init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8); } else { bytes_read = 0; /* avoid warning */ } @@ -1782,7 +1782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if(fs->ac){ ff_init_range_decoder(&fs->c, buf_p, v); }else{ - init_get_bits(&fs->gb, buf_p, v); + init_get_bits(&fs->gb, buf_p, v * 8); } } From af32fa929a81188c4c451f8648f2f650dcf5228a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:24:19 -0700 Subject: [PATCH 044/290] indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 0e588c3966..6cf893b15e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, #endif start = 48; /* hardcoded for now */ - init_get_bits(&s->gb, buf + start, buf_size - start); + init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); if (s->decode_delta) { /* intraframe */ ir2_decode_plane(s, avctx->width, avctx->height, From 6550e2b5c51cf7d3d40f666f6966b57f622ffffc Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:26:49 -0700 Subject: [PATCH 045/290] indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
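Review bot: Both multiplications by 8 operate on ints derived from the packet: `buf_size - bytes_read` assumes bytes_read <= buf_size, and `v` (which appears to come from the per-slice size table, computed outside the hunk) is scaled without an upper bound, so a large v overflows signed int before init_get_bits() sees it. Validate before scaling, e.g. `if (v <= 0 || v > buf_size) return AVERROR_INVALIDDATA;` ahead of the range-decoder/get_bits branch, and similarly `if (bytes_read > buf_size)` in the first hunk. decode_frame continues outside both hunks.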
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 6cf893b15e..544f476774 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx, return -1; } + start = 48; /* hardcoded for now */ + + if (start >= buf_size) { + av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->decode_delta = buf[18]; /* decide whether frame uses deltas or not */ @@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx, for (i = 0; i < buf_size; i++) buf[i] = av_reverse[buf[i]]; #endif - start = 48; /* hardcoded for now */ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); From 384ed15c2a81812757ecd182f01256f7426af290 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 14:50:33 -0700 Subject: [PATCH 046/290] cljr: init_get_bits size in bits instead of bytes (cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2) Signed-off-by: Anton Khirnov --- libavcodec/cljr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c index e2b01e2a6a..b83919e71d 100644 --- a/libavcodec/cljr.c +++ b/libavcodec/cljr.c @@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; - init_get_bits(&a->gb, buf, buf_size); + init_get_bits(&a->gb, buf, buf_size * 8); for(y=0; yheight; y++){ uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ]; From 9b30b7b9bfc83df9ba7c9a39fd0dcd74dfc063f3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 21:43:03 +0200 Subject: [PATCH 047/290] Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296) 
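Review bot: The new check logs through `s->avctx` although the function receives `avctx` directly; `av_log(avctx, AV_LOG_ERROR, ...)` is the plainer form and matches how avctx is used in the rest of the hunk. Now that `start = 48` is assigned well ahead of its use, the `/* hardcoded for now */` remark no longer sits next to init_get_bits; a named constant for the header size, with the comment on its definition, would keep the explanation with the value. ir2_decode_frame continues outside the hunk.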
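Review bot: The size passed to init_get_bits is now correct, but nothing in the hunk checks buf_size against what the y/x loops below consume, so if those loops (outside the hunk) call get_bits unconditionally a short packet reads into the padding. A check before init_get_bits such as `if (buf_size * 8 < avctx->height * <bits per row>) return AVERROR_INVALIDDATA;`, with the per-row bit count taken from the loop body, would make a short packet a clean error. decode_frame continues outside the hunk.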
Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f614c7afec..155633f3ac 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } switch(id & WP_IDF_MASK){ case WP_ID_DECTERMS: - s->terms = size; - if(s->terms > MAX_TERMS){ + if(size > MAX_TERMS){ av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); + s->terms = 0; buf += ssize; continue; } + s->terms = size; for(i = 0; i < s->terms; i++) { s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; s->decorr[s->terms - i - 1].delta = *buf >> 5; From 0b9b3570a3e3f3eff088ee061dbab165ff3eff2f Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 09:40:42 +0200 Subject: [PATCH 048/290] smacker demuxer: handle possible av_realloc() failure. Signed-off-by: Anton Khirnov (cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index db9a02bb6c..135b4ae708 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -286,11 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) for(i = 0; i < 7; i++) { if(flags & 1) { int size; + uint8_t *tmpbuf; + size = avio_rl32(s->pb) - 4; frame_size -= size; frame_size -= 4; smk->curstream++; - smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); + tmpbuf = av_realloc(smk->bufs[smk->curstream], size); + if (!tmpbuf) + return AVERROR(ENOMEM); + smk->bufs[smk->curstream] = tmpbuf; smk->buf_sizes[smk->curstream] = size; ret = avio_read(s->pb, smk->bufs[smk->curstream], size); if(ret != size) From e6694dce1cbaa1ecd2cbe547c9bf45745986e2c1 Mon Sep 17 00:00:00 2001 
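Review bot: The bound now protects s->decorr[], but the loop that follows still reads from `buf` once per term (`*buf & 0x1F`, `*buf >> 5`), and the hunk does not show `size` being checked against the bytes remaining in the block (or against ssize) before this point. If that check lives at the top of the sub-block loop outside the hunk, a comment here such as `/* size <= ssize <= bytes remaining: verified by the sub-block header check above */` makes the dependency explicit; otherwise compare before reading. Resetting `s->terms = 0` on the error path is good, since the decorrelation stages presumably iterate up to s->terms. wavpack_decode_block continues outside the hunk.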
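Review bot: `size` comes straight from the stream (`avio_rl32(s->pb) - 4`) and is an int, so it can be negative or exceed the remaining frame, yet it reaches av_realloc() unchecked: a negative value converts to a huge allocation and now surfaces as ENOMEM, while a zero asks for zero bytes, which realloc may honour by freeing the old buffer and returning NULL — the code then returns ENOMEM with `smk->bufs[smk->curstream]` still pointing at freed memory. Validate first, e.g. `if (size < 0 || size > frame_size - 4) return AVERROR_INVALIDDATA;` before the two frame_size subtractions, and treat size == 0 explicitly rather than handing it to realloc. smacker_read_packet continues outside the hunk.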
From: Laurent Aimar Date: Sat, 10 Sep 2011 00:32:12 +0200 Subject: [PATCH 049/290] Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 876a9a5558..521764fd1c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -95,17 +95,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); From 61ddc8271d61b0e4ebb3b6954fc32f10799da228 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 16:10:03 -0700 Subject: [PATCH 050/290] xan: Add some buffer checks (cherry picked from commit 0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) 
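Review bot: The table lookup `src[val - 0x17 + get_bits1(&gb) * byte]` inside the `while` loop is still unbounded: the index is built from bytes of the input, and nothing visible limits it to the `byte*2` table bytes that precede `ptr`, so crafted input can drive the read past the table and past `src_len` even though the bit reader is now sized by `ptr_len`. Guarding the index, e.g. `unsigned idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx];`, would make the decode loop honour `src_len` as well; that needs the function to signal failure, which the next patch in this series (`@@ -106` hunk) starts doing. The loop body continues past the end of the hunk.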
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 521764fd1c..88a9adbc30 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -106,6 +106,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, unsigned char *dest_end = dest + dest_len; GetBitContext gb; + if (ptr_len < 0) + return AVERROR_INVALIDDATA; + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { @@ -245,7 +248,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, } } -static void xan_wc3_decode_frame(XanContext *s) { +static int xan_wc3_decode_frame(XanContext *s) { int width = s->avctx->width; int height = s->avctx->height; @@ -265,14 +268,30 @@ static void xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; + int huffman_offset, size_offset, vector_offset, imagedata_offset; - huffman_segment = s->buf + AV_RL16(&s->buf[0]); - size_segment = s->buf + AV_RL16(&s->buf[2]); - vector_segment = s->buf + AV_RL16(&s->buf[4]); - imagedata_segment = s->buf + AV_RL16(&s->buf[6]); + if (s->size < 8) + return AVERROR_INVALIDDATA; - xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - (huffman_segment - s->buf) ); + huffman_offset = AV_RL16(&s->buf[0]); + size_offset = AV_RL16(&s->buf[2]); + vector_offset = AV_RL16(&s->buf[4]); + imagedata_offset = AV_RL16(&s->buf[6]); + + if (huffman_offset >= s->size || + size_offset >= s->size || + vector_offset >= s->size || + imagedata_offset >= s->size) + return AVERROR_INVALIDDATA; + + huffman_segment = s->buf + huffman_offset; + size_segment = s->buf + size_offset; + vector_segment = s->buf + vector_offset; + imagedata_segment = s->buf + imagedata_offset; + + if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset) < 0) + return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); 
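Review bot: The offset validation in the `@@ -265` hunk only guarantees that each segment starts inside `s->buf`; the reads that follow — `imagedata_segment[0]`, the `&imagedata_segment[1]` handed to `xan_unpack` with no source length, and whatever `size_segment`/`vector_segment` feed further down — are still not bounded by `s->size`, so an offset of `s->size - 1` passes the check while the consumers read past the buffer. If `xan_unpack` can take a source length, passing `s->size - imagedata_offset - 1` there would let it bound its reads; its signature is not on the page. Separately, `if (xan_huffman_decode(...) < 0) return AVERROR_INVALIDDATA;` discards the callee's error code, where `int ret = xan_huffman_decode(...); if (ret < 0) return ret;` would keep it. xan_wc3_decode_frame continues past the hunk.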
@@ -358,6 +377,7 @@ static void xan_wc3_decode_frame(XanContext *s) { y += (x + size) / width; x = (x + size) % width; } + return 0; } #if RUNTIME_GAMMA @@ -519,7 +539,8 @@ static int xan_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; - xan_wc3_decode_frame(s); + if (xan_wc3_decode_frame(s) < 0) + return AVERROR_INVALIDDATA; /* release the last frame if it is allocated */ if (s->last_frame.data[0]) From 4ee014309c377f7cfaa9578a393864ae500136f6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:40 +0200 Subject: [PATCH 051/290] ape demuxer: fix segfault on memory allocation failure. Signed-off-by: Anton Khirnov (cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99) Signed-off-by: Anton Khirnov --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 90b02619e0..b0841002a2 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) if (ape->seektablelength > 0) { ape->seektable = av_malloc(ape->seektablelength); + if (!ape->seektable) + return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); } From 4e7905fa9ee75eed404db4d2cca69f833452bf72 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:13 +0200 Subject: [PATCH 052/290] Check for invalid packet size in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 135b4ae708..87c59a3049 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
@@ -304,6 +304,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 }
 flags >>= 1;
 }
+ if (frame_size < 0)
+ return AVERROR_INVALIDDATA;
 if (av_new_packet(pkt, frame_size + 768))
 return AVERROR(ENOMEM);
 if(smk->frm_size[smk->cur_frame] & 1)
From 9f391c4971d4ce2e849a6465a19d1f9da1488194 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:34 +0200 Subject: [PATCH 053/290] Fixed off by one packet size allocation in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573) Signed-off-by: Anton Khirnov
---
 libavformat/smacker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 87c59a3049..a817c31355 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -306,7 +306,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 }
 if (frame_size < 0)
 return AVERROR_INVALIDDATA;
- if (av_new_packet(pkt, frame_size + 768))
+ if (av_new_packet(pkt, frame_size + 769))
 return AVERROR(ENOMEM);
 if(smk->frm_size[smk->cur_frame] & 1)
 palchange |= 2;
From 5b1f79b092a4684c1e700ea21d5da77c68ca7d44 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:46:49 +0200 Subject: [PATCH 054/290] Check and propagate errors when VLC trees cannot be built in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b) Signed-off-by: Anton Khirnov
---
 libavcodec/smacker.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 8060e1cee7..e8de0d89c5 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
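Review bot: `frame_size + 769` is evaluated in `int`, and `frame_size` is accumulated from 32-bit stream fields in the hunk above, so the new `frame_size < 0` check does not exclude a value near `INT_MAX` that wraps negative in the addition before `av_new_packet` sees it; bounding `frame_size` against the frame length recorded in the file header (not visible here) would close that. The literal also deserves a comment — if, as the `palchange` handling suggests, the extra bytes are a palette-change flag plus a 768-byte palette, `/* +1 flag byte, +768 bytes of palette prepended to the frame data */` would explain the bump from 768. Both hunks are in smacker_read_packet, which begins and ends outside them.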
@@ -134,10 +134,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return -1; } b1 = get_bits_count(gb); - i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3); + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; b2 = get_bits_count(gb); - i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3); + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { @@ -290,7 +290,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -298,7 +299,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); @@ -306,7 +308,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); 
@@ -314,7 +317,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) + return -1; } return 0; @@ -522,8 +526,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return -1; } - decode_header_trees(c); - + if (decode_header_trees(c)) + return -1; return 0; } From 0d93b03e6861fafd3eddd9ee164cf56630c9d899 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:49:36 +0200 Subject: [PATCH 055/290] Check for invalid VLC value in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e8de0d89c5..9628b07492 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -139,6 +139,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx b2 = get_bits_count(gb); i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; + if (i1 < 0 || i2 < 0) + return -1; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; From 78cd2e18a4aa2835f6d04cf145121fc82099c1a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 23:24:56 +0200 Subject: [PATCH 056/290] smacker: fix a few off by 1 errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stereo & 16bit is untested due to lack of samples Signed-off-by: Martin Storsjö (cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320) 
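Review bot: The early `return -1` paths added in decode_header_trees (the four `if (smacker_decode_header_tree(...)) return -1;` hunks here and on the previous line) and in decode_init leave any tables already built by the earlier successful calls (`smk->mmap_tbl`, `smk->mclr_tbl`, …) allocated; unless the codec's close callback is guaranteed to run after a failed init, those leak on a corrupt header, so either confirm that or free them on the error path. The bare `-1` could also be `AVERROR_INVALIDDATA`, which the rest of this series uses for malformed input. A short comment on the `ctx->v1->table ? ... : 0` fallback in smacker_decode_bigtree, such as `/* an empty tree decodes as symbol 0 */`, would record why a missing table is not an error there.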
Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 8 +-- tests/ref/fate/smacker | 160 ++++++++++++++++++++--------------------- 2 files changed, 84 insertions(+), 84 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 9628b07492..1fa40def62 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -624,9 +624,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) pred[i] = av_bswap16(get_bits(&gb, 16)); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples++ = pred[i]; - for(i = 0; i < unp_size / 2; i++) { + for(; i < unp_size / 2; i++) { if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); @@ -658,9 +658,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; - for(i = 0; i < unp_size; i++) { + for(; i < unp_size; i++) { if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker index 85c4a9817c..df88a4ae8a 100644 --- a/tests/ref/fate/smacker +++ b/tests/ref/fate/smacker @@ -1,5 +1,5 @@ 0, 0, 192000, 0x8926d7fc -1, 0, 47240, 0xad778a78 +1, 0, 47240, 0x9974897c 0, 6390, 192000, 0x2506d384 0, 12780, 192000, 0x9a8dc93a 0, 19170, 192000, 0x4badb7f2 
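Review bot: After the prologue loop `for(i = 0; i <= stereo; i++) *samples++ = pred[i];` the main loop continues from the same `i` (`for(; i < unp_size / 2; i++)`), which is correct but easy to misread; a comment like `/* i carries over: the first stereo+1 samples are the raw predictors */` would help. The prologue also emits `stereo + 1` samples unconditionally, so if `unp_size / 2` (or `unp_size` in the 8-bit hunk) can be smaller than that, the output runs past the requested length — whether `unp_size` is validated against the channel count earlier in smka_decode_frame is outside the hunks. The same applies to the 8-bit hunk below.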
@@ -15,163 +15,163 @@ 0, 83070, 192000, 0x1a3d7971 0, 89460, 192000, 0xa1a65bd5 0, 95850, 192000, 0x344957b9 -1, 96408, 3128, 0x4c1564ae +1, 96408, 3128, 0x7e4064b4 0, 102240, 192000, 0xe23b5f4e -1, 102792, 3128, 0x34553309 +1, 102792, 3128, 0x80883301 0, 108630, 192000, 0xb5c2710b -1, 109176, 3136, 0xb474d246 +1, 109176, 3136, 0x2ad2d341 0, 115020, 192000, 0x7a25938f -1, 115576, 3128, 0x87b868ea +1, 115576, 3128, 0xda8468e3 0, 121410, 192000, 0x0a84e4c9 -1, 121959, 3136, 0xf1516dc3 +1, 121959, 3136, 0x9d6f6cdf 0, 127800, 192000, 0x94209b0d -1, 128359, 3128, 0x867563cb +1, 128359, 3128, 0x1aaa64b5 0, 134190, 192000, 0xf940e51f -1, 134743, 3128, 0x5200728c +1, 134743, 3128, 0x9182728b 0, 140580, 192000, 0xb9fdec42 -1, 141127, 3136, 0xeda118a0 +1, 141127, 3136, 0xfa8e17b3 0, 146970, 192000, 0x7b04a376 -1, 147527, 3128, 0x03e2c1d6 +1, 147527, 3128, 0x0dc3c1cf 0, 153360, 192000, 0x5fe0026b -1, 153910, 3136, 0xc3e862b6 +1, 153910, 3136, 0x0109639d 0, 159750, 192000, 0x775aca39 -1, 160310, 3128, 0x937a13be +1, 160310, 3128, 0x6d8a12d9 0, 166140, 192000, 0xae14fb32 -1, 166694, 3128, 0x7b1b9577 +1, 166694, 3128, 0x4b9a9597 0, 172530, 192000, 0x661106e5 -1, 173078, 3136, 0x042c7113 +1, 173078, 3136, 0x9112710e 0, 178920, 192000, 0xe8658dbf -1, 179478, 3128, 0xac48f451 +1, 179478, 3128, 0x8cccf522 0, 185310, 192000, 0x5359f0f9 -1, 185861, 3128, 0x018fbbe9 +1, 185861, 3128, 0x6594bbf3 0, 191700, 192000, 0xc1ec80f4 -1, 192245, 3136, 0xc62aa7ce +1, 192245, 3136, 0xd878a7d5 0, 198090, 192000, 0xca53806b -1, 198645, 3128, 0x106e3924 +1, 198645, 3128, 0xaa6e3905 0, 204480, 192000, 0xf0766b2e -1, 205029, 3136, 0xfeb82ecc +1, 205029, 3136, 0x2a062e04 0, 210870, 192000, 0x39962da8 -1, 211429, 3128, 0x7e7c005b +1, 211429, 3128, 0x84e4006a 0, 217260, 192000, 0x4171c37f -1, 217812, 3128, 0x949d3560 +1, 217812, 3128, 0x85183633 0, 223650, 192000, 0x3abf3b46 -1, 224196, 3136, 0x02bd4aff +1, 224196, 3136, 0xb62d4b02 0, 230040, 192000, 0xecc68313 -1, 230596, 3128, 0x4aaf4715 +1, 230596, 
3128, 0xe209462a 0, 236430, 192000, 0xea339baf -1, 236980, 3136, 0x2958825f +1, 236980, 3136, 0x57c4824b 0, 242820, 192000, 0x616b8f16 -1, 243380, 3128, 0x99a5914d +1, 243380, 3128, 0x664a9163 0, 249210, 192000, 0xf77a8581 -1, 249763, 3128, 0xe67277a4 +1, 249763, 3128, 0xb4287874 0, 255600, 192000, 0xb315678b -1, 256147, 3136, 0x11296973 +1, 256147, 3136, 0xde626885 0, 261990, 192000, 0x0a4a5218 -1, 262547, 3128, 0x5cc362f7 +1, 262547, 3128, 0x919763c2 0, 268380, 192000, 0x98802be4 -1, 268931, 3128, 0x0c5e6586 +1, 268931, 3128, 0xa4f664e1 0, 274770, 192000, 0xa2f0fd94 -1, 275314, 3136, 0xe940b0f9 +1, 275314, 3136, 0xa0bab0d4 0, 281160, 192000, 0x6671c84f -1, 281714, 3128, 0x2c9292cc +1, 281714, 3128, 0xe938939c 0, 287550, 192000, 0x38327e31 -1, 288098, 3136, 0xa807c096 +1, 288098, 3136, 0x3679bfc7 0, 293940, 192000, 0xb85d3e08 -1, 294498, 3128, 0x9d2254d8 +1, 294498, 3128, 0xc96c55c3 0, 300330, 192000, 0xdc69eba9 -1, 300882, 3128, 0xe68015b0 +1, 300882, 3128, 0x119114d6 0, 306720, 192000, 0x8955a0b3 -1, 307265, 3136, 0x65d58029 +1, 307265, 3136, 0x42f3800f 0, 313110, 192000, 0x714a548b -1, 313665, 3128, 0xcffcc48c +1, 313665, 3128, 0x4250c4ad 0, 319500, 192000, 0xc0471de9 -1, 320049, 3136, 0x8c704944 +1, 320049, 3136, 0x5cdd4925 0, 325890, 192000, 0x2e16e039 -1, 326449, 3128, 0x1459231d +1, 326449, 3128, 0xa4c12360 0, 332280, 192000, 0x9fa4b033 -1, 332833, 3128, 0x7dde4839 +1, 332833, 3128, 0x849f48de 0, 338670, 192000, 0x4a0f9402 -1, 339216, 3136, 0xbb6890e2 +1, 339216, 3136, 0x6acd8ff9 0, 345060, 192000, 0x1f3e6843 -1, 345616, 3128, 0xcd9a8524 +1, 345616, 3128, 0xb2758556 0, 351450, 192000, 0x31774850 -1, 352000, 3128, 0xa244fc31 +1, 352000, 3128, 0x10f2fcb1 0, 357840, 192000, 0x9d5336a2 -1, 358384, 3136, 0x504e2bd9 +1, 358384, 3136, 0xf0f02b23 0, 364230, 192000, 0xf7de27a2 -1, 364784, 3128, 0x655858d8 +1, 364784, 3128, 0x64f759c6 0, 370620, 192000, 0x98c717ce -1, 371167, 3136, 0x46027610 +1, 371167, 3136, 0x7ec075e3 0, 377010, 192000, 0x615b10b8 -1, 377567, 
3128, 0x4192d5e3 +1, 377567, 3128, 0xf981d51e 0, 383400, 192000, 0xd5bc0e7e -1, 383951, 3128, 0x21d2e7fe +1, 383951, 3128, 0xc622e8b9 0, 389790, 192000, 0xd5bc0e7e -1, 390335, 3136, 0x7c93e329 +1, 390335, 3136, 0xf632e2f8 0, 396180, 192000, 0xd5bc0e7e -1, 396735, 3128, 0xa67718c0 +1, 396735, 3128, 0xda561864 0, 402570, 192000, 0xd5bc0e7e -1, 403118, 3136, 0x9bb6e8a3 +1, 403118, 3136, 0x14d2e888 0, 408960, 192000, 0xd5bc0e7e -1, 409518, 3128, 0x0933b7a6 +1, 409518, 3128, 0x015bb869 0, 415350, 192000, 0xd5bc0e7e -1, 415902, 3128, 0x07f1fb57 +1, 415902, 3128, 0xedb1fb62 0, 421740, 192000, 0xd5bc0e7e -1, 422286, 3136, 0x8a050cfd +1, 422286, 3136, 0xe0560c41 0, 428130, 192000, 0xd5bc0e7e -1, 428686, 3128, 0xdb773c0b +1, 428686, 3128, 0x14773c9a 0, 434520, 192000, 0xd5bc0e7e -1, 435069, 3136, 0xd1281c53 +1, 435069, 3136, 0x850f1c82 0, 440910, 192000, 0xd5bc0e7e -1, 441469, 3128, 0x9f395324 +1, 441469, 3128, 0xb0bd5347 0, 447300, 192000, 0xd5bc0e7e -1, 447853, 3128, 0x5f13edec +1, 447853, 3128, 0x8f82edbf 0, 453690, 192000, 0xd5bc0e7e -1, 454237, 3136, 0x871cbecf +1, 454237, 3136, 0x493abee2 0, 460080, 192000, 0xd5bc0e7e -1, 460637, 3128, 0x799eff3e +1, 460637, 3128, 0xf5daff3f 0, 466470, 192000, 0xd5bc0e7e -1, 467020, 3128, 0x3f902762 +1, 467020, 3128, 0x78ad2690 0, 472860, 192000, 0xd5bc0e7e -1, 473404, 3136, 0x29f8bb04 +1, 473404, 3136, 0x490ebafc 0, 479250, 192000, 0xd5bc0e7e -1, 479804, 3128, 0xf3523ee9 +1, 479804, 3128, 0x70333fd2 0, 485640, 192000, 0xd5bc0e7e -1, 486188, 3136, 0x4405c435 +1, 486188, 3136, 0x8cb1c350 0, 492030, 192000, 0xd5bc0e7e -1, 492588, 3128, 0x892957cb +1, 492588, 3128, 0x8bd057cb 0, 498420, 192000, 0xd5bc0e7e -1, 498971, 3128, 0xdf483dbd +1, 498971, 3128, 0x161b3dbc 0, 504810, 192000, 0xd5bc0e7e -1, 505355, 3136, 0x5e8ab797 +1, 505355, 3136, 0xb47fb88a 0, 511200, 192000, 0xd5bc0e7e -1, 511755, 3128, 0x92e13820 +1, 511755, 3128, 0x474b381e 0, 517590, 192000, 0xd5bc0e7e -1, 518139, 3136, 0xfde719b6 +1, 518139, 3136, 0x07c519bb 0, 523980, 
192000, 0xd5bc0e7e -1, 524539, 3128, 0x442f17ae +1, 524539, 3128, 0x15b916c8 0, 530370, 192000, 0xd5bc0e7e -1, 530922, 3128, 0x011af61f +1, 530922, 3128, 0x0ed7f6fb 0, 536760, 192000, 0xd5bc0e7e -1, 537306, 3136, 0x4e3e3a6d +1, 537306, 3136, 0x54d6397b 0, 543150, 192000, 0xd5bc0e7e -1, 543706, 3128, 0xc11242b9 +1, 543706, 3128, 0x437242bb 0, 549540, 192000, 0xd5bc0e7e -1, 550090, 3128, 0x01415b59 +1, 550090, 3128, 0x38f05c4d 0, 555930, 192000, 0xd5bc0e7e -1, 556473, 3136, 0x302e0e55 +1, 556473, 3136, 0x5d000e59 0, 562320, 192000, 0xd5bc0e7e -1, 562873, 3128, 0x20522d04 +1, 562873, 3128, 0xdeab2d04 0, 568710, 192000, 0xd5bc0e7e -1, 569257, 3136, 0x316a697d +1, 569257, 3136, 0x77de6880 0, 575100, 192000, 0xd5bc0e7e -1, 575657, 3128, 0x6d75ee27 +1, 575657, 3128, 0xbc87ef25 0, 581490, 192000, 0xd5bc0e7e -1, 582041, 3128, 0xcb008ae8 +1, 582041, 3128, 0xc1638ade 0, 587880, 192000, 0xd5bc0e7e -1, 588424, 3136, 0xd2664b51 +1, 588424, 3136, 0xcfb64a5f 0, 594270, 192000, 0xd5bc0e7e -1, 594824, 3128, 0xdfcab728 +1, 594824, 3128, 0x90b1b826 0, 600660, 192000, 0xd5bc0e7e 1, 601208, 3136, 0x00000000 0, 607050, 192000, 0xd5bc0e7e From 54a178f28ff5caf8cac5493cc3f1c22ac2323fcf Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 23:46:00 +0200 Subject: [PATCH 057/290] Fixed size given to init_get_bits(). init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit b59efc94347ccf0cbc2ff14a5a9e99819c5bdc4d) Signed-off-by: Anton Khirnov --- libavcodec/aac_adtstoasc_bsf.c | 2 +- libavcodec/avs.c | 2 +- libavcodec/jvdec.c | 2 +- libavcodec/rv34.c | 2 +- libavcodec/tta.c | 2 +- libavformat/movenc.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index fbb86f8af7..d1310c4149 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c 
@@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc, int pce_size = 0; uint8_t pce_data[MAX_PCE_SIZE]; if (!hdr.chan_config) { - init_get_bits(&gb, buf, buf_size); + init_get_bits(&gb, buf, buf_size * 8); if (get_bits(&gb, 3) != 5) { av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0); return -1; diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 1c2682b338..1a5e44401c 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx, table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); - init_get_bits(&change_map, table, map_size); + init_get_bits(&change_map, table, map_size * 8); table += map_size; } diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 0c346486f5..5249764347 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf)); + init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index c5dcfdcba4..910b933dd9 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); return -1; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0)); + init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return -1; 
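Review bot: The jvdec hunk mixes units: `FFMIN(video_size, (buf_end - buf) * 8)` compares `video_size` with a bit count, and if `video_size` is a byte count (the old line compared it directly with `buf_end - buf`, which suggests so), the reader is sized to `video_size` bits — one eighth of the intended data — whenever the buffer is large enough, while the `* 8` only applies in the truncated case. The conversion should wrap the minimum: `init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf) * 8);`. The other hunks in this patch (aac_adtstoasc, avs, rv34) scale a plain byte length and look right.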
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 57f5818d7b..fd5aa46670 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -216,7 +216,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (avctx->extradata_size < 30) return -1; - init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size); + init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { /* signature */ diff --git a/libavformat/movenc.c b/libavformat/movenc.c index dcc5581443..0cf837c9b1 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track) avio_wb32(pb, 11); ffio_wfourcc(pb, "dac3"); - init_get_bits(&gbc, track->vosData+4, track->vosLen-4); + init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8); fscod = get_bits(&gbc, 2); frmsizecod = get_bits(&gbc, 6); bsid = get_bits(&gbc, 5); From a3d471e500674c31fa4f52a62ef789d5e7fdbd3c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 23:26:12 +0200 Subject: [PATCH 058/290] oggdec: fix out of bound write in the ogg demuxer Between ogg_save() and ogg_restore() calls, the number of streams could have been reduced. Signed-off-by: Luca Barbato (cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d) Signed-off-by: Anton Khirnov --- libavformat/oggdec.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 25f5cd8b2d..18201677b8 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
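Review bot: In the movenc hunk `(track->vosLen-4) * 8` goes negative when `vosLen < 4`, and nothing in the hunk guards `init_get_bits` against that, so a short or empty extradata blob hands the bit reader a negative size. Unless a length check exists above the hunk (not visible), the atom should be skipped for `vosLen < 4`; the function appears to return the atom size (`avio_wb32(pb, 11)`), so the right error convention needs checking before picking a return value. The tta hunk is the model here: it checks `extradata_size < 30` before sizing the reader.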
@@ -92,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard) ogg->state = ost->next; if (!discard){ + struct ogg_stream *old_streams = ogg->streams; + for (i = 0; i < ogg->nstreams; i++) av_free (ogg->streams[i].buf); avio_seek (bc, ost->pos, SEEK_SET); ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; - memcpy(ogg->streams, ost->streams, - ost->nstreams * sizeof(*ogg->streams)); + ogg->streams = av_realloc (ogg->streams, + ogg->nstreams * sizeof (*ogg->streams)); + + if (ogg->streams) { + memcpy(ogg->streams, ost->streams, + ost->nstreams * sizeof(*ogg->streams)); + } else { + av_free(old_streams); + ogg->nstreams = 0; + } } av_free (ost); From 9973ca992e8499848b8d5b0b536e709109dc65e2 Mon Sep 17 00:00:00 2001 From: David Goldwich Date: Sat, 17 Sep 2011 13:50:35 +0200 Subject: [PATCH 059/290] lavf: Fix context pointer in av_open_input_stream when avformat_open_input fails Signed-off-by: David Goldwich Signed-off-by: Anton Khirnov (cherry picked from commit 63d64228a7f31d534e3bcae87cbd37f4a0ae2dd6) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2cb096e373..d9d154e3ab 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -469,8 +469,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above - *ic_ptr = ic; fail: + *ic_ptr = ic; av_dict_free(&opts); return err; } From 28d948ac44e38e8bec2f6268ccf4747ff4d992a9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:03:08 +0200 Subject: [PATCH 060/290] rv10: Reject slices that does not have the same type as the first one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents crashes with some corrupted bitstreams. Signed-off-by: Martin Storsjö (cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7) 
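Review bot: On `av_realloc` failure the hunk resets `ogg->nstreams` to 0 and frees the old array but does not report the error, even though ogg_restore returns `int`; the caller continues with an empty stream table as if the restore had succeeded. Returning `AVERROR(ENOMEM)` after the `av_free(ost)` that follows the hunk would make the failure visible. The `av_free(old_streams)` also relies on `av_realloc` leaving the original block intact on failure, which holds for a non-zero size; if `ogg->nstreams` can be 0 here, confirm that a zero-length `av_realloc` does not itself release the block, otherwise this is a double free.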
Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 78f97b16b1..223500c356 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -543,6 +543,11 @@ static int rv10_decode_packet(AVCodecContext *avctx, if(MPV_frame_start(s, avctx) < 0) return -1; ff_er_frame_start(s); + } else { + if (s->current_picture_ptr->pict_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return -1; + } } av_dlog(avctx, "qscale=%d\n", s->qscale); From f0bcba238a540793adc514fb84e74282b04d2418 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 23:43:58 +0200 Subject: [PATCH 061/290] rv34: Avoid NULL dereference on corrupted bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rv34_decode_slice() can return without allocating any pictures. Signed-off-by: Martin Storsjö (cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 910b933dd9..2383903625 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1486,7 +1486,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } - if(last){ + if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); ff_er_frame_end(s); From b4a1bf0bbf53cc6a736a608732b2ac1de5c2447b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:30 +0200 Subject: [PATCH 062/290] rv34: Fix potential overreads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 2383903625..87fca5c23e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1436,6 +1436,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = (*buf++) + 1; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 1 + 8 * slice_count; }else slice_count = avctx->slice_count; @@ -1454,7 +1455,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) - return buf_size; + return avpkt->size; for(i=0; icurrent_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } av_cold int ff_rv34_decode_end(AVCodecContext *avctx) From 2bbb142a140173e1870017b66c439f4d430a6f67 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 19 Sep 2011 22:48:53 +0200 Subject: [PATCH 063/290] rv34: Check for invalid slice offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 87fca5c23e..70c35ef4ff 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c 
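Review bot: `buf_size -= 1 + 8 * slice_count;` is applied without first checking that the packet holds those header bytes, so a short packet with a large `slice_count` (up to 256, from the byte read just above) leaves `buf_size` negative and `slices_hdr` pointing past the input, and the `get_slice_offset` reads in the following hunk happen before any comparison with `buf_size` can reject them. A check right after reading the count, e.g. `if (avpkt->size < 1 + 8 * slice_count) return AVERROR_INVALIDDATA;`, would close it. Returning `avpkt->size` instead of the adjusted `buf_size` is the right fix for the consumed-bytes return. The third hunk's body is mangled in this copy of the diff, so it could not be reviewed.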
@@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(get_slice_offset(avctx, slices_hdr, 0) < 0 || + get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return -1; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); @@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(offset < 0 || offset > buf_size || size < 0){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } From ecda54a640a7de55274ad2a86d58d0b483097aac Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 25 Sep 2011 12:53:44 +0100 Subject: [PATCH 064/290] ppc: fix 32-bit PIC build On 32-bit ppc, the GOT pointer must be loaded manually. This adds a "get_got" assembler macro to compute the GOT address. The "movrel" macro is updated to take an additional parameter containing the GOT address since no register is reserved for this purpose on ppc32. These changes have no effect on ppc64 builds. Signed-off-by: Mans Rullgard (cherry picked from commit 6e4a35ced96cdf31a9d3bd82fd147554750af839) Signed-off-by: Reinhard Tartler --- libavcodec/ppc/asm.S | 19 ++++++++++++++++--- libavcodec/ppc/fft_altivec_s.S | 7 ++++--- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/libavcodec/ppc/asm.S b/libavcodec/ppc/asm.S index 5cbbf97b64..4d4285b6d3 100644 --- a/libavcodec/ppc/asm.S +++ b/libavcodec/ppc/asm.S 
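Review bot: `get_slice_offset(avctx, slices_hdr, 0)` is now evaluated three times in a row (twice in the condition, once in the `init_get_bits` call); a local such as `int offset0 = get_slice_offset(avctx, slices_hdr, 0);` used in all three places reads more clearly and makes it obvious that the value being validated is the one being consumed. The second hunk's `offset < 0 || offset > buf_size || size < 0` check should get the same treatment for `get_slice_offset(avctx, slices_hdr, i+1)`, which is presumably also read in the branch above it. ff_rv34_decode_frame continues outside both hunks.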
@@ -44,10 +44,13 @@ X(\name): L(\name): .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp ld \rd, \sym@got(r2) .endm +.macro get_got rd +.endm + #else /* ARCH_PPC64 */ #define PTR .int @@ -65,15 +68,25 @@ X(\name): \name: .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp #if CONFIG_PIC - lwz \rd, \sym@got(r2) + lwz \rd, \sym@got(\gp) #else lis \rd, \sym@ha la \rd, \sym@l(\rd) #endif .endm +.macro get_got rd +#if CONFIG_PIC + bcl 20, 31, .Lgot\@ +.Lgot\@: + mflr \rd + addis \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha + addi \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l +#endif +.endm + #endif /* ARCH_PPC64 */ #if HAVE_IBM_ASM diff --git a/libavcodec/ppc/fft_altivec_s.S b/libavcodec/ppc/fft_altivec_s.S index ab33900582..958d7df0ee 100644 --- a/libavcodec/ppc/fft_altivec_s.S +++ b/libavcodec/ppc/fft_altivec_s.S @@ -353,6 +353,7 @@ extfunc ff_fft_calc\interleave\()_altivec mflr r0 stp r0, 2*PS(r1) stpu r1, -(160+16*PS)(r1) + get_got r11 addi r6, r1, 16*PS stvm r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29 mfvrsave r0 @@ -360,14 +361,14 @@ extfunc ff_fft_calc\interleave\()_altivec li r6, 0xfffffffc mtvrsave r6 - movrel r6, fft_data + movrel r6, fft_data, r11 lvm r6, v14, v15, v16, v17, v18, v19, v20, v21 lvm r6, v22, v23, v24, v25, v26, v27, v28, v29 li r9, 16 - movrel r12, X(ff_cos_tabs) + movrel r12, X(ff_cos_tabs), r11 - movrel r6, fft_dispatch_tab\interleave\()_altivec + movrel r6, fft_dispatch_tab\interleave\()_altivec, r11 lwz r3, 0(r3) subi r3, r3, 2 slwi r3, r3, 2+ARCH_PPC64 From dde0fb4aeaf855fc38fb002c23dbbeba06407a09 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 25 Sep 2011 18:27:47 +0100 Subject: [PATCH 065/290] ppc: fix some pointer to integer casts Use uintptr_t instead of plain int. Without this change, the comparisons will come out wrong for pointers in certain ranges. Fixes random failures on ppc64. Also fixes some compiler warnings. 
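Review bot: The ppc32 `get_got` macro clobbers the link register (`bcl 20, 31, .Lgot\@` followed by `mflr \rd`), but nothing at its definition says so; a caller that expands it before saving LR silently loses its return address. The fft_altivec_s.S hunk is safe only because `mflr r0` and `stp r0, 2*PS(r1)` happen to precede `get_got r11`. A comment on the macro, `# clobbers LR: expand only after the prologue has saved it`, plus one on the ppc64 and non-PIC variants noting that `gp` is ignored there, would make the contract visible to the next caller. The register chosen at the call site (r11) also has to survive until the last `movrel` use, which is worth a line in fft_altivec_s.S since the macro body is elsewhere.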
Signed-off-by: Mans Rullgard (cherry picked from commit d853e571ad5e7e12c6a68cfde390daced7d85fbb) Signed-off-by: Reinhard Tartler --- libswscale/ppc/swscale_altivec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c index 42e965de95..4476e1cf67 100644 --- a/libswscale/ppc/swscale_altivec.c +++ b/libswscale/ppc/swscale_altivec.c @@ -36,13 +36,13 @@ altivec_packIntArrayToCharArray(int *val, uint8_t* dest, int dstW) register int i; vector unsigned int altivec_vectorShiftInt19 = vec_add(vec_splat_u32(10), vec_splat_u32(9)); - if ((unsigned int)dest % 16) { + if ((uintptr_t)dest % 16) { /* badly aligned store, we force store alignment */ /* and will handle load misalignment on val w/ vec_perm */ vector unsigned char perm1; vector signed int v1; for (i = 0 ; (i < dstW) && - (((unsigned int)dest + i) % 16) ; i++) { + (((uintptr_t)dest + i) % 16) ; i++) { int t = val[i] >> 19; dest[i] = (t < 0) ? 0 : ((t > 255) ? 255 : t); } @@ -251,7 +251,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_vEven, val_s; - if ((((int)src + srcPos)% 16) > 12) { + if ((((uintptr_t)src + srcPos) % 16) > 12) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); @@ -290,7 +290,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_v, val_s; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); 
@@ -376,7 +376,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, //vector unsigned char src_v0 = vec_ld(srcPos + j, src); vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v1R, filter_v; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + j + 16, src); } src_vF = vec_perm(src_v0, src_v1, permS); From fed7f5b04f0ddde81fe1de1af725a63461a31f6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Sep 2011 18:57:31 +0300 Subject: [PATCH 066/290] flvdec: Check for overflow before allocating arrays MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On allocation, the array length is multiplied by sizeof(int64_t), this prevents the multiplication from overflowing. Signed-off-by: Martin Storsjö (cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c6b386e28f..5f442f7265 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream break; arraylen = avio_rb32(ioc); + if (arraylen >> 28) + break; + /* * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata * for indexing From 42c8fdb943b210b2f79e2510a91ca0f542c9bad0 Mon Sep 17 00:00:00 2001 From: Sascha Sommer Date: Sat, 24 Sep 2011 20:56:41 +0200 Subject: [PATCH 067/290] Fix segfault in save_bits: use put_bits_count to get the buffer fill state instead of num_saved_bits as num_saved_bits is sometimes reset when frames are lost (Ticket 495) (cherry picked from commit 780d45473c32fa356c8ce385c3ea4692567c3228) 
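Review bot: `if (arraylen >> 28) break;` keeps `arraylen * sizeof(int64_t)` within a 32-bit size_t, but it still lets a single 4-byte field in an untrusted file request an allocation of up to 2 GiB per array, which is a cheap memory-exhaustion vector for a demuxer. Every element has to be read from the stream afterwards, so bounding arraylen by the bytes remaining up to max_pos (presumably `max_pos - avio_tell(ioc)` is available in this function) is a much tighter check than a fixed bit width. The constant also deserves a comment, e.g. `/* cap so arraylen * sizeof(int64_t) cannot overflow; each entry still costs bytes in the file */`. parse_keyframes_index continues outside the hunk.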
Signed-off-by: Michael Niedermayer (cherry picked from commit 4f6187c7356111540024901932294e9807061dd0) --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e1d942dca2..b0b98f1d98 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1436,7 +1436,7 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } - buflen = (s->num_saved_bits + len + 8) >> 3; + buflen = (put_bits_count(&s->pb) + len + 8) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { av_log_ask_for_sample(s->avctx, "input buffer too small\n"); From 9960710b872e2d1c7d9d8730c4b6ca2c2cdf183e Mon Sep 17 00:00:00 2001 From: Sascha Sommer Date: Sat, 24 Sep 2011 20:56:41 +0200 Subject: [PATCH 068/290] Fix segfault in save_bits: use put_bits_count to get the buffer fill state instead of num_saved_bits as num_saved_bits is sometimes reset when frames are lost (Ticket 495) (cherry picked from commit 780d45473c32fa356c8ce385c3ea4692567c3228) Signed-off-by: Michael Niedermayer (cherry picked from commit 4f6187c7356111540024901932294e9807061dd0) --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e1d942dca2..b0b98f1d98 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1436,7 +1436,7 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } - buflen = (s->num_saved_bits + len + 8) >> 3; + buflen = (put_bits_count(&s->pb) + len + 8) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { av_log_ask_for_sample(s->avctx, "input buffer too small\n"); From ad47a5ec854d2ec6e451690622a3484010094aa2 Mon Sep 17 00:00:00 2001 
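Review bot: The wmaprodec.c hunk in PATCH 068 is byte-identical to the one in PATCH 067 (same upstream commit 780d45473c32fa356c8ce385c3ea4692567c3228, same index line e1d942dca2..b0b98f1d98), so the second patch cannot apply on top of the first and one of them should be dropped from the series. On the change itself, `buflen = (put_bits_count(&s->pb) + len + 8) >> 3;` is only meaningful once `init_put_bits` has run on `s->pb`, which the visible call does under a condition outside the hunk; a short comment, `/* pb is the authoritative fill state: num_saved_bits is reset when frames are lost */`, would keep a future reader from reverting to the counter. save_bits continues outside the hunk.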
From: Anton Khirnov Date: Fri, 16 Sep 2011 16:06:45 +0200 Subject: [PATCH 069/290] movenc: create an alternate group for each media type Partially fixes bug 44. (cherry picked from commit 7574cacbd5343bc303ee8333956274716e2444d5) Signed-off-by: Reinhard Tartler --- libavformat/movenc.c | 3 ++- tests/ref/acodec/alac | 2 +- tests/ref/acodec/pcm | 8 ++++---- tests/ref/lavf/mov | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 0cf837c9b1..5d9d3d1bfe 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1214,7 +1214,8 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st) avio_wb32(pb, 0); /* reserved */ avio_wb32(pb, 0); /* reserved */ - avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */ + avio_wb16(pb, 0); /* layer */ + avio_wb16(pb, st->codec->codec_type); /* alternate group) */ /* Volume, only for audio */ if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO) avio_wb16(pb, 0x0100); diff --git a/tests/ref/acodec/alac b/tests/ref/acodec/alac index 1f4b264b87..35a1d8e1bf 100644 --- a/tests/ref/acodec/alac +++ b/tests/ref/acodec/alac @@ -1,4 +1,4 @@ -c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a +b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a 389386 ./tests/data/acodec/alac.m4a 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 diff --git a/tests/ref/acodec/pcm b/tests/ref/acodec/pcm index 033f8bc8c6..fc9dd8f29d 100644 --- a/tests/ref/acodec/pcm +++ b/tests/ref/acodec/pcm 
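Review bot: `avio_wb16(pb, st->codec->codec_type);` dereferences st without a NULL check; PATCH 070 later on this page adds exactly that guard, so the two commits could be squashed. Writing the enum value directly also means a video track (AVMEDIA_TYPE_VIDEO is 0) gets alternate_group 0, which the tkhd definition treats as "not in any alternate group", so only audio, data and subtitle tracks actually form groups — if video grouping is wanted, an offset such as `codec_type + 1` would be needed. The new comment `/* alternate group) */` carries a stray `)`.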
@@ -6,7 +6,7 @@ f443a8eeb1647ec1eeb8370c939e52d4 *./tests/data/acodec/pcm_mulaw.wav 529256 ./tests/data/acodec/pcm_mulaw.wav 1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400 -b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov +760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov 530837 ./tests/data/acodec/pcm_s8.mov 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 @@ -14,7 +14,7 @@ stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 529244 ./tests/data/acodec/pcm_u8.wav 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 -c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov +a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov 1060037 ./tests/data/acodec/pcm_s16be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 @@ -30,7 +30,7 @@ c4f51bf32fad2f7af8ea5beedb56168b *./tests/data/acodec/pcm_s16le.mkv 1060638 ./tests/data/acodec/pcm_s16le.mkv 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov +971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov 1589237 ./tests/data/acodec/pcm_s24be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 
@@ -38,7 +38,7 @@ a85380fb79b0d4fff38e24ac1e34bb94 *./tests/data/acodec/pcm_s24le.wav 1587668 ./tests/data/acodec/pcm_s24le.wav 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov +fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov 2118437 ./tests/data/acodec/pcm_s32be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov index 22aac3600e..07404aa862 100644 --- a/tests/ref/lavf/mov +++ b/tests/ref/lavf/mov @@ -1,3 +1,3 @@ -439684b82ccc1fdd24a23392c238ae53 *./tests/data/lavf/lavf.mov +4a3ad13f0355cb5d119109778d555207 *./tests/data/lavf/lavf.mov 357681 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0x2f6a9b26 From 9f9b731a3a2f873b3fb1e4f52e181a43fab6b89b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 19 Sep 2011 15:15:56 +0200 Subject: [PATCH 070/290] movenc: fix NULL reference in mov_write_tkhd_tag st may be NULL when there are more mov streams than AVStreams, e.g. when chapters are present. (cherry picked from commit c92a2a4eb8b883e82871c2415f757153d263b6b3) Signed-off-by: Reinhard Tartler --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 5d9d3d1bfe..b171c2dc14 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1215,7 +1215,7 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st) avio_wb32(pb, 0); /* reserved */ avio_wb32(pb, 0); /* reserved */ avio_wb16(pb, 0); /* layer */ - avio_wb16(pb, st->codec->codec_type); /* alternate group) */ + avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */ /* Volume, only for audio */ if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO) avio_wb16(pb, 0x0100); 
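Review bot: `st ? st->codec->codec_type : 0` branches on st while the very next line already reads the same field from `track->enc->codec_type`; if track->enc is valid for the chapter tracks the commit message describes (it presumably is, since the volume check below relies on it), `avio_wb16(pb, track->enc->codec_type);` would be consistent with the surrounding code and drop the special case altogether. The `/* alternate group) */` comment still has its stray `)`. mov_write_tkhd_tag continues outside the hunk.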
From a2443e89d740204c960da0d29c979a9283071a65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 14:59:54 +0200 Subject: [PATCH 071/290] Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080. Whitespace of the patch cleaned up by Aurel Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8) Further suggestions from Kostya have been implemented by Reinhard Tartler (cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f74f76cb8a..59dce4f59f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -798,11 +798,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, uint32_t id = syntax->id; uint64_t length; int res; + void *newelem; data = (char *)data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + if (!newelem) + return AVERROR(ENOMEM); + list->elem = newelem; data = (char*)list->elem + list->nb_elem*syntax->list_elem_size; memset(data, 0, syntax->list_elem_size); list->nb_elem++; @@ -932,6 +936,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, uint8_t* data = *buf; int isize = *buf_size; uint8_t* pkt_data = NULL; + uint8_t* newpktdata; int pkt_size = isize; int result = 0; int olen; 
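Review bot: `(list->nb_elem+1)*syntax->list_elem_size` in the first hunk is still computed without an overflow check; nb_elem grows by one for every element found in the file, and if these are plain ints (the declarations are outside the hunk) a hostile element count wraps the product into a small allocation while nb_elem keeps advancing — the same class of bug this commit is fixing. Since this branch is only taken when list_elem_size is non-zero, a guard before the realloc, `if (list->nb_elem >= INT_MAX / syntax->list_elem_size) return AVERROR(ENOMEM);`, is enough. The NULL check on `newelem` itself is correct and leaves `list->elem` valid on failure, which a one-line comment could state.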
@@ -961,7 +966,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, zstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + inflateEnd(&zstream); + goto failed; + } + pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; result = inflate(&zstream, Z_NO_FLUSH); @@ -982,7 +992,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, bzstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + BZ2_bzDecompressEnd(&bzstream); + goto failed; + } + pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; result = BZ2_bzDecompress(&bzstream); @@ -1037,13 +1052,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska, } } -static void matroska_merge_packets(AVPacket *out, AVPacket *in) +static int matroska_merge_packets(AVPacket *out, AVPacket *in) { - out->data = av_realloc(out->data, out->size+in->size); + void *newdata = av_realloc(out->data, out->size+in->size); + if (!newdata) + return AVERROR(ENOMEM); + out->data = newdata; memcpy(out->data+out->size, in->data, in->size); out->size += in->size; av_destruct_packet(in); av_free(in); + return 0; } static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, 
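Review bot: `matroska_merge_packets` now returns `AVERROR(ENOMEM)` instead of silently continuing, but its call site is not among these hunks; the caller has to check the new return value, and on failure `in` is no longer destructed or freed inside the function, so whoever receives the error owns that cleanup. In the zlib and bzlib loops `pkt_size *= 3;` grows a signed int with no bound; the realloc failure path now catches a wrapped size only indirectly, after the signed overflow has already occurred, so `if (pkt_size > INT_MAX / 3) { inflateEnd(&zstream); goto failed; }` (and the bzlib counterpart) before the multiply would make the limit explicit. matroska_decode_buffer continues outside the hunks.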
@@ -1568,11 +1587,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); av_free(matroska->packets[0]); if (matroska->num_packets > 1) { + void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], (matroska->num_packets - 1) * sizeof(AVPacket *)); - matroska->packets = - av_realloc(matroska->packets, (matroska->num_packets - 1) * - sizeof(AVPacket *)); + newpackets = av_realloc(matroska->packets, + (matroska->num_packets - 1) * sizeof(AVPacket *)); + if (newpackets) + matroska->packets = newpackets; } else { av_freep(&matroska->packets); } From be9183de2ec54aab2f3e613b53ead369b6cf22fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2011 22:22:56 +0200 Subject: [PATCH 072/290] h264: More correct ref_count check in decode_slice_header() Signed-off-by: Michael Niedermayer (cherry picked from commit dc9ce40069bde3d28f8d0b3e5bd733ae255fecb5) --- libavcodec/h264.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f227ddfedf..b844c38b56 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2872,6 +2872,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[1]= h->pps.ref_count[1]; if(h->slice_type_nos != AV_PICTURE_TYPE_I){ + unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1; if(h->slice_type_nos == AV_PICTURE_TYPE_B){ h->direct_spatial_mv_pred= get_bits1(&s->gb); } 
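Review bot: `if (newpackets) matroska->packets = newpackets;` with no else branch is correct only because this realloc shrinks the array — on failure the old, larger buffer stays valid and the memmove above has already compacted it — but the code does not say so, and a later reader may "fix" it into an error return. A comment on the assignment, `/* shrinking: on failure the old, larger array remains valid */`, captures the reasoning. matroska_deliver_packet continues outside the hunk.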
@@ -2882,11 +2883,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(h->slice_type_nos==AV_PICTURE_TYPE_B) h->ref_count[1]= get_ue_golomb(&s->gb) + 1; - if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0]= h->ref_count[1]= 1; - return -1; - } + } + if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){ + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0]= h->ref_count[1]= 1; + return -1; } if(h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count= 2; From ceede3a802478b6cf0c1cd7d54b76b4af8d00d56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2011 22:24:05 +0200 Subject: [PATCH 073/290] h264: fix FIXME and use list_count in ff_h264_fill_mbaff_ref_list() Signed-off-by: Michael Niedermayer (cherry picked from commit 237d31e0b98b95eef687e612177ca3ea24b709fc) --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 83a5564e4c..063ac97955 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -301,7 +301,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h){ void ff_h264_fill_mbaff_ref_list(H264Context *h){ int list, i, j; - for(list=0; list<2; list++){ //FIXME try list_count + for(list=0; listlist_count; list++){ for(i=0; iref_count[list]; i++){ Picture *frame = &h->ref_list[list][i]; Picture *field = &h->ref_list[list][16+2*i]; From 783f45de4f3ee03a661c7d1479fe1b513bc0a863 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 17 Jul 2011 15:40:05 +0100 Subject: [PATCH 074/290] fate: separate lavf-mxf_d10 test from lavf-mxf Signed-off-by: Mans Rullgard (cherry picked from commit 0218808d4980b794c78f57931d671508aed500b5) required to unbreak fate with --disable-avfilter 
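Review bot: `h->ref_count[0]-1 > max` relies on ref_count being unsigned so that a wrapped count (a malformed Golomb code yielding 0 after the `+ 1`) turns into a huge value and is rejected; if ref_count were signed the test would let it through, and nothing in the hunk records that dependency. Two comments would fix this: `// 16 refs per frame, 32 per field picture` on the `unsigned max` declaration in the previous hunk, and `// ref_count is unsigned: a count of 0 wraps and is rejected` here. Hoisting the check out of the override block so the PPS defaults are validated too is the substance of the change and worth stating in the commit message, which currently only says "more correct". decode_slice_header continues outside the hunk.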
Signed-off-by: Reinhard Tartler --- configure | 2 +- tests/lavf-regression.sh | 3 +++ tests/ref/lavf/mxf | 3 --- tests/ref/lavf/mxf_d10 | 3 +++ 4 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 tests/ref/lavf/mxf_d10 diff --git a/configure b/configure index b6e2ff964b..981b0fdffb 100755 --- a/configure +++ b/configure @@ -1576,7 +1576,7 @@ test_deps _muxer _demuxer \ mmf \ mov \ pcm_mulaw=mulaw \ - mxf \ + mxf="mxf mxf_d10" \ nut \ ogg \ rawvideo=pixfmt \ diff --git a/tests/lavf-regression.sh b/tests/lavf-regression.sh index 39e752b3c6..07dedb2ef2 100755 --- a/tests/lavf-regression.sh +++ b/tests/lavf-regression.sh @@ -66,6 +66,9 @@ fi if [ -n "$do_mxf" ] ; then do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363" +fi + +if [ -n "$do_mxf_d10" ]; then do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10" fi diff --git a/tests/ref/lavf/mxf b/tests/ref/lavf/mxf index d4bbe2f25e..b5aea3c17e 100644 --- a/tests/ref/lavf/mxf +++ b/tests/ref/lavf/mxf @@ -1,6 +1,3 @@ 6e9bd63c5cadd7550ad313553ebf665f *./tests/data/lavf/lavf.mxf 525881 ./tests/data/lavf/lavf.mxf ./tests/data/lavf/lavf.mxf CRC=0x4ace0849 -e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10 -5330989 ./tests/data/lavf/lavf.mxf_d10 -./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e diff --git a/tests/ref/lavf/mxf_d10 b/tests/ref/lavf/mxf_d10 new file mode 100644 index 0000000000..f59a99ee0f --- /dev/null +++ b/tests/ref/lavf/mxf_d10 @@ -0,0 +1,3 @@ +e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10 +5330989 ./tests/data/lavf/lavf.mxf_d10 +./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e From 9bb7a128a34fb5e4abcd265e5dfcb61787ad2f0f Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Wed, 28 Sep 2011 00:50:08 +0200 Subject: [PATCH 075/290] fate: allow testing with libavfilter disabled This declares dependencies to skip tests using libavfilter when it is disabled. Signed-off-by: Mans Rullgard (cherry picked from commit 908f12f342341785bf0458e88a06d97a1af90339) Conflicts: configure tests/Makefile tests/fate.mak Signed-off-by: Reinhard Tartler --- Makefile | 7 +++++-- configure | 5 ++++- tests/fate.mak | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index d6bae7680b..d29872f277 100644 --- a/Makefile +++ b/Makefile @@ -252,9 +252,12 @@ FATE_SEEK = $(SEEK_TESTS:seek_%=fate-seek-%) FATE = $(FATE_ACODEC) \ $(FATE_VCODEC) \ $(FATE_LAVF) \ - $(FATE_LAVFI) \ $(FATE_SEEK) \ +FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI) + +FATE += $(FATE-yes) + $(filter-out %-aref,$(FATE_ACODEC)): $(AREF) $(filter-out %-vref,$(FATE_VCODEC)): $(VREF) $(FATE_LAVF): $(REFS) @@ -276,7 +279,7 @@ fate-lavfi: $(FATE_LAVFI) fate-seek: $(FATE_SEEK) ifdef SAMPLES -FATE += $(FATE_TESTS) +FATE += $(FATE_TESTS) $(FATE_TESTS-yes) fate-rsync: rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) else diff --git a/configure b/configure index 981b0fdffb..f4c327439a 100755 --- a/configure +++ b/configure @@ -1504,7 +1504,7 @@ test_deps(){ dep=${v%=*} tests=${v#*=} for name in ${tests}; do - eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'" + append ${name}_test_deps ${dep}$suf1 ${dep}$suf2 done done } @@ -1514,6 +1514,9 @@ set_ne_test_deps(){ eval ${1}_le_test_deps="!bigendian" } +mxf_d10_test_deps="avfilter" +seek_lavf_mxf_d10_test_deps="mxf_d10_test" + test_deps _encoder _decoder \ adpcm_g726=g726 \ adpcm_ima_qt \ diff --git a/tests/fate.mak b/tests/fate.mak index 0e3331178b..cf6c44e8e4 100644 --- a/tests/fate.mak +++ b/tests/fate.mak 
@@ -128,7 +128,7 @@ FATE_TESTS += fate-id-cin-video fate-id-cin-video: CMD = framecrc -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24 FATE_TESTS += fate-idroq-video-dpcm fate-idroq-video-dpcm: CMD = framecrc -i $(SAMPLES)/idroq/idlogo.roq -FATE_TESTS += fate-idroq-video-encode +FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode fate-idroq-video-encode: CMD = md5 -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ FATE_TESTS += fate-iff-byterun1 fate-iff-byterun1: CMD = framecrc -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24 From e257eebd17fbb7e880cfdde8a80c089434b6cf1f Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 17 Jul 2011 16:02:33 +0100 Subject: [PATCH 076/290] lavf: do not set codec_tag for rawvideo If the demuxer did not set a codec_tag, there is none and inventing one makes no sense. This change stops the rawvideo "decoder" over-writing user-supplied pixfmt with one derived from the codec_tag. The pixfmt-codec_tag-pixfmt round-trip is lossy since several pixfmts map to the same codec_tag. This fixes fate-lavf-pixfmt with avfilter disabled. Signed-off-by: Mans Rullgard (cherry picked from commit bb416bd68ca46b4a3f1901533064d56a6b8ac95e) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d9d154e3ab..e3c7d4aa84 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2405,9 +2405,6 @@ int av_find_stream_info(AVFormatContext *ic) (st->codec_info_nb_frames-2)*(int64_t)st->time_base.den, st->info->codec_info_duration*(int64_t)st->time_base.num, 60000); if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) { - if(st->codec->codec_id == CODEC_ID_RAWVIDEO && !st->codec->codec_tag && !st->codec->bits_per_coded_sample) - st->codec->codec_tag= avcodec_pix_fmt_to_codec_tag(st->codec->pix_fmt); - // the check for tb_unreliable() is not completely correct, since this is not about handling // a unreliable/inexact time base, but a time base that is finer than necessary, as e.g. // ipmovie.c produces. From 35feff418aabd9964509e2c718c65314606545e3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 30 Sep 2011 15:44:19 +0200 Subject: [PATCH 077/290] Update RELEASE file for 0.7.2 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 39e898a4f9..7486fdbc50 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.1 +0.7.2 From 58decdb639e8582063807b5ddfb86dada6731f74 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 30 Sep 2011 18:14:12 +0200 Subject: [PATCH 078/290] Update Changelog for 0.7.2 release --- Changelog | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/Changelog b/Changelog index 1598336e55..ab02a02bf5 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,48 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.2: + +- check buffer and input values in various parts of the code: + H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV, + cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf, + Matroska (CVE-2011-3504), RV10, RV30/RV40 +- memory leaks: vf_scale, eval + +- ARM: workaround for bug in GNU assembler +- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28) +- Reintroduce AVInputStream.nb_streams to avoid crashes +- aac: Only output configure if audio was found +- aac: Remove some suspicious illegal memcpy()s from LTP +- aacps: skip some memcpy() if src and dst would be equal +- adts: fix PCE copying +- alsa: fallback to buffer_size/4 for period_size +- alsa: limit buffer_size to 32768 frames +- cljr, indeo2: init_get_bits size in bits instead of bytes +- configure: add missing CFLAGS to fix building on the HURD +- dca: set AVCodecContext frame_size for DTS audio +- fate: allow testing with libavfilter disabled +- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps +- h264: correct implicit weight table computation for long ref pics +- h264: correct the check for invalid long term frame index in MMCO decode +- h264: fix PCM intra-coded blocks in monochrome case +- jpegdec: actually search for and parse RSTn +- lavc: fix type for thread_type option +- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails +- lavf: do not set codec_tag for rawvideo +- libx264: do not set pic quality if no frame is output +- movenc: create an alternate group for each media type +- mpegts: fix Continuity Counter error detection +- mxfenc: fix ignored drop flag in binary timecode representation +- fix crashes in 32-bit PIC builds (cf e.g. 
http://bugs.debian.org/639948) +- ppc64: fix cast related random failures +- riff: Add mpgv MPEG-2 fourcc +- swscale: don't use planar output functions to write to NV12/21 +- vc1: properly zero coded_block[] edges on new slice entry +- vp3/theora: flush after seek + +- various bug other fixes + version 0.7.1: @@ -16,6 +58,7 @@ version 0.7.1: - ffmpeg: fix operation with --disable-avfilter - fixed integer underflow in matroska decoder + version 0.7: - E-AC-3 audio encoder From e62ca1ab74a959584db80f42b49f708257abbdcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 00:58:01 +0200 Subject: [PATCH 079/290] mpegvideo: increase emu edge buffer size This fixes a crash with 422 H.264 Signed-off-by: Michael Niedermayer (cherry picked from commit 7322483d72d4abefae9f5c08c611f521de7236a5) --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index d819cc083f..a505b9071c 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){ int i; // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264) - FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance - s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21; + FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance + s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2; //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer() FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail) From 4d36f7cf88ccb869c2febb50c6f42d7a722a6d4f Mon Sep 17 00:00:00 2001 
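Review bot: The size comment `//(width + edge + align)*interlaced*MBsize*tolerance` no longer explains the product once another `*2` is appended, and the `edge_emu_buffer` offset gains the same factor with no note, so a reader cannot tell which term covers the new case. The commit message only says it fixes a crash with 4:2:2 H.264, presumably because chroma blocks are taller there; extending the comment to name the factor, e.g. `//... *2 for full-height chroma (4:2:2)`, keeps the two expressions explainable. init_duplicate_context continues outside the hunk.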
From: Michael Niedermayer Date: Sat, 1 Oct 2011 01:29:30 +0200 Subject: [PATCH 080/290] avformat_free_context: favor av_freep() Signed-off-by: Michael Niedermayer (cherry picked from commit 2a93f28a4b6eef8b93046e0b4e3225f2ff1e7324) --- libavformat/utils.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6f108fb7dd..40f0089c77 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2659,13 +2659,13 @@ void avformat_free_context(AVFormatContext *s) av_free_packet(&st->cur_pkt); } av_dict_free(&st->metadata); - av_free(st->index_entries); - av_free(st->codec->extradata); - av_free(st->codec->subtitle_header); - av_free(st->codec); - av_free(st->priv_data); - av_free(st->info); - av_free(st); + av_freep(&st->index_entries); + av_freep(&st->codec->extradata); + av_freep(&st->codec->subtitle_header); + av_freep(&st->codec); + av_freep(&st->priv_data); + av_freep(&st->info); + av_freep(&st); } for(i=s->nb_programs-1; i>=0; i--) { av_dict_free(&s->programs[i]->metadata); @@ -2676,7 +2676,7 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->priv_data); while(s->nb_chapters--) { av_dict_free(&s->chapters[s->nb_chapters]->metadata); - av_free(s->chapters[s->nb_chapters]); + av_freep(&s->chapters[s->nb_chapters]); } av_freep(&s->chapters); av_dict_free(&s->metadata); From a0acc9eff642de0f3d247a728deb320fd4cbb75f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 14:08:39 +0200 Subject: [PATCH 081/290] mpeg4videoenc: guess a good aspect when we cant store the exact one. Signed-off-by: Michael Niedermayer (cherry picked from commit 394781a89706479aa56749a9d69c4e74b398dd71) --- libavcodec/mpegvideo_enc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index a6e9c7c7be..d13534d4f8 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
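Review bot: `av_freep(&st);` only clears the local pointer; if st is a copy of `s->streams[i]` (its declaration is above the hunk), the array slot still holds the freed address until the array itself is released later in the function, so the use-after-free protection the commit reaches for is not achieved for the stream object. `av_freep(&s->streams[i]);` would null the slot as well. Switching the inner fields (`st->codec->extradata`, `st->codec->subtitle_header`) to av_freep is harmless but buys nothing, since `st->codec` and then `st` are freed immediately afterwards.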
@@ -411,8 +411,10 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) if ((s->codec_id == CODEC_ID_MPEG4 || s->codec_id == CODEC_ID_H263 || s->codec_id == CODEC_ID_H263P) && (avctx->sample_aspect_ratio.num > 255 || avctx->sample_aspect_ratio.den > 255)) { - av_log(avctx, AV_LOG_ERROR, "Invalid pixel aspect ratio %i/%i, limit is 255/255\n", + av_log(avctx, AV_LOG_WARNING, "Invalid pixel aspect ratio %i/%i, limit is 255/255 reducing\n", avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den); + av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den, + avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255); return -1; } From 0d68a6f72d8c2ff02ad3f83522ad17123bf1c4e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 18:16:57 +0200 Subject: [PATCH 082/290] mpeg4videoenc: remove forgotten return -1 Signed-off-by: Michael Niedermayer (cherry picked from commit f9bb7395a10ae44eb0f0f3f070f23124dfaee06e) --- libavcodec/mpegvideo_enc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d13534d4f8..3c92aa93f4 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -415,7 +415,6 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den); av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255); - return -1; } if((s->flags & (CODEC_FLAG_INTERLACED_DCT|CODEC_FLAG_INTERLACED_ME|CODEC_FLAG_ALT_SCAN)) From 3aad92f3e649dcc4f92c805291afb128c663efd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 18:17:28 +0200 Subject: [PATCH 083/290] lavf/utils: only complain about aspect missmatch when the difference is "meassureable" 
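Review bot: The new av_reduce() in MPV_encode_init is immediately followed by the unchanged `return -1;`, so the reduced aspect ratio is computed and then discarded, while the log text now says "reducing" and the call still fails. Either the `return -1;` goes (the following patch 082 in this series does exactly that) or the message should not promise a reduction. av_reduce()'s return value, which reports whether the reduction was exact, is also ignored; a one-line comment such as `/* an inexact 8-bit SAR is preferred over failing the encoder init */` would make that deliberate.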
Signed-off-by: Michael Niedermayer (cherry picked from commit e8d8517b160bd2dea1279d19ec0efd83e00c8c6c) --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 40f0089c77..eaa8bd901f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2958,7 +2958,9 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) ret = AVERROR(EINVAL); goto fail; } - if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)){ + if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); goto fail; From e394f7984c6b921210e40f39868597f3627606b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 19:01:12 +0200 Subject: [PATCH 084/290] psxstr: improve probe to not misdetect so much. The score of 50 can probably be raised if needed Fixes Ticket490 Signed-off-by: Michael Niedermayer (cherry picked from commit 3f7dc480c1bf6abf4ac0f633a0c7e63d8eb29a55) --- libavformat/psxstr.c | 54 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 10 deletions(-) diff --git a/libavformat/psxstr.c b/libavformat/psxstr.c index 744ae94459..b65bddd5c1 100644 --- a/libavformat/psxstr.c +++ b/libavformat/psxstr.c @@ -68,6 +68,8 @@ static const char sync_header[12] = {0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf static int str_probe(AVProbeData *p) { uint8_t *sector= p->buf; + uint8_t *end= sector + p->buf_size; + int aud=0, vid=0; if (p->buf_size < RAW_CD_SECTOR_SIZE) return 0; 
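Review bot: The new tolerance test in avformat_write_header, `FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001`, is false whenever the difference is NaN, so if either ratio can carry a zero denominator (av_q2d of 0/0) the mismatch error is silently skipped instead of raised. Checking the denominators before the double arithmetic, or treating a zero denominator as "unset" explicitly, keeps the error path reachable. The 0.001 literal also deserves a name such as `static const double SAR_TOLERANCE = 0.001;` with a comment explaining why differences below it are not considered measurable.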
@@ -79,20 +81,52 @@ static int str_probe(AVProbeData *p) sector += RIFF_HEADER_SIZE; } - /* look for CD sync header (00, 0xFF x 10, 00) */ - if (memcmp(sector,sync_header,sizeof(sync_header))) - return 0; + while (end - sector >= RAW_CD_SECTOR_SIZE) { + /* look for CD sync header (00, 0xFF x 10, 00) */ + if (memcmp(sector,sync_header,sizeof(sync_header))) + return 0; - if(sector[0x11] >= 32) - return 0; - if( (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_VIDEO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_AUDIO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_DATA) - return 0; + if (sector[0x11] >= 32) + return 0; + switch (sector[0x12] & CDXA_TYPE_MASK) { + case CDXA_TYPE_DATA: + case CDXA_TYPE_VIDEO: { + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); + + if(!( frame_size>=0 + && current_sector < sector_count + && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ + return 0; + } + + /*st->codec->width = AV_RL16(§or[0x28]); + st->codec->height = AV_RL16(§or[0x2A]);*/ + +// if (current_sector == sector_count-1) { + vid++; +// } + + } + break; + case CDXA_TYPE_AUDIO: + if(sector[0x13]&0x2A) + return 0; + aud++; + break; + default: + if(sector[0x12] & CDXA_TYPE_MASK) + return 0; + } + sector += RAW_CD_SECTOR_SIZE; + } /* MPEG files (like those ripped from VCDs) can also look like this; * only return half certainty */ - return 50; + if(vid+aud > 3) return 50; + else if(vid+aud) return 1; + else return 0; } static int str_read_header(AVFormatContext *s, From 03e7314dd8662bdc20050c03d643b579c415a628 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 22:30:27 +0200 Subject: [PATCH 085/290] aacsbr: add a assert0 to check for a inconsistency that occurd during debug. I dont know if this can happen normally but if so it would be quite bad. Signed-off-by: Michael Niedermayer (cherry picked from commit abe0dbea2e228621e97184e39159d189b6085fe3) 
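Review bot: The commented-out code left in the CDXA_TYPE_VIDEO branch of str_probe (`/*st->codec->width ...*/` and the `// if (current_sector == sector_count-1)` pair around `vid++`) should be deleted or turned into a real condition; commented-out code leaves the next reader guessing what the probe actually counts. `int frame_size = AV_RL32(&sector[0x24]);` stores a 32-bit value into an int and then relies on `frame_size>=0` to reject the top bit; an `unsigned`/`uint32_t` compared against an unsigned `sector_count*VIDEO_DATA_CHUNK_SIZE` states the intent directly. The `default:` arm accepts a zero type byte without counting it, which looks intentional but merits a one-line comment. (The `§or[...]` in this rendering is an extraction artifact of `&sector[...]`, not something in the patch.)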
Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 82092b385d..10b8daf280 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -33,6 +33,7 @@ #include "fft.h" #include "aacps.h" #include "libavutil/libm.h" +#include "libavutil/avassert.h" #include #include @@ -1457,6 +1458,7 @@ static void sbr_mapping(AACContext *ac, SpectralBandReplication *sbr, uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow; int k; + av_assert0(sbr->kx[1] <= table[0]); for (i = 0; i < ilim; i++) for (m = table[i]; m < table[i + 1]; m++) sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i]; From 92566cf6eefe62d98d9e10e66c6e294e91d493b8 Mon Sep 17 00:00:00 2001 From: Jean First Date: Fri, 23 Sep 2011 23:39:26 +0200 Subject: [PATCH 086/290] tiffenc: Add forgotten avclass to context. (cherry picked from commit 43c481e56929789883f5b078e0e86d50fcc0025e) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index f7228f128f..4a99a38831 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -42,6 +42,7 @@ static const uint8_t type_sizes2[6] = { }; typedef struct TiffEncoderContext { + AVClass *avclass; AVCodecContext *avctx; AVFrame picture; From 8c0a0f10df9bcb3494eb31cf42ab06371b68b195 Mon Sep 17 00:00:00 2001 From: Jean First Date: Fri, 23 Sep 2011 23:39:51 +0200 Subject: [PATCH 087/290] tiffenc: initialize forgotten avctx. (cherry picked from commit f7e797aa5c987c39b55666a2d41877ef2aec40bc) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 4a99a38831..97e1dd38c4 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c 
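Review bot: `av_assert0(sbr->kx[1] <= table[0]);` in sbr_mapping turns an inconsistency into a process abort, and the commit message itself says it is unknown whether the condition can be reached; if kx[1] or the f_table entries derive from the bitstream, a corrupt or crafted stream would then terminate the whole application rather than fail one frame. Unless an earlier validation step guarantees the relation, an `av_log` at AV_LOG_ERROR plus an error return is the appropriate reaction to untrusted input; sbr_mapping is void, so its caller (outside this hunk) would need to carry the status. If the assert stays, a comment naming the earlier check that establishes `kx[1] <= table[0]` would justify it.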
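Review bot: `AVClass *avclass;` is added as the first member of TiffEncoderContext without a comment, and its position is not incidental: av_log() on a context pointer reads the class pointer from offset zero, so a later reordering of the struct would break logging silently. A one-line comment, `/* must be first: av_log() reads the class through the context pointer */`, protects that invariant.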
@@ -217,6 +217,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, uint8_t *yuv_line = NULL; int shift_h, shift_v; + s->avctx = avctx; s->buf_start = buf; s->buf = &ptr; s->buf_size = buf_size; From 1cf6348cf7ef2bbdbd0020ebeb508c2de08a08c4 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 19 Sep 2011 21:32:09 -0400 Subject: [PATCH 088/290] fft: avoid a signed overflow As a signed integer, 1<<31 overflows, so force it to unsigned. Signed-off-by: Alex Converse (cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7) Signed-off-by: Michael Niedermayer --- libavcodec/x86/fft_3dn2.c | 4 ++-- libavcodec/x86/fft_sse.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/fft_3dn2.c b/libavcodec/x86/fft_3dn2.c index 2abb8cfbd7..7a6cac14c4 100644 --- a/libavcodec/x86/fft_3dn2.c +++ b/libavcodec/x86/fft_3dn2.c @@ -23,7 +23,7 @@ #include "libavcodec/dsputil.h" #include "fft.h" -DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 }; +DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 }; #ifdef EMULATE_3DNOWEXT #define PSWAPD(s,d)\ @@ -70,7 +70,7 @@ void ff_imdct_half_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input in1 = input; in2 = input + n2 - 1; #ifdef EMULATE_3DNOWEXT - __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31)); + __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31)); #endif for(k = 0; k < n4; k++) { // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c index 26b933c810..43f19fff3b 100644 --- a/libavcodec/x86/fft_sse.c +++ b/libavcodec/x86/fft_sse.c 
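Review bot: `s->avctx = avctx;` is placed in encode_frame, so it runs on every frame; the conventional place for a one-time context field is the encoder's init callback, which this hunk does not show. If there is no init function to put it in, a comment such as `/* set per call: there is no init callback to do it once */` explains why it lives here.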
@@ -24,8 +24,8 @@ #include "fft.h" #include "config.h" -DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] = - { 1 << 31, 1 << 31, 1 << 31, 1 << 31 }; +DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] = + { 1U << 31, 1U << 31, 1U << 31, 1U << 31 }; void ff_fft_dispatch_sse(FFTComplex *z, int nbits); void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits); From 101e38e08a0745a1b99d83d17358c6e81a464f8d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:44:14 +0200 Subject: [PATCH 089/290] h264: Check for out of bounds reads in ff_h264_decode_extradata(). Signed-off-by: Michael Niedermayer (cherry picked from commit 57764c699671b32f0c70795feafc0c6d7491f198) --- libavcodec/h264.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b844c38b56..8d44337b5b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1040,6 +1040,8 @@ int ff_h264_decode_extradata(H264Context *h) p += 6; for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if(decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i); return -1; @@ -1050,6 +1052,8 @@ int ff_h264_decode_extradata(H264Context *h) cnt = *(p++); // Number of pps for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if (decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i); return -1; From f71c761a9e2e528b739e6c86f624ac66357d2327 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 05:42:45 +0200 Subject: [PATCH 090/290] h264: pass buffer & size to ff_h264_decode_extradata() Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 14 +++++++------- libavcodec/h264.h | 2 +- libavcodec/h264_parser.c | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8d44337b5b..4a2b0f0a92 100644 
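Review bot: The new length check in ff_h264_decode_extradata comes after `nalsize = AV_RB16(p) + 2;`, so the two-byte length read itself is still unbounded: once the loop advances `p` by a previous nalsize (outside the hunk), p can sit at the last byte of buf or exactly at its end before this read. A check ahead of the read, `if (size - (p - buf) < 2) return -1;`, closes that, and the same reasoning applies to `cnt = *(p++); // Number of pps` shown at the top of the second hunk and to the pps loop. The `nalsize > size - (p-buf)` comparison mixes int and ptrdiff_t; it is only safe while p never passes buf+size, which the pre-read check would then guarantee.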
--- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1018,17 +1018,17 @@ static av_cold void common_init(H264Context *h){ memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t)); } -int ff_h264_decode_extradata(H264Context *h) +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) { AVCodecContext *avctx = h->s.avctx; - if(avctx->extradata[0] == 1){ + if(buf[0] == 1){ int i, cnt, nalsize; - unsigned char *p = avctx->extradata; + const unsigned char *p = buf; h->is_avc = 1; - if(avctx->extradata_size < 7) { + if(size < 7) { av_log(avctx, AV_LOG_ERROR, "avcC too short\n"); return -1; } @@ -1061,10 +1061,10 @@ int ff_h264_decode_extradata(H264Context *h) p += nalsize; } // Now store right nal length size, that will be use to parse all other nals - h->nal_length_size = (avctx->extradata[4] & 0x03) + 1; + h->nal_length_size = (buf[4] & 0x03) + 1; } else { h->is_avc = 0; - if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0) + if(decode_nal_units(h, buf, size) < 0) return -1; } return 0; @@ -1108,7 +1108,7 @@ av_cold int ff_h264_decode_init(AVCodecContext *avctx){ } if(avctx->extradata_size > 0 && avctx->extradata && - ff_h264_decode_extradata(h)) + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size)) return -1; if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){ diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 76e9832975..822ba0271a 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h 
@@ -663,7 +663,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); int ff_h264_frame_start(H264Context *h); -int ff_h264_decode_extradata(H264Context *h); +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size); av_cold int ff_h264_decode_init(AVCodecContext *avctx); av_cold int ff_h264_decode_end(AVCodecContext *avctx); av_cold void ff_h264_decode_init_vlc(void); diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 080b6a93b5..d560d3f86a 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -251,7 +251,7 @@ static int h264_parse(AVCodecParserContext *s, h->got_first = 1; if (avctx->extradata_size) { h->s.avctx = avctx; - ff_h264_decode_extradata(h); + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size); } } From 35f8ad420a0b7ebcade81c2be3ca5968a5861ddc Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:19:25 +0200 Subject: [PATCH 091/290] vp6:Reset the internal state when aborting key frames header parsing in vp6 decoder. It prevents leaving the state only half initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 91f104496bb7632ed5ff03798e06dd8af014f0d9) --- libavcodec/vp6.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index d05a3618f7..3721d52192 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -137,8 +137,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (coeff_offset) { buf += coeff_offset; buf_size -= coeff_offset; - if (buf_size < 0) + if (buf_size < 0) { + if (s->framep[VP56_FRAME_CURRENT]->key_frame) + avcodec_set_dimensions(s->avctx, 0, 0); return 0; + } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); From be22dc60f55bb99dcb0a90ad2e8773612a63a288 Mon Sep 17 00:00:00 2001 
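Review bot: In h264_parse the return value of `ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);` is dropped, whereas the call in ff_h264_decode_init (first file of this commit) fails the init on a non-zero result; the parser will continue with whatever partial SPS/PPS state malformed avcC data left behind. At minimum log it, `if (ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size) < 0) av_log(avctx, AV_LOG_WARNING, "failed to parse extradata\n");`. The parser site also guards only on `extradata_size` while decode_init checks the pointer too; now that the function receives both buf and size it is the natural place to validate them once.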
From: Laurent Aimar Date: Sat, 24 Sep 2011 16:16:40 +0200 Subject: [PATCH 092/290] vp56:Fix error recovery code on size changes in vp5/6 decoder Signed-off-by: Michael Niedermayer (cherry picked from commit 1aad9cd9d26adcca1d398a4cb3d67f89a6fa8967) --- libavcodec/vp56.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 30f3efbc46..5b787b6135 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -465,6 +465,7 @@ static int vp56_size_changed(AVCodecContext *avctx) s->mb_height = (avctx->coded_height+15) / 16; if (s->mb_width > 1000 || s->mb_height > 1000) { + avcodec_set_dimensions(avctx, 0, 0); av_log(avctx, AV_LOG_ERROR, "picture too big\n"); return -1; } @@ -519,8 +520,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (s->frames[i].data[0]) avctx->release_buffer(avctx, &s->frames[i]); } - if (is_alpha) + if (is_alpha) { + avcodec_set_dimensions(avctx, 0, 0); return -1; + } } if (!is_alpha) { From 21c9d92646f375f0c3ff9b2bc7b2f5f07a150e74 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:17 +0200 Subject: [PATCH 093/290] Fix potential overread in vmd audio decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 00cbe9e4053fd562b6f21e76aca6636ff926b637) --- libavcodec/vmdav.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index b9acfe921c..ebc8c7eb1d 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -523,7 +523,10 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, silent_chunks = 0; if (block_type == BLOCK_TYPE_INITIAL) { - uint32_t flags = AV_RB32(buf); + uint32_t flags; + if (buf_size < 4) + return -1; + flags = AV_RB32(buf); silent_chunks = av_popcount(flags); buf += 4; buf_size -= 4; From 1ed90c84f6ab75af91b08436cefb8ea464f8495b Mon Sep 17 00:00:00 2001 
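Review bot: `avcodec_set_dimensions(avctx, 0, 0);` is now called at two places in vp56.c without a comment, and in vp56_size_changed it runs after s->mb_width/s->mb_height have already been assigned from the oversized coded dimensions, so those fields keep the rejected values until the next successful size change (whether anything reads them after the -1 return is outside the hunk). A short comment at both sites, `/* reset so the next key frame forces a full re-init */`, plus resetting mb_width/mb_height alongside, would make the recovery state explicit. The `1000` limit is a magic number that deserves a named constant.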
From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:18 +0200 Subject: [PATCH 094/290] Check for invalid update parameters in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e7aed1280ea14b60fceae04d71dfd03e1daf2d04) --- libavcodec/vmdav.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index ebc8c7eb1d..d7cd3bbb87 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -204,6 +204,16 @@ static void vmd_decode(VmdVideoContext *s) frame_y = AV_RL16(&s->buf[8]); frame_width = AV_RL16(&s->buf[10]) - frame_x + 1; frame_height = AV_RL16(&s->buf[12]) - frame_y + 1; + if (frame_x < 0 || frame_width < 0 || + frame_x >= s->avctx->width || + frame_width > s->avctx->width || + frame_x + frame_width > s->avctx->width) + return; + if (frame_y < 0 || frame_height < 0 || + frame_y >= s->avctx->height || + frame_height > s->avctx->height || + frame_y + frame_height > s->avctx->height) + return; if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { From d92bfc98f9f64fa891ee4a3640ba6c55e90540ef Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:19 +0200 Subject: [PATCH 095/290] Prevent NULL dereferences when the previous frame is missing in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6383bebcb03a785797007031ad1c9786a508a5) --- libavcodec/vmdav.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index d7cd3bbb87..f5f8598919 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c 
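Review bot: Of the new range checks in vmd_decode, `frame_width > s->avctx->width` is implied by `frame_x < 0` being rejected together with `frame_x + frame_width > s->avctx->width`, and likewise `frame_height > s->avctx->height`; dropping the redundant terms leaves `if (frame_x < 0 || frame_width < 0 || frame_x >= s->avctx->width || frame_x + frame_width > s->avctx->width) return;`, which is easier to verify. The bare `return` also leaves no trace, and since vmd_decode is void the caller cannot tell that nothing was decoded; an `av_log(s->avctx, AV_LOG_ERROR, "invalid update region\n");` before returning makes corrupt input observable. The start of vmd_decode is outside the hunk.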
@@ -226,8 +226,9 @@ static void vmd_decode(VmdVideoContext *s) /* if only a certain region will be updated, copy the entire previous * frame before the decode */ - if (frame_x || frame_y || (frame_width != s->avctx->width) || - (frame_height != s->avctx->height)) { + if (s->prev_frame.data[0] && + (frame_x || frame_y || (frame_width != s->avctx->width) || + (frame_height != s->avctx->height))) { memcpy(s->frame.data[0], s->prev_frame.data[0], s->avctx->height * s->frame.linesize[0]); @@ -272,7 +273,7 @@ static void vmd_decode(VmdVideoContext *s) ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -312,7 +313,7 @@ static void vmd_decode(VmdVideoContext *s) ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; From f40b04e9178c0a5246271c857437c6745276479c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:52:23 +0200 Subject: [PATCH 096/290] Prevent out of bound read in lz_unpack in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5127f465bd3e2cf9cbf66dea3cf7b481b522d266) --- libavcodec/vmdav.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index f5f8598919..d7cf18d62b 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c 
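Review bot: With the new `s->prev_frame.data[0] &&` guard, a partial-region update that arrives before any previous frame skips the memcpy, so everything in s->frame outside the update rectangle is whatever the freshly obtained buffer contains; if get_buffer does not clear it (not visible here) that region is emitted as picture data. Clearing the frame, or returning an error, in that branch avoids showing indeterminate memory, and the two identical `|| !s->prev_frame.data[0]` tests in the interframe-copy paths could then become one check made before the per-row loops. A comment stating the policy, e.g. `/* no reference frame yet: only the region covered by this update is defined */`, should accompany whichever behaviour is kept.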
@@ -72,9 +72,11 @@ typedef struct VmdVideoContext { #define QUEUE_SIZE 0x1000 #define QUEUE_MASK 0x0FFF -static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len) +static void lz_unpack(const unsigned char *src, int src_len, + unsigned char *dest, int dest_len) { const unsigned char *s; + const unsigned char *s_end; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; @@ -87,8 +89,12 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le unsigned int i, j; s = src; + s_end = src + src_len; d = dest; d_end = d + dest_len; + + if (s_end - s < 8) + return; dataleft = AV_RL32(s); s += 4; memset(queue, 0x20, QUEUE_SIZE); @@ -101,10 +107,10 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le speclen = 100; /* no speclen */ } - while (dataleft > 0) { + while (s_end - s > 0 && dataleft > 0) { tag = *s++; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end) + if (d + 8 > d_end || s_end - s < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; @@ -116,17 +122,22 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end) + if (d + 1 > d_end || s_end - s < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; dataleft--; } else { + if (s_end - s < 2) + return; chainofs = *s++; chainofs |= ((*s & 0xF0) << 4); chainlen = (*s++ & 0x0F) + 3; - if (chainlen == speclen) + if (chainlen == speclen) { + if (s_end - s < 1) + return; chainlen = *s++ + 0xF + 3; + } if (d + chainlen > d_end) return; for (j = 0; j < chainlen; j++) { @@ -189,6 +200,7 @@ static void vmd_decode(VmdVideoContext *s) /* point to the start of the encoded data */ const unsigned char *p = s->buf + 16; + const unsigned char *p_end = s->buf + s->size; const unsigned char *pb; unsigned char meth; 
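Review bot: Every new truncation check in lz_unpack is a bare `return;` from a void function, so the caller in vmd_decode (the @@ -251 hunk on the following line) carries on decoding from s->unpack_buffer as if it had been fully written, and whatever the buffer held from an earlier frame is used as the current frame's data. Returning the number of bytes produced — `static int lz_unpack(...)` ending in `return d - dest;`, with `return d - dest;` at each early exit — lets the caller bound its reads and bail out on truncated input. Also, `if (s_end - s < 8) return;` precedes `dataleft = AV_RL32(s); s += 4;`, but only four bytes are consumed in view; a comment saying what the 8 covers (presumably the length plus the header bytes read just after, outside the hunk) would avoid the next reader "fixing" it to 4.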
@@ -251,7 +263,7 @@ static void vmd_decode(VmdVideoContext *s) pb = p; meth = *pb++; if (meth & 0x80) { - lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size); + lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; } From 08657a2a8a5f7dc420c41ffe0e1c7eb4878741fb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:52:24 +0200 Subject: [PATCH 097/290] Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 78cb39d2b2ad731dd3b984b0c0711b9f1d6de004) --- libavcodec/vmdav.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index d7cf18d62b..0a91d73ebe 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -110,7 +110,7 @@ static void lz_unpack(const unsigned char *src, int src_len, while (s_end - s > 0 && dataleft > 0) { tag = *s++; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end || s_end - s < 8) + if (d_end - d < 8 || s_end - s < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; @@ -122,7 +122,7 @@ static void lz_unpack(const unsigned char *src, int src_len, if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end || s_end - s < 1) + if (d_end - d < 1 || s_end - s < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; @@ -138,7 +138,7 @@ static void lz_unpack(const unsigned char *src, int src_len, return; chainlen = *s++ + 0xF + 3; } - if (d + chainlen > d_end) + if (d_end - d < chainlen) return; for (j = 0; j < chainlen; j++) { *d = queue[chainofs++ & QUEUE_MASK]; From 55efeba2b554f8f2ea134d3d82d01062e0343828 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:49 +0200 Subject: [PATCH 098/290] Check for out of bound reads in vmd_decode() of vmd video decoder. 
Signed-off-by: Michael Niedermayer (cherry picked from commit e07377e7366d038d6f28792c46745463a0542650) --- libavcodec/vmdav.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 0a91d73ebe..eb2d208389 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -203,6 +203,7 @@ static void vmd_decode(VmdVideoContext *s) const unsigned char *p_end = s->buf + s->size; const unsigned char *pb; + const unsigned char *pb_end; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ @@ -248,6 +249,8 @@ static void vmd_decode(VmdVideoContext *s) /* check if there is a new palette */ if (s->buf[15] & 0x02) { + if (p_end - p < 2 + 3 * PALETTE_COUNT) + return; p += 2; palette32 = (unsigned int *)s->palette; for (i = 0; i < PALETTE_COUNT; i++) { @@ -256,16 +259,17 @@ static void vmd_decode(VmdVideoContext *s) b = *p++ * 4; palette32[i] = (r << 16) | (g << 8) | (b); } - s->size -= (256 * 3 + 2); } - if (s->size >= 0) { + if (p < p_end) { /* originally UnpackFrame in VAG's code */ pb = p; + pb_end = p_end; meth = *pb++; if (meth & 0x80) { lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; + pb_end = s->unpack_buffer + s->unpack_buffer_size; } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -275,10 +279,12 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width) + if (ofs + len > frame_width || pb_end - pb < len) return; memcpy(&dp[ofs], pb, len); pb += len; @@ -303,6 +309,8 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { + if (pb_end -pb < frame_width) + return; memcpy(dp, pb, frame_width); pb += frame_width; dp += s->frame.linesize[0]; 
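Review bot: `pb_end = s->unpack_buffer + s->unpack_buffer_size;` bounds the unpacked path by the buffer's capacity rather than by how much lz_unpack actually wrote, so a truncated compressed stream is still decoded from stale buffer contents up to the full size; with lz_unpack returning void no tighter bound exists, and having it return `d - dest` would allow `pb_end = s->unpack_buffer + unpacked_len;` here. The palette check `p_end - p < 2 + 3 * PALETTE_COUNT` is right but the magic 2 wants a comment, `/* 2 header bytes + PALETTE_COUNT RGB triples */`. `if (pb_end -pb < frame_width)` is spaced differently from the other new checks.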
@@ -314,13 +322,20 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; + if (pb_end - pb < 1) + return; if (*pb++ == 0xFF) len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); - else + else { + if (pb_end - pb < len) + return; memcpy(&dp[ofs], pb, len); + } pb += len; ofs += len; } else { From 02bdeff1ef4915e1794a19184d567ef27e05c9c5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:50 +0200 Subject: [PATCH 099/290] Fix out of bound reads in rle_unpack() of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4749e074987d45cb98935a683a7ee8e1ee376d86) --- libavcodec/vmdav.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index eb2d208389..90cbab8b3d 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -153,32 +153,39 @@ static void lz_unpack(const unsigned char *src, int src_len, } } -static int rle_unpack(const unsigned char *src, unsigned char *dest, - int src_len, int dest_len) +static int rle_unpack(const unsigned char *src, int src_len, int src_count, + unsigned char *dest, int dest_len) { const unsigned char *ps; + const unsigned char *ps_end; unsigned char *pd; int i, l; unsigned char *dest_end = dest + dest_len; ps = src; + ps_end = src + src_len; pd = dest; - if (src_len & 1) + if (src_count & 1) { + if (ps_end - ps < 1) + return 0; *pd++ = *ps++; + } - src_len >>= 1; + src_count >>= 1; i = 0; do { + if (ps_end - ps < 1) + break; l = *ps++; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end) + if (pd + l > dest_end || ps_end - ps < l) return ps - src; memcpy(pd, ps, l); ps += l; pd += l; } else { - if (pd + i > dest_end) + if (pd + i > dest_end || ps_end - ps < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; 
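Review bot: In rle_unpack's literal-run branch the destination check `if (pd + i > dest_end || ps_end - ps < 2)` compares against `i`, the running total carried over from earlier iterations (`i += l` at the end of the loop, in the next hunk), not against what this iteration writes; the `for (i = 0; i < l; i++)` that follows resets `i` and writes at least `l` bytes from ps[0] (its body continues outside the hunk), so the guard can pass while the writes still run past dest_end. The bound should be derived from `l`, `if (dest_end - pd < l * BYTES_PER_PASS || ps_end - ps < 2) return ps - src;` with BYTES_PER_PASS being however many bytes the loop body stores per pass, and the follow-up patch 100 in this series (next hunk) keeps the `i` comparison. Using `i` both as the loop index and as the consumed count is what made this easy to miss; a separate counter would help.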
@@ -187,7 +194,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, ps += 2; } i += l; - } while (i < src_len); + } while (i < src_count); return ps - src; } @@ -330,7 +337,7 @@ static void vmd_decode(VmdVideoContext *s) if (pb_end - pb < 1) return; if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); + len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); else { if (pb_end - pb < len) return; From 1b26a734b23829f0756500f9cec2ac47baa65cd7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:51 +0200 Subject: [PATCH 100/290] Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 35cb6854bb76b4a5b6f2aea2dce81e18d7ab61cd) --- libavcodec/vmdav.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 90cbab8b3d..1f9694ea29 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count, l = *ps++; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end || ps_end - ps < l) + if (dest_end - pd < l || ps_end - ps < l) return ps - src; memcpy(pd, ps, l); ps += l; pd += l; } else { - if (pd + i > dest_end || ps_end - ps < 2) + if (dest_end - pd < i || ps_end - ps < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; From 5681d74aaf7e241303aa8785dcdc9b6b437e1573 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 18:39:13 +0200 Subject: [PATCH 101/290] Add av_calloc() helper. Signed-off-by: Michael Niedermayer (cherry picked from commit ccecab4a0d7f3f4f296551c2e22bbf12af7d14e8) --- libavutil/mem.c | 7 +++++++ libavutil/mem.h | 12 ++++++++++++ 2 files changed, 19 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 87c2008a27..44bfc8c34d 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c 
@@ -168,6 +168,13 @@ void *av_mallocz(size_t size)
 return ptr;
 }
+void *av_calloc(size_t nmemb, size_t size)
+{
+ if (size <= 0 || nmemb >= INT_MAX / size)
+ return NULL;
+ return av_mallocz(nmemb * size);
+}
+
 char *av_strdup(const char *s)
 {
 char *ptr= NULL;
diff --git a/libavutil/mem.h b/libavutil/mem.h
index 7c30e160fb..be8a8bf222 100644
--- a/libavutil/mem.h
+++ b/libavutil/mem.h
@@ -106,6 +106,18 @@ void av_free(void *ptr);
 */
 void *av_mallocz(size_t size) av_malloc_attrib av_alloc_size(1);
+/**
+ * Allocate a block of nmemb * size bytes with alignment suitable for all
+ * memory accesses (including vectors if available on the CPU) and
+ * zero all the bytes of the block.
+ * The allocation will fail if nmemb * size is greater than or equal
+ * to INT_MAX.
+ * @param nmemb
+ * @param size
+ * @return Pointer to the allocated block, NULL if it cannot be allocated.
+ */
+void *av_calloc(size_t nmemb, size_t size) av_malloc_attrib;
+
 /**
 * Duplicate the string s.
 * @param s string to be duplicated
From 6109974cd95cc75a72704029e5608beaaf6691d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Sep 2011 16:13:07 +0200 Subject: [PATCH 102/290] ffmpeg: increase bit_buffer_size, the header size is clearly too small for rgb48 raw based formats Signed-off-by: Michael Niedermayer (cherry picked from commit d8289ff9a9a3d0af416e70a1c864e1c6ce095656)
---
 ffmpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ffmpeg.c b/ffmpeg.c
index 29060cf025..29a337ac2d 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2379,9 +2379,9 @@ static int transcode(AVFormatContext **output_files,
 }
 }
 if(codec->codec_type == AVMEDIA_TYPE_VIDEO){
- /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */
+ /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/
 int size= codec->width * codec->height;
- bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664);
+ bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000);
 }
 }
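Review bot: `size <= 0` on a `size_t` parameter reduces to `size == 0` and reads as if negative sizes were possible; `if (!size || nmemb >= INT_MAX / size)` says what is meant. That branch also makes `av_calloc(n, 0)` fail, while the header text in the mem.h hunk only promises failure at `INT_MAX`; either document the zero-size case or let it through. The same mem.h hunk leaves `@param nmemb` and `@param size` without text — `@param nmemb number of elements` and `@param size size of the single element` would do — and, if the project's `av_alloc_size` macro takes more than one position (the `av_mallocz` line above uses it with one), `av_alloc_size(1, 2)` on the declaration would give the compiler the same size information it has for `av_mallocz`.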
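Review bot: The updated comment contradicts the code beneath it: it still says 6 bytes per pixel plus the DPX header size (1664) while the expression now reserves `7*size + 10000`. Either state the new sizing in the comment, e.g. `/* 7 bytes per pixel to cover rgb48 raw formats, plus header room */`, or keep the factor and the slack in named constants that the comment can refer to, so the two cannot drift apart again. `size` is an `int` holding `width * height`, so `7*size` overflows for very large frames unless the dimensions are bounded before this point, which is not visible in the hunk; transcode() starts and ends outside it.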
From 02affe2f0e8603533a80be9a1864cce0039e9c63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 21 Sep 2011 19:10:58 +0200 Subject: [PATCH 103/290] Compile x86/swscale_template with -mno-red-zone. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces a very hackish hack to fix the same issue (call instruction overwriting stack variables). Signed-off-by: Reimar Döffinger (cherry picked from commit 424bcc46b5fb0d662e0fb9ad6319c5b9ef3d770f) --- configure | 5 +++++ libswscale/Makefile | 2 ++ libswscale/x86/swscale_template.c | 10 ---------- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/configure b/configure index ef3697e3c4..b9badcafc6 100755 --- a/configure +++ b/configure @@ -3073,6 +3073,10 @@ else fi check_cflags -fno-math-errno check_cflags -fno-signed-zeros +check_cc -mno-red-zone < Date: Sat, 24 Sep 2011 18:00:16 +0200 Subject: [PATCH 104/290] h264: ff_h264_decode_extradata: check buffer args The buffer size and pointer were not checked prior to testing the first byte of the buffer. These were sometimes checked before calling, but it is better to add it inside the function as it takes buf and size arguments. Signed-off-by: Alexander Strasser (cherry picked from commit 715f259bf949b06df1b5ed0307606dc258754c99) --- libavcodec/h264.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 4a2b0f0a92..9c7bf24b5f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1022,6 +1022,9 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) { AVCodecContext *avctx = h->s.avctx; + if(!buf || size <= 0) + return -1; + if(buf[0] == 1){ int i, cnt, nalsize; const unsigned char *p = buf; From 521dbccc1137fdf3c7ebdd75afe64a4d2567ba22 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 13:43:37 +0200 Subject: [PATCH 105/290] Fix return value on EOF in mpc v8 demuxer. 
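Review bot: The new guard returns a bare `-1` where the other argument checks added in this series (mpc8, sunrast) return `AVERROR_INVALIDDATA`; `return AVERROR_INVALIDDATA;` keeps the error code consistent and lets callers tell a rejected argument from other `-1` returns. The check itself sits correctly ahead of the `buf[0] == 1` read. ff_h264_decode_extradata continues outside the hunk.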
Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec5ea437fc88ca58d7ac3cd12dfa2f0fbd4011f) --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index b18726c6db..db23781613 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -264,7 +264,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR(EIO); mpc8_handle_chunk(s, tag, pos, size); } - return 0; + return AVERROR_EOF; } static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) From cdb72c827c4fc3d8a2dfe939654fa885aaedbbd1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 13:43:38 +0200 Subject: [PATCH 106/290] Check for out of bound bands limit in mpc v8 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 508e47a5751b063e5b3d1d6aceda8a19ad8b1d37) --- libavcodec/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 2864b1a010..bca57451ca 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -127,6 +127,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) skip_bits(&gb, 3);//sample rate c->maxbands = get_bits(&gb, 5) + 1; + if (c->maxbands >= BANDS) + return AVERROR_INVALIDDATA; channels = get_bits(&gb, 4) + 1; if (channels > 2) { av_log_missing_feature(avctx, "Multichannel MPC SV8", 1); @@ -260,6 +262,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx, maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2); if(maxband > 32) maxband -= 33; } + if(maxband > c->maxbands) + return AVERROR_INVALIDDATA; c->last_max_band = maxband; /* read subband indexes */ From be1ae17ec0e03b494e0ab9f1eedefe83cebd7f4e Mon Sep 17 00:00:00 2001 From: tipok Date: Mon, 26 Sep 2011 02:28:21 +0200 Subject: [PATCH 107/290] libaac+ support 
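Review bot: The two checks added to mpc8.c use different spacing, `if (c->maxbands >= BANDS)` in the init hunk and `if(maxband > c->maxbands)` in the frame hunk; the surrounding context in the second hunk (`if(maxband > 32)`) uses the compact form, so one style should be chosen for both additions. A short comment on the frame-level check, `/* maxband may not exceed the band count announced in the header */`, would tie it to the init-time limit. mpc8_decode_frame starts and ends outside the hunk.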
Signed-off-by: Michael Niedermayer --- Changelog | 1 + LICENSE | 6 +- configure | 7 +++ doc/general.texi | 4 +- libavcodec/Makefile | 1 + libavcodec/allcodecs.c | 1 + libavcodec/libaacplus.c | 136 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 libavcodec/libaacplus.c diff --git a/Changelog b/Changelog index 0b38b880f6..2a2089d98a 100644 --- a/Changelog +++ b/Changelog @@ -61,6 +61,7 @@ version 0.7_beta1: - Demuxer for On2's IVF format - Pictor/PC Paint decoder - HE-AAC v2 decoder +- HE-AAC v2 encoding with libaacplus - libfaad2 wrapper removed - DTS-ES extension (XCh) decoding support - native VP8 decoder diff --git a/LICENSE b/LICENSE index 8d4d6515b0..7272b90f8d 100644 --- a/LICENSE +++ b/LICENSE @@ -41,6 +41,6 @@ is incompatible with the LGPL v2.1 and the GPL v2, but not with version 3 of those licenses. So to combine the OpenCORE libraries with FFmpeg, the license version needs to be upgraded by passing --enable-version3 to configure. -The nonfree external library libfaac can be hooked up in FFmpeg. You need to -pass --enable-nonfree to configure to enable it. Employ this option with care -as FFmpeg then becomes nonfree and unredistributable. +The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg. +You need to pass --enable-nonfree to configure to enable it. Employ this option +with care as FFmpeg then becomes nonfree and unredistributable. diff --git a/configure b/configure index b9badcafc6..d1169d4863 100755 --- a/configure +++ b/configure 
@@ -162,6 +162,7 @@ External library support: --enable-bzlib enable bzlib [autodetect] --enable-libcelt enable CELT/Opus decoding via libcelt [no] --enable-frei0r enable frei0r video filtering + --enable-libaacplus enable AAC+ encoding via libaacplus [no] --enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no] --enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no] --enable-libopencv enable video filtering via libopencv [no] @@ -927,6 +928,8 @@ CONFIG_LIST=" h264pred hardcoded_tables huffman + libaacplus + libcdio libcelt libdc1394 libdirac @@ -1401,6 +1404,7 @@ vdpau_deps="vdpau_vdpau_h vdpau_vdpau_x11_h" h264_parser_select="golomb h264dsp h264pred" # external libraries +libaacplus_encoder_deps="libaacplus" libcelt_decoder_deps="libcelt" libdirac_decoder_deps="libdirac !libschroedinger" libdirac_encoder_deps="libdirac" @@ -2584,6 +2588,7 @@ die_license_disabled gpl libxavs die_license_disabled gpl libxvid die_license_disabled gpl x11grab +die_license_disabled nonfree libaacplus die_license_disabled nonfree libfaac die_license_disabled version3 libopencore_amrnb @@ -2916,6 +2921,7 @@ check_mathfunc truncf enabled avisynth && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32 enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; } +enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus enabled libdc1394 && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new enabled libdirac && require_pkg_config dirac \ "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \ 
@@ -3227,6 +3233,7 @@ echo "frei0r enabled ${frei0r-no}" echo "libdc1394 support ${libdc1394-no}" echo "libdirac enabled ${libdirac-no}" echo "libfaac enabled ${libfaac-no}" +echo "libaacplus enabled ${libaacplus-no}" echo "libgsm enabled ${libgsm-no}" echo "libmp3lame enabled ${libmp3lame-no}" echo "libnut enabled ${libnut-no}" diff --git a/doc/general.texi b/doc/general.texi index b193240b01..db78efef78 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -542,6 +542,8 @@ following image formats are supported: @multitable @columnfractions .4 .1 .1 .4 @item Name @tab Encoding @tab Decoding @tab Comments @item 8SVX audio @tab @tab X +@item AAC+ @tab E @tab X + @tab encoding supported through external library libaacplus @item AAC @tab E @tab X @tab encoding supported through external library libfaac and libvo-aacenc @item AC-3 @tab IX @tab X @@ -1060,7 +1062,7 @@ These library packages are only available from Cygwin Ports (@url{http://sourceware.org/cygwinports/}) : @example -yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel, +yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel, libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel, libxvidcore-devel @end example diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 738fb264c0..5c6bedc27c 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -567,6 +567,7 @@ OBJS-$(CONFIG_WEBM_MUXER) += xiph.o mpeg4audio.o \ OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o # external codec libraries +OBJS-$(CONFIG_LIBAACPLUS_ENCODER) += libaacplus.o OBJS-$(CONFIG_LIBCELT_DECODER) += libcelt_dec.o OBJS-$(CONFIG_LIBDIRAC_DECODER) += libdiracdec.o OBJS-$(CONFIG_LIBDIRAC_ENCODER) += libdiracenc.o libdirac_libschro.o diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c index f1c664f5d1..c038524f75 100644 --- a/libavcodec/allcodecs.c +++ b/libavcodec/allcodecs.c 
@@ -370,6 +370,7 @@ void avcodec_register_all(void) REGISTER_ENCDEC (XSUB, xsub); /* external libraries */ + REGISTER_ENCODER (LIBAACPLUS, libaacplus); REGISTER_DECODER (LIBCELT, libcelt); REGISTER_ENCDEC (LIBDIRAC, libdirac); REGISTER_ENCODER (LIBFAAC, libfaac); diff --git a/libavcodec/libaacplus.c b/libavcodec/libaacplus.c new file mode 100644 index 0000000000..c8c87be549 --- /dev/null +++ b/libavcodec/libaacplus.c 
@@ -0,0 +1,136 @@ +/* + * Interface to libaacplus for aac+ (sbr+ps) encoding + * Copyright (c) 2010 tipok + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * @file + * Interface to libaacplus for aac+ (sbr+ps) encoding. + */ + +#include "avcodec.h" +#include + +typedef struct aacPlusAudioContext { + aacplusEncHandle aacplus_handle; +} aacPlusAudioContext; + +static av_cold int aacPlus_encode_init(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + aacplusEncConfiguration *aacplus_cfg; + unsigned long samples_input, max_bytes_output; + + /* number of channels */ + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "encoding %d channel(s) is not allowed\n", avctx->channels); + return -1; + } + + s->aacplus_handle = aacplusEncOpen(avctx->sample_rate, + avctx->channels, + &samples_input, &max_bytes_output); + if(!s->aacplus_handle) { + av_log(avctx, AV_LOG_ERROR, "can't open encoder\n"); + return -1; + } + + /* check aacplus version */ + aacplus_cfg = aacplusEncGetCurrentConfiguration(s->aacplus_handle); + + /* put the options in the configuration struct */ + if(avctx->profile != FF_PROFILE_AAC_LOW && avctx->profile != FF_PROFILE_UNKNOWN) { + av_log(avctx, AV_LOG_ERROR, "invalid AAC profile: %d, 
only LC supported\n", avctx->profile); + aacplusEncClose(s->aacplus_handle); + return -1; + } + + aacplus_cfg->bitRate = avctx->bit_rate; + aacplus_cfg->bandWidth = avctx->cutoff; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + aacplus_cfg->outputFormat = 0; //raw aac + } + aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT; + if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) { + av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n"); + return -1; + } + + avctx->frame_size = samples_input / avctx->channels; + + avctx->coded_frame= avcodec_alloc_frame(); + avctx->coded_frame->key_frame= 1; + + /* Set decoder specific info */ + avctx->extradata_size = 0; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + + unsigned char *buffer = NULL; + unsigned long decoder_specific_info_size; + + if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer, + &decoder_specific_info_size) == 1) { + avctx->extradata = av_malloc(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE); + avctx->extradata_size = decoder_specific_info_size; + memcpy(avctx->extradata, buffer, avctx->extradata_size); + } +#undef free + free(buffer); +#define free please_use_av_free + } + return 0; +} + +static int aacPlus_encode_frame(AVCodecContext *avctx, + unsigned char *frame, int buf_size, void *data) +{ + aacPlusAudioContext *s = avctx->priv_data; + int bytes_written; + + bytes_written = aacplusEncEncode(s->aacplus_handle, + data, + avctx->frame_size * avctx->channels, + frame, + buf_size); + + return bytes_written; +} + +static av_cold int aacPlus_encode_close(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + + av_freep(&avctx->coded_frame); + av_freep(&avctx->extradata); + + aacplusEncClose(s->aacplus_handle); + return 0; +} + +AVCodec ff_libaacplus_encoder = { + "libaacplus", + AVMEDIA_TYPE_AUDIO, + CODEC_ID_AAC, + sizeof(aacPlusAudioContext), + aacPlus_encode_init, + aacPlus_encode_frame, + aacPlus_encode_close, + .sample_fmts = 
(const enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_NONE}, + .long_name = NULL_IF_CONFIG_SMALL("libaacplus AAC+ (Advanced Audio Codec with SBR+PS)"), +}; From 7e362df304121003fda7705917d5e797b48a0920 Mon Sep 17 00:00:00 2001 From: Mike Scheutzow Date: Mon, 26 Sep 2011 10:57:53 -0400 Subject: [PATCH 108/290] Fix a buffer overflow in libx264 interface to x264 encoder. Previous code ignored the compressed buffer size passed in. This change returns as many complete NALs as can fit in the buffer, and logs an error message. Signed-off-by: Mike Scheutzow Signed-off-by: Michael Niedermayer (cherry picked from commit e2dae1faa84ada5746ac2114de7eb68abd824131) --- libavcodec/libx264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index cc5b9837f8..bf542accdf 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -70,9 +70,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, /* Write the SEI as part of the first frame. */ if (x4->sei_size > 0 && nnal > 0) { + if (x4->sei_size > size) { + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + return -1; + } memcpy(p, x4->sei, x4->sei_size); p += x4->sei_size; x4->sei_size = 0; + // why is x4->sei not freed? } for (i = 0; i < nnal; i++){ @@ -83,6 +88,11 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload); continue; } + if (nals[i].i_payload > (size - (p - buf))) { + // return only complete nals which fit in buf + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + break; + } memcpy(p, nals[i].p_payload, nals[i].i_payload); p += nals[i].i_payload; } From 20047f77b9592da17e8bc56e54d3b2e2ca6959a9 Mon Sep 17 00:00:00 2001 
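Review bot: In `aacPlus_encode_init`, the failure path after `aacplusEncSetConfiguration` returns `-1` without `aacplusEncClose(s->aacplus_handle)`, unlike the profile-check path a few lines earlier, so the encoder handle leaks on that error. Two allocations are also used unchecked: `avctx->coded_frame = avcodec_alloc_frame()` is dereferenced on the next line, and `avctx->extradata = av_malloc(...)` is passed straight to `memcpy`; each needs a NULL check that closes the handle and returns `AVERROR(ENOMEM)`. The `#undef free` / `free(buffer)` / `#define free please_use_av_free` sequence deserves a one-line comment, `/* buffer is owned by libaacplus and must be released with the C library's free() */`, since the reason is not obvious from the code. The channel and profile rejections would also be clearer as `AVERROR(EINVAL)` than as a bare `-1`.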
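Review bot: The truncation path added in the second libx264 hunk (`@@ -83,6 +88,11 @@`) logs an error and then `break`s, so `encode_nals` returns the partial byte count as if the frame had been written completely, while the SEI path added in the first hunk returns `-1` for the same condition; the two should agree, and an error return is the safer choice because a frame with NALs dropped is not decodable. The `// why is x4->sei not freed?` line is a question left in the code rather than a comment; either resolve it or phrase it as `// TODO: confirm who frees x4->sei`. encode_nals starts and ends outside these hunks.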
From: Justin Ruggles Date: Tue, 13 Sep 2011 15:13:44 -0400 Subject: [PATCH 109/290] flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. (cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158) --- libavcodec/flacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index ece095cf09..011c75faae 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; } From 4db466db9703fc348cc976387312afd6c283debe Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 08:55:43 -0400 Subject: [PATCH 110/290] ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16. 8-bit unsigned is the native sample format. (cherry picked from commit 2322ced8da990835717a176b8d2c32961cfecd3e) --- libavcodec/ws-snd1.c | 47 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index d6a60d441f..1fb294d753 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -37,13 +37,11 @@ static const int8_t ws_adpcm_4bit[] = { -9, -8, -6, -5, -4, -3, -2, -1, 0, 1, 2, 3, 4, 5, 6, 8 }; -#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128; - static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; - avctx->sample_fmt = AV_SAMPLE_FMT_S16; + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } 
@@ -56,15 +54,14 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, // WSSNDContext *c = avctx->priv_data; int in_size, out_size; - int sample = 0; + int sample = 128; int i; - short *samples = data; + uint8_t *samples = data; if (!buf_size) return 0; out_size = AV_RL16(&buf[0]); - *data_size = out_size * 2; in_size = AV_RL16(&buf[2]); buf += 4; @@ -76,9 +73,12 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n"); return -1; } + + *data_size = out_size; + if (in_size == out_size) { for (i = 0; i < out_size; i++) - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; return buf_size; } @@ -93,17 +93,17 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_2bit[code & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 2) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 4) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 6) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 4; } break; @@ -111,11 +111,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_4bit[code & 0xF]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_4bit[code >> 4]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 2; } break; 
@@ -125,19 +125,20 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, t = count; t <<= 3; sample += t >> 3; - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size--; } else { /* copy */ for (count++; count > 0; count--) { - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; out_size--; } - sample = buf[-1] - 0x80; + sample = buf[-1]; } break; default: /* run */ for(count++; count > 0; count--) { - *samples++ = sample << 8; + *samples++ = sample; out_size--; } } From 915b905a1b7ee9bd1a1526387abf009a755a8df2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 09:41:06 -0400 Subject: [PATCH 111/290] ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4) --- libavcodec/ws-snd1.c | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 1fb294d753..48414c7201 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + out_size = AV_RL16(&buf[0]); in_size = AV_RL16(&buf[2]); buf += 4; 
@@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, return -1; } - *data_size = out_size; - if (in_size == out_size) { for (i = 0; i < out_size; i++) *samples++ = *buf++; + *data_size = out_size; return buf_size; } - while (out_size > 0) { - int code; + while (out_size > 0 && buf - avpkt->data < buf_size) { + int code, smp, size; uint8_t count; code = (*buf) >> 6; count = (*buf) & 0x3F; buf++; + + /* make sure we don't write more than out_size samples */ + switch (code) { + case 0: smp = 4; break; + case 1: smp = 2; break; + case 2: smp = (count & 0x20) ? 1 : count + 1; break; + default: smp = count + 1; break; + } + if (out_size < smp) { + out_size = 0; + break; + } + + /* make sure we don't read past the input buffer */ + size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; + if ((buf - avpkt->data) + size > buf_size) + break; + switch(code) { case 0: /* ADPCM 2-bit */ for (count++; count > 0; count--) { @@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, } } + *data_size = samples - (uint8_t *)data; + return buf_size; } From 857c7e122b102da5c635852a32ba067157575311 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 09:44:21 -0400 Subject: [PATCH 112/290] ws_snd: make sure number of channels is 1 (cherry picked from commit 6a818cb3ff2056d43361e5fd09e318cd2ca2a7b4) --- libavcodec/ws-snd1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 48414c7201..f92c3531e0 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -41,6 +41,11 @@ static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR(EINVAL); + } + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } From 9770127cd8b16053b23a3f9fa693f23e18f410c6 Mon Sep 17 00:00:00 2001 
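Review bot: The new per-chunk sample accounting under-counts for the ADPCM cases: `case 0: smp = 4;` and `case 1: smp = 2;` are the samples per input byte, but the loops (`for (count++; count > 0; count--)` in the preceding commit's hunks) run `count + 1` times and emit four and two samples per iteration, so a chunk can still write up to `4 * count` samples past `out_size`. The cases should read `case 0: smp = 4 * (count + 1); break;` and `case 1: smp = 2 * (count + 1); break;`, matching how `size` is already computed from `count + 1` on the input side. The switch that consumes `code` continues outside this hunk.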
From: Laurent Aimar Date: Mon, 26 Sep 2011 23:37:29 +0200 Subject: [PATCH 113/290] Validate the number of audio channels before using it in wmapro decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit fc64434030a8e214fed4179733e49026e7550da5) --- libavcodec/wmaprodec.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index b0b98f1d98..03fb4a67e1 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -309,10 +309,6 @@ static av_cold int decode_init(AVCodecContext *avctx) s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); - /** init previous block len */ - for (i = 0; i < avctx->channels; i++) - s->channel[i].prev_block_len = s->samples_per_frame; - /** subframe info */ log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3); s->max_num_subframes = 1 << log2_max_num_subframes; @@ -332,6 +328,18 @@ static av_cold int decode_init(AVCodecContext *avctx) s->num_channels = avctx->channels; + if (s->num_channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); + return AVERROR_INVALIDDATA; + } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR_PATCHWELCOME; + } + + /** init previous block len */ + for (i = 0; i < s->num_channels; i++) + s->channel[i].prev_block_len = s->samples_per_frame; + /** extract lfe channel position */ s->lfe_channel = -1; 
@@ -343,14 +351,6 @@ static av_cold int decode_init(AVCodecContext *avctx) } } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { - av_log_ask_for_sample(avctx, "unsupported number of channels\n"); - return AVERROR_PATCHWELCOME; - } - INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE, scale_huffbits, 1, 1, scale_huffcodes, 2, 2, 616); From 9851184d304c85b6863dd3a7553e81f4cba32cfa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 26 Sep 2011 23:37:30 +0200 Subject: [PATCH 114/290] Reset internal state on corrupted blocks in wavpack decoder. wavpack_decode_block() supposes that it is called back with the exact same buffer unless it has returned with an error. With multi-channels files, wavpack_decode_frame() was breaking this assumption. Signed-off-by: Michael Niedermayer (cherry picked from commit c2a016ad4d9c29285813ba5806189e63e063e0fb) --- libavcodec/wavpack.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a785b90046..28e866356d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1173,6 +1173,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, return samplecount * bpp; } +static void wavpack_decode_flush(AVCodecContext *avctx) +{ + WavpackContext *s = avctx->priv_data; + int i; + + for (i = 0; i < s->fdec_num; i++) + wv_reset_saved_context(s->fdec[i]); +} + static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) 
@@ -1205,11 +1214,14 @@ static int wavpack_decode_frame(AVCodecContext *avctx, if(frame_size < 0 || frame_size > buf_size){ av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n", s->block, frame_size, buf_size); + wavpack_decode_flush(avctx); return -1; } if((samplecount = wavpack_decode_block(avctx, s->block, data, - data_size, buf, frame_size)) < 0) + data_size, buf, frame_size)) < 0) { + wavpack_decode_flush(avctx); return -1; + } s->block++; buf += frame_size; buf_size -= frame_size; } From 184a156f7aac93cc0e354f526f9842f648c0b433 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 01:02:16 +0200 Subject: [PATCH 115/290] Check for various out of bound writes in the bink decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 36bf135d4c32973933000a819208df7da9dd3e16) --- libavcodec/bink.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 4328a43525..b3e53b8a32 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle * memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v) { sign = -get_bits1(gb); v = (v ^ sign) - sign; } *b->cur_dec++ = v; - } while (b->cur_dec < dec_end); + } } return 0; } @@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v < 12) { last = v; @@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) } else { int run = bink_rlelens[v - 12]; + if (dec_end - b->cur_dec < run) + return -1; memset(b->cur_dec, last, run); b->cur_dec += run; } - } while (b->cur_dec < dec_end); + } } return 0; } 
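Review bot: Converting the `do`/`while` loops to `while (b->cur_dec < dec_end)` protects the per-value branch, but in both `read_motion_values` and `read_block_types` (`@@ -374,7 +374,7 @@`) the `memset(b->cur_dec, v, t); b->cur_dec += t;` branch shown as context still writes `t` bytes with no bound visible in the hunk. If `dec_end` is not validated against `b->data_end` where it is computed above the hunk, that path needs `if (dec_end - b->cur_dec < t) return -1;` before the memset; the `run` check added in the third hunk is the right shape for it. Both functions start outside the hunks.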
@@ -456,6 +458,7 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, { int i, j, len, len2, bsize, sign, v, v2; int16_t *dst = (int16_t*)b->cur_dec; + int16_t *dst_end =( int16_t*)b->data_end; CHECK_READ_VAL(gb, b, len); v = get_bits(gb, start_bits - has_sign); @@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, sign = -get_bits1(gb); v = (v ^ sign) - sign; } + if (dst_end - dst < 1) + return -1; *dst++ = v; len--; for (i = 0; i < len; i += 8) { len2 = FFMIN(len - i, 8); + if (dst_end - dst < len2) + return -1; bsize = get_bits(gb, 4); if (bsize) { for (j = 0; j < len2; j++) { @@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num) int i, len; CHECK_READ_VAL(gb, b, len); + if (b->data_end - b->cur_dec < len * (1 + (bits > 8))) + return -1; if (bits <= 8) { if (!issigned) { for (i = 0; i < len; i++) From 1860053820a4a3a9cefa5131dbd263645944bc77 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 01:02:17 +0200 Subject: [PATCH 116/290] Check for out of bound writes when building tree in bink decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 254af56dd101bc756194dd080bb99e8f123500dd) --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index b3e53b8a32..f4fa44b761 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -246,7 +246,7 @@ static void read_tree(GetBitContext *gb, Tree *tree) tree->syms[i] = get_bits(gb, 4); tmp1[tree->syms[i]] = 1; } - for (i = 0; i < 16; i++) + for (i = 0; i < 16 && len < 16 - 1; i++) if (!tmp1[i]) tree->syms[++len] = i; } else { From 08decaeb95f20821df993a7c3b1692ce654ad390 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 20:22:13 +0200 Subject: [PATCH 117/290] Prevent NULL dereferences when missing the reference frame in the bink decoder. 
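Review bot: `int16_t *dst_end =( int16_t*)b->data_end;` has the cast spacing reversed; `int16_t *dst_end = (int16_t *)b->data_end;` matches the `dst` declaration above it. In `binkb_read_bundle` (`@@ -534,6 +541,8 @@`), `len * (1 + (bits > 8))` relies on a comparison promoting to 1; `len * (bits > 8 ? 2 : 1)` states the element size directly, and a comment such as `/* entries wider than 8 bits take two bytes each */` would explain the multiplier. read_dcs and binkb_read_bundle start and end outside the hunks.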
Signed-off-by: Michael Niedermayer (cherry picked from commit 66aae97a60fcd8658f18c484b5af898a48d0e3f9) --- libavcodec/bink.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index f4fa44b761..63f17eb577 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -973,8 +973,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, for (i = 0; i < BINK_NB_SRC; i++) read_bundle(gb, c, i); - ref_start = c->last.data[plane_idx]; - ref_end = c->last.data[plane_idx] + ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]; + ref_end = ref_start + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8; for (i = 0; i < 64; i++) @@ -1003,7 +1004,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, if (by == bh) break; dst = c->pic.data[plane_idx] + 8*by*stride; - prev = c->last.data[plane_idx] + 8*by*stride; + prev = (c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]) + 8*by*stride; for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it From 70727e16ca6840873145332bc16c0cfab1a3cdd5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:51 +0200 Subject: [PATCH 118/290] Check for out of bound writes in the wmavoice decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e09ae22ab7d9af7f1cbfd2445fa71ad9e7c28ee3) --- libavcodec/wmavoice.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 002c529a30..6cefb9a84d 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c 
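Review bot: When `c->last.data[plane_idx]` is NULL the new code substitutes `c->pic.data[plane_idx]` for `ref_start`, but `ref_end` is still computed with `c->last.linesize[plane_idx]`, which belongs to the frame that has no data, so the reference window may be sized with a stale or zero linesize. The fallback should take the linesize from the same frame as the pointer it uses, and computing the base once — `uint8_t *ref_base = c->last.data[plane_idx] ? c->last.data[plane_idx] : c->pic.data[plane_idx];` — would remove the ternary duplicated in the second hunk, where `stride` comes from outside the hunk. Using the picture being decoded as its own reference also means motion-compensated blocks read pixels the current frame is still writing; if that is intended as tolerance for a missing reference, a comment saying so would help. bink_decode_plane starts and ends outside the hunks.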
@@ -1880,6 +1880,8 @@ static void copy_bits(PutBitContext *pb, rmn_bits = rmn_bytes = get_bits_left(gb); if (rmn_bits < nbits) return; + if (nbits > pb->size_in_bits - put_bits_count(pb)) + return; rmn_bits &= 7; rmn_bytes >>= 3; if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0) put_bits(pb, rmn_bits, get_bits(gb, rmn_bits)); From 0a5e269f03cc812d0309ebe9c4ba5053a804635a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:52 +0200 Subject: [PATCH 119/290] Check for corrupted extra data in wmavoice decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 61930119cbff7572ebe7ade6cd9268becbec37f4) --- libavcodec/wmavoice.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 6cefb9a84d..c343080b36 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -401,6 +401,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; + if (pitch_range <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n"); + return -1; + } s->pitch_nbits = av_ceil_log2(pitch_range); s->last_pitch_val = 40; s->last_acb_type = ACB_TYPE_NONE; @@ -422,6 +426,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->block_conv_table[2] = (pitch_range * 44) >> 6; s->block_conv_table[3] = s->max_pitch_val - 1; s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF; + if (s->block_delta_pitch_hrange <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n"); + return -1; + } s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange); s->block_pitch_range = s->block_conv_table[2] + s->block_conv_table[3] + 1 + From 23197f546762e906837fb3293ce8243852b294dd Mon Sep 17 00:00:00 2001 
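Review bot: The new guard in copy_bits returns silently when the PutBitContext cannot take `nbits` more bits, and because the function is void the caller cannot tell that the bitstream it is assembling is now short; what used to be an out-of-bounds write is now a truncated buffer that whatever parses it later sees with no diagnostic. It mirrors the existing silent `if (rmn_bits < nbits) return;`, but this condition is a corrupt or oversized input rather than end-of-data, so at minimum it deserves a debug log, and ideally copy_bits would return an int the call sites (outside this hunk) can propagate. copy_bits starts before this hunk.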
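Review bot: Both new checks in wmavoice_decode_init return a bare `-1` where the other decoder fixes in this series (sunrast, flic) use `AVERROR_INVALIDDATA`; prefer `return AVERROR_INVALIDDATA;` in both branches so callers get a meaningful error code. The checks themselves are right: `block_delta_pitch_hrange` is `(pitch_range >> 3) & ~0xF`, so any `pitch_range` below 128 would otherwise feed `av_ceil_log2(0)` on the next line. wmavoice_decode_init continues outside both hunks.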
From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:53 +0200 Subject: [PATCH 120/290] Check for out of bounds reads in sun rasterfile decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 039f3c33fffd2f4ae376b662ea4ec67c1d6a4c04) --- libavcodec/sunrast.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 558b0edd8f..7ab8e2c3f6 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -46,6 +46,7 @@ static av_cold int sunrast_init(AVCodecContext *avctx) { static int sunrast_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; SUNRASTContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -53,6 +54,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *ptr; const uint8_t *bufstart = buf; + if (avpkt->size < 32) + return AVERROR_INVALIDDATA; + if (AV_RB32(buf) != 0x59a66a95) { av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n"); return -1; @@ -109,6 +113,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if (depth != 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -143,8 +150,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *end = ptr + h*stride; x = 0; - while (ptr != end) { + while (ptr != end && buf < buf_end) { run = 1; + if (buf_end - buf < 1) + return AVERROR_INVALIDDATA; + if ((value = *buf++) == 0x80) { run = *buf++ + 1; if (run != 1) 
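Review bot: In the RLE loop the added `buf_end - buf < 1` check covers only the marker byte: when it equals 0x80, `run = *buf++ + 1;` immediately reads a second byte with nothing guaranteeing it exists, and the `if (run != 1)` branch that continues past the hunk presumably reads a third. Guard each extra read, e.g. `if (buf_end - buf < 1) return AVERROR_INVALIDDATA;` before `run = *buf++ + 1;` and again before the value byte inside `if (run != 1)`. Note also that with `while (ptr != end && buf < buf_end)` the first in-loop check can never fire, so the truncation case now ends the loop with the rest of the image unfilled rather than reporting an error. sunrast_decode_frame continues beyond this hunk.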
@@ -163,6 +173,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y=0; y Date: Tue, 27 Sep 2011 23:43:57 +0200 Subject: [PATCH 121/290] Prevent NULL dereferences when missing the reference frame in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 19e95b88459e879d3e67a66350d937c32ed762ca) --- libavcodec/xan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 357593bf2d..404f4d10c6 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -222,6 +222,8 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; + if (!prev_palette_plane) + prev_palette_plane = palette_plane; stride = s->current_frame.linesize[0]; line_inc = stride - width; curframe_index = y * stride + x; From df0d418ce0efd2d59c60518c4b09995948bd5faf Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 21:24:03 +0200 Subject: [PATCH 122/290] Check for invalid/corrupted bitstream in sun raster decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit b9596a503760ccbd82ca3c03d1c0d5b9449be12b) --- libavcodec/sunrast.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 7ab8e2c3f6..209d2c0ad3 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c 
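Review bot: Substituting `palette_plane` for a missing `prev_palette_plane` makes source and destination the same buffer, and the copy further down in xan_wc3_copy_pixel_run (`memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count)`, shown in a later hunk of this file) then copies within one plane; a motion vector that makes the two ranges overlap turns that into undefined behaviour. Use `memmove` for that copy, or skip the run when the planes alias. xan_wc3_copy_pixel_run extends beyond this hunk.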
@@ -68,13 +68,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, type = AV_RB32(buf+20); maptype = AV_RB32(buf+24); maplength = AV_RB32(buf+28); + buf += 32; - if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + if (type < RT_OLD || type > RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); return -1; } - if (type > RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); + if (av_image_check_size(w, h, 0, avctx)) { + av_log(avctx, AV_LOG_ERROR, "invalid image size\n"); return -1; } if (maptype & ~1) { @@ -82,7 +83,10 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return -1; } - buf += 32; + if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + return -1; + } switch (depth) { case 1: @@ -102,8 +106,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (p->data[0]) avctx->release_buffer(avctx, p); - if (av_image_check_size(w, h, 0, avctx)) - return -1; if (w != avctx->width || h != avctx->height) avcodec_set_dimensions(avctx, w, h); if (avctx->get_buffer(avctx, p) < 0) { From 03a4b489f10c2ed3cb004e1d0bbe9515ebf0e586 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:53:47 +0200 Subject: [PATCH 123/290] Prevent out of bound accesses in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit feca3ba053499e0d38f48910cef9bc431036956f) --- libavcodec/xan.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 404f4d10c6..141fccae77 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c 
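Review bot: The new `type < RT_OLD || type > RT_FORMAT_IFF` test is only half effective if `RT_OLD` is 0 and `type` is unsigned (both declarations are outside the hunk): `type < 0` is then always false and compilers warn about it, so `if (type > RT_FORMAT_IFF)` expresses the same check without the dead comparison. Moving `av_image_check_size` ahead of the depth switch and the buffer release is a good reordering, but the function still returns bare `-1` here where the earlier hunk in this file uses `AVERROR_INVALIDDATA`. sunrast_decode_frame continues outside these hunks.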
@@ -220,6 +220,10 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, int width = s->avctx->width; unsigned char *palette_plane, *prev_palette_plane; + if ( y + motion_y < 0 || y + motion_y >= s->avctx->height || + x + motion_x < 0 || x + motion_x >= s->avctx->width) + return; + palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; if (!prev_palette_plane) @@ -230,7 +234,9 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, curframe_x = x; prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - while(pixel_count && (curframe_index < s->frame_size)) { + while(pixel_count && + curframe_index < s->frame_size && + prevframe_index < s->frame_size) { int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x); memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count); @@ -264,6 +270,7 @@ static int xan_wc3_decode_frame(XanContext *s) { int x, y; unsigned char *opcode_buffer = s->buffer1; + unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; int opcode_buffer_size = s->buffer1_size; const unsigned char *imagedata_buffer = s->buffer2; @@ -272,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; - int huffman_offset, size_offset, vector_offset, imagedata_offset; + int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; if (s->size < 8) return AVERROR_INVALIDDATA; 
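Review bot: `opcode_buffer_end = s->buffer1 + s->buffer1_size` bounds the allocation rather than the bytes xan_huffman_decode actually produced, so when the Huffman segment decodes to fewer than `buffer1_size` bytes the opcode loop can keep consuming stale opcodes left in buffer1 by a previous frame. If xan_huffman_decode can report how much it wrote (its return value is only tested for `< 0` here), derive the end from that, e.g. `opcode_buffer_end = s->buffer1 + ret;`; the now-redundant `opcode_buffer_size` could go at the same time. These hunks are inside xan_wc3_decode_frame, which continues beyond them.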
@@ -297,14 +304,17 @@ static int xan_wc3_decode_frame(XanContext *s) { huffman_segment, s->size - huffman_offset) < 0) return AVERROR_INVALIDDATA; - if (imagedata_segment[0] == 2) + if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); - else + imagedata_size = s->buffer2_size; + } else { + imagedata_size = s->size - imagedata_offset - 1; imagedata_buffer = &imagedata_segment[1]; + } /* use the decoded data segments to build the frame */ x = y = 0; - while (total_pixels) { + while (total_pixels && opcode_buffer < opcode_buffer_end) { opcode = *opcode_buffer++; size = 0; @@ -353,6 +363,8 @@ static int xan_wc3_decode_frame(XanContext *s) { size_segment += 3; break; } + if (size > total_pixels) + break; if (opcode < 12) { flag ^= 1; @@ -361,8 +373,11 @@ static int xan_wc3_decode_frame(XanContext *s) { xan_wc3_copy_pixel_run(s, x, y, size, 0, 0); } else { /* output a run of pixels from imagedata_buffer */ + if (imagedata_size < size) + break; xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size); imagedata_buffer += size; + imagedata_size -= size; } } else { /* run-based motion compensation from last frame */ From fa816e01f401585bcd06e0c3785a8e2270cf37fd Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:05:15 +0200 Subject: [PATCH 124/290] Check for out of bound reads in the flic decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 1f024b882094b26c85e87698faa002b8713b5f88) --- libavcodec/flicvideo.c | 44 ++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 8cc72e241e..2055596503 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -132,7 +132,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, FlicDecodeContext *s = avctx->priv_data; int stream_ptr = 0; - int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; unsigned char palette_idx1; 
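Review bot: `imagedata_size = s->buffer2_size` assumes xan_unpack filled all of buffer2, but xan_unpack is void and returns early on malformed input (its body, later on this page, has several `return;` paths before `dest_end` is reached), so the tail of buffer2 can be stale bytes from an earlier frame that `if (imagedata_size < size) break;` then happily lets through as pixels. Have xan_unpack return the number of bytes it wrote and use that here, `imagedata_size = xan_unpack(...);`, so the bound really describes decoded data. xan_wc3_decode_frame starts before this hunk and ends after it.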
@@ -172,7 +171,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; + if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE)) + return AVERROR_INVALIDDATA; frame_size = AV_RL32(&buf[stream_ptr]); + if (frame_size > buf_size) + frame_size = buf_size; stream_ptr += 6; /* skip the magic number */ num_chunks = AV_RL16(&buf[stream_ptr]); stream_ptr += 10; /* skip padding */ @@ -180,13 +183,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, frame_size -= 16; /* iterate through the chunks */ - while ((frame_size > 0) && (num_chunks > 0)) { + while ((frame_size >= 6) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = AV_RL32(&buf[stream_ptr]); if (chunk_size > frame_size) { av_log(avctx, AV_LOG_WARNING, "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); chunk_size = frame_size; } + stream_ptr_after_chunk = stream_ptr + chunk_size; + stream_ptr += 4; chunk_type = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; @@ -194,8 +200,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6; - /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during @@ -219,6 +223,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (color_changes == 0) color_changes = 256; + if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk) + break; + for (j = 0; j < color_changes; j++) { unsigned int entry; 
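Review bot: The chunk loop still accepts a `chunk_size` smaller than the 6-byte chunk header: after the `+= 4` and `+= 2` advances, `stream_ptr_after_chunk` already lies before `stream_ptr`, and a `chunk_size` of 0 leaves `frame_size` unchanged so the loop only ends through `num_chunks`. Rejecting it right after the clamp, `if (chunk_size < 6) break;`, keeps every later `stream_ptr + n > stream_ptr_after_chunk` comparison meaningful. flic_decode_frame_8BPP continues well beyond these hunks.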
@@ -235,13 +242,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, s->palette[palette_ptr++] = entry; } } - - /* color chunks sometimes have weird 16-bit alignment issues; - * therefore, take the hardline approach and set the stream_ptr - * to the value calculated w.r.t. the size specified by the color - * chunk header */ - stream_ptr = stream_ptr_after_color_chunk; - break; case FLI_DELTA: @@ -249,6 +249,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, compressed_lines = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; while (compressed_lines > 0) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; line_packets = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; if ((line_packets & 0xC000) == 0xC000) { @@ -268,6 +270,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; @@ -284,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } } else { CHECK_PIXEL_PTR(byte_run * 2); + if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -310,6 +316,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; line_packets = buf[stream_ptr++]; + if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk) + break; if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ 
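Review bot: The `stream_ptr + 2 > stream_ptr_after_chunk` check before the skip byte only guarantees the skip and count bytes; the `byte_run < 0` branch that sits between this check and the `CHECK_PIXEL_PTR(byte_run * 2)` else-branch is not in the hunk, and if it reads the two repeated palette indices straight from `buf` as the visible else-branch does, those reads need their own bound, e.g. `if (stream_ptr + 2 > stream_ptr_after_chunk) break;` immediately before them. Such a read would stay inside the packet's padding but beyond the chunk the header declared. All of these hunks are inside flic_decode_frame_8BPP, which starts earlier.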
@@ -319,6 +327,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -356,6 +366,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, stream_ptr++; pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { + if (stream_ptr + 1 > stream_ptr_after_chunk) + break; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { palette_idx1 = buf[stream_ptr++]; @@ -370,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -387,10 +401,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_COPY: /* copy the chunk (uncompressed frame) */ - if (chunk_size - 6 > s->avctx->width * s->avctx->height) { + if (chunk_size - 6 != s->avctx->width * s->avctx->height) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ - "bigger than image, skipping chunk\n", chunk_size - 6); - stream_ptr += chunk_size - 6; + "has incorrect size, skipping chunk\n", chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; y_ptr += s->frame.linesize[0]) { @@ -403,7 +416,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - stream_ptr += chunk_size - 6; break; default: @@ -411,6 +423,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; } + stream_ptr = stream_ptr_after_chunk; + frame_size -= chunk_size; num_chunks--; } 
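Review bot: In the FLI_BRUN hunk the guard `stream_ptr + 1 > stream_ptr_after_chunk` covers only the count byte, yet the `byte_run > 0` branch immediately does `palette_idx1 = buf[stream_ptr++];`, reading one byte past what was checked whenever the count is the last byte of the chunk. Add `if (stream_ptr + 1 > stream_ptr_after_chunk) break;` before that palette read (a blanket `+ 2` on the first guard would wrongly reject a trailing zero count); the negative branch is already covered by its `byte_run` check. The enclosing flic_decode_frame_8BPP starts before these hunks.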
From 651e21f584d92709d58242dcad49b238e54dfdd5 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Sun, 20 Mar 2011 19:39:20 +0100 Subject: [PATCH 125/290] Introduce av_size_mult. av_size_mult helps checking for overflow when computing the size of a memory area. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit b2600509fef4d77645491f208b8113c372a32110) --- libavutil/mem.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavutil/mem.h b/libavutil/mem.h index be8a8bf222..241b453257 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -27,6 +27,7 @@ #define AVUTIL_MEM_H #include "attributes.h" +#include "error.h" #include "avutil.h" #if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C) @@ -144,4 +145,19 @@ void av_freep(void *ptr); */ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem); +/** + * Multiply two size_t values checking for overflow. + * @return 0 if success, AVERROR(EINVAL) if overflow. + */ +static inline int av_size_mult(size_t a, size_t b, size_t *r) +{ + size_t t = a * b; + /* Hack inspired from glibc: only try the division if nelem and elsize + * are both greater than sqrt(SIZE_MAX). */ + if ((a | b) >= ((size_t)1 << (sizeof(size_t) * 4)) && a && t / a != b) + return AVERROR(EINVAL); + *r = t; + return 0; +} + #endif /* AVUTIL_MEM_H */ From a75b5a89d11b80e89bb2ff723cfcc270480dc06d Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Sun, 20 Mar 2011 19:39:20 +0100 Subject: [PATCH 126/290] Introduce av_realloc_f. av_realloc_f helps avoiding memory-leaks in typical uses of realloc. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 5cd754bca290775ec2dbbf88597ab58e0482efca) --- libavutil/mem.c | 15 +++++++++++++++ libavutil/mem.h | 10 ++++++++++ 2 files changed, 25 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 44bfc8c34d..a58f432a2c 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c 
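Review bot: The doc comment on av_size_mult should state that `*r` is left untouched on overflow — callers like av_realloc_f read the result only after checking the return, and `@return 0 if success` alone does not tell a header reader that. The inline comment also talks about `nelem` and `elsize`, which are not this function's parameter names; either rename the parameters or rephrase it, e.g. `/* only try the division when a or b is >= sqrt(SIZE_MAX); smaller operands cannot overflow */`. The overflow test itself is correct: both operands below 2^(bits/2) cannot overflow, and otherwise `t / a != b` with `a` non-zero catches it.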
@@ -143,6 +143,21 @@ void *av_realloc(void *ptr, size_t size) #endif } +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize) +{ + size_t size; + void *r; + + if (av_size_mult(elsize, nelem, &size)) { + av_free(ptr); + return NULL; + } + r = av_realloc(ptr, size); + if (!r && size) + av_free(ptr); + return r; +} + void av_free(void *ptr) { #if CONFIG_MEMALIGN_HACK diff --git a/libavutil/mem.h b/libavutil/mem.h index 241b453257..d3e82b2ace 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -87,6 +87,16 @@ void *av_malloc(size_t size) av_malloc_attrib av_alloc_size(1); */ void *av_realloc(void *ptr, size_t size) av_alloc_size(2); +/** + * Allocate or reallocate a block of memory. + * This function does the same thing as av_realloc, except: + * - It takes two arguments and checks the result of the multiplication for + * integer overflow. + * - It frees the input block in case of failure, thus avoiding the memory + * leak with the classic "buf = realloc(buf); if (!buf) return -1;". + */ +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize); + /** * Free a memory block which has been allocated with av_malloc(z)() or * av_realloc(). From bbb191c721d7104e4fcc77b45856cc9d585b0636 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 127/290] bitstream: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 198ed6474d603f930430067b8b56955d443e821c) --- libavcodec/bitstream.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index f0fa9652c6..e2a3d56d05 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c 
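Review bot: The header comment should spell out the ownership consequence of the new contract: on failure `ptr` has been freed, so any other copy of that pointer — a struct field that also held it, or a buffer the caller still owns — is dangling afterwards, and any length or count that described the block must be reset; several of the call-site conversions in this series depend on that. A suggested addition to the doc block: `- On failure the input block has been freed; callers must not touch it again and should reset any size/count that described it.` The zero-size case is also worth a sentence: if `av_realloc(ptr, 0)` releases the block and returns NULL (its behaviour is not visible here), `!r && size` correctly avoids a double free, but that NULL is then indistinguishable from an allocation failure.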
@@ -109,8 +109,8 @@ static int alloc_table(VLC *vlc, int size, int use_static) if(use_static) abort(); //cant do anything, init_vlc() is used with too little memory vlc->table_allocated += (1 << vlc->bits); - vlc->table = av_realloc(vlc->table, - sizeof(VLC_TYPE) * 2 * vlc->table_allocated); + vlc->table = av_realloc_f(vlc->table, + vlc->table_allocated, sizeof(VLC_TYPE) * 2); if (!vlc->table) return -1; } From acfe2c9154899b678c7638e3e247ba188cb18cfa Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 128/290] libvpxenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 769298a6869c3b16557280a63f6502409d1b5e49) --- libavcodec/libvpxenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index ac1b79fcc7..990badb87b 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -481,8 +481,8 @@ static int queue_frames(AVCodecContext *avctx, uint8_t *buf, int buf_size, break; case VPX_CODEC_STATS_PKT: { struct vpx_fixed_buf *stats = &ctx->twopass_stats; - stats->buf = av_realloc(stats->buf, - stats->sz + pkt->data.twopass_stats.sz); + stats->buf = av_realloc_f(stats->buf, 1, + stats->sz + pkt->data.twopass_stats.sz); if (!stats->buf) { av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n"); return AVERROR(ENOMEM); From 2a934e87b18030ac0b94d1761048a5d5aa9d5ed9 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 129/290] 4xm: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 0cc44facf17153454727c26f2f40ee2f77b90df5) --- libavformat/4xm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 0b79c761a5..0a314dc089 100644 --- a/libavformat/4xm.c 
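Review bot: `vlc->table_allocated` is bumped before the call, so on failure alloc_table now returns -1 with `vlc->table == NULL` but `table_allocated` claiming the enlarged size, whereas before the old table survived and the count was merely optimistic; a caller that inspects `table_allocated` for cleanup or retries (init_vlc and its callers are outside this hunk) sees inconsistent state. Make the failure path self-consistent: `if (!vlc->table) { vlc->table_allocated = 0; return -1; }`. alloc_table begins before this hunk.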
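Review bot: After the switch to av_realloc_f the failure path in queue_frames leaves `stats->sz` describing a buffer that no longer exists — `stats->buf` is NULL while `sz` is unchanged — so anything that later consults `twopass_stats` by length (the final stats write-out or cleanup, outside this hunk) would read from NULL. Reset the length with the error: `if (!stats->buf) { stats->sz = 0; av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n"); return AVERROR(ENOMEM); }`. queue_frames starts before this hunk.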
+++ b/libavformat/4xm.c @@ -173,8 +173,9 @@ static int fourxm_read_header(AVFormatContext *s, } if (current_track + 1 > fourxm->track_count) { fourxm->track_count = current_track + 1; - fourxm->tracks = av_realloc(fourxm->tracks, - fourxm->track_count * sizeof(AudioTrack)); + fourxm->tracks = av_realloc_f(fourxm->tracks, + sizeof(AudioTrack), + fourxm->track_count); if (!fourxm->tracks) { ret= AVERROR(ENOMEM); goto fail; From 1537f86a9347ec7c17cb4be0d6657c583d316d40 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 130/290] avidec: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 71e23d39a396f45bbdf258735b02a4bd5e25fd49) --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 6fedaf7f8e..7394bbc3a8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -639,7 +639,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){ st->codec->extradata_size+= 9; - st->codec->extradata= av_realloc(st->codec->extradata, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); + st->codec->extradata= av_realloc_f(st->codec->extradata, 1, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); if(st->codec->extradata) memcpy(st->codec->extradata + st->codec->extradata_size - 9, "BottomUp", 9); } From 7bc9c32573ab482d44f62bc08f9e508c81adae33 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 131/290] avienc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit e47cfe9e5c10eee3c8d0b6aff81792c0f10e66e1) --- libavformat/avienc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
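Review bot: av_realloc_f is declared `(ptr, nelem, elsize)` (see its header hunk earlier on this page), but this call passes `sizeof(AudioTrack)` as `nelem` and `fourxm->track_count` as `elsize`; the product is the same, but the swapped order misreads against the prototype and the same inversion appears in the avienc, gxfenc and movenc conversions. Write it as `av_realloc_f(fourxm->tracks, fourxm->track_count, sizeof(AudioTrack));`. Note also that `fourxm->track_count` is raised before the call, so after a failure it describes a table that no longer exists — harmless only if the `fail:` path (outside the hunk) does not walk the tracks by count.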
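Review bot: `extradata_size` is incremented by 9 before the av_realloc_f call, so on failure `extradata` is NULL while `extradata_size` still claims the enlarged length, and a decoder that trusts the size field will dereference NULL; the old code at least left the previous buffer in place. Reset the size when the allocation fails: `if (st->codec->extradata) memcpy(...); else st->codec->extradata_size = 0;`. avi_read_header continues outside this hunk.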
diff --git a/libavformat/avienc.c b/libavformat/avienc.c index 8a53bb53d3..deff1c8d20 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -558,7 +558,7 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt) int cl = idx->entry / AVI_INDEX_CLUSTER_SIZE; int id = idx->entry % AVI_INDEX_CLUSTER_SIZE; if (idx->ents_allocated <= idx->entry) { - idx->cluster = av_realloc(idx->cluster, (cl+1)*sizeof(void*)); + idx->cluster = av_realloc_f(idx->cluster, sizeof(void*), cl+1); if (!idx->cluster) return -1; idx->cluster[cl] = av_malloc(AVI_INDEX_CLUSTER_SIZE*sizeof(AVIIentry)); From 431937883f5d10b461fd8c6ee5a11abc7af8c9b2 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 132/290] aviobuf: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 247a1dc84716cb033b538a5bd5ba8b33de0e8260) --- libavformat/aviobuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index aad0240d53..c6a67c3acc 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -921,7 +921,7 @@ int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char *buf, int buf_size alloc_size = FFMAX(s->buffer_size, new_size); if (alloc_size > buf_size) - if (!(buf = av_realloc(buf, alloc_size))) + if (!(buf = av_realloc_f(buf, 1, alloc_size))) return AVERROR(ENOMEM); if (new_size > buf_size) { @@ -1090,7 +1090,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) } if (new_allocated_size > d->allocated_size) { - d->buffer = av_realloc(d->buffer, new_allocated_size); + d->buffer = av_realloc_f(d->buffer, 1, new_allocated_size); if(d->buffer == NULL) return AVERROR(ENOMEM); d->allocated_size = new_allocated_size; From cfff8db7298e31bc4322af1f1de6fe142d2abd90 Mon Sep 17 00:00:00 2001 
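Review bot: The pointer av_realloc_f frees on failure here is the array of cluster pointers, and `idx->cluster[0..cl-1]` are the only references to the `AVIIentry` blocks allocated with `av_malloc` on the next line, so a failed grow now leaks every previously allocated cluster where the old array used to survive. Keep the old array on failure, e.g. `void *tmp = av_realloc(idx->cluster, (cl+1)*sizeof(void*)); if (!tmp) return -1; idx->cluster = tmp;`, or free the clusters explicitly before returning. avi_write_packet continues outside this hunk.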
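Review bot: In ffio_rewind_with_probe_data the reallocated `buf` is the probe buffer handed in by the caller, so with av_realloc_f a failed grow now frees the caller's buffer before returning `AVERROR(ENOMEM)`; if the caller (outside this hunk) still frees or reads its probe buffer on error, that becomes a double free or use-after-free. Either document that `buf` is consumed on every path, or realloc into a temporary and leave ownership with the caller on failure. The function starts before this hunk.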
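Review bot: On failure dyn_buf_write now leaves `d->buffer == NULL` but `d->allocated_size` unchanged, so a later call whose `new_allocated_size` does not exceed the stale `allocated_size` skips the grow and copies into a NULL buffer; the previous code kept the old buffer and its size consistent. Reset the bookkeeping together with the error: `if (d->buffer == NULL) { d->allocated_size = 0; return AVERROR(ENOMEM); }`. dyn_buf_write's body starts before this hunk.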
From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 133/290] gxfenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit af84d9bb9e8a69a715fc7596d6cbaa00ad00dc29) --- libavformat/gxfenc.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/gxfenc.c b/libavformat/gxfenc.c index 3f7d7851f7..36e2c91ef6 100644 --- a/libavformat/gxfenc.c +++ b/libavformat/gxfenc.c @@ -340,8 +340,9 @@ static int gxf_write_map_packet(AVFormatContext *s, int rewrite) if (!rewrite) { if (!(gxf->map_offsets_nb % 30)) { - gxf->map_offsets = av_realloc(gxf->map_offsets, - (gxf->map_offsets_nb+30)*sizeof(*gxf->map_offsets)); + gxf->map_offsets = av_realloc_f(gxf->map_offsets, + sizeof(*gxf->map_offsets), + gxf->map_offsets_nb+30); if (!gxf->map_offsets) { av_log(s, AV_LOG_ERROR, "could not realloc map offsets\n"); return -1; @@ -876,8 +877,9 @@ static int gxf_write_packet(AVFormatContext *s, AVPacket *pkt) if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) { if (!(gxf->flt_entries_nb % 500)) { - gxf->flt_entries = av_realloc(gxf->flt_entries, - (gxf->flt_entries_nb+500)*sizeof(*gxf->flt_entries)); + gxf->flt_entries = av_realloc_f(gxf->flt_entries, + sizeof(*gxf->flt_entries), + gxf->flt_entries_nb+500); if (!gxf->flt_entries) { av_log(s, AV_LOG_ERROR, "could not reallocate flt entries\n"); return -1; From 17b6abab50a42f1b81b8ae2207f86f2c76564380 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 134/290] movenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 194c2432eecd97c36914956f3bf7781ac4fc6f3d) --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 463dd5b601..076f2e3c69 100644 --- a/libavformat/movenc.c 
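Review bot: Both conversions free `map_offsets` / `flt_entries` on failure while `map_offsets_nb` and `flt_entries_nb` keep their old counts, so if the trailer writer (outside these hunks) walks those arrays by count it dereferences NULL; the earlier behaviour left the arrays intact on failure. Zero the counter where the error is logged, e.g. `gxf->flt_entries_nb = 0;` before `return -1;` and likewise for `map_offsets_nb`. Both hunks sit inside functions that begin earlier.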
+++ b/libavformat/movenc.c @@ -2058,7 +2058,7 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) } if (!(trk->entry % MOV_INDEX_CLUSTER_SIZE)) { - trk->cluster = av_realloc(trk->cluster, (trk->entry + MOV_INDEX_CLUSTER_SIZE) * sizeof(*trk->cluster)); + trk->cluster = av_realloc_f(trk->cluster, sizeof(*trk->cluster), (trk->entry + MOV_INDEX_CLUSTER_SIZE)); if (!trk->cluster) return -1; } From 485b4317bba908f58ffa62181000c6180c31f698 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:49 +0200 Subject: [PATCH 135/290] Fixed out of bound accesses in xan_unpack() of the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5279141c1d7a72c467b7e0666fc2275cbcec4668) --- libavcodec/xan.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 141fccae77..52f3a3f64a 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -132,13 +132,16 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, * * @param dest destination buffer of dest_len, must be padded with at least 130 bytes */ -static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len) +static void xan_unpack(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char opcode; int size; + unsigned char *dest_org = dest; unsigned char *dest_end = dest + dest_len; + const unsigned char *src_end = src + src_len; - while (dest < dest_end) { + while (dest < dest_end && src < src_end) { opcode = *src++; if (opcode < 0xe0) { 
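Review bot: After this change a failed grow frees `trk->cluster` while `trk->entry` still counts the entries that were stored in it, so mov_write_trailer or any later packet (outside this hunk) that indexes `trk->cluster[i]` for `i < trk->entry` dereferences NULL; the previous code preserved the old array. Either reset `trk->entry = 0` on the failure path or realloc into a temporary and assign only on success. ff_mov_write_packet continues beyond this hunk.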
@@ -163,9 +166,11 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; size2 = ((opcode & 0x0c) << 6) + *src++ + 5; - if (size + size2 > dest_end - dest) - return; } + if (dest_end - dest < size + size2 || + dest + size - dest_org < back || + src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; av_memcpy_backptr(dest, back, size2); dest += size2; @@ -173,6 +178,8 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l int finish = opcode >= 0xfc; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; + if (dest_end - dest < size || src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; if (finish) return; @@ -305,7 +312,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) { - xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); + xan_unpack(s->buffer2, s->buffer2_size, + &imagedata_segment[1], s->size - imagedata_offset - 1); imagedata_size = s->buffer2_size; } else { imagedata_size = s->size - imagedata_offset - 1; From 14617fa7b8e688f5688d3679c906c8cb75ff42ed Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:51 +0200 Subject: [PATCH 136/290] Prevent NULL dereference when the palette is missing in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 56ee5a9ad1b385129c40ba4773f99bc5943ae8af) --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 52f3a3f64a..b90353967d 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -552,6 +552,9 @@ static int xan_decode_frame(AVCodecContext *avctx, } buf_size = buf_end - buf; } + if (s->palettes_count <= 0) + return AVERROR_INVALIDDATA; + if ((ret = avctx->get_buffer(avctx, &s->current_frame))) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; 
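Review bot: The new bound check in the `opcode < 0xe0` path is placed after the operand bytes have already been consumed — `bytestream_get_be16(&src)` and `*src++` for `back` and `size2` — so with only `src < src_end` guaranteed by the loop header, up to three bytes past `src_end` are read before `src_end - src < size` is evaluated. Check the operand count before decoding it, e.g. `if (src_end - src < 3) return;` ahead of the be16 read, with matching 1- or 2-byte checks for the shorter operand forms earlier in this branch (outside the hunk). The `dest + size - dest_org < back` test for the back-reference is the right shape. xan_unpack begins before this hunk.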
From f8eabfc16ed260ae33bd2c15c240eaf2129dba47 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:52 +0200 Subject: [PATCH 137/290] Prevent calling init_vlc() with invalid parameters in motionpixels decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 41b7389cade702383e59343561776f83bb26e17f) --- libavcodec/motionpixels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index b18efa6b9c..4bd83cb2ae 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -279,6 +279,8 @@ static int mp_decode_frame(AVCodecContext *avctx, if (sz == 0) goto end; + if (mp->max_codes_bits <= 0) + goto end; if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) goto end; mp_decode_frame_helper(mp, &gb); From dc9b708f4d79162771d893532fe35159fad0c21d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:53 +0200 Subject: [PATCH 138/290] Check for out of bound reads in jpeg 2000 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 02660a871301adada14b0e0fe64c66f73c2e4541) --- libavcodec/j2kdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 73af6a73df..96b4f64098 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c 
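Review bot: `mp->max_codes_bits <= 0` stops init_vlc from being asked for an empty table, but there is no upper bound: init_vlc grows its table by `1 << nb_bits` entries (see the alloc_table hunk earlier on this page), so if `max_codes_bits` comes from the bitstream (its computation is outside this hunk) a large value still turns into an oversized allocation. Bound it from both sides, e.g. `if (mp->max_codes_bits <= 0 || mp->max_codes_bits > MAX_HUFF_BITS) goto end;`, with the limit matching what the code-reading step can actually produce. mp_decode_frame continues outside this hunk.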
@@ -961,18 +961,20 @@ static int decode_codestream(J2kDecoderContext *s) static int jp2_find_codestream(J2kDecoderContext *s) { - int32_t atom_size; + uint32_t atom_size; int found_codestream = 0, search_range = 10; // skip jpeg2k signature atom s->buf += 12; - while(!found_codestream && search_range) { + while(!found_codestream && search_range && s->buf_end - s->buf >= 8) { atom_size = AV_RB32(s->buf); if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) { found_codestream = 1; s->buf += 8; } else { + if (s->buf_end - s->buf < atom_size) + return 0; s->buf += atom_size; search_range--; } @@ -1005,7 +1007,8 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR(EINVAL); // check if the image is in jp2 format - if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && + if(s->buf_end - s->buf >= 12 && + (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && (AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) { if(!jp2_find_codestream(s)) { av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n"); From d414c77ded5e8896e3a63dbdbd09bd96e70fbf6e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:54 +0200 Subject: [PATCH 139/290] Check for unsupported parameters in ff_j2k_dwt_init() Signed-off-by: Michael Niedermayer (cherry picked from commit b4483a531a139f304f4370f470325facb107202f) --- libavcodec/j2k_dwt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/j2k_dwt.c b/libavcodec/j2k_dwt.c index 9ba770ad83..ab7a1ab757 100644 --- a/libavcodec/j2k_dwt.c +++ b/libavcodec/j2k_dwt.c @@ -321,6 +321,8 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int int i, j, lev = decomp_levels, maxlen, b[2][2]; + if (decomp_levels >= FF_DWT_MAX_DECLVLS) + return AVERROR_INVALIDDATA; s->ndeclevels = decomp_levels; s->type = type; From d155fdefb88ac45d90600252cd2348d3d6d2cf36 Mon Sep 17 00:00:00 2001 
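Review bot: An `atom_size` of 0 or 1 passes the new `s->buf_end - s->buf < atom_size` check but is not a box the loop can step over: 0 leaves `s->buf` in place so the same atom is re-read until `search_range` reaches zero, and 1 (the ISO/JP2 extended-size marker, whose 64-bit length is not parsed here) moves the pointer into the middle of the box header. Both cases terminate thanks to `search_range`, but rejecting anything smaller than the 8-byte header is clearer: `if (atom_size < 8 || s->buf_end - s->buf < atom_size) return 0;`. The switch to `uint32_t` is right, since a negative `int32_t` size would have passed a signed comparison. jp2_find_codestream's closing lines are outside the hunk.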
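Review bot: The new guard rejects `decomp_levels >= FF_DWT_MAX_DECLVLS` but not a negative value, and `lev = decomp_levels` is presumably used as a loop bound or index in the rest of the function (outside this hunk). If the caller derives `decomp_levels` from an unsigned byte it cannot be negative, but the check is cheap and self-documenting: `if (decomp_levels < 0 || decomp_levels >= FF_DWT_MAX_DECLVLS) return AVERROR_INVALIDDATA;`. A one-line comment naming which per-level arrays `FF_DWT_MAX_DECLVLS` bounds would help the next reader see why `>=` rather than `>` is the right comparison.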
From: Stefano Sabatini Date: Fri, 12 Aug 2011 08:42:35 +0200 Subject: [PATCH 140/290] vf_unsharp: fix out-of-buffer read In apply_unsharp(), when y is >= height, prevent out-of-buffer reading from src, read from the last buffer line in src2 instead. The check was implemented in the original unsharp libmpcodecs code and lost in the port. This also fixes output discrepancy between the two filters. Signed-off-by: Anton Khirnov (cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db) --- libavfilter/vf_unsharp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index 3542ca3eac..2bc090f26a 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -70,6 +70,7 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_ int32_t res; int x, y, z; + const uint8_t *src2; if (!fp->amount) { if (dst_stride == src_stride) @@ -84,9 +85,12 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_ memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x)); for (y = -fp->steps_y; y < height + fp->steps_y; y++) { + if (y < height) + src2 = src; + memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1)); for (x = -fp->steps_x; x < width + fp->steps_x; x++) { - tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x]; + tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x]; for (z = 0; z < fp->steps_x * 2; z += 2) { tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1; tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2; From 8d61c684423c0b78d8ab076fef00d7095e339a97 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 13 Aug 2011 16:30:44 +0200 Subject: [PATCH 141/290] vf_unsharp: set default chroma size value to 5x5 The previous default value 0x0 was not good, since it is not even valid. 
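Review bot: `src2` is declared in the `@@ -70` hunk without an initializer and is only assigned inside the loop under `if (y < height)`; it is defined on the first iteration for any positive `height` because `y` starts at `-fp->steps_y`, but that invariant lives in the loop header rather than at the declaration, and compilers will warn about a maybe-uninitialized use at `src2[0]`. Initializing at the declaration makes the intent explicit and changes nothing: `const uint8_t *src2 = src;`. A short why-comment on the assignment in the `@@ -84` hunk, `/* past the last row keep reading the last valid line (clamp), as the libmpcodecs filter did */`, would carry the reason from the commit message into the code. unsharpen's body starts and ends outside these hunks.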
Signed-off-by: Anton Khirnov (cherry picked from commit 1ee20141900c98f9dc25eca121c66c3ff468c1e4) --- doc/filters.texi | 6 +++--- libavfilter/vf_unsharp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index eb31714486..e4873fafb2 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -1683,7 +1683,7 @@ It accepts the following parameters: Negative values for the amount will blur the input video, while positive values will sharpen. All parameters are optional and default to the -equivalent of the string '5:5:1.0:0:0:0.0'. +equivalent of the string '5:5:1.0:5:5:0.0'. @table @option @@ -1701,11 +1701,11 @@ and 5.0, default value is 1.0. @item chroma_msize_x Set the chroma matrix horizontal size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item chroma_msize_y Set the chroma matrix vertical size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item luma_amount Set the chroma effect strength. It can be a float number between -2.0 diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index 2bc090f26a..3a58a480b9 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -129,8 +129,8 @@ static void set_filter_param(FilterParam *fp, int msize_x, int msize_y, double a static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque) { UnsharpContext *unsharp = ctx->priv; - int lmsize_x = 5, cmsize_x = 0; - int lmsize_y = 5, cmsize_y = 0; + int lmsize_x = 5, cmsize_x = 5; + int lmsize_y = 5, cmsize_y = 5; double lamount = 1.0f, camount = 0.0f; if (args) From 626f11b3bc92011896ae2502788adb423cbd74d9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 28 Sep 2011 21:00:35 +0100 Subject: [PATCH 142/290] dca: clear inactive subbands only once in qmf_32_subbands() Writing zeros to the high entries in the array need only be done once as the cutoff position is constant throughout the loop. 
Signed-off-by: Mans Rullgard (cherry picked from commit bf00a73ace9b1aba790b75dcb26d43adfceb769f) --- libavcodec/dca.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 5166fc5337..69df8f4597 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -898,6 +898,9 @@ static void qmf_32_subbands(DCAContext * s, int chans, else /* Perfect reconstruction */ prCoeff = fir_32bands_perfect; + for (i = sb_act; i < 32; i++) + s->raXin[i] = 0.0; + /* Reconstructed channel sample index */ for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ @@ -905,8 +908,6 @@ static void qmf_32_subbands(DCAContext * s, int chans, uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; AV_WN32A(&s->raXin[i], v); } - for (; i < 32; i++) - s->raXin[i] = 0.0; s->synth.synth_filter_float(&s->imdct, s->subband_fir_hist[chans], &s->hist_index[chans], From f9efe1d76e2c7fc302337506c42c5fd50ea36b5a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 28 Sep 2011 00:45:54 +0200 Subject: [PATCH 143/290] Check for out of bound reads in xan_huffman_decode() of the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit c8b835954ae4aef797112afda3b52f8dfe3c7b74) --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index b90353967d..fe9eece61a 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { - val = src[val - 0x17 + get_bits1(&gb) * byte]; + unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + if (idx >= 2 * byte) + return -1; + val = src[idx]; if ( val < 0x16 ) { if (dest >= dest_end) From 2451228b0c2685ec4b09b7beeaa34c4bad6f37cb Mon Sep 17 00:00:00 2001 
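Review bot: Hoisting the zero-fill of `s->raXin[sb_act..31]` out of the `subindex` loop is only equivalent if `synth_filter_float` never writes to `raXin`; nothing in the hunk shows its signature, so that invariant should be recorded where the loop now sits: `/* raXin[sb_act..31] are never written inside the loop (synth_filter_float reads raXin only), so clearing once suffices */`. The inner loop's comment still says "and clear inactive subbands", which is no longer what it does; drop that clause. qmf_32_subbands starts and ends outside the hunk.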
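Review bot: The new check bounds `idx` against `2 * byte`, the size of the code table at `src`, but whether those `2 * byte` bytes themselves lie inside the packet depends on how the caller derived `ptr` and `ptr_len` from `src`, which is outside this hunk; please confirm the table length was validated against the input size. Using `unsigned` for `idx` is the right trick — a `val` below 0x17 wraps to a huge index and is rejected by the same comparison — but it deserves a comment so nobody "fixes" it back to `int`: `/* unsigned on purpose: a negative offset wraps and fails the bound check */`. xan_huffman_decode's body starts and ends outside the hunk.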
From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Wed, 28 Sep 2011 10:34:51 +0200 Subject: [PATCH 144/290] mov: Only touch extradata in mov_read_extradata() if codec_id is what we expect Extradata should only be parsed from the avss, fiel, jp2h and alac atoms for AVS, MJPEG, Motion JPEG 2000 and ALAC respectively. This also fixes the mov demuxer coming up with bogus extradata for some AVC-Intra samples due to the presence of fiel atoms. (cherry picked from commit e571305a71494af195891e314b05936f040f89d3) --- libavformat/mov.c | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 773760c98a..cdba33dcb0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -755,7 +755,8 @@ static int mov_read_enda(MOVContext *c, AVIOContext *pb, MOVAtom atom) } /* FIXME modify qdm2/svq3/h264 decoders to take full atom as extradata */ -static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) +static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom, + enum CodecID codec_id) { AVStream *st; uint64_t size; @@ -764,6 +765,10 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (c->fc->nb_streams < 1) // will happen with jp2 files return 0; st= c->fc->streams[c->fc->nb_streams-1]; + + if (st->codec->codec_id != codec_id) + return 0; /* unexpected codec_id - don't mess with extradata */ + size= (uint64_t)st->codec->extradata_size + atom.size + 8 + FF_INPUT_BUFFER_PADDING_SIZE; if(size > INT_MAX || (uint64_t)atom.size > INT_MAX) return -1; 
@@ -779,6 +784,27 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } +/* wrapper functions for reading ALAC/AVS/MJPEG/MJPEG2000 extradata atoms only for those codecs */ +static int mov_read_alac(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_ALAC); +} + +static int mov_read_avss(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_AVS); +} + +static int mov_read_fiel(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_MJPEG); +} + +static int mov_read_jp2h(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_JPEG2000); +} + static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -2228,7 +2254,7 @@ static int mov_read_chan(MOVContext *c, AVIOContext *pb, MOVAtom atom) } static const MOVParseTableEntry mov_default_parse_table[] = { -{ MKTAG('a','v','s','s'), mov_read_extradata }, +{ MKTAG('a','v','s','s'), mov_read_avss }, { MKTAG('c','h','p','l'), mov_read_chpl }, { MKTAG('c','o','6','4'), mov_read_stco }, { MKTAG('c','t','t','s'), mov_read_ctts }, /* composition time to sample */ @@ -2237,12 +2263,12 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('e','d','t','s'), mov_read_default }, { MKTAG('e','l','s','t'), mov_read_elst }, { MKTAG('e','n','d','a'), mov_read_enda }, -{ MKTAG('f','i','e','l'), mov_read_extradata }, +{ MKTAG('f','i','e','l'), mov_read_fiel }, { MKTAG('f','t','y','p'), mov_read_ftyp }, { MKTAG('g','l','b','l'), mov_read_glbl }, { MKTAG('h','d','l','r'), mov_read_hdlr }, { MKTAG('i','l','s','t'), mov_read_ilst }, -{ MKTAG('j','p','2','h'), mov_read_extradata }, +{ MKTAG('j','p','2','h'), mov_read_jp2h }, { MKTAG('m','d','a','t'), mov_read_mdat }, { MKTAG('m','d','h','d'), mov_read_mdhd }, { MKTAG('m','d','i','a'), mov_read_default }, 
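Review bot: The wrapper comment says these atoms are read "only for those codecs" but does not say why `fiel` in particular maps to `CODEC_ID_MJPEG`; per the commit message `fiel` is a generic field-order atom that also appears in AVC-Intra samples, so the mapping is a historical MJPEG-only convention and the wrapper now silently drops the atom for every other codec. Record that on `mov_read_fiel`: `/* 'fiel' is a generic field-order atom; only MJPEG consumes it as extradata, other codecs ignore it */`. In the `@@ -764` hunk the mismatch path returns 0 with no diagnostic, so a skipped atom is invisible when debugging a sample — an `av_dlog(c->fc, ...)` there would help. mov_read_extradata's body is split across hunks and starts outside the view.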
@@ -2253,7 +2279,7 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('m','v','e','x'), mov_read_default }, { MKTAG('m','v','h','d'), mov_read_mvhd }, { MKTAG('S','M','I',' '), mov_read_smi }, /* Sorenson extension ??? */ -{ MKTAG('a','l','a','c'), mov_read_extradata }, /* alac specific atom */ +{ MKTAG('a','l','a','c'), mov_read_alac }, /* alac specific atom */ { MKTAG('a','v','c','C'), mov_read_glbl }, { MKTAG('p','a','s','p'), mov_read_pasp }, { MKTAG('s','t','b','l'), mov_read_default }, From 603cb031f19bff898b99fca2234f4cebbcfd743c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:46 +0200 Subject: [PATCH 145/290] Check for out of bound reads in the QuickDraw decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 44e2f0c3cd2df68659e07ed3d5eab4974794eb33) --- libavcodec/qdrw.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index cd3146388e..6432728cb8 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -37,6 +37,7 @@ static int decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; QdrawContext * const a = avctx->priv_data; AVFrame * const p= (AVFrame*)&a->pic; @@ -59,6 +60,8 @@ static int decode_frame(AVCodecContext *avctx, outdata = a->pic.data[0]; + if (buf_end - buf < 0x68 + 4) + return AVERROR_INVALIDDATA; buf += 0x68; /* jump to palette */ colors = AV_RB32(buf); buf += 4; @@ -67,6 +70,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return -1; } + if (buf_end - buf < (colors + 1) * 8) + return AVERROR_INVALIDDATA; pal = (uint32_t*)p->data[1]; for (i = 0; i <= colors; i++) { 
@@ -89,6 +94,8 @@ static int decode_frame(AVCodecContext *avctx, } p->palette_has_changed = 1; + if (buf_end - buf < 18) + return AVERROR_INVALIDDATA; buf += 18; /* skip unneeded data */ for (i = 0; i < avctx->height; i++) { int size, left, code, pix; @@ -100,6 +107,9 @@ static int decode_frame(AVCodecContext *avctx, out = outdata; size = AV_RB16(buf); /* size of packed line */ buf += 2; + if (buf_end - buf < size) + return AVERROR_INVALIDDATA; + left = size; next = buf + size; while (left > 0) { @@ -115,6 +125,8 @@ static int decode_frame(AVCodecContext *avctx, } else { /* copy */ if ((out + code) > (outdata + a->pic.linesize[0])) break; + if (buf_end - buf < code + 1) + return AVERROR_INVALIDDATA; memcpy(out, buf, code + 1); out += code + 1; buf += code + 1; From 18cfe0238df259e4b541d28b465688bea4781b16 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:50 +0200 Subject: [PATCH 146/290] Check for out of bounds reads in the Delphine Software International CIN decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 8e5f093c2cf13eab3d68d893bf8f30c56ba4e733) --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index f12560714a..c33b3edc4c 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -217,6 +217,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, bitmap_frame_size = buf_size - 4; /* handle palette */ + if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) + return AVERROR_INVALIDDATA; if (palette_type == 0) { for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); From 6e774cf67e6f30feb9b3dec11713d6b6dc0b521c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:51 +0200 Subject: [PATCH 147/290] Check for out of bounds writes in the Delphine Software International CIN decoder. 
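Review bot: In the `@@ -100` hunk the two-byte line header `size = AV_RB16(buf)` is read before any check that two bytes remain, and the new `buf_end - buf < size` guard only protects what follows; after a line whose `next = buf + size` lands exactly on `buf_end`, the next iteration reads two bytes past the packet. Add `if (buf_end - buf < 2) return AVERROR_INVALIDDATA;` before the `AV_RB16`. The `@@ -115` copy guard `buf_end - buf < code + 1` is correct for the `memcpy`; the run branch (outside the visible lines) should get the matching one-byte check if it does not already have one. decode_frame's body starts and ends outside these hunks.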
Signed-off-by: Michael Niedermayer (cherry picked from commit 3035c4034b6af3ad47f921e3385196e1b9d44ddf) --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index c33b3edc4c..faca821c7d 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -220,6 +220,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) return AVERROR_INVALIDDATA; if (palette_type == 0) { + if (palette_colors_count > 256) + return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; From 376b0994746cbb14438c2a58ea1bdb2c9b934610 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:48 +0200 Subject: [PATCH 148/290] Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer used in motion pixels decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e60619f9b4bdaf9af46887cdb2c86454567b4a61) --- libavcodec/motionpixels.c | 1 + tests/ref/fate/motionpixels | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 4bd83cb2ae..a3afc02582 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -253,6 +253,7 @@ static int mp_decode_frame(AVCodecContext *avctx, mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4); if (buf_size & 3) memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3); + memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&gb, mp->bswapbuf, buf_size * 8); memset(mp->changes_map, 0, avctx->width * avctx->height); diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index e588ed3e18..30651e92c6 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels 
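Review bot: The `palette_colors_count > 256` bound is applied only in the `palette_type == 0` branch, where `cin->palette[i]` is indexed by the loop counter; the `else` branch (outside the hunk) must index the palette by a value that is bounded by construction, such as a single byte, or it needs the same check. Please confirm, and record the reasoning next to the check: `/* palette has 256 entries; the other branch indexes by an 8-bit value and needs no bound */`. cinvideo_decode_frame starts and ends outside the hunk.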
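Review bot: `memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE)` writes past `buf_size`, so it is safe only if the allocation of `mp->bswapbuf` (outside this hunk) reserves `buf_size + FF_INPUT_BUFFER_PADDING_SIZE` bytes; please confirm that and say so at the memset: `/* bswapbuf is allocated with FF_INPUT_BUFFER_PADDING_SIZE slack; clear it so the bit reader never sees stale bytes */`. The FATE reference change is the expected consequence of no longer reading leftover padding. mp_decode_frame starts and ends outside the hunk.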
@@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x538a3db8 +0, 666003, 230400, 0x16f9aad8 From 9b1bf0852548bffde22b8f27f8eb32ab51559bf1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:49 +0200 Subject: [PATCH 149/290] Fix the size of workspace buffers in the motion pixels decoder. Some buffers must be mod 4 in width and/or height. Signed-off-by: Michael Niedermayer (cherry picked from commit 62234a4d3a30f3949694781ef8a941ef55b210fa) --- libavcodec/motionpixels.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index a3afc02582..635a7d14a1 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -52,14 +52,16 @@ typedef struct MotionPixelsContext { static av_cold int mp_decode_init(AVCodecContext *avctx) { MotionPixelsContext *mp = avctx->priv_data; + int w4 = (avctx->width + 3) & ~3; + int h4 = (avctx->height + 3) & ~3; motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); - mp->changes_map = av_mallocz(avctx->width * avctx->height); + mp->changes_map = av_mallocz(avctx->width * h4); mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); - mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel)); + mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); avctx->pix_fmt = PIX_FMT_RGB555; avcodec_get_frame_defaults(&mp->frame); return 0; From 375bd0cfb3d7b86bd5f70d1bc2d15bbd44e3abfe Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:47 +0200 Subject: [PATCH 150/290] Check for out of bound reads in the Tiertex Limited SEQ decoder. 
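Review bot: The resized `av_mallocz` calls are still unchecked and `mp_decode_init` returns 0 regardless, so an allocation failure surfaces later as a NULL dereference in the decode loop; with three allocations in a row, `if (!mp->changes_map || !mp->vpt || !mp->hpt) return AVERROR(ENOMEM);` before the `return 0` is the usual pattern (releasing whatever was allocated, unless mp_decode_end runs on init failure). It is also not obvious why `changes_map` is `width * h4` while `hpt` is `h4 * w4 / 16` — a comment stating which consumer rounds which dimension up to a multiple of 4 would save the next reader a trip through the decode loop. `vpt` and `offset_bits_len` keep the unrounded dimensions; confirm that is intentional.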
Signed-off-by: Michael Niedermayer (cherry picked from commit 5d7e3d71673d64a16b58430a0027afadb6b3a54e) --- libavcodec/tiertexseqv.c | 65 +++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 14 deletions(-) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index f3a044882e..160da8c630 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -35,15 +35,19 @@ typedef struct SeqVideoContext { } SeqVideoContext; -static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size) +static const unsigned char *seq_unpack_rle_block(const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst, int dst_size) { int i, len, sz; GetBitContext gb; int code_table[64]; - /* get the rle codes (at most 64 bytes) */ - init_get_bits(&gb, src, 64 * 8); + /* get the rle codes */ + init_get_bits(&gb, src, (src_end - src) * 8); for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) { + if (get_bits_left(&gb) < 4) + return NULL; code_table[i] = get_sbits(&gb, 4); sz += FFABS(code_table[i]); } @@ -54,8 +58,12 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig len = code_table[i]; if (len < 0) { len = -len; + if (src_end - src < 1) + return NULL; memset(dst, *src++, FFMIN(len, dst_size)); } else { + if (src_end - src < len) + return NULL; memcpy(dst, src, FFMIN(len, dst_size)); src += len; } 
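Review bot: `init_get_bits(&gb, src, (src_end - src) * 8)` and the `get_bits_left(&gb) < 4` test make the code-table read safe, but the step that advances `src` past the consumed code bits lies between the two hunks and is not visible; if it can push `src` beyond `src_end`, the later `src_end - src < 1` and `< len` tests still return NULL because the difference goes negative, which is correct but worth a comment. Returning NULL from the RLE and literal branches leaves the earlier part of `dst` filled and the rest untouched, and callers copy `block` regardless, so state the contract on the function: `/* returns NULL on truncated input; dst may then be partially written */`. seq_unpack_rle_block's tail is outside the hunks.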
@@ -65,25 +73,30 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig return src; } -static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op1(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { const unsigned char *color_table; int b, i, len, bits; GetBitContext gb; unsigned char block[8 * 8]; + if (src_end - src < 1) + return NULL; len = *src++; if (len & 0x80) { switch (len & 3) { case 1: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (b = 0; b < 8; b++) { memcpy(dst, &block[b * 8], 8); dst += seq->frame.linesize[0]; } break; case 2: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (i = 0; i < 8; i++) { for (b = 0; b < 8; b++) dst[b * seq->frame.linesize[0]] = block[i * 8 + b]; @@ -92,9 +105,13 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned break; } } else { + if (len <= 0) + return NULL; + bits = ff_log2_tab[len - 1] + 1; + if (src_end - src < len + 8 * bits) + return NULL; color_table = src; src += len; - bits = ff_log2_tab[len - 1] + 1; init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8; for (b = 0; b < 8; b++) { for (i = 0; i < 8; i++) @@ -106,10 +123,16 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op2(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int i; + if (src_end - src < 8 * 8) + return NULL; + for (i = 0; i < 8; i++) { memcpy(dst, src, 8); src += 8; 
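Review bot: In the `case 1:` and `case 2:` arms `seq_unpack_rle_block` may now return NULL, but both arms go on to copy the 8x8 `block` into `dst` before the NULL propagates, so a truncated packet writes whatever `block` holds — `unsigned char block[8 * 8]` is uninitialized stack — into `seq->frame`, which persists as the reference for following frames. Add `if (!src) return NULL;` directly after each `seq_unpack_rle_block` call. The `else` branch is fine: `len` is a 7-bit value there, so `len <= 0` means exactly 0, and the `len + 8 * bits` bound matches the `color_table` and `init_get_bits` reads that follow. seq_decode_op1's return is outside the hunk.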
@@ -119,11 +142,16 @@ static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op3(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int pos, offset; do { + if (src_end - src < 2) + return NULL; pos = *src++; offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7); dst[offset] = *src++; @@ -132,8 +160,9 @@ static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned return src; } -static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) +static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) { + const unsigned char *data_end = data + data_size; GetBitContext gb; int flags, i, j, x, y, op; unsigned char c[3]; @@ -144,6 +173,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int if (flags & 1) { palette = (uint32_t *)seq->frame.data[1]; + if (data_end - data < 256 * 3) + return AVERROR_INVALIDDATA; for (i = 0; i < 256; i++) { for (j = 0; j < 3; j++, data++) c[j] = (*data << 2) | (*data >> 4); @@ -153,6 +184,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int } if (flags & 2) { + if (data_end - data < 128) + return AVERROR_INVALIDDATA; init_get_bits(&gb, data, 128 * 8); data += 128; for (y = 0; y < 128; y += 8) for (x = 0; x < 256; x += 8) { 
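Review bot: The new checks in `seqvideo_decode` cover the palette and the 128-byte op map, but the read of `flags` (presumably `*data++`, between the `@@ -132` and `@@ -144` hunks) happens before any `data_end` comparison, so a zero-length packet would overread unless `seqvideo_decode_frame` rejects `buf_size == 0`, which is not visible here. `if (data_end - data < 1) return AVERROR_INVALIDDATA;` before that read makes the function self-contained. In `seq_decode_op3` the `src_end - src < 2` check is correctly placed inside the `do` loop, since every iteration consumes two bytes. seqvideo_decode's body continues in the following hunks.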
@@ -160,17 +193,20 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int op = get_bits(&gb, 2); switch (op) { case 1: - data = seq_decode_op1(seq, data, dst); + data = seq_decode_op1(seq, data, data_end, dst); break; case 2: - data = seq_decode_op2(seq, data, dst); + data = seq_decode_op2(seq, data, data_end, dst); break; case 3: - data = seq_decode_op3(seq, data, dst); + data = seq_decode_op3(seq, data, data_end, dst); break; } + if (!data) + return AVERROR_INVALIDDATA; } } + return 0; } static av_cold int seqvideo_decode_init(AVCodecContext *avctx) @@ -202,7 +238,8 @@ static int seqvideo_decode_frame(AVCodecContext *avctx, return -1; } - seqvideo_decode(seq, buf, buf_size); + if (seqvideo_decode(seq, buf, buf_size)) + return AVERROR_INVALIDDATA; *data_size = sizeof(AVFrame); *(AVFrame *)data = seq->frame; From 107ea3057eb8de8a38c45c2f7181c42ea694b187 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:53 +0200 Subject: [PATCH 151/290] Fix out of bound writes in fix_bitshift() of the shorten decoder. The data pointers s->decoded[*] already take into account s->nwrap. Signed-off-by: Michael Niedermayer (cherry picked from commit f42b3195d3f2692a4dfc0a8668bb4ac35301f2ed) --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f593d0a164..5e599fd504 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,7 +155,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) if (s->bitshift != 0) for (i = 0; i < s->blocksize; i++) - buffer[s->nwrap + i] <<= s->bitshift; + buffer[i] <<= s->bitshift; } From b8ab1adfcdb1f87e3e26425b4499046352009f29 Mon Sep 17 00:00:00 2001 
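Review bot: `if (seqvideo_decode(seq, buf, buf_size)) return AVERROR_INVALIDDATA;` discards the code `seqvideo_decode` already returns and treats any non-zero value as invalid data; `int ret = seqvideo_decode(seq, buf, buf_size); if (ret < 0) return ret;` keeps the error and follows the usual lavc convention. Since `seq->frame` has already been modified in place when the failure is reported, the reference frame then holds partial output; that is the pre-existing design, but a comment on the early return saying so would prevent surprise. seqvideo_decode_frame starts outside the hunk.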
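Review bot: `buffer[i] <<= s->bitshift` left-shifts an `int32_t` sample that can be negative, which is undefined behaviour in C regardless of the index fix; do the shift in unsigned arithmetic, `buffer[i] = (int32_t)((uint32_t)buffer[i] << s->bitshift);`. Whether `s->bitshift` is bounded below 32 is decided where it is parsed, outside this hunk — a shift of 32 or more is undefined too, so please confirm. The index change itself is right given the commit message that `s->decoded[*]` already includes the `nwrap` offset; a comment `/* buffer already points past the nwrap history */` would stop the next person re-adding it.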
From: Justin Ruggles Date: Fri, 23 Sep 2011 21:54:44 -0400 Subject: [PATCH 152/290] avcodec: reject audio packets with NULL data and non-zero size There is no valid reason the user should ever send such packets in the first place, but the documentation for CODEC_CAP_DELAY states that the codec is guaranteed not to get a NULL packet unless that capability is set. That isn't true without preventing this case. (cherry picked from commit 6326afd5e90cfed9df08b652a1cd6f6a948c239a) --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1aa14a3381..ac559d2197 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -785,6 +785,11 @@ int attribute_align_arg avcodec_decode_audio3(AVCodecContext *avctx, int16_t *sa avctx->pkt = avpkt; + if (!avpkt->data && avpkt->size) { + av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n"); + return AVERROR(EINVAL); + } + if((avctx->codec->capabilities & CODEC_CAP_DELAY) || avpkt->size){ //FIXME remove the check below _after_ ensuring that all audio check that the available space is enough if(*frame_size_ptr < AVCODEC_MAX_AUDIO_FRAME_SIZE){ From 932b5f3cbb22b9357d60914f85675020041299e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 30 Sep 2011 20:30:35 +0300 Subject: [PATCH 153/290] lavf: Avoid using av_malloc(0) in av_dump_format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On OS X, av_malloc(0) returns pointers that cause crashes when freed. Signed-off-by: Martin Storsjö (cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index eaa8bd901f..e79f98e62d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
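Review bot: The new rejection happens after `avctx->pkt = avpkt;`, so the rejected packet stays referenced from the context even though the decoder never saw it; moving the check above that assignment keeps `avctx->pkt` pointing at the last packet actually delivered. The same `!avpkt->data && avpkt->size` condition presumably applies to the video and subtitle entry points as well, which this commit does not touch. avcodec_decode_audio3 starts and ends outside the hunk.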
@@ -3437,7 +3437,7 @@ void av_dump_format(AVFormatContext *ic, int is_output) { int i; - uint8_t *printed = av_mallocz(ic->nb_streams); + uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL; if (ic->nb_streams && !printed) return; From c23d5261f79671a598f32be8bc403552891af24e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:54 +0200 Subject: [PATCH 154/290] Check for corrupted data in avs demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 1cce7def0a8eff2e7db294b7d195a0fb1a5043b0) --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 355ae31f35..83023790d6 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -163,6 +163,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) sub_type = avio_r8(s->pb); type = avio_r8(s->pb); size = avio_rl16(s->pb); + if (size < 4) + return AVERROR_INVALIDDATA; avs->remaining_frame_size -= size; switch (type) { From fa79af68453b810af94ccb0260ab38ba7b9bb04c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:55 +0200 Subject: [PATCH 155/290] Check for out of bound writes in the avs demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 5d44c061cf511d97be5fac8d76be2f3915c6e798) --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 83023790d6..127639e7ee 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -169,6 +169,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) switch (type) { case AVS_PALETTE: + if (size - 4 > sizeof(palette)) + return AVERROR_INVALIDDATA; ret = avio_read(s->pb, palette, size - 4); if (ret < size - 4) return AVERROR(EIO); From 3b840fab902e596e2f45de9046253ef955bb1979 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:56 +0200 Subject: [PATCH 156/290] Check for out of bound reads in AVS decoder. 
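Review bot: `size < 4` rejects undersized records, but `avs->remaining_frame_size -= size` on the next line still goes negative when a record claims more than the frame has left; if the frame loop relies on that counter reaching zero (its use is outside the hunk), `if (size < 4 || size > avs->remaining_frame_size) return AVERROR_INVALIDDATA;` closes it. In the `@@ -169` hunk, `size - 4 > sizeof(palette)` is correct only if `palette` is a local array; if it is a pointer or a context member with a separate size, `sizeof` yields the pointer size — please confirm, and prefer the explicit capacity constant if one exists. avs_read_packet starts and ends outside these hunks.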
Signed-off-by: Michael Niedermayer (cherry picked from commit 7afe9e5638242a3210a0fc378e34e3af41e29176) --- libavcodec/avs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 354b53c241..c7dcf0e2dc 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; AvsContext *const avs = avctx->priv_data; AVFrame *picture = data; @@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx, out = avs->picture.data[0]; stride = avs->picture.linesize[0]; + if (buf_end - buf < 4) + return AVERROR_INVALIDDATA; sub_type = buf[0]; type = buf[1]; buf += 4; @@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx, first = AV_RL16(buf); last = first + AV_RL16(buf + 2); + if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first)) + return AVERROR_INVALIDDATA; buf += 4; for (i=first; i Date: Sat, 1 Oct 2011 00:44:57 +0200 Subject: [PATCH 157/290] Fix double free on error in Deluxe Paint Animation demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit d39d7122e34d2cf994d6dc474fe0c8bee2f7fcfd) --- libavformat/anm.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/libavformat/anm.c b/libavformat/anm.c index 269e325e42..1210e67dc7 100644 --- a/libavformat/anm.c +++ b/libavformat/anm.c 
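Review bot: `first = AV_RL16(buf)` and `last = first + AV_RL16(buf + 2)` in the `@@ -79` hunk read four bytes before the new bound check runs, and the `@@ -69` check only guaranteed four bytes which `buf += 4` has already consumed, so a packet of exactly four bytes is overread here. Check before reading: `if (buf_end - buf < 4) return AVERROR_INVALIDDATA;` ahead of `first = AV_RL16(buf);`, then keep the combined `4 + 4 + 3 * (last - first)` test, which presumably accounts for the palette plus a trailing four-byte header. The `first >= 256 || last > 256` part is the right bound for a 256-entry palette, and since `last` is `first` plus an unsigned 16-bit value the byte count cannot go negative. avs_decode_frame's body continues outside the hunk.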
@@ -134,18 +134,17 @@ static int read_header(AVFormatContext *s, /* color cycling and palette data */ st->codec->extradata_size = 16*8 + 4*256; st->codec->extradata = av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); - if (!st->codec->extradata) { - ret = AVERROR(ENOMEM); - goto close_and_return; - } + if (!st->codec->extradata) + return AVERROR(ENOMEM); + ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size); if (ret < 0) - goto close_and_return; + return ret; /* read page table */ ret = avio_seek(pb, anm->page_table_offset, SEEK_SET); if (ret < 0) - goto close_and_return; + return ret; for (i = 0; i < MAX_PAGES; i++) { Page *p = &anm->pt[i]; @@ -156,21 +155,15 @@ static int read_header(AVFormatContext *s, /* find page of first frame */ anm->page = find_record(anm, 0); - if (anm->page < 0) { - ret = anm->page; - goto close_and_return; - } + if (anm->page < 0) + return anm->page; anm->record = -1; return 0; invalid: av_log_ask_for_sample(s, NULL); - ret = AVERROR_INVALIDDATA; - -close_and_return: - av_close_input_stream(s); - return ret; + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, From 1f2a93cf4b8f779da88a36e5c636db3dd481185e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:58 +0200 Subject: [PATCH 158/290] Prevent infinite loop in the ANM decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 39993860e1525ca5d1b07521865b7e9e1b294ed7) --- libavcodec/anm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index 02244f70e1..8e40059576 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -79,6 +79,8 @@ static inline int op(uint8_t **dst, const uint8_t *dst_end, int striplen = FFMIN(count, remaining); if (buf) { striplen = FFMIN(striplen, buf_end - *buf); + if (*buf >= buf_end) + goto exhausted; memcpy(*dst, *buf, striplen); *buf += striplen; } else if (pixel >= 0) 
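Review bot: `ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size)` is still only checked for `ret < 0`, so a short read is accepted and the remainder of the av_mallocz'd extradata stays zero; the early returns added here do not change that. If avio_read can return fewer bytes than requested at end of stream, `if (ret < st->codec->extradata_size) return ret < 0 ? ret : AVERROR_INVALIDDATA;` rejects it, matching the error code used on the `invalid:` path in the second hunk. The move from goto-cleanup to direct returns relies on the caller releasing the stream and extradata, which is the double free the commit fixes and is worth a one-line comment at the first `return AVERROR(ENOMEM);`. read_header begins outside the hunk.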
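Review bot: The new `*buf >= buf_end` check sits after `striplen = FFMIN(striplen, buf_end - *buf)`, i.e. after the value it invalidates has already been computed; should `*buf` ever exceed `buf_end`, `buf_end - *buf` is negative and striplen would already be negative before the goto rescues it. Placing the guard first states the intent: `if (*buf >= buf_end) goto exhausted;` followed by `striplen = FFMIN(striplen, buf_end - *buf);`. The `exhausted` label and the rest of op() are outside the hunk, so what that path returns cannot be confirmed here.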
From df39708269f5c298dea08d63de37f701295a17d3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:59 +0200 Subject: [PATCH 159/290] Fix potential pointer arithmetic overflows in the Electronic Arts CMV decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e9064c9ce8ed18c3a3aab61e58e663b8f5b0c551) --- libavcodec/eacmv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 408d948812..35701caadd 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -56,7 +56,7 @@ static void cmv_decode_intra(CmvContext * s, const uint8_t *buf, const uint8_t * unsigned char *dst = s->frame.data[0]; int i; - for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) { + for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) { memcpy(dst, buf, s->avctx->width); dst += s->frame.linesize[0]; buf += s->avctx->width; @@ -88,7 +88,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * i = 0; for(y=0; yavctx->height/4; y++) - for(x=0; xavctx->width/4 && buf+iavctx->width/4 && buf_end - buf > i; x++) { if (buf[i]==0xFF) { unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4; if (raw+16=buf_end) { + if(buf_end - buf < 16) { av_log(s->avctx, AV_LOG_WARNING, "truncated header\n"); return; } @@ -139,7 +139,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t pal_count = AV_RL16(&buf[14]); buf += 16; - for (i=pal_start; i= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } From d950461f599241c770d29deea201d7438211dbbb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:00 +0200 Subject: [PATCH 160/290] Prevent NULL dereferences when missing the reference frame in the Electronic Arts CMV decoder. 
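Review bot: With the rewritten condition `buf_end - buf >= s->avctx->width`, a truncated input simply ends the loop early and cmv_decode_intra, being void, reports nothing; the rows it did not write keep whatever `s->frame.data[0]` already held. A diagnostic after the loop, `if (i < s->avctx->height) av_log(s->avctx, AV_LOG_WARNING, "truncated intra frame\n");`, would make a malformed stream observable without changing the output. The same pointer-difference idiom is applied in the other three hunks of this file, which are garbled in this rendering and could not be checked line by line.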
Signed-off-by: Michael Niedermayer (cherry picked from commit 113d7be62497c4e59db8f224fdb7f0a90cf17d03) --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 35701caadd..6e3b51998a 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -110,9 +110,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } From e8fd4a43ba758adb9378afe2cde4a5b9d4bda357 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:01 +0200 Subject: [PATCH 161/290] Check for out of bound reads in the Electronic Arts CMV decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit a5d46235f3f70f0b620f8e54649ece45ecc5b170) --- libavcodec/eacmv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 6e3b51998a..4cd6a6fd1f 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -158,6 +158,9 @@ static int cmv_decode_frame(AVCodecContext *avctx, CmvContext *s = avctx->priv_data; const uint8_t *buf_end = buf + buf_size; + if (buf_end - buf < EA_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; + if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) { cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end); return buf_size; From 802045777afe0c04cc42ef11f59e273239faaa99 Mon Sep 17 00:00:00 2001 
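Review bot: When `s->last_frame.data[0]` is NULL the motion-compensated block is silently skipped, leaving that 4x4 region of `s->frame.data[0]` with whatever the buffer held, and nothing is logged. A warning such as `av_log(s->avctx, AV_LOG_WARNING, "inter frame without reference frame\n")` — ideally emitted once per frame rather than per block — would make the condition visible. Braces around the three-line call would also make the extent of the guarded statement obvious. cmv_decode_inter continues outside the hunk.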
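Review bot: The `AV_RL32(buf)`/`AV_RB32(buf)` reads on the line after the new guard are covered only if EA_PREAMBLE_SIZE is at least 4, a dependency worth a comment at the check: `/* EA_PREAMBLE_SIZE >= 4 covers the tag reads below */`. The non-header path of cmv_decode_frame, where the rest of the buffer is consumed, is outside the hunk and was not reviewed.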
From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:02 +0200 Subject: [PATCH 162/290] Fix out of bound reads due to integer overflow in the ADPCM IMA Electronic Arts EACS decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 346876ec168affe7c21be88d8f1acf1a75cc8409) --- libavcodec/adpcm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index ba312558b0..de7bc7a45b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1333,10 +1333,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, buf_size -= 128; } break; - case CODEC_ID_ADPCM_IMA_EA_EACS: + case CODEC_ID_ADPCM_IMA_EA_EACS: { + unsigned header_size = 4 + (8<> (1-st); - if (samples_in_chunk > buf_size-4-(8< buf_size - header_size) { src += buf_size - 4; break; } @@ -1351,6 +1352,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); } break; + } case CODEC_ID_ADPCM_IMA_EA_SEAD: for (; src < buf+buf_size; src++) { *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); From e0fb22cea9056afd30848d9d51e92f5ae24ea0f6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:04 +0200 Subject: [PATCH 163/290] Fix out of bound reads in the QDM2 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 491eaf35ae1f9b619441314bec33766e31580184) --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 6eb836456c..a6192e91c2 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1353,6 +1353,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * return; local_int_14 = (offset >> local_int_8); + if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table)) + return; if (q->nb_channels > 1) { channel = get_bits1(gb); From b08df314dca6946ed644caacb9d3a533a054c0f6 Mon Sep 17 00:00:00 2001 
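Review bot: `samples_in_chunk > buf_size - header_size` mixes `buf_size` with the new `unsigned header_size`, so if `buf_size` is a signed int smaller than header_size the subtraction is done unsigned and wraps to a large value, and the truncation check passes. Unless an earlier check not visible here guarantees `buf_size >= header_size`, add `if (buf_size < header_size) return AVERROR_INVALIDDATA;` (or the file's usual skip-and-break handling) before this comparison. Part of this hunk is garbled in the rendering, so the exact expression feeding header_size could not be verified. adpcm_decode_frame continues outside the hunk.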
From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:05 +0200 Subject: [PATCH 164/290] Check for out of bound writes in the QDM2 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7876c6e4e62e94d51e364ba99aae4da7671238) --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index a6192e91c2..1665c8daed 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1799,6 +1799,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; + if (s->channels > MPA_MAX_CHANNELS) + return AVERROR_INVALIDDATA; avctx->sample_rate = AV_RB32(extradata); extradata += 4; @@ -1820,6 +1822,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) + return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); From f144a70d6011a71fe6a48ce1b67791301be9b788 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:03 +0200 Subject: [PATCH 165/290] Fix out of bound reads/writes in the TIFF decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5ca5d432e028ffdd4067b87aed6702168c3207b6) --- libavcodec/tiff.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c54eaee346..ed01b70147 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -170,6 +170,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin } switch(s->compr){ case TIFF_RAW: + if (ssrc + size - src < width) + return AVERROR_INVALIDDATA; if (!s->fill_order) { memcpy(dst, src, width); } else { 
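Review bot: `s->channels` is assigned from `AV_RB32(extradata)` and the new check only rejects values above MPA_MAX_CHANNELS; if the field is a plain int, a value with the top bit set becomes negative and passes. `if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) return AVERROR_INVALIDDATA;` covers both ends. qdm2_decode_init continues outside the hunks.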
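Review bot: `ssrc + size - src < width` forms the pointer `ssrc + size` before subtracting, which is only a well-defined pointer expression if `size` is known to lie within the source buffer; writing it as `size - (src - ssrc) < width` keeps the arithmetic on integers and sidesteps that question. The guard covers only the TIFF_RAW case; the other cases of this switch are outside the hunk and were not checked. If `size` is signed, a negative value would also need rejecting before it reaches this comparison.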
@@ -277,6 +279,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * uint32_t *pal; const uint8_t *rp, *gp, *bp; + if (end_buf - buf < 12) + return -1; tag = tget_short(&buf, s->le); type = tget_short(&buf, s->le); count = tget_long(&buf, s->le); @@ -336,7 +340,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le); + for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le); break; default: s->bpp = -1; @@ -450,6 +454,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_PAL: pal = (uint32_t *) s->palette; off = type_sizes[type]; + if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + return -1; rp = buf; gp = buf + count / 3 * off; bp = buf + count / 3 * off * 2; @@ -493,12 +499,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p= (AVFrame*)&s->picture; const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; - int id, le, off, ret; + unsigned off; + int id, le, ret; int i, j, entries; - int stride, soff, ssize; + int stride; + unsigned soff, ssize; uint8_t *dst; //parse image header + if (end_buf - buf < 8) + return AVERROR_INVALIDDATA; id = AV_RL16(buf); buf += 2; if(id == 0x4949) le = 1; else if(id == 0x4D4D) le = 0; @@ -518,9 +528,9 @@ static int decode_frame(AVCodecContext *avctx, } /* parse image file directory */ off = tget_long(&buf, le); - if(orig_buf + off + 14 >= end_buf){ + if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); - return -1; + return AVERROR_INVALIDDATA; } buf = orig_buf + off; entries = tget_short(&buf, le); 
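Review bot: The new loop bound `i < count && buf < end_buf` guarantees only one readable byte, but tget() presumably reads `type_sizes[type]` bytes per call (the palette hunk uses that table as the element size), so the last iteration can still read up to that many bytes past end_buf; `end_buf - buf >= type_sizes[type]` is the bound that matches the read. The same one-byte check appears as `s->stripsizes >= end_buf` and `s->stripdata >= end_buf` in the decode_frame strip loop of this commit, where tget() reads sstype/sot-sized units. In the palette hunk, `off = type_sizes[type]` indexes the table with a file-supplied `type`; if that is not range-checked earlier (not visible here), it is itself an out-of-bounds read. tiff_decode_tag begins outside the hunk.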
@@ -544,23 +554,23 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[0]; dst = p->data[0]; for(i = 0; i < s->height; i += s->rps){ - if(s->stripsizes) + if(s->stripsizes) { + if (s->stripsizes >= end_buf) + return AVERROR_INVALIDDATA; ssize = tget(&s->stripsizes, s->sstype, s->le); - else + } else ssize = s->stripsize; - if (ssize > buf_size) { - av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n"); - return -1; - } - if(s->stripdata){ + if (s->stripdata >= end_buf) + return AVERROR_INVALIDDATA; soff = tget(&s->stripdata, s->sot, s->le); }else soff = s->stripoff; - if (soff < 0) { - av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff); - return AVERROR(EINVAL); + + if (soff > buf_size || ssize > buf_size - soff) { + av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); + return -1; } if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) break; From 00f6cbb53df64a3a730d9c841dddb534ba562d53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 03:16:32 +0200 Subject: [PATCH 166/290] vf_scale.c: propagate error code Signed-off-by: Michael Niedermayer (cherry picked from commit 8447703c16b9e6fdc48ce92553ec1cfa2e359b84) --- libavfilter/vf_scale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index ba8f9e1e82..8f2f1d5f52 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -229,7 +229,7 @@ static int config_props(AVFilterLink *outlink) scale->isws[1] = sws_getContext(inlink ->w, inlink ->h/2, inlink ->format, outlink->w, outlink->h/2, outlink->format, scale->flags, NULL, NULL, NULL); - if (!scale->sws) + if (!scale->sws || !scale->isws[0] || !scale->isws[1]) return AVERROR(EINVAL); if (inlink->sample_aspect_ratio.num){ From 80331265cafe2e331fb47350e00b661eccbe6970 Mon Sep 17 00:00:00 2001 
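Review bot: The "Invalid strip size/offset" branch returns `-1` while the two checks added a few lines above it return AVERROR_INVALIDDATA; within one hunk the error code should be uniform, `return AVERROR_INVALIDDATA;`. The `soff > buf_size || ssize > buf_size - soff` form is the right shape now that both are unsigned, and deserves a one-line comment noting that order matters: `/* check soff first so buf_size - soff cannot wrap */`. decode_frame continues outside the hunk.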
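Review bot: If `scale->sws` was created but `scale->isws[0]` or `scale->isws[1]` was not, the widened condition returns AVERROR(EINVAL) with the successful contexts still allocated; this is only leak-free if the filter's uninit releases them on the error path, which is outside the hunk and worth confirming. A comment at the return, `/* partially created contexts are freed by uninit() */`, would document that expectation. config_props continues outside the hunk.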
From: Michael Niedermayer Date: Sat, 1 Oct 2011 03:48:33 +0200 Subject: [PATCH 167/290] avienc: Add a limit on the number of skiped frames muxed in a row. Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb9e39c41959961bdb5a1fd51cdd25e10c050f3) --- libavformat/avienc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/avienc.c b/libavformat/avienc.c index deff1c8d20..1c8eedad09 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -523,6 +523,11 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt) while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count){ AVPacket empty_packet; + if(pkt->dts - avist->packet_count > 60000){ + av_log(s, AV_LOG_ERROR, "Too large number of skiped frames %Ld\n", pkt->dts - avist->packet_count); + return AVERROR(EINVAL); + } + av_init_packet(&empty_packet); empty_packet.size= 0; empty_packet.data= NULL; From 77a7092d1c22fc49a26514c1e7a36d6a971707d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 22:28:16 +0200 Subject: [PATCH 168/290] fate: fix motion pixels checksum change caused by backported bugfix Signed-off-by: Michael Niedermayer --- tests/ref/fate/motionpixels | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index 30651e92c6..70413880f8 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x16f9aad8 +0, 666003, 230400, 0x009f4640 From 2cd7580ab51b6173f516d9658949ae3da8601039 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 22:12:01 +0200 Subject: [PATCH 169/290] Remove Chnagelog it has nothing to do with reality 
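Review bot: `%Ld` in the new av_log call is not a standard integer conversion; AVPacket.dts is int64_t, so assuming packet_count is no wider, the portable form is `av_log(s, AV_LOG_ERROR, "Too large number of skipped frames %"PRId64"\n", pkt->dts - avist->packet_count);`, which also fixes the "skiped" typo in the message. The 60000 bound is a bare magic number; a named constant with a comment on where the limit comes from would help the next reader. avi_write_packet continues outside the hunk.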
Signed-off-by: Michael Niedermayer --- Changelog | 764 ------------------------------------------------------ 1 file changed, 764 deletions(-) delete mode 100644 Changelog diff --git a/Changelog b/Changelog deleted file mode 100644 index 7360b67eed..0000000000 --- a/Changelog +++ /dev/null 
@@ -1,764 +0,0 @@ -Entries are sorted chronologically from oldest to youngest within each release, -releases are sorted from youngest to oldest. - -version 0.7.2: - -- check buffer and input values in various parts of the code: - H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV, - cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf, - Matroska (CVE-2011-3504), RV10, RV30/RV40 -- memory leaks: vf_scale, eval - -- ARM: workaround for bug in GNU assembler -- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28) -- Reintroduce AVInputStream.nb_streams to avoid crashes -- aac: Only output configure if audio was found -- aac: Remove some suspicious illegal memcpy()s from LTP -- aacps: skip some memcpy() if src and dst would be equal -- adts: fix PCE copying -- alsa: fallback to buffer_size/4 for period_size -- alsa: limit buffer_size to 32768 frames -- cljr, indeo2: init_get_bits size in bits instead of bytes -- configure: add missing CFLAGS to fix building on the HURD -- dca: set AVCodecContext frame_size for DTS audio -- fate: allow testing with libavfilter disabled -- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps -- h264: correct implicit weight table computation for long ref pics -- h264: correct the check for invalid long term frame index in MMCO decode -- h264: fix PCM intra-coded blocks in monochrome case -- jpegdec: actually search for and parse RSTn -- lavc: fix type for thread_type option -- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails -- lavf: do not set codec_tag for rawvideo -- libx264: do not set pic quality if no frame is output -- movenc: create an alternate group for each media type -- mpegts: fix Continuity Counter error detection -- mxfenc: fix ignored drop flag in binary timecode representation -- fix crashes in 32-bit PIC builds (cf e.g. 
http://bugs.debian.org/639948) -- ppc64: fix cast related random failures -- riff: Add mpgv MPEG-2 fourcc -- swscale: don't use planar output functions to write to NV12/21 -- vc1: properly zero coded_block[] edges on new slice entry -- vp3/theora: flush after seek - -- various bug other fixes - - -version 0.7.1: - -- added various additional FOURCC codec identifiers -- H.264 4:4:4 fixes -- build system and compilation fixes -- Doxygen and general documentation corrections and improvements -- fixed segfault in ffprobe -- behavioral fix in av_open_input_stream() -- Licensing clarification for LGPL'ed vf_gradfun -- bugfixes while seeking in multithreaded decoding -- support newer versions of OpenCV -- ffmpeg: fix operation with --disable-avfilter -- fixed integer underflow in matroska decoder - - -version 0.7: - -- many many things we forgot because we rather write code than changelogs -- libmpcodecs video filter support (3 times as many filters than before) -- mpeg2 aspect ratio dection fixed -- libxvid aspect pickiness fixed -- Frame multithreaded decoding -- E-AC-3 audio encoder -- ac3enc: add channel coupling support -- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders -- H.264/MPEG frame-level multithreading -- av_metadata_* functions renamed to av_dict_* and moved to libavutil -- 4:4:4 H.264 decoding support -- 10-bit H.264 optimizations for x86 -- lut, lutrgb, and lutyuv filters added -- buffersink libavfilter sink added -- bump libswscale for recently reported ABI break - - -version 0.7_beta2: - -- VP8 frame-level multithreading -- NEON optimizations for VP8 -- removed a lot of deprecated API cruft -- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors -- showinfo filter added -- DPX image encoder -- SMPTE 302M AES3 audio decoder -- Apple Core Audio Format muxer -- 9bit and 10bit per sample support in the H.264 decoder -- 9bit and 10bit FFV1 encoding / decoding -- split filter added -- select filter added -- sdl output 
device added - - -version 0.7_beta1: - -- WebM support in Matroska de/muxer -- low overhead Ogg muxing -- MMS-TCP support -- VP8 de/encoding via libvpx -- Demuxer for On2's IVF format -- Pictor/PC Paint decoder -- HE-AAC v2 decoder -- HE-AAC v2 encoding with libaacplus -- libfaad2 wrapper removed -- DTS-ES extension (XCh) decoding support -- native VP8 decoder -- RTSP tunneling over HTTP -- RTP depacketization of SVQ3 -- -strict inofficial replaced by -strict unofficial -- ffplay -exitonkeydown and -exitonmousedown options added -- native GSM / GSM MS decoder -- RTP depacketization of QDM2 -- ANSI/ASCII art playback system -- Lego Mindstorms RSO de/muxer -- libavcore added -- SubRip subtitle file muxer and demuxer -- Chinese AVS encoding via libxavs -- ffprobe -show_packets option added -- RTP packetization of Theora and Vorbis -- RTP depacketization of MP4A-LATM -- RTP packetization and depacketization of VP8 -- hflip filter -- Apple HTTP Live Streaming demuxer -- a64 codec -- MMS-HTTP support -- G.722 ADPCM audio encoder/decoder -- R10k video decoder -- ocv_smooth filter -- frei0r wrapper filter -- change crop filter syntax to width:height:x:y -- make the crop filter accept parametric expressions -- make ffprobe accept AVFormatContext options -- yadif filter -- blackframe filter -- Demuxer for Leitch/Harris' VR native stream format (LXF) -- RTP depacketization of the X-QT QuickTime format -- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer -- cropdetect filter -- ffmpeg -crop* options removed -- transpose filter added -- ffmpeg -force_key_frames option added -- demuxer for receiving raw rtp:// URLs without an SDP description -- single stream LATM/LOAS decoder -- setpts filter added -- Win64 support for optimized x86 assembly functions -- MJPEG/AVI1 to JPEG/JFIF bitstream filter -- ASS subtitle encoder and decoder -- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough) -- overlay filter added -- rename aspect filter to setdar, 
and pixelaspect to setsar -- IEC 61937 demuxer -- Mobotix .mxg demuxer -- frei0r source added -- hqdn3d filter added -- RTP depacketization of QCELP -- FLAC parser added -- gradfun filter added -- AMR-WB decoder -- replace the ocv_smooth filter with a more generic ocv filter -- Windows Televison (WTV) demuxer -- FFmpeg metadata format muxer and demuxer -- SubRip (srt) subtitle encoder and decoder -- floating-point AC-3 encoder added -- Lagarith decoder -- ffmpeg -copytb option added -- IVF muxer added -- Wing Commander IV movies decoder added -- movie source added -- Bink version 'b' audio and video decoder -- Bitmap Brothers JV playback system -- Apple HTTP Live Streaming protocol handler -- sndio support for playback and record -- Linux framebuffer input device added -- Chronomaster DFA decoder -- DPX image encoder -- MicroDVD subtitle file muxer and demuxer -- Playstation Portable PMP format demuxer -- fieldorder video filter added -- AAC encoding via libvo-aacenc -- AMR-WB encoding via libvo-amrwbenc -- xWMA demuxer -- Mobotix MxPEG decoder - - -version 0.6: - -- PB-frame decoding for H.263 -- deprecated vhook subsystem removed -- deprecated old scaler removed -- VQF demuxer -- Alpha channel scaler -- PCX encoder -- RTP packetization of H.263 -- RTP packetization of AMR -- RTP depacketization of Vorbis -- CorePNG decoding support -- Cook multichannel decoding support -- introduced avlanguage helpers in libavformat -- 8088flex TMV demuxer and decoder -- per-stream language-tags extraction in asfdec -- V210 decoder and encoder -- remaining GPL parts in AC-3 decoder converted to LGPL -- QCP demuxer -- SoX native format muxer and demuxer -- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries -- DPX image decoder -- Electronic Arts Madcow decoder -- DivX (XSUB) subtitle encoder -- nonfree libamr support for AMR-NB/WB decoding/encoding removed -- experimental AAC encoder -- RTP depacketization of ASF and RTSP from WMS servers -- RTMP support in 
libavformat -- noX handling for OPT_BOOL X options -- Wave64 demuxer -- IEC-61937 compatible Muxer -- TwinVQ decoder -- Bluray (PGS) subtitle decoder -- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks) -- WMA Pro decoder -- Core Audio Format demuxer -- Atrac1 decoder -- MD STUDIO audio demuxer -- RF64 support in WAV demuxer -- MPEG-4 Audio Lossless Coding (ALS) decoder -- -formats option split into -formats, -codecs, -bsfs, and -protocols -- IV8 demuxer -- CDG demuxer and decoder -- R210 decoder -- Auravision Aura 1 and 2 decoders -- Deluxe Paint Animation playback system -- SIPR decoder -- Adobe Filmstrip muxer and demuxer -- RTP depacketization of H.263 -- Bink demuxer and audio/video decoders -- enable symbol versioning by default for linkers that support it -- IFF PBM/ILBM bitmap decoder -- concat protocol -- Indeo 5 decoder -- RTP depacketization of AMR -- WMA Voice decoder -- ffprobe tool -- AMR-NB decoder -- RTSP muxer -- HE-AAC v1 decoder -- Kega Game Video (KGV1) decoder -- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files -- RTP depacketization of Theora -- HTTP Digest authentication -- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp -- Psygnosis YOP demuxer and video decoder -- spectral extension support in the E-AC-3 decoder -- unsharp video filter -- RTP hinting in the mov/3gp/mp4 muxer -- Dirac in Ogg demuxing -- seek to keyframes in Ogg -- 4:2:2 and 4:4:4 Theora decoding -- 35% faster VP3/Theora decoding -- faster AAC decoding -- faster H.264 decoding -- RealAudio 1.0 (14.4K) encoder - - -version 0.5: - -- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer -- TechSmith Camtasia (TSCC) video decoder -- IBM Ultimotion (ULTI) video decoder -- Sierra Online audio file demuxer and decoder -- Apple QuickDraw (qdrw) video decoder -- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes) -- Electronic Arts Multimedia (WVE/UV2/etc.) 
file demuxer -- Miro VideoXL (VIXL) video decoder -- H.261 video encoder -- QPEG video decoder -- Nullsoft Video (NSV) file demuxer -- Shorten audio decoder -- LOCO video decoder -- Apple Lossless Audio Codec (ALAC) decoder -- Winnov WNV1 video decoder -- Autodesk Animator Studio Codec (AASC) decoder -- Indeo 2 video decoder -- Fraps FPS1 video decoder -- Snow video encoder/decoder -- Sonic audio encoder/decoder -- Vorbis audio decoder -- Macromedia ADPCM decoder -- Duck TrueMotion 2 video decoder -- support for decoding FLX and DTA extensions in FLIC files -- H.264 custom quantization matrices support -- ffserver fixed, it should now be usable again -- QDM2 audio decoder -- Real Cooker audio decoder -- TrueSpeech audio decoder -- WMA2 audio decoder fixed, now all files should play correctly -- RealAudio 14.4 and 28.8 decoders fixed -- JPEG-LS decoder -- build system improvements -- tabs and trailing whitespace removed from the codebase -- CamStudio video decoder -- AIFF/AIFF-C audio format, encoding and decoding -- ADTS AAC file reading and writing -- Creative VOC file reading and writing -- American Laser Games multimedia (*.mm) playback system -- Zip Motion Blocks Video decoder -- improved Theora/VP3 decoder -- True Audio (TTA) decoder -- AVS demuxer and video decoder -- JPEG-LS encoder -- Smacker demuxer and decoder -- NuppelVideo/MythTV demuxer and RTjpeg decoder -- KMVC decoder -- MPEG-2 intra VLC support -- MPEG-2 4:2:2 encoder -- Flash Screen Video decoder -- GXF demuxer -- Chinese AVS decoder -- GXF muxer -- MXF demuxer -- VC-1/WMV3/WMV9 video decoder -- MacIntel support -- AVISynth support -- VMware video decoder -- VP5 video decoder -- VP6 video decoder -- WavPack lossless audio decoder -- Targa (.TGA) picture decoder -- Vorbis audio encoder -- Delphine Software .cin demuxer/audio and video decoder -- Tiertex .seq demuxer/video decoder -- MTV demuxer -- TIFF picture encoder and decoder -- GIF picture decoder -- Intel Music Coder decoder -- Zip Motion 
Blocks Video encoder -- Musepack decoder -- Flash Screen Video encoder -- Theora encoding via libtheora -- BMP encoder -- WMA encoder -- GSM-MS encoder and decoder -- DCA decoder -- DXA demuxer and decoder -- DNxHD decoder -- Gamecube movie (.THP) playback system -- Blackfin optimizations -- Interplay C93 demuxer and video decoder -- Bethsoft VID demuxer and video decoder -- CRYO APC demuxer -- Atrac3 decoder -- V.Flash PTX decoder -- RoQ muxer, RoQ audio encoder -- Renderware TXD demuxer and decoder -- extern C declarations for C++ removed from headers -- sws_flags command line option -- codebook generator -- RoQ video encoder -- QTRLE encoder -- OS/2 support removed and restored again -- AC-3 decoder -- NUT muxer -- additional SPARC (VIS) optimizations -- Matroska muxer -- slice-based parallel H.264 decoding -- Monkey's Audio demuxer and decoder -- AMV audio and video decoder -- DNxHD encoder -- H.264 PAFF decoding -- Nellymoser ASAO decoder -- Beam Software SIFF demuxer and decoder -- libvorbis Vorbis decoding removed in favor of native decoder -- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1 -- Ogg (Theora, Vorbis and FLAC) muxer -- The "device" muxers and demuxers are now in a new libavdevice library -- PC Paintbrush PCX decoder -- Sun Rasterfile decoder -- TechnoTrend PVA demuxer -- Linux Media Labs MPEG-4 (LMLM4) demuxer -- AVM2 (Flash 9) SWF muxer -- QT variant of IMA ADPCM encoder -- VFW grabber -- iPod/iPhone compatible mp4 muxer -- Mimic decoder -- MSN TCP Webcam stream demuxer -- RL2 demuxer / decoder -- IFF demuxer -- 8SVX audio decoder -- non-recursive Makefiles -- BFI demuxer -- MAXIS EA XA (.xa) demuxer / decoder -- BFI video decoder -- OMA demuxer -- MLP/TrueHD decoder -- Electronic Arts CMV decoder -- Motion Pixels Video decoder -- Motion Pixels MVI demuxer -- removed animated GIF decoder/demuxer -- D-Cinema audio muxer -- Electronic Arts TGV decoder -- Apple Lossless Audio Codec (ALAC) encoder -- AAC decoder -- floating point PCM encoder/decoder 
-- MXF muxer -- DV100 AKA DVCPRO HD decoder and demuxer -- E-AC-3 support added to AC-3 decoder -- Nellymoser ASAO encoder -- ASS and SSA demuxer and muxer -- liba52 wrapper removed -- SVQ3 watermark decoding support -- Speex decoding via libspeex -- Electronic Arts TGQ decoder -- RV40 decoder -- QCELP / PureVoice decoder -- RV30 decoder -- hybrid WavPack support -- R3D REDCODE demuxer -- ALSA support for playback and record -- Electronic Arts TQI decoder -- OpenJPEG based JPEG 2000 decoder -- NC (NC4600) camera file demuxer -- Gopher client support -- MXF D-10 muxer -- generic metadata API -- flash ScreenVideo2 encoder - - -version 0.4.9-pre1: - -- DV encoder, DV muxer -- Microsoft RLE video decoder -- Microsoft Video-1 decoder -- Apple Animation (RLE) decoder -- Apple Graphics (SMC) decoder -- Apple Video (RPZA) decoder -- Cinepak decoder -- Sega FILM (CPK) file demuxer -- Westwood multimedia support (VQA & AUD files) -- Id Quake II CIN playback support -- 8BPS video decoder -- FLIC playback support -- RealVideo 2.0 (RV20) decoder -- Duck TrueMotion v1 (DUCK) video decoder -- Sierra VMD demuxer and video decoder -- MSZH and ZLIB decoder support -- SVQ1 video encoder -- AMR-WB support -- PPC optimizations -- rate distortion optimal cbp support -- rate distorted optimal ac prediction for MPEG-4 -- rate distorted optimal lambda->qp support -- AAC encoding with libfaac -- Sunplus JPEG codec (SP5X) support -- use Lagrange multipler instead of QP for ratecontrol -- Theora/VP3 decoding support -- XA and ADX ADPCM codecs -- export MPEG-2 active display area / pan scan -- Add support for configuring with IBM XLC -- floating point AAN DCT -- initial support for zygo video (not complete) -- RGB ffv1 support -- new audio/video parser API -- av_log() system -- av_read_frame() and av_seek_frame() support -- missing last frame fixes -- seek by mouse in ffplay -- noise reduction of DCT coefficients -- H.263 OBMC & 4MV support -- H.263 alternative inter vlc support -- H.263 loop 
filter -- H.263 slice structured mode -- interlaced DCT support for MPEG-2 encoding -- stuffing to stay above min_bitrate -- MB type & QP visualization -- frame stepping for ffplay -- interlaced motion estimation -- alternate scantable support -- SVCD scan offset support -- closed GOP support -- SSE2 FDCT -- quantizer noise shaping -- G.726 ADPCM audio codec -- MS ADPCM encoding -- multithreaded/SMP motion estimation -- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263 -- multithreaded/SMP decoding for MPEG-2 -- FLAC decoder -- Metrowerks CodeWarrior suppport -- H.263+ custom pcf support -- nicer output for 'ffmpeg -formats' -- Matroska demuxer -- SGI image format, encoding and decoding -- H.264 loop filter support -- H.264 CABAC support -- nicer looking arrows for the motion vector visualization -- improved VCD support -- audio timestamp drift compensation -- MPEG-2 YUV 422/444 support -- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample -- better image scaling -- H.261 support -- correctly interleave packets during encoding -- VIS optimized motion compensation -- intra_dc_precision>0 encoding support -- support reuse of motion vectors/MB types/field select values of the source video -- more accurate deblock filter -- padding support -- many optimizations and bugfixes -- FunCom ISS audio file demuxer and according ADPCM decoding - - -version 0.4.8: - -- MPEG-2 video encoding (Michael) -- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson) -- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson - and Mario Brito) -- Xan DPCM audio decoder (Mario Brito) -- Interplay MVE playback subsystem (Mike Melanson) -- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson) - - -version 0.4.7: - -- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. 
Author unknown, code from mplayerhq - (originally from public domain player for Amiga at http://www.honeypot.net/audio) -- current version now also compiles with older GCC (Fabrice) -- 4X multimedia playback system including 4xm file demuxer (Mike - Melanson), and 4X video and audio codecs (Michael) -- Creative YUV (CYUV) decoder (Mike Melanson) -- FFV1 codec (our very simple lossless intra only codec, compresses much better - than HuffYUV) (Michael) -- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various) -- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with - alpha support), JPEG YUV colorspace support. (Fabrice Bellard) -- ffplay has been replaced with a newer version which uses SDL (optionally) - for multiplatform support (Fabrice) -- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated - by anonymous -- AMR format has been added (Johannes Carlsson) -- 3GP support has been added (Johannes Carlsson) -- VP3 codec has been added (Mike Melanson) -- more MPEG-1/2 fixes -- better multiplatform support, MS Visual Studio fixes (various) -- AltiVec optimizations (Magnus Damn and others) -- SH4 processor support has been added (BERO) -- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick) -- VOB streaming support (Brian Foley) -- better MP3 autodetection (Andriy Rysin) -- qpel encoding (Michael) -- 4mv+b frames encoding finally fixed (Michael) -- chroma ME (Michael) -- 5 comparison functions for ME (Michael) -- B-frame encoding speedup (Michael) -- WMV2 codec (unfinished - Michael) -- user specified diamond size for EPZS (Michael) -- Playstation STR playback subsystem, still experimental (Mike and Michael) -- ASV2 codec (Michael) -- CLJR decoder (Alex) - -.. And lots more new enhancements and fixes. 
- - -version 0.4.6: - -- completely new integer only MPEG audio layer 1/2/3 decoder rewritten - from scratch -- Recoded DCT and motion vector search with gcc (no longer depends on nasm) -- fix quantization bug in AC3 encoder -- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues -- added prototype ffplay program -- added GOB header parsing on H.263/H.263+ decoder (Juanjo) -- bug fix on MCBPC tables of H.263 (Juanjo) -- bug fix on DC coefficients of H.263 (Juanjo) -- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo) -- now we can decode H.263 streams found in QuickTime files (Juanjo) -- now we can decode H.263 streams found in VIVO v1 files(Juanjo) -- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo) -- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo) -- now H.263 picture size is returned on the first decoded frame (Juanjo) -- added first regression tests -- added MPEG-2 TS demuxer -- new demux API for libav -- more accurate and faster IDCT (Michael) -- faster and entropy-controlled motion search (Michael) -- two pass video encoding (Michael) -- new video rate control (Michael) -- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael) -- great performance improvement of video encoders and decoders (Michael) -- new and faster bit readers and vlc parsers (Michael) -- high quality encoding mode: tries all macroblock/VLC types (Michael) -- added DV video decoder -- preliminary RTP/RTSP support in ffserver and libavformat -- H.263+ AIC decoding/encoding support (Juanjo) -- VCD MPEG-PS mode (Juanjo) -- PSNR stuff (Juanjo) -- simple stats output (Juanjo) -- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit) - - -version 0.4.5: - -- some header fixes (Zdenek Kabelac ) -- many MMX optimizations (Nick Kurshev ) -- added configure system (actually a small shell script) -- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by - Michael Hipp (temporary solution - waiting for integer only - decoder) -- fixed VIDIOCSYNC 
interrupt -- added Intel H.263 decoding support ('I263' AVI fourCC) -- added Real Video 1.0 decoding (needs further testing) -- simplified image formats again. Added PGM format (=grey - pgm). Renamed old PGM to PGMYUV. -- fixed msmpeg4 slice issues (tell me if you still find problems) -- fixed OpenDivX bugs with newer versions (added VOL header decoding) -- added support for MPlayer interface -- added macroblock skip optimization -- added MJPEG decoder -- added mmx/mmxext IDCT from libmpeg2 -- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer - ) -- added pixel format conversion layer (e.g. for MJPEG or PPM) -- added deinterlacing option -- MPEG-1/2 fixes -- MPEG-4 vol header fixes (Jonathan Marsden ) -- ARM optimizations (Lionel Ulmer ). -- Windows porting of file converter -- added MJPEG raw format (input/ouput) -- added JPEG image format support (input/output) - - -version 0.4.4: - -- fixed some std header definitions (Bjorn Lindgren - ). -- added MPEG demuxer (MPEG-1 and 2 compatible). -- added ASF demuxer -- added prototype RM demuxer -- added AC3 decoding (done with libac3 by Aaron Holtzman) -- added decoding codec parameter guessing (.e.g. 
for MPEG, because the - header does not include them) -- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now - play them (only tested video) -- fixed H.263 white bug -- fixed phase rounding in img resample filter -- add MMX code for polyphase img resample filter -- added CPU autodetection -- added generic title/author/copyright/comment string handling (ASF and RM - use them) -- added SWF demux to extract MP3 track (not usable yet because no MP3 - decoder) -- added fractional frame rate support -- codecs are no longer searched by read_header() (should fix ffserver - segfault) - - -version 0.4.3: - -- BGR24 patch (initial patch by Jeroen Vreeken ) -- fixed raw yuv output -- added motion rounding support in MPEG-4 -- fixed motion bug rounding in MSMPEG4 -- added B-frame handling in video core -- added full MPEG-1 decoding support -- added partial (frame only) MPEG-2 support -- changed the FOURCC code for H.263 to "U263" to be able to see the - +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with - this +codec ;) (JuanJo). -- Halfpel motion estimation after MB type selection (JuanJo) -- added pgm and .Y.U.V output format -- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or - output. -- added pgmpipe I/O format (original patch from Martin Aumueller - , but changed completely since we use a format - instead of a protocol) - - -version 0.4.2: - -- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support - (for OpenDivX) is almost complete: 8x8 MVs and rounding are - missing. MSMPEG4 support is complete. -- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it - can decode ffmpeg MPEGs :-)). -- added libavcodec API documentation (see apiexample.c). 
-- fixed image polyphase bug (the bottom of some images could be - greenish) -- added support for non clipped motion vectors (decoding only) - and image sizes non-multiple of 16 -- added support for AC prediction (decoding only) -- added file overwrite confirmation (can be disabled with -y) -- added custom size picture to H.263 using H.263+ (Juanjo) - - -version 0.4.1: - -- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec - of AVI and ASF to DIV3. -- added -me option to set motion estimation method - (default=log). suppressed redundant -hq option. -- added options -acodec and -vcodec to force a given codec (useful for - AVI for example) -- fixed -an option -- improved dct_quantize speed -- factorized some motion estimation code - - -version 0.4.0: - -- removing grab code from ffserver and moved it to ffmpeg. Added - multistream support to ffmpeg. -- added timeshifting support for live feeds (option ?date=xxx in the - URL) -- added high quality image resize code with polyphase filter (need - mmx/see optimization). Enable multiple image size support in ffserver. -- added multi live feed support in ffserver -- suppressed master feature from ffserver (it should be done with an - external program which opens the .ffm url and writes it to another - ffserver) -- added preliminary support for video stream parsing (WAV and AVI half - done). Added proper support for audio/video file conversion in - ffmpeg. -- added preliminary support for video file sending from ffserver -- redesigning I/O subsystem: now using URL based input and output - (see avio.h) -- added WAV format support -- added "tty user interface" to ffmpeg to stop grabbing gracefully -- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences) - (Juan J. Sierralta P. a.k.a. 
"Juanjo" ) -- added MMX DCT from mpeg2_movie 1.5 (Juanjo) -- added new motion estimation algorithms, log and phods (Juanjo) -- changed directories: libav for format handling, libavcodec for - codecs - - -version 0.3.4: - -- added stereo in MPEG audio encoder - - -version 0.3.3: - -- added 'high quality' mode which use motion vectors. It can be used in - real time at low resolution. -- fixed rounding problems which caused quality problems at high - bitrates and large GOP size - - -version 0.3.2: small fixes - -- ASF fixes -- put_seek bug fix - - -version 0.3.1: added avi/divx support - -- added AVI support -- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec -- added sound for flash format (not tested) - - -version 0.3: initial public release From 3e0dbb8a7ed118308cdddac803063b2cd09de37b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 00:45:41 +0200 Subject: [PATCH 170/290] h264: set unused ref_counts to 0 as a precautionary meassure. Signed-off-by: Michael Niedermayer (cherry picked from commit 3af2de76ac8b7aa762e4ee129ec29140e6247d81) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9c7bf24b5f..a889f422e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2901,7 +2901,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else h->list_count= 1; }else - h->list_count= 0; + h->ref_count[1]= h->ref_count[0]= h->list_count= 0; if(!default_ref_list_done){ ff_h264_fill_default_ref_list(h); From 86491c5dbc160a10926aa1cf4fa36864b09dfb31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 00:47:54 +0200 Subject: [PATCH 171/290] h264: increase ref_poc size to 32 as it can be per field. Signed-off-by: Michael Niedermayer (cherry picked from commit 8c851ef5a81fb0429453c43fdcfc974ce1b6e447) --- libavcodec/mpegvideo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 0b233d0a20..1b8483f9d5 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -123,7 +123,7 @@ typedef struct Picture{ int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num, pic_num & max_pic_num; long -> long_pic_num) */ int long_ref; ///< 1->long term reference 0->short term reference - int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice) + int ref_poc[2][2][32]; ///< h264 POCs of the frames/fields used as reference (FIXME need per slice) int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice) int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF int field_picture; ///< whether or not the picture was encoded in seperate fields From 2e342df4a266f903084a5f705c7f2932e79067de Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:26 +0200 Subject: [PATCH 172/290] Fix use of uninitialized memory in 4X Technologies demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit a1876e0072aa0c69f037e0cafaca1a54bf2e189b) --- libavformat/4xm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 0a314dc089..e3b696d57b 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -172,14 +172,16 @@ static int fourxm_read_header(AVFormatContext *s, goto fail; } if (current_track + 1 > fourxm->track_count) { - fourxm->track_count = current_track + 1; fourxm->tracks = av_realloc_f(fourxm->tracks, sizeof(AudioTrack), - fourxm->track_count); + current_track + 1); if (!fourxm->tracks) { ret= AVERROR(ENOMEM); goto fail; } + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); + fourxm->track_count = current_track + 1; } fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); 
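Review bot: Growing `ref_poc` to 32 entries per list is only safe if every writer that fills it is bounded by the same limit; those sites are outside this header hunk, so it is worth confirming they clamp the index (or `ref_count[.][.]`) at 32 rather than relying on the caller. The Doxygen comment could state the invariant explicitly, e.g. `///< h264 POCs of the frames/fields used as reference; at most 32 entries per list (16 frames x 2 fields), ref_count gives the valid prefix (FIXME need per slice)`. The struct definition starts and ends outside the hunk.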
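Review bot: Zeroing the grown tail is right, but the hunk does not show `current_track` being range-checked before `current_track + 1` becomes the element count; if it is read straight from the file header as a signed int (it is used as an array index two lines below), a negative value skips this block and indexes `fourxm->tracks` backwards, and `INT_MAX` wraps the count to zero. If that bound is not applied where `current_track` is read (outside the hunk), add one ahead of this block, e.g. `if (current_track < 0 || current_track >= INT_MAX) { ret = AVERROR_INVALIDDATA; goto fail; }`. Separately, if `av_realloc_f` frees the original block on failure as its name suggests, the `fail` path runs with `fourxm->tracks == NULL` and the old `track_count` still set, so the cleanup there (outside the hunk) must tolerate that. `fourxm_read_header` continues outside the hunk.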
From 535112b3658c21d1f9c4d2b44689342a32ff6eea Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:28 +0200 Subject: [PATCH 173/290] Prevent NULL dereference when the huffman table is invalid in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4a8ff0636d67c6df059f2ae2df49ad1181de14ca) --- libavcodec/4xm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index d89b494b09..1ec64ae3e0 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -601,9 +601,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const len_tab[j]= len; } - init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, - len_tab , 1, 1, - bits_tab, 4, 4, 0); + if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, + len_tab , 1, 1, + bits_tab, 4, 4, 0)) + return NULL; return ptr; } From d2a276a3fd7b34583ee7e8e7ec4c8fb85791c674 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:31 +0200 Subject: [PATCH 174/290] Fix the check for missing references in ff_er_frame_end() for H264. Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index d6ac81f009..0e410f96e8 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -660,7 +660,7 @@ static int is_intra_more_likely(MpegEncContext *s){ if(s->codec_id == CODEC_ID_H264){ H264Context *h= (void*)s; - if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) + if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) return 1; } From f421b534007ad791df593208d7998d07500a666e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:30 +0200 Subject: [PATCH 175/290] Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffers used in 4xm decoder. 
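Review bot: Returning NULL from `read_huffman_tables` only prevents the dereference if the caller checks the result, and this commit touches one file with only this hunk, so `decode_i_frame`'s `prestream = read_huffman_tables(f, prestream);` still hands a NULL pointer to the byte-swap and bitreader setup that follow it. The caller needs `if (!prestream) return -1;` directly after the call; a later patch in this series (178/290) adds exactly that, so the tree is unsafe between the two commits. The function starts outside the hunk.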
Signed-off-by: Michael Niedermayer (cherry picked from commit 90a69b2f61cbd2d58723d712bdf283e5e56b2ea2) --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1ec64ae3e0..29cab37ada 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -399,6 +399,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4); + memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); @@ -680,6 +681,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4); + memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size); f->last_dc= 0*128*8*8; From 64a9004d0771473b10655a3779b63e4e64505aa7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:32 +0200 Subject: [PATCH 176/290] Check for out of bound reads in PTX decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 581898ae882dc37967b689b6ea5f2b2a9acd257a) --- libavcodec/ptx.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 3273fd2f8e..756dbcd58b 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c 
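Review bot: Both memsets write `FF_INPUT_BUFFER_PADDING_SIZE` bytes beyond `bitstream_size` (and beyond `prestream_size` in the @@ -680 hunk), which presumes the `av_fast_malloc` call just above each hunk sized `f->bitstream_buffer` with that padding included; that allocation line is outside the hunk, so please confirm it, otherwise the padding write is itself a heap overflow. A comment at each site would make the dependency visible: `/* zero the padding so the bitreader never sees stale bytes; the buffer above is allocated with FF_INPUT_BUFFER_PADDING_SIZE extra */`. Both enclosing functions continue outside their hunks.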
@@ -39,12 +39,15 @@ static av_cold int ptx_init(AVCodecContext *avctx) { static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; PTXContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; unsigned int offset, w, h, y, stride, bytes_per_pixel; uint8_t *ptr; + if (buf_end - buf < 14) + return AVERROR_INVALIDDATA; offset = AV_RL16(buf); w = AV_RL16(buf+8); h = AV_RL16(buf+10); @@ -57,6 +60,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->pix_fmt = PIX_FMT_RGB555; + + if (buf_end - buf < offset) + return AVERROR_INVALIDDATA; if (offset != 0x2c) av_log_ask_for_sample(avctx, "offset != 0x2c\n"); @@ -80,6 +86,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, stride = p->linesize[0]; for (y=0; y Date: Sat, 1 Oct 2011 00:43:05 +0200 Subject: [PATCH 177/290] Prevent block size from inreasing in the shorten decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit b399cbfba5d901608c18e1a2d48a24c30541a634) --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5e599fd504..4c1abe8e4c 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -483,9 +483,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, case FN_BITSHIFT: s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; - case FN_BLOCKSIZE: - s->blocksize = get_uint(s, av_log2(s->blocksize)); + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; + } + s->blocksize = blocksize; break; + } case FN_QUIT: *data_size = 0; return buf_size; 
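Review bot: The new `FN_BLOCKSIZE` handling rejects growth but still accepts a zero or negative `blocksize`: if `get_uint` returns an unsigned value (its declaration is outside the hunk), assigning it to `int blocksize` turns a large value negative, which passes `blocksize > s->blocksize` and is then stored. Tighten the guard to `if (blocksize <= 0 || blocksize > s->blocksize) {` and adjust the message accordingly, since a zero block size leaves the per-block loops degenerate. `shorten_decode_frame` continues outside the hunk.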
From 2c282e96796039b73f0a4b42c97a4432ec51fcd4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:27 +0200 Subject: [PATCH 178/290] Check for out of bound accesses in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 9c661e952fbcbf044709f9a7031c68cc4860336b) --- libavcodec/4xm.c | 59 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 29cab37ada..7b5df62a43 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -133,7 +133,9 @@ typedef struct FourXContext{ GetBitContext pre_gb; ///< ac/dc prefix GetBitContext gb; const uint8_t *bytestream; + const uint8_t *bytestream_end; const uint16_t *wordstream; + const uint16_t *wordstream_end; int mv[256]; VLC pre_vlc; int last_dc; @@ -328,6 +330,8 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo assert(code>=0 && code<=6); if(code == 0){ + if (f->bytestream_end - f->bytestream < 1) + return; src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); @@ -345,15 +349,23 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ + if (f->bytestream_end - f->bytestream < 1) + return; src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } + if (f->wordstream_end - f->wordstream < 1) + return; mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); }else if(code == 5){ + if (f->wordstream_end - f->wordstream < 1) + return; mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); }else if(code == 6){ + if (f->wordstream_end - f->wordstream < 2) + return; if(log2w){ dst[0] = av_le2ne16(*f->wordstream++); dst[1] = av_le2ne16(*f->wordstream++); 
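Review bot: The new `bytestream_end` and `wordstream_end` members carry no Doxygen comment while the neighbouring fields do; document the convention they establish, e.g. `const uint8_t *bytestream_end;   ///< one past the last readable byte of bytestream` and `const uint16_t *wordstream_end;  ///< one past the last readable word of wordstream`. The struct definition starts and ends outside the hunk.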
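Review bot: Each new bounds check in `decode_p_block` silently `return`s from a `void` function, so `decode_p_frame` cannot tell that the block stream was truncated, keeps decoding the remaining macroblocks against a half-written frame, and then reports success. Consider recording the condition, e.g. a sticky flag in `FourXContext` (name illustrative: `f->stream_overread = 1;`) or an `int` return, and have `decode_p_frame` fail once its loop is done; this applies to the checks in this hunk and in the following @@ -345 hunk alike. The function body starts outside the hunk.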
@@ -375,6 +387,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ if(f->version>1){ extra=20; + if (length < extra) + return -1; bitstream_size= AV_RL32(buf+8); wordstream_size= AV_RL32(buf+12); bytestream_size= AV_RL32(buf+16); @@ -385,11 +399,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0); } - if(bitstream_size+ bytestream_size+ wordstream_size + extra != length - || bitstream_size > (1<<26) - || bytestream_size > (1<<26) - || wordstream_size > (1<<26) - ){ + if (bitstream_size > length || + bytestream_size > length - bitstream_size || + wordstream_size > length - bytestream_size - bitstream_size || + extra > length - bytestream_size - bitstream_size - wordstream_size){ av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size, bitstream_size+ bytestream_size+ wordstream_size - length); return -1; @@ -403,7 +416,9 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); + f->wordstream_end= f->wordstream + wordstream_size/2; f->bytestream= buf + extra + bitstream_size + wordstream_size; + f->bytestream_end = f->bytestream + bytestream_size; init_mv(f); @@ -532,7 +547,7 @@ static int decode_i_mb(FourXContext *f){ return 0; } -static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){ +static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){ int frequency[512]; uint8_t flag[512]; int up[512]; @@ -540,6 +555,7 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const int bits_tab[257]; int start, end; const uint8_t *ptr= buf; + const uint8_t *ptr_end = buf + buf_size; int j; memset(frequency, 0, sizeof(frequency)); 
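Review bot: The rewritten size check at @@ -385 relies on `length - bitstream_size` and the later subtractions not wrapping, which holds if the three `*_size` variables are unsigned but not if they are `int` (their declarations are outside the hunk, and the old code compared them against `1<<26` as if they could be large): a negative `int` size passes `bitstream_size > length` and then makes `length - bitstream_size` overflow. If they are signed, either declare them `unsigned` or keep an explicit rejection ahead of the chain, e.g. `if (bitstream_size < 0 || bytestream_size < 0 || wordstream_size < 0) return -1;`. Dropping the `1<<26` caps is fine given the new `length` bound, provided `8*bitstream_size` in the `init_get_bits` call further down cannot overflow for the largest packet the demuxer can deliver. `decode_p_frame` continues outside the hunk.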
@@ -550,6 +566,8 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const for(;;){ int i; + if (start <= end && ptr_end - ptr < end - start + 1 + 1) + return NULL; for(i=start; i<=end; i++){ frequency[i]= *ptr++; } @@ -623,10 +641,13 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ const int height= f->avctx->height; uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; + const uint8_t *buf_end = buf + length; for(y=0; ycurrent_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; + unsigned int prestream_size; + const uint8_t *prestream; - if(prestream_size + bitstream_size + 12 != length - || bitstream_size > (1<<26) - || prestream_size > (1<<26)){ + if (bitstream_size > (1<<26) || length < bitstream_size + 12) + return -1; + prestream_size = 4*AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; + + if (prestream_size > (1<<26) || + prestream_size != length - (bitstream_size + 12)){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); return -1; } - prestream= read_huffman_tables(f, prestream); + prestream= read_huffman_tables(f, prestream, buf + length - prestream); + if (!prestream) + return -1; init_get_bits(&f->gb, buf + 4, 8*bitstream_size); @@ -713,6 +739,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, temp; int i, frame_4cc, frame_size; + if (buf_size < 12) + return AVERROR_INVALIDDATA; frame_4cc= AV_RL32(buf); if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4)); 
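Review bot: The guard at @@ -550 only fires when `start <= end`; if the two bytes that supply the next `start`/`end` pair are read unconditionally after the frequency loop (those reads are outside the visible lines), an input with `start > end` still reaches them without the `+ 1 + 1` slack being checked. A check independent of the loop bound, e.g. `if (ptr_end - ptr < 2) return NULL;` placed before those reads, closes that path. The `for(;;)` loop continues outside the hunk.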
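Review bot: The new `buf_size < 12` guard at @@ -713 only has to cover the `AV_RL32(buf+4)` read on the following line, because the existing condition already rejects `buf_size < 20` but evaluates that after the read; reordering it to `if (buf_size < 20 || buf_size != AV_RL32(buf+4)+8) {` would make a single check sufficient and the intent clearer. As written the two guards overlap, which is harmless but deserves a comment if kept. `decode_frame` continues outside the hunk.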
@@ -725,6 +753,9 @@ static int decode_frame(AVCodecContext *avctx, const int whole_size= AV_RL32(buf+16); CFrameBuffer *cfrm; + if (data_size < 0 || whole_size < 0) + return AVERROR_INVALIDDATA; + for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id); @@ -741,6 +772,8 @@ static int decode_frame(AVCodecContext *avctx, } cfrm= &f->cfrm[i]; + if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL av_log(f->avctx, AV_LOG_ERROR, "realloc falure"); From 54a1e7b0f28ad4d5d9d50969df2cf786a9aa7e27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 03:39:59 +0200 Subject: [PATCH 179/290] 4xm decoder: print some error messages in case of errors. Signed-off-by: Michael Niedermayer (cherry picked from commit 1008f639e2ebaa2b3d48ac765ca49c8869042d75) --- libavcodec/4xm.c | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7b5df62a43..92717d0fef 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -330,8 +330,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo assert(code>=0 && code<=6); if(code == 0){ - if (f->bytestream_end - f->bytestream < 1) + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); 
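Review bot: The overflow guard before `av_fast_realloc` at @@ -741 bounds the allocation size but not the copy: `data_size` comes from the packet header and nothing in this hunk checks it against the bytes actually present in `buf`, so the `memcpy` mentioned in the context comment could read past the packet if no such check exists outside the hunk. Add, ahead of the realloc, something like `if (data_size > buf_size - 20) return AVERROR_INVALIDDATA;` (the `20` is illustrative and must match the header offset the copy's source pointer uses, which is outside the visible lines). `decode_frame` continues outside the hunk.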
@@ -349,23 +351,31 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ - if (f->bytestream_end - f->bytestream < 1) + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } - if (f->wordstream_end - f->wordstream < 1) + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); }else if(code == 5){ - if (f->wordstream_end - f->wordstream < 1) + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); }else if(code == 6){ - if (f->wordstream_end - f->wordstream < 2) + if (f->wordstream_end - f->wordstream < 2){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } if(log2w){ dst[0] = av_le2ne16(*f->wordstream++); dst[1] = av_le2ne16(*f->wordstream++); @@ -753,8 +763,10 @@ static int decode_frame(AVCodecContext *avctx, const int whole_size= AV_RL32(buf+16); CFrameBuffer *cfrm; - if (data_size < 0 || whole_size < 0) + if (data_size < 0 || whole_size < 0){ + av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); return AVERROR_INVALIDDATA; + } for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number) 
@@ -817,12 +829,16 @@ static int decode_frame(AVCodecContext *avctx, if(frame_4cc == AV_RL32("ifr2")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i2_frame(f, buf-4, frame_size) < 0) + if(decode_i2_frame(f, buf-4, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("ifrm")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i_frame(f, buf, frame_size) < 0) + if(decode_i_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){ if(!f->last_picture.data[0]){ f->last_picture.reference= 1; @@ -833,8 +849,10 @@ static int decode_frame(AVCodecContext *avctx, } p->pict_type= AV_PICTURE_TYPE_P; - if(decode_p_frame(f, buf, frame_size) < 0) + if(decode_p_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("snd_")){ av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size); }else{ From 55a070870facd6bc72f9b943baba2833ce24f075 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 03:40:26 +0200 Subject: [PATCH 180/290] 4xm decoder: fix data size for i2 frames. Signed-off-by: Michael Niedermayer (cherry picked from commit 0a19b4b0bae772cac7f8341e94c319c96356ee69) --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 92717d0fef..98169fd8ab 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -829,7 +829,7 @@ static int decode_frame(AVCodecContext *avctx, if(frame_4cc == AV_RL32("ifr2")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i2_frame(f, buf-4, frame_size) < 0){ + if(decode_i2_frame(f, buf-4, frame_size+4) < 0){ av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n"); return -1; } From 6b998720b29b5fd1c94b01903b0d05c1141fb0c2 Mon Sep 17 00:00:00 2001 
From: Laurent Aimar Date: Sat, 1 Oct 2011 02:04:45 +0200 Subject: [PATCH 181/290] Reject video with non multiple of 16 width/height in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit db5b4875514eb7740844f514dbf236c9179a6a93) --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 98169fd8ab..7344f4cd1f 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -885,6 +885,10 @@ static av_cold int decode_init(AVCodecContext *avctx){ av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n"); return 1; } + if((avctx->width % 16) || (avctx->height % 16)) { + av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n"); + return AVERROR_INVALIDDATA; + } avcodec_get_frame_defaults(&f->current_picture); avcodec_get_frame_defaults(&f->last_picture); From cf0052931d5776eafacd7771bc9c40da86e31b09 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 16:06:37 +0200 Subject: [PATCH 182/290] h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors. Signed-off-by: Michael Niedermayer (cherry picked from commit 2428b53f6d306d8d71dec34fa7b0af733d76cfac) --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a889f422e1..dcca6bd73c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2907,8 +2907,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ff_h264_fill_default_ref_list(h); } - if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) + if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) { + h->ref_count[1]= h->ref_count[0]= 0; return -1; + } if(h->slice_type_nos!=AV_PICTURE_TYPE_I){ s->last_picture_ptr= &h->ref_list[0][0]; From bfd7238adbec83981ddd259e26e9e8f90d78f472 Mon Sep 17 00:00:00 2001 
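Review bot: The new dimension check returns `AVERROR_INVALIDDATA` while the extradata check two lines above returns `1`, so `decode_init` now mixes positive and negative failure codes; making the earlier one `AVERROR_INVALIDDATA` too would give callers a single convention. Also `0 % 16 == 0`, so a zero width or height passes this check; if `avctx->width`/`height` can still be unset here (not visible in the hunk), extend it to `if (!avctx->width || !avctx->height || (avctx->width % 16) || (avctx->height % 16)) {`. `decode_init` continues outside the hunk.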
From: Laurent Aimar Date: Sun, 2 Oct 2011 16:06:38 +0200 Subject: [PATCH 183/290] h264: fix the check for invalid SPS:num_ref_frames. This patch set the limit to 16. For information, thoses previous commits: 41f7e2d11d2dca23842ee89d530ca9fa15cec9d8 5cbb0e70a0a2ee99eb3cb09e837b9a1f7355b9bc assumed it was either 30 or 32. Signed-off-by: Michael Niedermayer (cherry picked from commit bcf881a6858760ecbd9ff4352a38813dc4232dd6) --- libavcodec/h264_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 61fb12ce0c..4bb02e0948 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -365,7 +365,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->ref_frame_count= get_ue_golomb_31(&s->gb); - if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){ + if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){ av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n"); goto fail; } From 46edabac3c97669d491016903d0f9014692dfcaa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 18:29:30 +0200 Subject: [PATCH 184/290] h264: add entries for 11 and 12 bits in ff_h264_chroma_qp[][] Signed-off-by: Michael Niedermayer (cherry picked from commit 27d3361e34cf19ad5c0bfb7cfacae0db99b26064) --- libavcodec/h264.h | 4 ++-- libavcodec/h264_ps.c | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 822ba0271a..5b07f3775d 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -101,7 +101,7 @@ */ #define DELAYED_PIC_REF 4 -#define QP_MAX_NUM (51 + 2*6) // The maximum supported qp +#define QP_MAX_NUM (51 + 4*6) // The maximum supported qp /* NAL unit types */ enum { 
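Review bot: The `16U` bound on `sps->ref_frame_count` is a bare magic number next to the named `MAX_PICTURE_COUNT-2`; since the commit message itself notes that earlier fixes assumed 30 or 32, a short why-comment (or a named constant) would keep the limit from drifting again, e.g. `if (sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U) { /* H.264 max_num_ref_frames is at most 16 */`. `ff_h264_decode_seq_parameter_set` continues outside the hunk.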
@@ -584,7 +584,7 @@ typedef struct H264Context{ }H264Context; -extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10). +extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12). /** * Decode SEI diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4bb02e0948..4342c4b1ec 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -70,7 +70,7 @@ static const AVRational pixel_aspect[17]={ QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\ QP(39,d), QP(39,d), QP(39,d), QP(39,d) -const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = { +const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = { { CHROMA_QP_TABLE_END(8) }, @@ -83,6 +83,19 @@ const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = { 6, 7, 8, 9, 10, 11, CHROMA_QP_TABLE_END(10) }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + CHROMA_QP_TABLE_END(11) + }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + 18,19,20,21, 22, 23, + CHROMA_QP_TABLE_END(12) + }, }; static const uint8_t default_scaling4[2][16]={ From efedf09378e82cc75d56e881842c5bf14b2c9d05 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 18:29:31 +0200 Subject: [PATCH 185/290] h264: check for invalid bit depth value. Signed-off-by: Michael Niedermayer (cherry picked from commit c2b7f7748be447e1446f63b13da472ba7e00f329) --- libavcodec/h264_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4342c4b1ec..423f54b324 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
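Review bot: The row count 5 is now hand-written in three places — the extern declaration in h264.h and the two table definitions here — with nothing linking it to the `4*6` in `QP_MAX_NUM`; a named constant (for example `#define H264_MAX_BIT_DEPTH_TABLES 5`, constructed name) used in all three would keep them from drifting the next time a depth is added. The 11- and 12-bit rows follow the existing 9/10-bit pattern of six extra identity entries per bit, which reads as consistent.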
@@ -346,6 +346,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->residual_color_transform_flag = get_bits1(&s->gb); sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; + if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) { + av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", + sps->bit_depth_luma, sps->bit_depth_chroma); + goto fail; + } sps->transform_bypass = get_bits1(&s->gb); decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8); }else{ From b89a0c9d7f4c4a23d709761033ad5e2f9c2881fa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 21:07:41 +0200 Subject: [PATCH 186/290] h264: fix intra 16x16 mode check when using mbaff and constrained_intra_pred. Signed-off-by: Michael Niedermayer (cherry picked from commit a4fd95b5d511384ed3ce388d8d20a16b1c4c0530) --- libavcodec/h264.c | 26 ++++++++++++++++++++------ libavcodec/h264.h | 7 ++++++- libavcodec/h264_cabac.c | 4 ++-- libavcodec/h264_cavlc.c | 4 ++-- libavcodec/svq3.c | 4 ++-- 5 files changed, 32 insertions(+), 13 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index dcca6bd73c..bab032b300 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -106,12 +106,9 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){ } return 0; -} //FIXME cleanup like ff_h264_check_intra_pred_mode +} //FIXME cleanup like check_intra_pred_mode -/** - * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. - */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ +static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; 
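Review bot: The new guard rejects depths above 12 but does not require `bit_depth_luma == bit_depth_chroma`, and the decoder initialises its DSP and prediction tables from a single `bits_per_raw_sample` (see the common_init hunk later in this series), so a stream declaring, say, 8-bit luma with 10-bit chroma passes this check and is decoded with one depth applied to both planes; adding `|| sps->bit_depth_luma != sps->bit_depth_chroma` to the condition and logging it as unsupported would close that. The unsigned `12U` compare also catches a negative result from `get_ue_golomb() + 8`, which deserves a short comment so it is not "simplified" to a signed compare. ff_h264_decode_seq_parameter_set continues outside the hunk.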
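Review bot: The doxygen block describing the mode check is deleted when `ff_h264_check_intra_pred_mode` becomes the static `check_intra_pred_mode`, and the new `is_chroma` parameter gets no description at all; the comment should move onto the static function with one added line, e.g. ` * @param is_chroma non-zero for the chroma 8x8 DC predictor, which has the MBAFF half-availability modes`. The retained `//FIXME cleanup like check_intra_pred_mode` on ff_h264_check_intra4x4_pred_mode now points at a static helper, which is fine but worth knowing. The function body continues in the next hunk.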
@@ -131,7 +128,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ if((h->left_samples_available&0x8080) != 0x8080){ mode= left[ mode ]; - if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred + if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8); } if(mode<0){ @@ -143,6 +140,23 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ return mode; } +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 0); +} + +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 1); +} + + const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){ int i, si, di; uint8_t *dst; diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 5b07f3775d..0a380e03c1 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -658,7 +658,12 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h); /** * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode); +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode); + +/** + * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); 
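Review bot: The `is_chroma &&` gate deserves a comment explaining why luma 16x16 is excluded, since the existing "mad cow disease" remark does not say so; something like `// the ALZHEIMER_DC_* half-available variants exist only for the chroma 8x8 DC predictor; luma 16x16 keeps the plain left[] mapping` (presumed — confirm against h264pred.h). With the gate, luma falls through to the `if(mode<0)` check below with the value from `left[]`, which is the behaviour the commit restores. check_intra_pred_mode starts outside the hunk.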
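Review bot: The two new wrappers carry a word-for-word identical doxygen comment, as do their declarations in the h264.h hunk that follows, so a reader cannot tell from the docs which one to call; differentiate them in both files, e.g. `Check and fix up a luma intra 16x16 DC prediction mode` on ff_h264_check_intra16x16_pred_mode and `Check and fix up a chroma intra DC prediction mode (MBAFF + constrained_intra_pred aware)` on ff_h264_check_intra_chroma_pred_mode. The same wording is repeated in the h264.h hunk below, so the fix applies there too.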
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 3975a61699..7aaecf3c2e 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2003,14 +2003,14 @@ decode_intra_mb: ff_h264_write_back_intra_pred_mode(h); if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1; } else { - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode ); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode ); if( h->intra16x16_pred_mode < 0 ) return -1; } if(decode_chroma){ h->chroma_pred_mode_table[mb_xy] = pred_mode = decode_cabac_mb_chroma_pre_mode( h ); - pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode ); + pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode ); if( pred_mode < 0 ) return -1; h->chroma_pred_mode= pred_mode; } else { diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0ddc430661..92cae7fa93 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -735,12 +735,12 @@ decode_intra_mb: if( ff_h264_check_intra4x4_pred_mode(h) < 0) return -1; }else{ - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode); if(h->intra16x16_pred_mode < 0) return -1; } if(decode_chroma){ - pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb)); + pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb)); if(pred_mode < 0) return -1; h->chroma_pred_mode= pred_mode; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index e5c18c59c2..812ac962f2 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){ + if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); return -1; } @@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) s->current_picture.mb_type[mb_xy] = mb_type; if (IS_INTRA(mb_type)) { - h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8); + h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8); } return 0; From b38b6b27981aa13b5fad9b540b1ff6a7b3e8d04a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 22:01:44 +0200 Subject: [PATCH 187/290] Update for 0.7.6 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index bcb13563a5..24ceb58ecd 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.5 +PROJECT_NUMBER = 0.7.6 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 8bd6ba8c5c..c006218557 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.5 +0.7.6 diff --git a/VERSION b/VERSION index 8bd6ba8c5c..c006218557 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.5 +0.7.6 From 09d8f515b90d8acd71b4b897622927287e863346 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 22:02:45 +0200 Subject: [PATCH 188/290] Update for 0.8.5 
Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 4f45f3417e..7b5b0df3c2 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.4 +PROJECT_NUMBER = 0.8.5 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index b60d71966a..7ada0d303f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.4 +0.8.5 diff --git a/VERSION b/VERSION index b60d71966a..7ada0d303f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.4 +0.8.5 From 57f51e843e55815da5bb75ed32a81f60b7b45212 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Oct 2011 16:32:17 +0200 Subject: [PATCH 189/290] lavf/utils: fix overestimation of the rational number density. Fixes Ticket498 Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3490270395..591a121ec2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3049,7 +3049,7 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) goto fail; } if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) - && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio) ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); From a39b603bf6d8c6f47c1864100bcd4d656445194c Mon Sep 17 00:00:00 2001 
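Review bot: The tolerance `0.004*av_q2d(st->sample_aspect_ratio)` is relative to the stream-level SAR only, so a zero SAR collapses the bound to zero and a negative numerator makes it negative, in which case every mismatch errors out; `0.004*FFMAX(av_q2d(st->sample_aspect_ratio), av_q2d(st->codec->sample_aspect_ratio))` or an `FFABS` around the reference would make the check symmetric and sign-safe. A short comment stating the intent, `/* allow 0.4% relative error between container and codec SAR */`, would also help. The identical hunk appears again as patch 190 on the next line. avformat_write_header extends beyond the hunk.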
From: Michael Niedermayer Date: Mon, 3 Oct 2011 16:32:17 +0200 Subject: [PATCH 190/290] lavf/utils: fix overestimation of the rational number density. Fixes Ticket498 Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e79f98e62d..b15582acb1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2959,7 +2959,7 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) goto fail; } if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) - && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio) ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); From 60171d8fa68e90bd623daba970a65c4171cac502 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 28 Aug 2011 23:13:17 +0200 Subject: [PATCH 191/290] Do not set codec_tag property for matroska muxers. Fixes ticket #8, #537. --- libavformat/matroskaenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e9c977a59f..986373c4cd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1209,7 +1209,6 @@ AVOutputFormat ff_matroska_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, - .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0}, .subtitle_codec = CODEC_ID_TEXT, }; #endif @@ -1243,6 +1242,5 @@ AVOutputFormat ff_matroska_audio_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, - .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0}, }; #endif From 638e183d11367f0ccc46bee6228e5b271fda5a8e Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Sun, 28 Aug 2011 23:13:17 +0200 Subject: [PATCH 192/290] Do not set codec_tag property for matroska muxers. Fixes ticket #8, #537. (cherry picked from commit 60171d8fa68e90bd623daba970a65c4171cac502) --- libavformat/matroskaenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e9c977a59f..986373c4cd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1209,7 +1209,6 @@ AVOutputFormat ff_matroska_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, - .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0}, .subtitle_codec = CODEC_ID_TEXT, }; #endif @@ -1243,6 +1242,5 @@ AVOutputFormat ff_matroska_audio_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, - .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0}, }; #endif From b981c5d4e0f0dd26fd1c03d70a38aef85d6131bc Mon Sep 17 00:00:00 2001 From: Loren Osborn Date: Mon, 3 Oct 2011 16:03:29 +0200 Subject: [PATCH 193/290] mpegtsenc: Lift limit on PMT PID Fixes Ticket518 (cherry picked from commit bf5c3bac51e422580aad011fcd927c818542f054) --- libavformat/mpegtsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 7e9647257f..32dedfbae6 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c 
@@ -84,7 +84,7 @@ static const AVOption options[] = { { "mpegts_service_id", "Set service_id field.", offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_pmt_start_pid", "Set the first pid of the PMT.", - offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, + offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_start_pid", "Set the first pid.", offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM}, { NULL }, From 09a288476fecb855b77c2b13f939310467735af0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 00:14:48 +0200 Subject: [PATCH 194/290] H264: hotfix for speedloss on frame threading and h264 files with slices. This fix is not ideal as it still limits the multithreading on field pictures to the 2nd field only. Ill try to fix it properly to allow both fields to decode concurrently but this needs more work. This bug exists since and was caused by: commit ea6331f8bbaf3343faec6ffe77a6218a016a3af5 Author: Ronald S. Bultje Date: Mon Jun 20 10:24:33 2011 -0400 h264-mt: fix deadlock in packets with multiple slices (e.g. MP4). (cherry picked from commit eaa21b6870ba8bba4b0370e91f1941307c1c9681) --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index bab032b300..f6e93bd58d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3753,9 +3753,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ switch (hx->nal_unit_type) { case NAL_SPS: case NAL_PPS: + nals_needed = nal_index; + break; case NAL_IDR_SLICE: case NAL_SLICE: - nals_needed = nal_index; + init_get_bits(&hx->s.gb, ptr, bit_length); + if(!get_ue_golomb(&hx->s.gb)) + nals_needed = nal_index; } continue; } 
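Review bot: Lowering the minimum of `mpegts_pmt_start_pid` to 0x0010 lets the PMT PID range (0x0010–0x1f00) overlap the `mpegts_start_pid` range (0x0100–0x0f00) declared on the next option, and nothing here rejects a configuration where a PMT PID equals an elementary-stream PID, which yields a transport stream demuxers cannot parse; the muxer's init (outside the hunk) should check that the PMT PIDs for all programs do not fall inside the range used for stream PIDs and fail with `AVERROR(EINVAL)`. Note also that 0x0010–0x001F are reserved for SI tables (NIT, SDT, EIT, TDT) in MPEG-2 TS/DVB, so a lower bound of 0x0020 would lift the old restriction without inviting clashes with those.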
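Review bot: The new slice case reads the leading ue(v) (first_mb_in_slice) without saying why a zero value marks the NAL as needed, and `init_get_bits` is called on the shared `hx->s.gb` inside what looks like a pre-scan pass, so the real parse must re-initialise it; one comment covers both: `// first_mb_in_slice == 0 starts a new picture: count it towards nals_needed (pre-scan only, gb is re-initialised by the real parse)`. The switch has no `default:`, so other NAL types silently fall to the `continue` — intentional, but a `default: break;` would say so. decode_nal_units starts and ends outside the hunk.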
From 414409e6c5260ff8a409a05b34f72ba3d44c61a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Tue, 4 Oct 2011 21:34:55 +0200 Subject: [PATCH 195/290] configure: remove bashism equality check for target_os. (cherry picked from commit e39be59b85de63e036bd6db9b79a9a9f29a838f7) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 576daf045b..be2f721f7a 100755 --- a/configure +++ b/configure @@ -3164,7 +3164,7 @@ check_deps $CONFIG_LIST \ enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; } -if test $target_os == "haiku"; then +if test $target_os = "haiku"; then disable memalign disable posix_memalign fi From e49abd1d92f4ef2258c82f233e138901839eee0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 23:21:52 +0200 Subject: [PATCH 196/290] libx264: Fix loop failure due to bufsize becoming 0 Signed-off-by: Michael Niedermayer (cherry picked from commit 751a4efd4d754b15ebc6027b09051f27860bb1e8) --- libavcodec/libx264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index bf542accdf..6477f3fbe0 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -101,13 +101,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, } static int X264_frame(AVCodecContext *ctx, uint8_t *buf, - int bufsize, void *data) + int orig_bufsize, void *data) { X264Context *x4 = ctx->priv_data; AVFrame *frame = data; x264_nal_t *nal; int nnal, i; x264_picture_t pic_out; + int bufsize; x264_picture_init( &x4->pic ); x4->pic.img.i_csp = X264_CSP_I420; @@ -138,6 +139,7 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } do { + bufsize = orig_bufsize; if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0) return -1; From f74d1c6de7ef810544edae947db1eb1e2c7b6361 Mon Sep 17 00:00:00 2001 
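Review bot: The reset `bufsize = orig_bufsize;` at the top of the `do` loop fixes the shrinking-buffer failure, but nothing records that the loop body consumes `bufsize`, so the line looks redundant to a reader and invites "cleanup"; a comment such as `/* the loop body consumes bufsize; start every retry from the full buffer */` (presumed from the commit message — confirm against encode_nals) would protect it. Keeping the parameter as `orig_bufsize` and the local as `bufsize` preserves the existing uses below. X264_frame continues outside the hunk.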
From: Laurent Aimar Date: Tue, 4 Oct 2011 22:13:58 +0200 Subject: [PATCH 197/290] h264: do not let invalid values in h->ref_count after a decoder reset. Signed-off-by: Michael Niedermayer (cherry picked from commit 0333d234b0355b375762447e93674e3fe3c5bff1) --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f6e93bd58d..96d8ecf77a 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2633,6 +2633,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ free_tables(h, 0); flush_dpb(s->avctx); MPV_common_end(s); + h->list_count = 0; } if (!s->context_initialized) { if (h != h0) { From 7275dc28f6eec4168dbef79275b605bc73dbc0e4 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Thu, 6 Oct 2011 15:19:33 +0200 Subject: [PATCH 198/290] vaapi: fix VC-1 decoding (reconstruct bitstream TTFRM correctly). (cherry picked from commit 825dd135d829d85778e6c37f685a6088fef01b2e) --- libavcodec/vaapi_vc1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index d4d76c815f..09bef4a5f9 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -116,6 +116,18 @@ static inline VAMvModeVC1 vc1_get_MVMODE2(VC1Context *v) return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { 
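Review bot: Setting `h->list_count = 0;` after the reset complements the earlier commit in this series that zeroes `ref_count[]` on a reordering failure, but here `ref_count[0]`/`ref_count[1]` are not cleared, so the two reset paths leave different fields stale; for symmetry add `h->ref_count[0] = h->ref_count[1] = 0;` next to the new line, or factor both resets into one small static helper used from both places. decode_slice_header starts and ends outside the hunk.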
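Review bot: `vc1_get_TTFRM` silently maps any `v->ttfrm` value outside the four `TT_*` constants to 0 (8x8) through the trailing `return 0;`, which hides an inconsistent decoder state from the hardware path; a `default:` arm makes that explicit, e.g. `default: return 0; /* not reachable for a validly parsed ttfrm */`, and gives every switch a default as house style prefers. The parameter could also be `const VC1Context *v` since it is only read. Patch 199 on the following lines is a byte-identical repeat of this change.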
@@ -239,7 +251,7 @@ static int vaapi_vc1_start_frame(AVCodecContext *avctx, av_unused const uint8_t pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; From 7d52ed686b2ccbb2e72d3930cfba69448c346204 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Thu, 6 Oct 2011 15:19:33 +0200 Subject: [PATCH 199/290] vaapi: fix VC-1 decoding (reconstruct bitstream TTFRM correctly). (cherry picked from commit 825dd135d829d85778e6c37f685a6088fef01b2e) --- libavcodec/vaapi_vc1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index d4d76c815f..09bef4a5f9 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -116,6 +116,18 @@ static inline VAMvModeVC1 vc1_get_MVMODE2(VC1Context *v) return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { 
@@ -239,7 +251,7 @@ static int vaapi_vc1_start_frame(AVCodecContext *avctx, av_unused const uint8_t pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; From b833859daa4eb8fe0ec9117859b21a734905b895 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 18:53:18 -0400 Subject: [PATCH 200/290] mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b) Signed-off-by: Michael Niedermayer --- libavcodec/mpc7.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index bb21469356..515bbf60a7 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -197,7 +197,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, int i, ch; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); 
@@ -205,6 +205,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); } + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); init_get_bits(&gb, bits, (buf_size - 4)* 8); @@ -277,7 +283,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } From 490617b6ffa13f8e49a196a752f927d5ebad6e2b Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:16:42 -0400 Subject: [PATCH 201/290] mpc7: return error if packet is too small. (cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac) Signed-off-by: Michael Niedermayer --- libavcodec/mpc7.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 515bbf60a7..6477edcf28 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -203,6 +203,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, memset(bands, 0, sizeof(bands)); if(buf_size <= 4){ av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); + return AVERROR(EINVAL); } out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; From fc8c0ee09f8eb8eab6373e1b4946cb503caa9884 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:39:21 -0400 Subject: [PATCH 202/290] mpc8: check output buffer size before decoding (cherry picked from commit 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
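Review bot: `out_size = (buf[1] ? ...)` reads `buf[1]` right after the `buf_size <= 4` branch that, in this hunk, only logs and falls through, so a packet of 0 or 1 bytes makes this new line read past the input before anything bails out (the very next commit in this series adds the missing `return`). Separately, the `* 4` hard-codes two channels of 16-bit samples while the other output-size checks in this series use `av_get_bytes_per_sample(avctx->sample_fmt)`; `* 2 * av_get_bytes_per_sample(avctx->sample_fmt)` with a comment that MPC7 is always stereo (presumed — confirm) would match them. mpc7_decode_frame starts and ends outside the hunk.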
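Review bot: The new early return reports a truncated input packet as `AVERROR(EINVAL)`, whereas corrupt bitstream data is conventionally `AVERROR_INVALIDDATA` (as the 4xm change earlier in this series uses); EINVAL is better reserved for bad caller arguments such as the too-small output buffer checked just below, so `return AVERROR_INVALIDDATA;` lets callers distinguish the two. mpc7_decode_frame extends outside the hunk.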
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index bca57451ca..90bc8c8b96 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -243,10 +243,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx, GetBitContext gb2, *gb = &gb2; int i, j, k, ch, cnt, res, t; Band *bands = c->bands; - int off; + int off, out_size; int maxband, keyframe; int last[2]; + out_size = MPC_FRAME_SIZE * 2 * avctx->channels; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + keyframe = c->cur_frame == 0; if(keyframe){ @@ -404,7 +410,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx, c->last_bits_used = get_bits_count(gb); if(c->cur_frame >= c->frames) c->cur_frame = 0; - *data_size = MPC_FRAME_SIZE * 2 * avctx->channels; + *data_size = out_size; return c->cur_frame ? c->last_bits_used >> 3 : buf_size; } From d33a1d650742b579c86df1b77fd9ee5a3dc99b87 Mon Sep 17 00:00:00 2001 From: Compn Date: Sun, 2 Oct 2011 17:39:03 -0400 Subject: [PATCH 203/290] riff: map 0x0038 to amrnb, works on http://video.mopoto.com/4/40/407/40709.avi (cherry picked from commit 3ebab62fc67591fd9313fad32892d7d32e805422) Signed-off-by: Michael Niedermayer --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 1ccd9091be..a834084b71 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -287,6 +287,7 @@ const AVCodecTag ff_codec_wav_tags[] = { { CODEC_ID_ADPCM_YAMAHA, 0x0020 }, { CODEC_ID_TRUESPEECH, 0x0022 }, { CODEC_ID_GSM_MS, 0x0031 }, + { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */ { CODEC_ID_ADPCM_G726, 0x0045 }, { CODEC_ID_MP2, 0x0050 }, { CODEC_ID_MP3, 0x0055 }, From 902e9595e3ac5afdedf273a4e69fb43e32d518af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Oct 2011 00:38:50 +0200 Subject: [PATCH 204/290] MAINTAINERS: new ffplay maintainer 
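Review bot: `out_size = MPC_FRAME_SIZE * 2 * avctx->channels;` hard-codes 2 bytes per sample, whereas the sibling checks added to qdm2, sipr and qcelp in this series derive it from `av_get_bytes_per_sample(avctx->sample_fmt)`; `MPC_FRAME_SIZE * avctx->channels * av_get_bytes_per_sample(avctx->sample_fmt)` keeps the check tied to the format the decoder actually sets rather than to an assumption about it. mpc8_decode_frame starts and ends outside the hunk.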
Signed-off-by: Michael Niedermayer (cherry picked from commit cffd20b90ee6f35e37cdb51dd94e6b2174fd31b6) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index fb28a4e822..8409cd1930 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19,7 +19,7 @@ ffmpeg: ffmpeg.c Michael Niedermayer ffplay: - ffplay.c Michael Niedermayer + ffplay.c Marton Balint ffprobe: ffprobe.c Stefano Sabatini From 78eab18740b457bc482845d5f4ec8fe484e0afb3 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:57:04 -0400 Subject: [PATCH 205/290] qdm2: check output buffer size before decoding (cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1665c8daed..144ce98042 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1958,13 +1958,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx, int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; int16_t *out = data; - int i; + int i, out_size; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; + out_size = 16 * s->channels * s->frame_size * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); @@ -1974,7 +1981,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, out += s->channels * s->frame_size; } - *data_size = (uint8_t*)out - (uint8_t*)data; + *data_size = out_size; return s->checksum_size; } From 4f45967cf5138fb2c7567c5b3d0fb697998b2aeb Mon Sep 17 00:00:00 2001 
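Review bot: Replacing the measured `(uint8_t*)out - (uint8_t*)data` with the precomputed `out_size` assumes the loop above always completes all 16 iterations of `s->channels * s->frame_size` samples; if any iteration of that loop (its header is outside the hunk) can stop early, `*data_size` now overstates what was written and the caller would consume uninitialised buffer bytes as audio. Either keep the subtraction for the final store or add a comment/assert that the loop is unconditional, e.g. `/* the loop below writes exactly out_size bytes */`. The product `16 * s->channels * s->frame_size * bps` is computed in int with no bound visible on channels or frame_size — presumably validated at init, worth confirming. qdm2_decode_frame starts and ends outside the hunk.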
From: Michael Niedermayer Date: Tue, 4 Oct 2011 04:21:19 +0200 Subject: [PATCH 206/290] ff_dv_frame_profile2: Check input buffer size. Based on code by DivX, Inc. / drffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51b0694bc051cda2bfed048a35e694d1047c6ef0) Signed-off-by: Michael Niedermayer --- libavcodec/dvdata.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c index 05993d874f..db6ed2b871 100644 --- a/libavcodec/dvdata.c +++ b/libavcodec/dvdata.c @@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = { const DVprofile* ff_dv_frame_profile(const DVprofile *sys, const uint8_t* frame, unsigned buf_size) { - int i; + int i, dsf, stype; - int dsf = (frame[3] & 0x80) >> 7; + if(buf_size < DV_PROFILE_BYTES) + return NULL; - int stype = frame[80*5 + 48 + 3] & 0x1f; + dsf = (frame[3] & 0x80) >> 7; + stype = frame[80*5 + 48 + 3] & 0x1f; /* 576i50 25Mbps 4:1:1 is a special case */ if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) { From c2d017e88ff6bb0f557dabfe795d0907c2d11849 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 20 Sep 2011 15:27:44 -0400 Subject: [PATCH 207/290] sipr: fix the output data size check and only calculate it once. (cherry picked from commit 1b5a189f06879338088809b3049ea7620f4e7e78) Signed-off-by: Michael Niedermayer --- libavcodec/sipr.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index 9befe8a158..db5ded740f 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -509,7 +509,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, GetBitContext gb; float *data = datap; int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE; - int i; + int i, out_size; ctx->avctx = avctx; if (avpkt->size < (mode_par->bits_per_frame >> 3)) { 
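Review bot: The new `buf_size < DV_PROFILE_BYTES` guard is only sufficient if DV_PROFILE_BYTES exceeds the furthest offset read here, `frame[80*5 + 48 + 3]` (index 451); I believe it is 6*80 = 480 in dvdata.h, so this holds, but a comment tying the two, `/* reads up to frame[451]; DV_PROFILE_BYTES must stay above that */`, would prevent a silent regression if either changes. The function now returns NULL on short input, so callers that previously dereferenced the result unconditionally need a matching check (not visible here). The commit title names ff_dv_frame_profile2 while the hunk patches ff_dv_frame_profile. The function continues past the hunk.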
@@ -520,7 +520,11 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, *data_size = 0; return -1; } - if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) { + + out_size = mode_par->frames_per_packet * subframe_size * + mode_par->subframe_count * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { av_log(avctx, AV_LOG_ERROR, "Error processing packet: output buffer (%d) too small\n", *data_size); @@ -542,8 +546,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, data += subframe_size * mode_par->subframe_count; } - *data_size = mode_par->frames_per_packet * subframe_size * - mode_par->subframe_count * sizeof(float); + *data_size = out_size; return mode_par->bits_per_frame >> 3; } From 2809f4ab934ca94b32e64f3a70e6008cd3876420 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:38:07 -0400 Subject: [PATCH 208/290] qcelp: check output buffer size before decoding (cherry picked from commit e43dd3d2a8e106169e707484090a2d973ece2184) Signed-off-by: Michael Niedermayer --- libavcodec/qcelpdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c index e83704d801..61c812c85d 100644 --- a/libavcodec/qcelpdec.c +++ b/libavcodec/qcelpdec.c @@ -738,11 +738,17 @@ static int qcelp_decode_frame(AVCodecContext *avctx, void *data, int *data_size, int buf_size = avpkt->size; QCELPContext *q = avctx->priv_data; float *outbuffer = data; - int i; + int i, out_size; float quantized_lspf[10], lpc[10]; float gain[16]; float *formant_mem; + out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q) { warn_insufficient_frame_quality(avctx, "bitrate cannot be determined."); 
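Review bot: The error message on the too-small path still prints only `*data_size` and not the size that was required, so the user cannot tell how far off the buffer is; `"Error processing packet: output buffer (%d) too small, need %d\n", *data_size, out_size` makes the log actionable. The new `out_size` uses `av_get_bytes_per_sample(avctx->sample_fmt)` while the decode loop advances `data` as a `float *`, which is only consistent if sample_fmt is FLT — a one-line comment recording that assumption would help. sipr_decode_frame starts and ends outside the hunk.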
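Review bot: The `160` in `out_size = 160 * av_get_bytes_per_sample(...)` is the per-frame sample count that previously appeared as `160 * sizeof(*outbuffer)` at the end of the function; now that it is computed once, name it (e.g. `QCELP_FRAME_SAMPLES`, constructed) or at least annotate it, `/* 160 samples per 20 ms frame at 8 kHz */` (presumed — confirm), so the two uses stay tied. Since `outbuffer` is a `float *`, the switch from `sizeof(*outbuffer)` to `av_get_bytes_per_sample` is only equivalent when sample_fmt is FLT, which is presumably what init sets. qcelp_decode_frame continues beyond the hunk.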
@@ -837,7 +843,7 @@ erasure: memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf)); q->prev_bitrate = q->bitrate; - *data_size = 160 * sizeof(*outbuffer); + *data_size = out_size; return buf_size; } From b491c15c8530fafdf5fcef25b1918339f196fbad Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 4 Oct 2011 22:13:56 +0200 Subject: [PATCH 209/290] h254: explicitly initialize bit depth/chroma idc Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 96d8ecf77a..fd33aeff3e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1019,8 +1019,12 @@ static av_cold void common_init(H264Context *h){ s->height = s->avctx->height; s->codec_id= s->avctx->codec->id; - ff_h264dsp_init(&h->h264dsp, 8); - ff_h264_pred_init(&h->hpc, s->codec_id, 8); + s->avctx->bits_per_raw_sample = 8; + + ff_h264dsp_init(&h->h264dsp, + s->avctx->bits_per_raw_sample); + ff_h264_pred_init(&h->hpc, s->codec_id, + s->avctx->bits_per_raw_sample); h->dequant_coeff_pps= -1; s->unrestricted_mv=1; From 5d2b6006f0567629324613ee73b779acbaf8f039 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Oct 2011 07:37:24 -0700 Subject: [PATCH 210/290] mpegvideo: fix position of bottom edge. It was wrong in colorspaces where horizontal and vertical chroma subsampling are not the same, e.g. 422. Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index a505b9071c..9c47c15a51 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
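Review bot: The hunk initializes `s->avctx->bits_per_raw_sample` but nothing in it touches chroma_format_idc, although the subject names both; if chroma idc is set elsewhere in common_init that is outside this hunk, otherwise it stays implicit. A one-line comment above the assignment, `/* default to 8-bit; presumably overridden once an SPS is parsed */`, would record why the value is fixed here rather than passed as a literal to the dsp init calls. common_init continues outside the hunk.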
@@ -2302,12 +2302,15 @@ void ff_draw_horiz_band(MpegEncContext *s, int y, int h){ edge_h= FFMIN(h, s->v_edge_pos - y); - s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize, - s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides); - s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); - s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize, + s->linesize, s->h_edge_pos, edge_h, + EDGE_WIDTH, EDGE_WIDTH, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); } h= FFMIN(h, s->avctx->height - y); From 614ef0dc0d9f2d6ec7e2e41a00d285b7a6a2eea1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2011 22:54:00 +0200 Subject: [PATCH 211/290] h264: fix fill_colmap() to not store entries mbaff style when the reference is not mbaff at all Signed-off-by: Michael Niedermayer (cherry picked from commit a3ba542af39ba4425cbb44d2a0ae09c212b40001) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 34a4ff727f..0b19353656 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c 
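Review bot: The two chroma `draw_edges` calls differ only in the plane index, which is how the earlier `edge_h>>hshift` slip went unnoticed; a loop over planes 1 and 2, or a small helper taking the plane index, would leave one place where the shift pairing has to be right. If the calls stay as they are, a comment such as `/* width terms use hshift, height terms use vshift */` above them would help. ff_draw_horiz_band continues outside the hunk.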
@@ -89,7 +89,8 @@ static void fill_colmap(H264Context *h, int map[2][16+32], int list, int field, for(j=start; jref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){ int cur_ref= mbafi ? (j-16)^field : j; - map[list][2*old_ref + (rfield^field) + 16] = cur_ref; + if(ref1->mbaff) + map[list][2*old_ref + (rfield^field) + 16] = cur_ref; if(rfield == field || !interl) map[list][old_ref] = cur_ref; break; From 06b15b371539cb2f05f717b228d9173d4aee991d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 6 Oct 2011 21:55:44 +0200 Subject: [PATCH 212/290] h264: fix the size of PPS::chroma_qp_table Signed-off-by: Michael Niedermayer (cherry picked from commit e588a5c2d418fdcf08ece076a2642de44f444d55) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 0a380e03c1..a6f39730ff 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -227,7 +227,7 @@ typedef struct PPS{ int transform_8x8_mode; ///< transform_8x8_mode_flag uint8_t scaling_matrix4[6][16]; uint8_t scaling_matrix8[6][64]; - uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table + uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table int chroma_qp_diff; }PPS; From 4c5cdb493c25a0ffb05022e7afa001725e0adc62 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:09:42 +0100 Subject: [PATCH 213/290] put_bits: fix invalid shift by 32 in flush_put_bits() If flush_put_bits() is called when the 32-bit buffer is empty, e.g. after writing a multiple of 32 bits, and invalid shift by 32 is performed. Since flush_put_bits() is called infrequently, this additional check should have negligible performance impact. Signed-off-by: Mans Rullgard (cherry picked from commit ac6eab1496aad6f8b09deabbef4fe5fd829e142d) 
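Review bot: The reason the `+16` entries must only be written when `ref1->mbaff` is set lives solely in the commit message, so a comment on the new condition would help the next reader, e.g. `/* the upper 16+ entries are field-pair (mbaff) indices; only valid if the reference itself is mbaff */`. The index `2*old_ref + (rfield^field) + 16` stays within `map[list][16+32]` only while old_ref < 16, which this hunk does not check and the caller presumably guarantees. fill_colmap starts outside the hunk and its loop header is garbled in this rendering.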
Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 79016912d5..ccd2565920 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -100,7 +100,8 @@ static inline void flush_put_bits(PutBitContext *s) align_put_bits(s); #else #ifndef BITSTREAM_WRITER_LE - s->bit_buf<<= s->bit_left; + if (s->bit_left < 32) + s->bit_buf<<= s->bit_left; #endif while (s->bit_left < 32) { /* XXX: should test end of buffer */ From c2c83dcb322504807388f804d73d75a45fab004b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:41:23 +0100 Subject: [PATCH 214/290] aacdec: fix undefined shifts Since nnz can be zero, this is needed to avoid a shift by 32. Signed-off-by: Mans Rullgard (cherry picked from commit d12294304acd82cb219e3f66ca9cd6efb2194fa4) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 6cc0cec0f0..e9f2cc53e9 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1090,7 +1090,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - bits = SHOW_UBITS(re, gb, nnz) << (32-nnz); + bits = nnz ? GET_CACHE(re, gb) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx); } while (len -= 4); @@ -1130,7 +1130,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12); + sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx); } while (len -= 2); From 37ce6ba425d70718b646ba49ec23761abd511d9e Mon Sep 17 00:00:00 2001 
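Review bot: The new `if (s->bit_left < 32)` guard removes the shift by 32, but the `/* XXX: should test end of buffer */` comment on the write loop just below shows the flush still writes without an end-of-buffer check, so callers must keep sizing the buffer to absorb the flush; that is unchanged by this commit and worth stating in the function's documentation. When `bit_left == 32` nothing is pending and the loop does not run either, so skipping the shift is consistent. The LE variant has no shift here and is unaffected.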
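Review bot: `bits = nnz ? GET_CACHE(re, gb) : 0;` hands VMUL4S the whole cache word instead of the previous `SHOW_UBITS(re, gb, nnz) << (32-nnz)`, so the low `32-nnz` bits are now arbitrary stream bits rather than zeros; that is only safe if VMUL4S consumes just the top nnz sign bits, which is not visible here. A comment such as `/* only the top nnz bits are sign bits; VMUL4S must not look further */` would pin that assumption. The matching nnz==0 guard in the second hunk keeps SHOW_UBITS away from a zero-width read. Both hunks sit inside decode_spectrum_and_dequant, which starts outside this view.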
From: Mans Rullgard Date: Sat, 8 Oct 2011 13:49:42 +0100 Subject: [PATCH 215/290] dca: fix signed overflow in shift Signed-off-by: Mans Rullgard (cherry picked from commit 559c244d42be7a02c23976216b47fd63b80d6c7f) Signed-off-by: Michael Niedermayer --- libavcodec/dca.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 69df8f4597..24153ebdd2 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -905,7 +905,8 @@ static void qmf_32_subbands(DCAContext * s, int chans, for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ for (i = 0; i < sb_act; i++){ - uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; + unsigned sign = (i - 1) & 2; + uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30; AV_WN32A(&s->raXin[i], v); } From 4ba0e0375961fcb05d0d4258e75c807c1ed577f5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:52:44 +0100 Subject: [PATCH 216/290] motion_est: fix some signed overflows Signed-off-by: Mans Rullgard (cherry picked from commit e708afd3c026a9eb547dab07781320a7e2564312) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index c12ebf4c7c..02e804d88f 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1040,7 +1040,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, /* intra / predictive decision */ pix = c->src[0][0]; sum = s->dsp.pix_sum(pix, s->linesize); - varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500; + varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500; pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8; 
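Review bot: `AV_RN32A(&samples_in[i][subindex]) ^ sign << 30` relies on `<<` binding tighter than `^`, which is correct but easy to misread; `^ (sign << 30)` would make the intent visible. For `i == 0`, `(i - 1) & 2` is evaluated on an int as `-1 & 2` before the unsigned conversion and yields 2, so the sign-flip pattern of the old code is preserved. qmf_32_subbands continues outside the hunk.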
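Review bot: `(unsigned)sum*sum` is well-defined only because the pixel sum of a 16x16 8-bit block is at most 65280, whose square fits in 32 unsigned bits but not in a signed int, and `varc` stays non-negative afterwards only because, if pix_norm1 is the sum of squares, `sum*sum/256` can never exceed it (Cauchy–Schwarz); neither fact is recorded at the line. A comment such as `/* sum <= 255*256: the square fits in unsigned but overflows int */` would help, and the identical expression in mpegvideo_enc.c mb_var_thread later on this page deserves the same. The 16x16 block size is inferred from the name pix_sum rather than visible here. The second hunk's `unsigned mean` makes `mean *= 0x01010101` well-defined for the same reason; ff_estimate_p_frame_motion extends beyond both hunks.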
@@ -1202,7 +1202,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){ intra_score= varc - 500; }else{ - int mean= (sum+128)>>8; + unsigned mean = (sum+128)>>8; mean*= 0x01010101; for(i=0; i<16; i++){ From f7be632cbde8aa094535edf0af3a30a7556acbac Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 15:03:51 +0100 Subject: [PATCH 217/290] vp8: fix signed overflows In addition to avoiding undefined behaviour, an unsigned type makes more sense for packing multiple 8-bit values. Signed-off-by: Mans Rullgard (cherry picked from commit bb59156606e00057a706ed30165bc7329db3823f) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3e93653085..a417ae3672 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -919,7 +919,8 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, int mb_x, int mb_y) { AVCodecContext *avctx = s->avctx; - int x, y, mode, nnz, tr; + int x, y, mode, nnz; + uint32_t tr; // for the first row, we need to run xchg_mb_border to init the top edge to 127 // otherwise, skip it if we aren't going to deblock @@ -948,7 +949,7 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, // from the top macroblock if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) && mb_x == s->mb_width-1) { - tr = tr_right[-1]*0x01010101; + tr = tr_right[-1]*0x01010101u; tr_right = (uint8_t *)&tr; } From edc942202b577946c265fe9fdff236fac2b2cc2f Mon Sep 17 00:00:00 2001 
From: Mans Rullgard Date: Sat, 8 Oct 2011 02:06:26 +0100 Subject: [PATCH 218/290] lavf: fix signed overflow in avformat_find_stream_info() On the first iteration through this code, last_dts is always INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in an invalid manner. Although the result is only used if the input values are valid, performing the subtraction is still not allowed in a strict environment. Signed-off-by: Mans Rullgard (cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b15582acb1..400d96826d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2396,9 +2396,9 @@ int av_find_stream_info(AVFormatContext *ic) } { int64_t last = st->info->last_dts; - int64_t duration= pkt->dts - last; - if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){ + if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){ + int64_t duration= pkt->dts - last; double dur= duration * av_q2d(st->time_base); // if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO) From 1646d2d2ae20c32b075cf271c7b276a1d587ebe4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:30 +0200 Subject: [PATCH 219/290] eamad: clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer Signed-off-by: Michael Niedermayer (cherry picked from commit 74b9c598396f76407c6b3841c10bc67ddddb2a98) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index d4881ab843..ee8158174a 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
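Review bot: Moving the subtraction under `pkt->dts > last` removes the AV_NOPTS_VALUE case, but `pkt->dts - last` can still overflow when both values are valid and far apart, e.g. a large positive dts after a large negative last_dts, and both come from the demuxed input. Extending the condition with `&& (last >= 0 || pkt->dts <= INT64_MAX + last)` rejects exactly the pairs whose difference does not fit, without touching the normal path. av_find_stream_info continues outside the hunk.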
@@ -280,6 +280,7 @@ static int decode_frame(AVCodecContext *avctx, if (!t->bitstream_buf) return AVERROR(ENOMEM); bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2); + memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf)); for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++) From 44740513709cb326667fc8b7d24abb6e16aacee6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:27 +0200 Subject: [PATCH 220/290] eatgv: fix out of bound reads on corrupted motions vectors. Signed-off-by: Michael Niedermayer (cherry picked from commit 09302a897d1990b1338f049fcd29638d736b8823) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 0855f10417..f50a308467 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; + unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + x*4 + s->mv_codebook[vector][0]; src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) continue; }else{ int offset = vector - num_mvs; From 1b6e6439faafb8de96ce01f008918ea36eaff8c2 Mon Sep 17 00:00:00 2001 
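Review bot: The memset clears from `buf_end - buf` onward, but `bswap16_buf(..., (buf_end-buf)/2)` fills only an even number of bytes, so for an odd input size the byte at index `(buf_end-buf) - 1` is neither swapped nor cleared while `init_get_bits` still exposes it through `8*(buf_end-buf)` bits; starting the clear one byte earlier in that case closes it: `memset((uint8_t*)t->bitstream_buf + ((buf_end-buf) & ~1), 0, ((buf_end-buf) & 1) + FF_INPUT_BUFFER_PADDING_SIZE);`. This also assumes bitstream_buf was allocated with FF_INPUT_BUFFER_PADDING_SIZE spare bytes; the allocation is outside the hunk. decode_frame continues outside the hunk.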
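Review bot: The `src < s->last_frame.data[0]` test compares a pointer that may already have been formed outside the frame buffer, which C leaves undefined even though it behaves on flat address spaces; patch 221 later on this page switches to offset arithmetic, which is the sound form. The `height*linesize` correction for `frame0_end` is right but still an `int` product, which the later patch makes unsigned. tgv_decode_inter continues outside the hunk.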
From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:28 +0200 Subject: [PATCH 221/290] eatgv: fix pointer arithmetic overflows. Signed-off-by: Michael Niedermayer (cherry picked from commit 6bfe0d4c3d7de11e859ea6720b011cf5fdf5ef03) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index f50a308467..fb88dce5d3 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst else src += 2; - if (src+3>src_end) + if (src_end - src < 3) return -1; size = AV_RB24(src); src += 3; @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; + unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b int mvbits; const unsigned char *blocks_raw; - if(buf+12>buf_end) + if(buf_end - buf < 12) return -1; num_mvs = AV_RL16(&buf[0]); @@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b /* read motion vectors */ mvbits = (num_mvs*2*10+31) & ~31; - if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end) + if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed) return -1; init_get_bits(&gb, buf, mvbits); 
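Review bot: `unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];` still forms the product in `int` before the conversion, so it is overflow-free only while height times linesize stays below 2^31, which the dimension checks at init presumably guarantee; `(unsigned)s->avctx->height * s->last_frame.linesize[0]` would make the arithmetic itself unsigned. The `buf_end - buf < N` rewrites in the other hunks are the sound replacement for the earlier pointer comparisons. unpack and tgv_decode_inter each continue outside their hunks.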
@@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b int src_stride; if (vector < num_mvs) { - src = s->last_frame.data[0] + - (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + - x*4 + s->mv_codebook[vector][0]; + unsigned offset = + (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + + x*4 + s->mv_codebook[vector][0]; + src_stride = s->last_frame.linesize[0]; - if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) + if (offset >= last_frame_size - (3*src_stride+3)) continue; + src = s->last_frame.data[0] + offset; }else{ int offset = vector - num_mvs; if (offsetbuf_end) { + if(buf_end - buf < 12) { av_log(avctx, AV_LOG_WARNING, "truncated header\n"); return -1; } @@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx, pal_count = AV_RL16(&buf[6]); buf += 12; - for(i=0; i= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } From 7b3c851526740cb77fe5af0e48c50b7ead1e0143 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:32 +0200 Subject: [PATCH 222/290] eamad: avoid NULL derefence when missing the reference frame. Signed-off-by: Michael Niedermayer (cherry picked from commit 6e20554a6d33e92b81dc3cfed6082e03bff2a7f8) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index ee8158174a..f5b25354f1 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -205,7 +205,8 @@ static void decode_mb(MadContext *t, int inter) for (j=0; j<6; j++) { if (mv_map & (1<gb); - comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); + if (t->last_frame.data[0]) + comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); } else { s->dsp.clear_block(t->block); decode_block_intra(t, t->block); From 79bafbb0dd6af48eae51eb69c472208f97eff11d Mon Sep 17 00:00:00 2001 
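Review bot: `if (offset >= last_frame_size - (3*src_stride+3))` wraps when `last_frame_size` is smaller than `3*src_stride+3` (a frame under four rows), after which every offset passes; a form that cannot wrap is `if (offset >= last_frame_size || last_frame_size - offset <= 3*src_stride + 3) continue;`. Negative motion vectors turn `offset` into a large unsigned value and are correctly rejected by the `>=` test. The rest of this hunk and the following tgv_decode_frame hunks are garbled in this rendering (the text after `if (offset` is missing), so they could not be reviewed. tgv_decode_inter starts outside the hunk.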
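Review bot: Skipping `comp_block` when `t->last_frame.data[0]` is NULL avoids the dereference but leaves those blocks of the current frame holding whatever the buffer contained, and the caller is not told; an `av_log` at AV_LOG_WARNING, or an error return for an inter frame without a reference, would make such streams visible instead of silently decoding noise. The loop condition in this hunk is garbled in the rendering (`(1<gb)`), so the surrounding control flow could not be checked. decode_mb continues outside the hunk.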
From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:31 +0200 Subject: [PATCH 223/290] eamad: check for out of bound reads when doing MC Signed-off-by: Michael Niedermayer (cherry picked from commit da35797359cec148f3fe59894c62727b0422d75a) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index f5b25354f1..150bd08108 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -85,15 +85,21 @@ static inline void comp_block(MadContext *t, int mb_x, int mb_y, { MpegEncContext *s = &t->s; if (j < 4) { + unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x; + if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7) + return; comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3), t->frame.linesize[0], - t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x, + t->last_frame.data[0] + offset, t->last_frame.linesize[0], add); } else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) { int index = j - 3; + unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2); + if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7) + return; comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8, t->frame.linesize[index], - t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2), + t->last_frame.data[index] + offset, t->last_frame.linesize[index], add); } } From 5415c488f9c6103df06ccfdc77dd50d1f030d271 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:33 +0200 Subject: [PATCH 224/290] eamad: release the reference frame on video size changes Signed-off-by: Michael Niedermayer (cherry picked from commit 6c1fb3e7631178c2a45c6c41b9b8d9ee3a5298fc) 
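Review bot: Both new bound checks compute the limit as a signed expression, `(s->height - 7) * t->last_frame.linesize[0] - 7` and `(s->height/2 - 7) * t->last_frame.linesize[index] - 7`, then compare it with an `unsigned offset`; for a height below 7 (or 14 for chroma) the limit goes negative, converts to a huge unsigned value, and the check admits everything. Forming the limit in `unsigned` behind an explicit small-height reject, e.g. `if (s->height < 8) return;` before the luma check, would close that. The checks also bound only the block's start, so horizontal overshoot through `mv_x` stays inside the buffer but reads the neighbouring row, a correctness rather than memory-safety concern. They use `s->height` while reading from `last_frame`; patch 224 on this page releases last_frame on size changes, which keeps the two consistent. comp_block's signature begins outside the hunk.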
Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 150bd08108..602bbfcf93 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -273,6 +273,8 @@ static int decode_frame(AVCodecContext *avctx, avcodec_set_dimensions(avctx, s->width, s->height); if (t->frame.data[0]) avctx->release_buffer(avctx, &t->frame); + if (t->last_frame.data[0]) + avctx->release_buffer(avctx, &t->last_frame); } t->frame.reference = 1; From 2fdbc1d5533ce596bc7e4872dd801c5cdda58aeb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:39 +0200 Subject: [PATCH 225/290] vqavideo: check for invalid/unsupported version Signed-off-by: Michael Niedermayer (cherry picked from commit b226af39107f09cd650875388250f4968eea54db) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index ca4fd94d75..6d7f65a051 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -138,6 +138,10 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) /* load up the VQA parameters from the header */ vqa_header = (unsigned char *)s->avctx->extradata; s->vqa_version = vqa_header[0]; + if (s->vqa_version < 1 || s->vqa_version > 3) { + av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version); + return -1; + } s->width = AV_RL16(&vqa_header[6]); s->height = AV_RL16(&vqa_header[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ From b832e539c0dceb2108c8b7f824d9eff9d751853a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:37 +0200 Subject: [PATCH 226/290] vqa: fix double free on corrupted streams Signed-off-by: Michael Niedermayer (cherry picked from commit e3123856c79c36507772ada1bcda6cfe36a1e297) Signed-off-by: Michael Niedermayer --- libavformat/westwood.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
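Review bot: `vqa_header = (unsigned char *)s->avctx->extradata` is dereferenced at offsets 0, 6 and 8–9 with no visible check of `avctx->extradata_size`, so truncated or absent extradata is read out of bounds before the new version check can help; unless a size check exists above the hunk, add `if (avctx->extradata_size < 10) return -1;` ahead of the first read (10 covers only the bytes read in this hunk; the real header may be longer). The version check itself is fine. vqa_decode_init continues outside the hunk.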
diff --git a/libavformat/westwood.c b/libavformat/westwood.c index 818fe2d8d3..dd6ddef905 100644 --- a/libavformat/westwood.c +++ b/libavformat/westwood.c @@ -277,10 +277,8 @@ static int wsvqa_read_header(AVFormatContext *s, /* there are 0 or more chunks before the FINF chunk; iterate until * FINF has been skipped and the file will be ready to be demuxed */ do { - if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) { - av_free(st->codec->extradata); + if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) return AVERROR(EIO); - } chunk_tag = AV_RB32(&scratch[0]); chunk_size = AV_RB32(&scratch[4]); From 7ab0b6b7eda60e235b7db07a6895fa8bdade01c8 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 9 Oct 2011 01:54:41 +0200 Subject: [PATCH 227/290] vqavideo: check for out of bound reads. Signed-off-by: Michael Niedermayer (cherry picked from commit 6d45702f7f257c1cfcd3ce3287bf258854528a4a) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 6d7f65a051..64a68e1ca1 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -230,6 +230,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; @@ -252,6 +254,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; 
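Review bot: Dropping the `av_free(st->codec->extradata)` on the short-read path is the fix, but nothing in the code now records that the stream owns the buffer; a comment on the return, `/* extradata belongs to the stream and is freed with it; freeing here caused a double free */`, would keep the next person from reinstating it. Removing the braces around the single-statement `if` matches the file's style. wsvqa_read_header continues outside the hunk.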
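Review bot: The new `if (src_pos + count > dest_size) return;` guards the absolute copies in cases (1) and (3), and `if (dest_index < src_pos) return;` guards the relative copy in case (5) on the next line of this page; all three bail out silently from a `void` function, so a truncated or malformed format80 block leaves the rest of `dest` unwritten with no signal to the caller. Logging at AV_LOG_ERROR, or returning an error from the function, would make the corruption visible. Whether `CHECK_COUNT()` already bounds `dest_index + count` against `dest_size` is not visible here, so the forward-write side of the copy is assumed checked. decode_format80 starts outside these hunks.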
@@ -272,6 +276,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos); CHECK_COUNT(); + if (dest_index < src_pos) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[dest_index - src_pos + i]; dest_index += count; From 67c46b9b3027fdd9fd737e21a80d3326748b1c15 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:01:33 +0200 Subject: [PATCH 228/290] qtrle: check for invalid line offset Signed-off-by: Michael Niedermayer (cherry picked from commit a4ed7c3fe9f99b89f86b65710d8855dc572f1a25) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 2cc2de2e23..0f280f5829 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -464,6 +464,8 @@ static int qtrle_decode_frame(AVCodecContext *avctx, stream_ptr += 4; height = AV_RB16(&s->buf[stream_ptr]); stream_ptr += 4; + if (height > s->avctx->height - start_line) + goto done; } else { start_line = 0; height = s->avctx->height; From ca58b215ab2c4d593b8be04420dfa6c1720a409c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 21:57:27 +0200 Subject: [PATCH 229/290] txd: check for out of bound reads. Signed-off-by: Michael Niedermayer (cherry picked from commit e182de9a98272fbe4f368000911191aaeb0d6fb3) Signed-off-by: Michael Niedermayer --- libavcodec/txd.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 0e25458c86..219c337534 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -23,6 +23,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" +#include "bytestream.h" #include "avcodec.h" #include "s3tc.h" 
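Review bot: `if (height > s->avctx->height - start_line) goto done;` handles an oversized height, but its behaviour for a `start_line` larger than `avctx->height` depends on the types: with `int` operands the negative right side rejects the frame, while if either is unsigned the difference wraps and the check passes; `start_line` is read from the stream above this hunk and its declaration is not visible. An explicit `if (start_line > s->avctx->height) goto done;` removes the dependency either way. qtrle_decode_frame continues outside the hunk.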
@@ -42,6 +43,7 @@ static av_cold int txd_init(AVCodecContext *avctx) { static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; TXDContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -52,6 +54,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, const uint32_t *palette = (const uint32_t *)(cur + 88); uint32_t *pal; + if (buf_end - cur < 92) + return AVERROR_INVALIDDATA; version = AV_RL32(cur); d3d_format = AV_RL32(cur+76); w = AV_RL16(cur+80); @@ -69,6 +73,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (depth == 8) { avctx->pix_fmt = PIX_FMT_PAL8; + if (buf_end - cur < 1024) + return AVERROR_INVALIDDATA; cur += 1024; } else if (depth == 16 || depth == 32) avctx->pix_fmt = PIX_FMT_RGB32; @@ -100,6 +106,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, v = AV_RB32(palette+y); pal[y] = (v>>8) + (v<<24); } + if (buf_end - cur < w * h) + return AVERROR_INVALIDDATA; for (y=0; y 1; mipmap_count--) - cur += AV_RL32(cur) + 4; + for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) { + uint32_t length = bytestream_get_le32(&cur); + if (buf_end - cur < length) + break; + cur += length; + } *picture = s->picture; *data_size = sizeof(AVPicture); From adb12c4deb7685037439ecaea5cac890a6e1f9c3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:34 +0200 Subject: [PATCH 230/290] xxan: check for out of bound accesses Signed-off-by: Michael Niedermayer (cherry picked from commit a68a6a4fb19caecc91d5f7fe3ef4f83f6d3c4586) Signed-off-by: Michael Niedermayer --- libavcodec/xxan.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 10ec53f467..c93ff43663 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c 
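Review bot: `if (buf_end - cur < w * h)` forms `w * h` in the type of `w` and `h`, which come from `AV_RL16` and can each be up to 65535; if they are `int`, the product can overflow before the comparison and let the check pass for absurd dimensions unless av_image_check_size has already rejected them above the hunk, which is not visible. Comparing against `(int64_t)w * h`, or placing the check after the dimension validation, avoids relying on that. The other additions (`< 92`, `< 1024`, and the mipmap loop's `buf_end - cur < length`) are sound, the loop's `uint32_t length` being compared against a non-negative ptrdiff_t. txd_decode_frame starts outside the hunk and part of the pixel loop is garbled in this rendering.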
@@ -129,7 +129,9 @@ static int xan_unpack(uint8_t *dest, const int dest_len, if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || + dest + size + size2 > dest_end || + dest + size - orig_dest < back ) return -1; bytestream_get_buffer(&src, dest, size); dest += size; @@ -194,6 +196,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) if (mode) { for (j = 0; j < avctx->height >> 1; j++) { for (i = 0; i < avctx->width >> 1; i++) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -202,8 +206,6 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) U[i] = uval | (uval >> 5); V[i] = vval | (vval >> 5); } - if (src == src_end) - return 0; } U += s->pic.linesize[1]; V += s->pic.linesize[2]; @@ -214,6 +216,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) for (j = 0; j < avctx->height >> 2; j++) { for (i = 0; i < avctx->width >> 1; i += 2) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -302,6 +306,9 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) corr_end - corr_off); if (dec_size < 0) dec_size = 0; + else + dec_size = FFMIN(dec_size, s->buffer_size/2 - 1); + for (i = 0; i < dec_size; i++) s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F; } From a65045915f5b4ec6da73df54d1914b320a861223 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:36 +0200 Subject: [PATCH 231/290] qtrle: check for out of bound writes. Signed-off-by: Michael Niedermayer (cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 0f280f5829..124106fc16 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c 
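Review bot: In xan_decode_frame_type0, `if (dec_size < 0) dec_size = 0;` turns an unpack failure into a silent no-op while the new `FFMIN(dec_size, s->buffer_size/2 - 1)` clamp silently truncates an oversized result; both hide corrupted input, so an `av_log` at AV_LOG_WARNING on either path would help diagnosis. The clamp keeps the loop's highest index `2*dec_size - 1` below `buffer_size - 2`, which assumes y_buffer holds buffer_size entries; that allocation is not visible. The added `dest + size - orig_dest < back` test in xan_unpack correctly stops the back-reference from reaching before `orig_dest`, and the per-byte `src_end - src < 1` checks in xan_decode_chroma replace the old post-loop test. All three functions begin outside their hunks.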
@@ -127,6 +127,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr, while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -183,6 +184,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -236,6 +238,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -285,6 +288,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -336,6 +340,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { From 115d88c4b218a2659a5ed9437407ddeda0a7e32e Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 21:22:06 +0100 Subject: [PATCH 232/290] h264pred: use unsigned types for pixel values, fix signed overflows 
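Review bot: `CHECK_PIXEL_PTR(0)` after `pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));` is needed because a skip byte of 0 yields a -1 factor and a pointer before the row; the macro body is outside the hunk, so whether it rejects both negative and beyond-limit values is assumed from the `/* make sure pixel_ptr is positive */` comment. A one-line note at the macro definition stating its contract (lower and upper bound, and what happens on failure) would make these call sites reviewable; the same addition appears in qtrle_decode_8bpp, _16bpp, _24bpp and _32bpp on this line. Each of the five decode functions starts outside its hunk.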
Signed-off-by: Mans Rullgard (cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a) Signed-off-by: Michael Niedermayer --- libavcodec/h264pred.c | 10 +++++----- libavcodec/h264pred_template.c | 32 ++++++++++++++++---------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c index f6533cf9ba..4917e0d3a0 100644 --- a/libavcodec/h264pred.c +++ b/libavcodec/h264pred.c @@ -40,7 +40,7 @@ #undef BIT_DEPTH static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_TOP_EDGE LOAD_TOP_RIGHT_EDGE uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2, @@ -55,7 +55,7 @@ static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int st } static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_LEFT_EDGE AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101); @@ -292,7 +292,7 @@ static void pred16x16_tm_vp8_c(uint8_t *src, int stride){ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -307,7 +307,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -322,7 +322,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0=0; + unsigned dc0 = 0; for(i=0;i<4; i++){ dc0+= src[-1+i*stride] + src[i-stride]; diff --git a/libavcodec/h264pred_template.c b/libavcodec/h264pred_template.c index 3cd4463d76..153aabc5f2 100644 --- a/libavcodec/h264pred_template.c +++ b/libavcodec/h264pred_template.c 
@@ -120,28 +120,28 @@ static void FUNCC(pred4x4_129_dc)(uint8_t *_src, const uint8_t *topright, int _s #define LOAD_TOP_RIGHT_EDGE\ - const int av_unused t4= topright[0];\ - const int av_unused t5= topright[1];\ - const int av_unused t6= topright[2];\ - const int av_unused t7= topright[3];\ + const unsigned av_unused t4 = topright[0];\ + const unsigned av_unused t5 = topright[1];\ + const unsigned av_unused t6 = topright[2];\ + const unsigned av_unused t7 = topright[3];\ #define LOAD_DOWN_LEFT_EDGE\ - const int av_unused l4= src[-1+4*stride];\ - const int av_unused l5= src[-1+5*stride];\ - const int av_unused l6= src[-1+6*stride];\ - const int av_unused l7= src[-1+7*stride];\ + const unsigned av_unused l4 = src[-1+4*stride];\ + const unsigned av_unused l5 = src[-1+5*stride];\ + const unsigned av_unused l6 = src[-1+6*stride];\ + const unsigned av_unused l7 = src[-1+7*stride];\ #define LOAD_LEFT_EDGE\ - const int av_unused l0= src[-1+0*stride];\ - const int av_unused l1= src[-1+1*stride];\ - const int av_unused l2= src[-1+2*stride];\ - const int av_unused l3= src[-1+3*stride];\ + const unsigned av_unused l0 = src[-1+0*stride];\ + const unsigned av_unused l1 = src[-1+1*stride];\ + const unsigned av_unused l2 = src[-1+2*stride];\ + const unsigned av_unused l3 = src[-1+3*stride];\ #define LOAD_TOP_EDGE\ - const int av_unused t0= src[ 0-1*stride];\ - const int av_unused t1= src[ 1-1*stride];\ - const int av_unused t2= src[ 2-1*stride];\ - const int av_unused t3= src[ 3-1*stride];\ + const unsigned av_unused t0 = src[ 0-1*stride];\ + const unsigned av_unused t1 = src[ 1-1*stride];\ + const unsigned av_unused t2 = src[ 2-1*stride];\ + const unsigned av_unused t3 = src[ 3-1*stride];\ static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){ pixel *src = (pixel*)_src; From f65e396aa13925f125c320895d4b9eda241fbba6 Mon Sep 17 00:00:00 2001 
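Review bot: Making the LOAD_*_EDGE values unsigned removes the signed-overflow UB in sums and shifts, but it also changes the value of any expression that subtracts edge samples (a TM-style `l0 + t0 - lt`, for instance), which now wraps to a large unsigned instead of going negative; if any user of these macros feeds such a difference into a table index or a signed comparison, it needs a `(int)` cast at the use site. None of the users are in the hunk, so this is an audit request rather than a known breakage. A one-line comment above the first macro, `/* unsigned on purpose: the 8-bit sums and shifts below must not overflow as int */`, would record the reason for the type so nobody reverts it to int for "cleanliness".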
From: Mans Rullgard Date: Sat, 8 Oct 2011 01:59:51 +0100 Subject: [PATCH 233/290] crc: fix signed overflow This fixes a signed overflow from i << 24 when i == 255 by making i unsigned. The result of the shift is already assigned to an variable of unsigned type. Signed-off-by: Mans Rullgard (cherry picked from commit 8b19ae07616bbd18969b94cbf5d74308a8f2bbdf) Signed-off-by: Michael Niedermayer --- libavutil/crc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/crc.c b/libavutil/crc.c index c3d74a2ce9..d0e736ed4d 100644 --- a/libavutil/crc.c +++ b/libavutil/crc.c @@ -57,7 +57,7 @@ static AVCRC av_crc_table[AV_CRC_MAX][257]; * @return <0 on failure */ int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){ - int i, j; + unsigned i, j; uint32_t c; if (bits < 8 || bits > 32 || poly >= (1LL< Date: Sun, 9 Oct 2011 20:32:58 +0100 Subject: [PATCH 234/290] mpegvideo_enc: fix a signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 05795f35be4b479bfa8d60ed3eb13e0f89e439c0) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 3c92aa93f4..b9e141d4cd 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2007,7 +2007,7 @@ static int mb_var_thread(AVCodecContext *c, void *arg){ int varc; int sum = s->dsp.pix_sum(pix, s->linesize); - varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8; + varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8; s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc; s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; From 33029d7353b2d005357ff7ef4d6968a9f70acb69 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:46:22 +0100 Subject: [PATCH 235/290] wmavoice: fix a signed overflow 
Signed-off-by: Mans Rullgard (cherry picked from commit ba3f07d0611d9a6c10eaa90b3c058ecdffe76676) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index c343080b36..22273527af 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1085,7 +1085,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, int excl_range = s->aw_pulse_range; // always 16 or 24 uint16_t *use_mask_ptr = &use_mask[idx >> 4]; int first_sh = 16 - (idx & 15); - *use_mask_ptr++ &= 0xFFFF << first_sh; + *use_mask_ptr++ &= 0xFFFFu << first_sh; excl_range -= first_sh; if (excl_range >= 16) { *use_mask_ptr++ = 0; From 190807a56c88231d26c9f66f0dc19cb32db3afb4 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:38:01 +0100 Subject: [PATCH 236/290] 4xm: fix signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 84dda407628e298f33d610e9e04a8b2945d24665) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7344f4cd1f..3f8061f942 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -279,7 +279,7 @@ static void init_mv(FourXContext *f){ } #endif -static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){ +static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){ int i; dc*= 0x10001; From 9b6080f68523353122e1727a10999bb3bab38e15 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 7 Oct 2011 18:41:06 -0700 Subject: [PATCH 237/290] mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. (cherry picked from commit 0c46e958d1fd3817b8e9fa048d0450d509c80378) 
Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a69944d8d2..953d3b0002 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -223,12 +223,13 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, if (length > 61444) /* worst case PAL 1920 samples 8 channels */ return -1; - av_new_packet(pkt, length); - avio_read(pb, pkt->data, length); + length = av_get_packet(pb, pkt, length); + if (length < 0) + return length; data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ - for (; buf_ptr < end_ptr; ) { + for (; buf_ptr + st->codec->channels*4 < end_ptr; ) { for (i = 0; i < st->codec->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); if (st->codec->bits_per_coded_sample == 24) @@ -238,7 +239,7 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, } buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M } - pkt->size = data_ptr - pkt->data; + av_shrink_packet(pkt, data_ptr - pkt->data); return 0; } @@ -290,12 +291,16 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (memcmp(tmpbuf, checkv, 16)) av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n"); size -= 32; - av_get_packet(pb, pkt, size); + size = av_get_packet(pb, pkt, size); + if (size < 0) + return size; + else if (size < plaintext_size) + return AVERROR_INVALIDDATA; size -= plaintext_size; if (mxf->aesc) av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size], &pkt->data[plaintext_size], size >> 4, ivec, 1); - pkt->size = orig_size; + av_shrink_packet(pkt, orig_size); pkt->stream_index = index; avio_skip(pb, end - avio_tell(pb)); return 0; 
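Review bot: The new loop guard `buf_ptr + st->codec->channels*4 < end_ptr` drops the last sample group of every packet: when exactly `channels*4` bytes remain the condition is false although the inner loop could read them, so `for (; end_ptr - buf_ptr >= st->codec->channels*4; )` is the intended bound (and the subtraction form never forms a pointer past the end). The guard covers only the `channels*4` bytes the inner loop reads, while `buf_ptr += 32 - st->codec->channels*4` assumes one 32-byte SMPTE 331M block per group; `buf_ptr` still advances 32 bytes net per group, but `data_ptr` advances `channels*3` (24-bit) or `channels*2` bytes, so with more than 10 (or 16) channels the in-place writes overtake the reads and can run past the packet. Unless `channels` is validated when the stream is set up (not visible here), a `channels > 8` rejection next to the `length > 61444` check is needed to make the "always 8 channels stored" comment a guarantee. mxf_get_d10_aes3_packet begins outside the hunk.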
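Review bot: `av_shrink_packet(pkt, orig_size)` trusts the container-declared `orig_size` rather than what was actually decrypted: after the new short-read check, `size -= plaintext_size` and `size >> 4` leave up to 15 trailing bytes encrypted, and if `orig_size` exceeds `plaintext_size + size` the shrink is presumably a no-op (av_shrink_packet is not in the hunk), so the decoder can receive ciphertext or a partial block as payload. Clamping to the decrypted extent, `av_shrink_packet(pkt, FFMIN(orig_size, plaintext_size + (size & ~15)));`, bounds the delivered data to what is valid. The `memcmp(tmpbuf, checkv, 16)` mismatch above only logs and continues; it predates this commit, but returning `AVERROR_INVALIDDATA` there would stop a wrong key from producing garbage frames. mxf_decrypt_triplet begins outside the hunk.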
@@ -332,8 +337,11 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n"); return -1; } - } else - av_get_packet(s->pb, pkt, klv.length); + } else { + int ret = av_get_packet(s->pb, pkt, klv.length); + if (ret < 0) + return ret; + } pkt->stream_index = index; pkt->pos = klv.offset; return 0; From 73f85eae68b6d40cad1cd53b04a6ed1a31cced1b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 10 Oct 2011 20:41:31 +0100 Subject: [PATCH 238/290] sipr: fix get_bits(0) calls Zero-length get_bits() is undefined, must check before calling. Signed-off-by: Mans Rullgard (cherry picked from commit c79d2a20bad59298188171f1316a830d563a41ee) Signed-off-by: Michael Niedermayer --- libavcodec/sipr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index db5ded740f..bd7d22388a 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -194,14 +194,16 @@ static void decode_parameters(SiprParameters* parms, GetBitContext *pgb, { int i, j; - parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); + if (p->ma_predictor_bits) + parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); for (i = 0; i < 5; i++) parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]); for (i = 0; i < p->subframe_count; i++) { parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]); - parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); + if (p->gp_index_bits) + parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); for (j = 0; j < p->number_of_fc_indexes; j++) parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]); From 7f7b2e89e270801ea5918afa1432d3bb32f6ebc7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:37:51 -0400 Subject: [PATCH 239/290] smacker: validate number of channels (cherry picked from commit e190e453bd1e4d4b409ed3556b3a50d1087c15d7) 
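Review bot: `av_get_packet(s->pb, pkt, klv.length)` passes the KLV length straight into an `int` parameter; if `klv.length` is wider than int (the KLVPacket definition is outside the hunk, but KLV lengths are 64-bit on the wire), a crafted length can wrap to a small or negative value so the new `ret < 0` path never sees the real size, and a large positive one becomes a file-controlled allocation. A range check before the call, `if (klv.length > INT_MAX) return AVERROR_INVALIDDATA;`, keeps the added error handling meaningful. mxf_read_packet begins outside the hunk.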
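Review bot: Guarding the two `get_bits(pgb, 0)` calls leaves `parms->ma_pred_switch` and `parms->gp_index[i]` untouched when the bit count is zero, so they keep the previous frame's value, or an indeterminate one if `parms` is not zeroed by the caller (the hunk does not show it); `else parms->ma_pred_switch = 0;` and `else parms->gp_index[i] = 0;` make the zero-width case explicit. The remaining calls with `vq_indexes_bits[i]`, `pitch_delay_bits[i]` and `fc_index_bits[j]` stay unguarded, which is correct only if those tables never hold 0; a comment on the mode tables stating that invariant would make the asymmetry deliberate. decode_parameters begins outside the hunk.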
Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index be4bc2336f..30dbaa7dae 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -560,6 +560,10 @@ static av_cold int decode_end(AVCodecContext *avctx) static av_cold int smka_decode_init(AVCodecContext *avctx) { + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); + return AVERROR(EINVAL); + } avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16; return 0; From e6b225532933655d95266ce772b8a45b14aa27ec Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:42:55 -0400 Subject: [PATCH 240/290] smacker: check buffer size before reading output size (cherry picked from commit cf044f8bff0d28dbc34492f18b0d18b3ba8bad9d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 30dbaa7dae..0c1aa16224 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -587,6 +587,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, int bits, stereo; int pred[2] = {0, 0}; + if (buf_size <= 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + unp_size = AV_RL32(buf); init_get_bits(&gb, buf + 4, (buf_size - 4) * 8); From 800ab099e332c93c90634b14309c5d56659223a8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:49:33 -0400 Subject: [PATCH 241/290] smacker: validate channels and sample format. (cherry picked from commit ff1f89de2da3472d133e2c95bf7c9ad2d88df33d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
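Review bot: `return AVERROR(EINVAL);` for a packet of 4 bytes or less reports a bad argument, but the condition is corrupt or truncated stream data; the other fixes in this series (mlpdec, rtpdec) use `AVERROR_INVALIDDATA` for that, so `return AVERROR_INVALIDDATA;` keeps the error reporting consistent and lets callers distinguish misuse from bad input. The `(buf_size - 4) * 8` passed to init_get_bits is still a plain int multiplication; it is only safe if the demuxer bounds packet sizes well below `INT_MAX / 8`, which is not visible here. smka_decode_frame begins and ends outside the hunk.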
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 0c1aa16224..0b7a19aa32 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -607,6 +607,14 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n"); return -1; } + if (stereo ^ (avctx->channels != 1)) { + av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); + return AVERROR(EINVAL); + } + if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) { + av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); + return AVERROR(EINVAL); + } memset(vlc, 0, sizeof(VLC) * 4); memset(h, 0, sizeof(HuffContext) * 4); From 1c3d46a9246af544f3e9b3b81fe8589e58756484 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 11 Oct 2011 16:00:21 +0100 Subject: [PATCH 242/290] h264: fix HRD parameters parsing The bit_rate_value_minus1 and cpb_size_value_minus1 elements allow a wider range than get_ue_golomb() supports. This adds a get_ue_golomb_long() function supporting up to 31 leading zeros, which is the maximum for these syntax elements, and uses it in decode_hrd_parameters(). Signed-off-by: Mans Rullgard (cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 14 ++++++++++++++ libavcodec/h264_ps.c | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 90eeb30b54..8dff0322a7 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h 
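Review bot: `if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8)` rejects 16-bit stream data destined for an 8-bit output, but not the reverse: `bits == 0` with `AV_SAMPLE_FMT_S16` passes, and the decode loop that follows (outside the hunk) would then produce 8-bit samples in a buffer the caller reads as S16 — no overflow, but silently wrong audio. Checking both directions, `if ((bits != 0) != (avctx->sample_fmt == AV_SAMPLE_FMT_S16))`, ties the frame header to the format chosen in init. As with the channel check, `AVERROR_INVALIDDATA` rather than `AVERROR(EINVAL)` would flag this as a stream inconsistency.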
@@ -75,6 +75,20 @@ static inline int get_ue_golomb(GetBitContext *gb){ } } +/** + * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1. + */ +static inline unsigned get_ue_golomb_long(GetBitContext *gb) +{ + unsigned buf, log; + + buf = show_bits_long(gb, 32); + log = 31 - av_log2(buf); + skip_bits_long(gb, log); + + return get_bits_long(gb, log + 1) - 1; +} + /** * read unsigned exp golomb code, constraint to a max of 31. * the return value is undefined if the stored value exceeds 31. diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 423f54b324..89e2502e0d 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -143,8 +143,8 @@ static inline int decode_hrd_parameters(H264Context *h, SPS *sps){ get_bits(&s->gb, 4); /* bit_rate_scale */ get_bits(&s->gb, 4); /* cpb_size_scale */ for(i=0; igb); /* bit_rate_value_minus1 */ - get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */ + get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */ + get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */ get_bits1(&s->gb); /* cbr_flag */ } sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1; From 7d02df7036d4efef1410a840b3e5ffb7a8c42cf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Oct 2011 20:09:53 +0200 Subject: [PATCH 243/290] arm: fix av_clipl_int32() asm Note, the other arm asm code is likely affected too and should be changed as well. Signed-off-by: Michael Niedermayer (cherry picked from commit 96bc6485bc929741827fc0f08ef06bea662a3eea) Signed-off-by: Michael Niedermayer --- libavutil/arm/intmath.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/arm/intmath.h b/libavutil/arm/intmath.h index 4130177549..1e9d3e8b15 100644 --- a/libavutil/arm/intmath.h +++ b/libavutil/arm/intmath.h 
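Review bot: `get_ue_golomb_long` has no handling for `buf == 0` (32 leading zeros, which a truncated or corrupt stream can produce): `av_log2(0)` is not a meaningful value, `log` becomes 31, and `get_bits_long(gb, 32)` consumes bits that do not belong to the code, so the caller gets an arbitrary value and a desynchronised bit position with no error. The doc comment should state the contract, e.g. `Undefined for codes with 32 or more leading zeros (show_bits_long() == 0); callers must tolerate a garbage value on corrupt input`, or the function could return `UINT32_MAX` as an out-of-band marker when `!buf`. For decode_hrd_parameters the value is discarded, so only the bit-position desync matters there, but future callers will read the "0 to UINT32_MAX-1" line as a guarantee.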
@@ -104,7 +104,7 @@ static av_always_inline av_const int32_t av_clipl_int32_arm(int64_t a) "mvnne %1, #1<<31 \n\t" "moveq %0, %Q2 \n\t" "eorne %0, %1, %R2, asr #31 \n\t" - : "=r"(x), "=&r"(y) : "r"(a)); + : "=r"(x), "=&r"(y) : "r"(a):"cc"); return x; } From 5ae87280e219e843c71201c580780e8e30083559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Oct 2011 22:03:19 +0200 Subject: [PATCH 244/290] mem: fix memalign hack av_realloc() Signed-off-by: Michael Niedermayer (cherry picked from commit fc11927890f38445a950b453d24928525da0e61a) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/mem.c b/libavutil/mem.c index a58f432a2c..a53676c553 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -137,7 +137,9 @@ void *av_realloc(void *ptr, size_t size) //FIXME this isn't aligned correctly, though it probably isn't needed if(!ptr) return av_malloc(size); diff= ((char*)ptr)[-1]; - return (char*)realloc((char*)ptr - diff, size + diff) + diff; + ptr= realloc((char*)ptr - diff, size + diff); + if(ptr) ptr = (char*)ptr + diff; + return ptr; #else return realloc(ptr, size + !size); #endif From d398d042c1b141277b81a24ba800db2832c5fe9c Mon Sep 17 00:00:00 2001 From: John Brooks Date: Wed, 12 Oct 2011 11:06:26 +0300 Subject: [PATCH 245/290] rtpdec: Fix the minimum packet length for RTCP SR packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We actually read 20 bytes of these packets. Signed-off-by: Martin Storsjö (cherry picked from commit 5d6ecf5345c0913e2b66427ea062e7989201a139) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index 9fc30d7b66..bc0aea6100 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c 
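Review bot: `diff= ((char*)ptr)[-1]` reads the stored alignment offset through `char`, which is signed on most targets, so an offset of 128 or more would be read as negative and feed both `size + diff` and the pointer adjustment with a wrong value; the offsets av_malloc stores are small in practice and the declaration of `diff` is outside the hunk, so `((unsigned char*)ptr)[-1]` is a robustness change rather than a known bug. The realloc fix itself is right: a NULL from `realloc` now propagates instead of being turned into `NULL + diff`, and the original block stays valid for the caller as the libc contract requires. The `//FIXME this isn't aligned correctly` line would be clearer as `//FIXME: realloc() may move the block, so the returned pointer keeps the old offset but not the original alignment`.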
@@ -114,7 +114,7 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l while (len >= 2) { switch (buf[1]) { case RTCP_SR: - if (len < 16) { + if (len < 20) { av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n"); return AVERROR_INVALIDDATA; } From 2c0cddf25517b2fbe208637e599d517832ebc0e3 Mon Sep 17 00:00:00 2001 From: John Brooks Date: Wed, 12 Oct 2011 00:53:12 -0600 Subject: [PATCH 246/290] rtpdec: Read the packet length for all RTCP packet types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows skipping past unsupported RTCP packet types, as RFC 3550 section 6.1 mandates. Currently this only has any practical effect if a sender puts an unrecognized type before RTCP_BYE in a compounded packet, or (incorrectly) does not put RTCP_SR first. Signed-off-by: Martin Storsjö (cherry picked from commit 07b77fe3871f86b87e35876d38f1969da5ece4b2) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index bc0aea6100..130a78d0d1 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -111,14 +111,15 @@ RTPDynamicProtocolHandler *ff_rtp_handler_find_by_id(int id, static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len) { int payload_len; - while (len >= 2) { + while (len >= 4) { + payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4); + switch (buf[1]) { case RTCP_SR: - if (len < 20) { + if (payload_len < 20) { av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n"); return AVERROR_INVALIDDATA; } - payload_len = (AV_RB16(buf + 2) + 1) * 4; s->last_rtcp_ntp_time = AV_RB64(buf + 8); s->last_rtcp_timestamp = AV_RB32(buf + 16); 
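Review bot: The SR accesses `AV_RB64(buf + 8)` and `AV_RB32(buf + 16)` and the minimum `payload_len < 20` are bare numbers; a comment tying them to the wire layout, `/* RFC 3550 6.4.1: header(4) SSRC(4) NTP ts(8)@+8 RTP ts(4)@+16 => 20 bytes minimum */`, makes the bound auditable against the reads. Since `payload_len` is clipped to `len` and the length field maps 0 to 4 bytes, every iteration advances by at least 4, which is the property that makes the `while (len >= 4)` loop safe to run over unknown types; stating that above the `FFMIN` protects it from a later "simplification". rtcp_parse_packet continues past the hunk.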
@@ -129,14 +130,13 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp; } - buf += payload_len; - len -= payload_len; break; case RTCP_BYE: return -RTCP_BYE; - default: - return -1; } + + buf += payload_len; + len -= payload_len; } return -1; } From 7e95a12d51ffc5369f66ab46ce32f8c126678bbc Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 12 Oct 2011 22:30:44 -0400 Subject: [PATCH 247/290] mlpdec: validate that the reported channel count matches the actual output channel count (cherry picked from commit caa845851d790f894a2ccbe12580934f75545f92) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b13d0795cd..baae9a321d 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -950,7 +950,12 @@ static int output_data_internal(MLPDecodeContext *m, unsigned int substr, int32_t *data_32 = (int32_t*) data; int16_t *data_16 = (int16_t*) data; - if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2)) + if (m->avctx->channels != s->max_matrix_channel + 1) { + av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n"); + return AVERROR_INVALIDDATA; + } + + if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2)) return -1; for (i = 0; i < s->blockpos; i++) { From 62cf52c8602efe8cf8c4713a8f44d5f76a908bb8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 12 Oct 2011 23:23:18 -0400 Subject: [PATCH 248/290] truespeech: check to make sure channels == 1 (cherry picked from commit 3e7a176759e8a8e66d65c779b47b5bba793dfd4e) Signed-off-by: Michael Niedermayer --- libavcodec/truespeech.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c index d903a0119e..b5f74662ba 100644 --- a/libavcodec/truespeech.c +++ b/libavcodec/truespeech.c 
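Review bot: The new size check uses `m->avctx->channels` where the old one used `s->max_channel + 1`; the two are equivalent only if the output loop below (outside the hunk) writes `max_matrix_channel + 1` samples per position and `max_channel <= max_matrix_channel` always holds — if the loop is bounded by `max_channel` instead, the original bound should stay or both should be checked. On the next line, `return -1;` for an undersized output buffer now sits beside the new `AVERROR_INVALIDDATA`; `return AVERROR(EINVAL);` (or a dedicated buffer-too-small code) would keep the function's error reporting uniform. output_data_internal begins outside the hunk.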
@@ -56,6 +56,11 @@ static av_cold int truespeech_decode_init(AVCodecContext * avctx) { // TSContext *c = avctx->priv_data; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels); + return AVERROR(EINVAL); + } + avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; } From 5c18bcfd9cb6b4bbb40d487b52226ed5cf79320e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 13 Oct 2011 14:47:06 -0700 Subject: [PATCH 249/290] mov: Prevent illegal writes when chapter titles are very short. Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index cdba33dcb0..553abc246a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2402,14 +2402,21 @@ static void mov_read_chapters(AVFormatContext *s) // The samples could theoretically be in any encoding if there's an encd // atom following, but in practice are only utf-8 or utf-16, distinguished // instead by the presence of a BOM - ch = avio_rb16(sc->pb); - if (ch == 0xfeff) - avio_get_str16be(sc->pb, len, title, title_len); - else if (ch == 0xfffe) - avio_get_str16le(sc->pb, len, title, title_len); - else { - AV_WB16(title, ch); - get_strz(sc->pb, title + 2, len - 1); + if (!len) { + title[0] = 0; + } else { + ch = avio_rb16(sc->pb); + if (ch == 0xfeff) + avio_get_str16be(sc->pb, len, title, title_len); + else if (ch == 0xfffe) + avio_get_str16le(sc->pb, len, title, title_len); + else { + AV_WB16(title, ch); + if (len == 1 || len == 2) + title[len] = '0'; + else + get_strz(sc->pb, title + 2, len - 1); + } } ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title); From e58870a58749eb3266e16166d8370a5f2e960311 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 14 Oct 2011 10:38:42 -0700 Subject: [PATCH 250/290] mov: 10l: Terminate string with 0 not '0' (cherry picked from commit 7ad06beb2cf31d8a96f475361425d6cc95e8f176) 
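Review bot: For `len == 1` the new branch still executes `ch = avio_rb16(sc->pb)`, which consumes two bytes although the sample holds one, so the second byte is taken from whatever follows the sample and the stream position ends up one past it; `title[1]` is then overwritten by the terminator, so memory is fine but the read is off by one. Handling the single-byte case before the BOM probe, `if (len == 1) { title[0] = avio_r8(sc->pb); title[1] = 0; }`, keeps the read inside the sample. Whether the per-sample positioning done elsewhere in mov_read_chapters (outside the hunk) masks the mis-positioning is not visible here.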
Signed-off-by: Michael Niedermayer
---
 libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 553abc246a..a1aaf4a963 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2413,7 +2413,7 @@ static void mov_read_chapters(AVFormatContext *s)
 else {
 AV_WB16(title, ch);
 if (len == 1 || len == 2)
- title[len] = '0';
+ title[len] = 0;
 else
 get_strz(sc->pb, title + 2, len - 1);
 }
From d51c7b4cbe022f6b3b026735dc7e29eb50bbf129 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 15 Oct 2011 00:03:55 +0200 Subject: [PATCH 251/290] matroskadec: fix out of bounds write Signed-off-by: Janne Grunau (cherry picked from commit 723229c11f1400e6a09c8a1c9c27193f376eb1d1) Signed-off-by: Michael Niedermayer
---
 libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 66d3e46b08..f5894124bc 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1811,7 +1811,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 lace_size[n] = lace_size[n - 1] + snum;
 total += lace_size[n];
 }
- lace_size[n] = size - total;
+ lace_size[laces - 1] = size - total;
 break;
 }
 }
From d1166f03bea9da2f14fbbfcc6987e6cef0132da1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:21:46 +0200 Subject: [PATCH 252/290] vp8: fix return value if update_dimensions fails Signed-off-by: Janne Grunau (cherry picked from commit f05c2fb6eb1f9ddaec3c07d1874ba62ec0891269) Signed-off-by: Michael Niedermayer
---
 libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index a417ae3672..6e25876b01 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
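Review bot: `lace_size[laces - 1] = size - total;` now writes the right slot, but nothing in the hunk rejects `total > size`, which a crafted lacing header can produce; the last lace then carries a negative size that the packet loop below (outside the hunk) will use as a length. A check right after the assignment, `if (lace_size[laces - 1] < 0) return AVERROR_INVALIDDATA;` (or `if (total > size)` before it), closes that unless sizes are validated later in the function, which is not visible here. matroska_parse_block begins and ends outside the hunk.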
@@ -273,7 +273,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size) if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height) { - if ((ret = update_dimensions(s, width, height) < 0)) + if ((ret = update_dimensions(s, width, height)) < 0) return ret; } From 5f5f36b52e21d9aed347aef73aefe473e7d31409 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:27:52 +0200 Subject: [PATCH 253/290] vp8: force reallocation in update_thread_context after frame size change Signed-off-by: Janne Grunau (cherry picked from commit 56535793810584f5b3ae59e62cea66fe22d0307d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 6e25876b01..daaee83f2d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -33,6 +33,19 @@ # include "arm/vp8.h" #endif +static void free_buffers(VP8Context *s) +{ + av_freep(&s->macroblocks_base); + av_freep(&s->filter_strength); + av_freep(&s->intra4x4_pred_mode_top); + av_freep(&s->top_nnz); + av_freep(&s->edge_emu_buffer); + av_freep(&s->top_border); + av_freep(&s->segmentation_map); + + s->macroblocks = NULL; +} + static void vp8_decode_flush(AVCodecContext *avctx) { VP8Context *s = avctx->priv_data; @@ -45,15 +58,7 @@ static void vp8_decode_flush(AVCodecContext *avctx) } memset(s->framep, 0, sizeof(s->framep)); - av_freep(&s->macroblocks_base); - av_freep(&s->filter_strength); - av_freep(&s->intra4x4_pred_mode_top); - av_freep(&s->top_nnz); - av_freep(&s->edge_emu_buffer); - av_freep(&s->top_border); - av_freep(&s->segmentation_map); - - s->macroblocks = NULL; + free_buffers(s); } static int update_dimensions(VP8Context *s, int width, int height) 
@@ -1750,6 +1755,11 @@ static int vp8_decode_update_thread_context(AVCodecContext *dst, const AVCodecCo { VP8Context *s = dst->priv_data, *s_src = src->priv_data; + if (s->macroblocks_base && + (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) { + free_buffers(s); + } + s->prob[0] = s_src->prob[!s_src->update_probabilities]; s->segmentation = s_src->segmentation; s->lf_delta = s_src->lf_delta; From d32f509de1c6bbd2b441cf1ce9fda08504bfae6f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:43:29 +0200 Subject: [PATCH 254/290] vp8: prevent read from uninitialized memory in decode_mvs Signed-off-by: Janne Grunau (cherry picked from commit 0f0b5d643401d4d83322eeee0e57eb5a226ef9ab) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index daaee83f2d..3217605e58 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -492,6 +492,7 @@ void decode_mvs(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y) AV_ZERO32(&near_mv[0]); AV_ZERO32(&near_mv[1]); + AV_ZERO32(&near_mv[2]); /* Process MB on top, left and top-left */ #define MV_EDGE_CHECK(n)\ From 15a7fe106cb4ae57cf9d36bb1ed2006b5a59ba16 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:46:06 +0200 Subject: [PATCH 255/290] pthread: copy coded frame dimensions in update_context_from_thread Signed-off-by: Janne Grunau (cherry picked from commit feadcd1bdcbb4601f4ff01878027264fde985ee1) Signed-off-by: Michael Niedermayer --- libavcodec/pthread.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index fb5c2f1e1e..4feecbaaed 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c 
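Review bot: After `free_buffers(s)` the destination context keeps its stale `mb_width`/`mb_height` and nothing in this hunk reallocates; correctness relies on decode_frame_header's `!s->macroblocks_base` test (visible in an earlier hunk of this series) calling update_dimensions before the buffers are used. A comment above the call, `/* macroblocks_base == NULL forces decode_frame_header() to call update_dimensions(), which reallocates at the source's size */`, records that coupling so a later refactor of decode_frame_header does not silently break thread-context updates. vp8_decode_update_thread_context continues outside the hunk.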
@@ -332,6 +332,9 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, dst->height = src->height; dst->pix_fmt = src->pix_fmt; + dst->coded_width = src->coded_width; + dst->coded_height = src->coded_height; + dst->has_b_frames = src->has_b_frames; dst->idct_algo = src->idct_algo; dst->slice_count = src->slice_count; From e86e9f8b7acd8c68a3d4fefc803756d7ee8737eb Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 14 Oct 2011 18:27:59 -0700 Subject: [PATCH 256/290] avio: Check for invalid buffer length. (cherry picked from commit ab2940691ba76e1a9b0ce608db0dfc45021d741e) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index c6a67c3acc..1f79531559 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -778,13 +778,14 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen) { int i; + if (buflen <= 0) + return AVERROR(EINVAL); // reserve 1 byte for terminating 0 buflen = FFMIN(buflen - 1, maxlen); for (i = 0; i < buflen; i++) if (!(buf[i] = avio_r8(s))) return i + 1; - if (buflen) - buf[i] = 0; + buf[i] = 0; for (; i < maxlen; i++) if (!avio_r8(s)) return i + 1; @@ -796,6 +797,8 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen) {\ char* q = buf;\ int ret = 0;\ + if (buflen <= 0) \ + return AVERROR(EINVAL); \ while (ret + 1 < maxlen) {\ uint8_t tmp;\ uint32_t ch;\ From f531193690d91399dd99ae1bf61af311d9734f32 Mon Sep 17 00:00:00 2001 
From: Matthew Einhorn Date: Wed, 24 Aug 2011 20:14:03 -0400 Subject: [PATCH 257/290] Fixes avpicture_layout to not write past buffer end. avpicture_get_size() returns the size of buffer required for avpicture_layout. For pseudo-paletted formats (gray8...) this size does not include the palette. However, avpicture_layout doesn't know this and still writes the palette. Consequently, avpicture_layout writes passed the length of the buffer. This fixes it by fixing avpicture_layout so that it doesn't write the palette for these formats. Signed-off-by: Matthew Einhorn Signed-off-by: Michael Niedermayer (cherry picked from commit e662b263d9c500270a8f1dc7e1b81b51d5bdfd4e) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 9aa584fa5c..04c58ca278 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -470,6 +470,16 @@ int avpicture_layout(const AVPicture* src, enum PixelFormat pix_fmt, int width, } } + switch (pix_fmt) { + case PIX_FMT_RGB8: + case PIX_FMT_BGR8: + case PIX_FMT_RGB4_BYTE: + case PIX_FMT_BGR4_BYTE: + case PIX_FMT_GRAY8: + // do not include palette for these pseudo-paletted formats + return size; + } + if (desc->flags & PIX_FMT_PAL) memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4); From feef77ec3a88baa830cfe71a17fe857339cc3ea3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:40 +0200 Subject: [PATCH 258/290] mpegts: fix return value when enough ts packets have been parsed or when the first PMT has been seen. Signed-off-by: Michael Niedermayer (cherry picked from commit 49ec0c818dc3c1c293a582b57fb58ba611a10b32) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 82f422161e..da8f228426 100644 --- a/libavformat/mpegts.c 
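Review bot: The new `switch (pix_fmt)` in avpicture_layout has no `default:` case, and the list of pseudo-paletted formats it enumerates duplicates whatever list avpicture_get_size uses to leave the palette out of its size; the commit message relies on the two agreeing, but nothing in the code ties them together. Add `default: break;` (quiets -Wswitch-default and makes the fall-through explicit) and a comment naming the counterpart, e.g. `// must match the formats for which avpicture_get_size() excludes the palette`. If a shared `static inline` predicate is feasible, both sites could call it instead of maintaining two lists. avpicture_layout starts before and ends after the hunk.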
+++ b/libavformat/mpegts.c @@ -1083,7 +1083,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len // stop parsing after pmt, we found header if (!ts->stream->nb_streams) - ts->stop_parse = 1; + ts->stop_parse = 2; for(;;) { st = 0; @@ -1403,11 +1403,15 @@ static int handle_packets(MpegTSContext *ts, int nb_packets) ts->stop_parse = 0; packet_num = 0; for(;;) { - if (ts->stop_parse>0) - break; packet_num++; - if (nb_packets != 0 && packet_num >= nb_packets) + if (nb_packets != 0 && packet_num >= nb_packets || + ts->stop_parse > 1) { + ret = AVERROR(EAGAIN); break; + } + if (ts->stop_parse > 0) + break; + ret = read_packet(s, packet, ts->raw_packet_size); if (ret != 0) return ret; From cbfd34246cdddc58a627dd10fc563245601b2162 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:41 +0200 Subject: [PATCH 259/290] mpegts: do not return from ff_mpegts_parse_packet() after having seen the first PMT It prevents leaving the AVPacket uninitialized. Signed-off-by: Michael Niedermayer (cherry picked from commit bc38e83793be5f7a184c88be55e556453a25224b) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index da8f228426..618bd8f1b4 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1862,10 +1862,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, len1 = len; ts->pkt = pkt; - ts->stop_parse = 0; for(;;) { - if (ts->stop_parse>0) - break; + ts->stop_parse = 0; if (len < TS_PACKET_SIZE) return -1; if (buf[0] != 0x47) { @@ -1875,6 +1873,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, handle_packet(ts, buf); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; + if (ts->stop_parse == 1) + break; } } return len1 - len; From e1ea35fb52d0ad2466c9c0565d99210df3f97237 Mon Sep 17 00:00:00 2001 
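Review bot: The new condition in handle_packets, `if (nb_packets != 0 && packet_num >= nb_packets || ts->stop_parse > 1)`, mixes `&&` and `||` without parentheses; it parses as intended, but gcc -Wparentheses flags it and every reader has to re-derive the precedence. Write it as `if ((nb_packets != 0 && packet_num >= nb_packets) || ts->stop_parse > 1) {`. The loop body continues outside the hunk.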
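Review bot: In ff_mpegts_parse_packet, `ts->stop_parse` is now reset to 0 at the top of every iteration and only the value 1 breaks the loop, so the value 2 that pmt_cb now sets is deliberately ignored here while handle_packets (previous hunk) turns it into EAGAIN; none of this is written down, and the bare literals 1 and 2 carry the whole protocol. A comment at the new break, `/* 1: a packet was produced; 2 (first PMT seen, set in pmt_cb) is ignored here so pkt is never left unset */`, or named constants for the three states, would make the contract visible. The loop continues outside the hunk.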
From: Justin Ruggles Date: Thu, 15 Sep 2011 18:08:52 -0400 Subject: [PATCH 260/290] shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4c1abe8e4c..8ebe033454 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -113,6 +113,7 @@ static int allocate_buffers(ShortenContext *s) { int i, chan; int *coeffs; + void *tmp_ptr; for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ @@ -124,9 +125,15 @@ static int allocate_buffers(ShortenContext *s) return -1; } - s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->offset[chan] = tmp_ptr; - s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->decoded[chan] = tmp_ptr; for (i=0; inwrap; i++) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; @@ -284,8 +291,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, int i, input_buf_size = 0; int16_t *samples = data; if(s->max_framesize == 0){ + void *tmp_ptr; s->max_framesize= 1024; // should hopefully be enough for the first header - s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); + tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, + s->max_framesize); + if (!tmp_ptr) { + av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); + return AVERROR(ENOMEM); + } + s->bitstream = tmp_ptr; } if(1 && s->max_framesize){//FIXME truncated 
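Review bot: The second av_realloc in allocate_buffers is passed `s->decoded[chan]`, but two lines later that same pointer is advanced with `s->decoded[chan] += s->nwrap;`, so if allocate_buffers can run more than once for a context the next call hands av_realloc an interior pointer rather than the block it returned, which is undefined behaviour regardless of the new NULL check. If a repeat call is possible (the callers are not visible from here), keep a separate base pointer for the allocation and derive the offset view from it each time; if it is guaranteed single-shot, a comment above the loop saying so would settle it. The loop body continues past the hunk.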
From b08001e00ac4be3dd586825d135b30bdf389d7b0 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 16 Sep 2011 18:01:28 -0400 Subject: [PATCH 261/290] shorten: check output buffer size before decoding Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 8ebe033454..0b9d420d86 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -481,6 +481,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->cur_chan++; if (s->cur_chan == s->channels) { + int out_size = s->blocksize * s->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded); s->cur_chan = 0; goto frame_done; From 93f1159af5221e23c749be8fa0d3df3ef7a93fd0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 3 Nov 2011 15:55:52 -0700 Subject: [PATCH 262/290] vp6: Fix illegal read. (cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 3721d52192..c66d2e74ff 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -374,7 +374,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) if (b > 3) pt = 1; vlc_coeff = &s->dccv_vlc[pt]; - for (coeff_idx=0; coeff_idx<64; ) { + for (coeff_idx = 0;;) { int run = 1; if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) { s->nb_null[coeff_idx][pt]--; @@ -411,6 +411,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s) } } coeff_idx+=run; + if (coeff_idx >= 64) + break; cg = FFMIN(vp6_coeff_groups[coeff_idx], 3); vlc_coeff = &s->ract_vlc[pt][ct][cg]; } From e9de2d98a904aa6f13fd07cb776850569e110f22 Mon Sep 17 00:00:00 2001 
From: Justin Ruggles Date: Fri, 23 Sep 2011 19:50:41 -0400 Subject: [PATCH 263/290] twinvq: check output buffer size before decoding (cherry picked from commit e53eecd0e7211973a1a9757f559bdd93a1848901) Signed-off-by: Michael Niedermayer --- libavcodec/twinvq.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index f8e75bb933..7be13bcf0c 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, const ModeTab *mtab = tctx->mtab; float *out = data; enum FrameType ftype; - int window_type; + int window_type, out_size; static const enum FrameType wtype_to_ftype_table[] = { FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM @@ -835,6 +835,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } + out_size = mtab->size * avctx->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, buf, buf_size * 8); skip_bits(&gb, get_bits(&gb, 8)); window_type = get_bits(&gb, WINDOW_TYPE_BITS); @@ -857,7 +864,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } - *data_size = mtab->size*avctx->channels*4; + *data_size = out_size; return buf_size; } From 2137d99086b36b95f589ec19ab3f906d32d31b4a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:56:58 -0400 Subject: [PATCH 264/290] vorbisdec: check output buffer size before writing output (cherry picked from commit 60aa1a358d9c1c8f891e72246d5dcd897857eca8) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 024c8fd3cf..8f16d3a5a5 100644 --- a/libavcodec/vorbisdec.c 
+++ b/libavcodec/vorbisdec.c @@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vorbis_context *vc = avccontext->priv_data ; GetBitContext *gb = &(vc->gb); const float *channel_ptrs[255]; - int i, len; + int i, len, out_size; if (!buf_size) return 0; @@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n", get_bits_count(gb) / 8, get_bits_count(gb) % 8, len); + out_size = len * vc->audio_channels * + av_get_bytes_per_sample(avccontext->sample_fmt); + if (*data_size < out_size) { + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + if (vc->audio_channels > 8) { for (i = 0; i < vc->audio_channels; i++) channel_ptrs[i] = vc->channel_floors + i * len; @@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len, vc->audio_channels); - *data_size = len * vc->audio_channels * - av_get_bytes_per_sample(avccontext->sample_fmt); + *data_size = out_size; return buf_size ; } From 241f15f1c93f5bd661a187e42644220fd89ea7de Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:22:06 -0400 Subject: [PATCH 265/290] tta: check for extradata allocation failure in tta demuxer (cherry picked from commit f540ca22c5fb4504d959c295f55591a9ec2a8859) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index c37039d0da..9df9763c74 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c 
@@ -107,6 +107,10 @@ static int tta_read_header(AVFormatContext *s, AVFormatParameters *ap) return -1; } st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE); + if (!st->codec->extradata) { + st->codec->extradata_size = 0; + return AVERROR(ENOMEM); + } avio_seek(s->pb, start_offset, SEEK_SET); avio_read(s->pb, st->codec->extradata, st->codec->extradata_size); From 6ae93d030476ddd7fa2ab4d9d2dd25df85725390 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 14:31:53 +0200 Subject: [PATCH 266/290] resample: Fix overflow Found-by: Jim Radford Signed-off-by: Michael Niedermayer --- libavcodec/resample2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c index b940059d84..fc8ffea466 100644 --- a/libavcodec/resample2.c +++ b/libavcodec/resample2.c @@ -207,8 +207,10 @@ AVResampleContext *av_resample_init(int out_rate, int in_rate, int filter_size, memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM)); c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1]; - c->src_incr= out_rate; - c->ideal_dst_incr= c->dst_incr= in_rate * phase_count; + if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2)) + goto error; + c->ideal_dst_incr= c->dst_incr; + c->index= -phase_count*((c->filter_length-1)/2); return c; From a39b5e8b323785695fb0e3c0f30bd9e24287db87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 14:34:45 +0200 Subject: [PATCH 267/290] resample2: fix potential overflow Signed-off-by: Michael Niedermayer --- libavcodec/resample2.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c index fc8ffea466..5c425587ab 100644 --- a/libavcodec/resample2.c +++ b/libavcodec/resample2.c 
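Review bot: The new `av_reduce(...)` call in av_resample_init jumps to `error` whenever av_reduce returns 0, and av_reduce returns 0 for any reduction that had to be rounded to fit `INT32_MAX/2`, not only on overflow; so initialisation now fails for rate pairs whose exact ratio does not fit, where the old code silently computed a wrong increment. That is the safer behaviour, but it deserves a comment: `/* refuse rate pairs whose exact ratio does not fit in INT32_MAX/2 instead of resampling with a rounded one */`. The `error:` label and its cleanup are outside the hunk, so I cannot confirm the filter bank allocated just above is released on that path.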
@@ -248,10 +248,9 @@ int av_resample(AVResampleContext *c, short *dst, short *src, int *consumed, int dst[dst_index] = src[index2>>32]; index2 += incr; } - frac += dst_index * dst_incr_frac; index += dst_index * dst_incr; - index += frac / c->src_incr; - frac %= c->src_incr; + index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr; + frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr; }else{ for(dst_index=0; dst_index < dst_size; dst_index++){ FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask); From edf3c5a3ebeee8df55c6a05f88a682091f10a364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 15:26:45 +0200 Subject: [PATCH 268/290] resample: Fix array size Found-by: Jim Radford Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7db0a9ee758bf0570a141be1fea64f8d9c03db) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index 33413dbeaf..68e604ee92 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -326,9 +326,9 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) { output_bak = output; - if (!s->buffer_size[1] || s->buffer_size[1] < lenout) { + if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) { av_free(s->buffer[1]); - s->buffer_size[1] = lenout; + s->buffer_size[1] = 2*lenout; s->buffer[1] = av_malloc(s->buffer_size[1]); if (!s->buffer[1]) { av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n"); From 4a66fe21073e87079720b961c209ea55fc9234a3 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 27 Sep 2011 14:27:43 -0400 Subject: [PATCH 269/290] mpegaudiodec: check output data size based on avctx->frame_size Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
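Review bot: The two new lines in av_resample evaluate the same 64-bit expression `frac + dst_index * (int64_t)dst_incr_frac` twice, once for the quotient and once for the remainder, which invites the two copies drifting apart on a later edit. Hoist it once: `int64_t f = frac + dst_index * (int64_t)dst_incr_frac; index += f / c->src_incr; frac = f % c->src_incr;`. The enclosing if/else continues past the hunk.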
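Review bot: In audio_resample the new size `2*lenout` encodes the element size as a bare literal; from the `short *output` parameter and the surrounding `sample_fmt[1] != AV_SAMPLE_FMT_S16` test this buffer presumably holds S16 samples before conversion, so `lenout * sizeof(*output)` in both the comparison and the assignment would document the intent and survive a sample type change. The function continues outside the hunk.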
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 9fbae0c316..32dfd23bc1 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1801,8 +1801,8 @@ static int decode_frame(AVCodecContext * avctx, avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; - if(*data_size < 1152*avctx->channels*sizeof(OUT_INT)) - return -1; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); *data_size = 0; if(s->frame_size<=0 || s->frame_size > buf_size){ @@ -1870,6 +1870,9 @@ static int decode_frame_adu(AVCodecContext * avctx, avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); + s->frame_size = len; if (avctx->parse_only) { From f19b8d95335a9fb616c7c1d806d3dd3abda031c9 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 11:47:15 -0400 Subject: [PATCH 270/290] apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index f036c4a1d7..7cf72a00bd 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -163,6 +163,18 @@ typedef struct APEContext { // TODO: dsputilize +static av_cold int ape_decode_close(AVCodecContext * avctx) +{ + APEContext *s = avctx->priv_data; + int i; + + for (i = 0; i < APE_FILTER_LEVELS; i++) + av_freep(&s->filterbuf[i]); + + av_freep(&s->data); + return 0; +} + static av_cold int ape_decode_init(AVCodecContext * avctx) { APEContext *s = avctx->priv_data; 
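Review bot: The new checks in decode_frame and decode_frame_adu compare `*data_size` (an int) against `avctx->frame_size * avctx->channels * sizeof(OUT_INT)`, which is size_t, so the comparison is performed unsigned and a negative `*data_size` would pass; the same pattern is in both hunks of this file. The other decoders in this series (twinvq, vorbis, atrac1) compute `int out_size = ...;` first and compare ints — doing the same here, `int out_size = avctx->frame_size * avctx->channels * sizeof(OUT_INT); if (*data_size < out_size) return AVERROR(EINVAL);`, is consistent and removes the signed/unsigned mix. I also cannot see where avctx->frame_size is set relative to these checks; if it can still be 0 on the first call the check is vacuous, which may deserve a comment. Both functions continue outside their hunks.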
@@ -195,25 +207,18 @@ static av_cold int ape_decode_init(AVCodecContext * avctx) for (i = 0; i < APE_FILTER_LEVELS; i++) { if (!ape_filter_orders[s->fset][i]) break; - s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4); + FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i], + (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4, + filter_alloc_fail); } dsputil_init(&s->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_S16; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; return 0; -} - -static av_cold int ape_decode_close(AVCodecContext * avctx) -{ - APEContext *s = avctx->priv_data; - int i; - - for (i = 0; i < APE_FILTER_LEVELS; i++) - av_freep(&s->filterbuf[i]); - - av_freep(&s->data); - return 0; +filter_alloc_fail: + ape_decode_close(avctx); + return AVERROR(ENOMEM); } /** From 43fa5bf55ed5e1a26fff6d0cd434fb911250ee9a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 12:47:11 -0400 Subject: [PATCH 271/290] apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf72a00bd..4c2d238b16 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -819,7 +819,10 @@ static int ape_decode_frame(AVCodecContext * avctx, } if(!s->samples){ - s->data = av_realloc(s->data, (buf_size + 3) & ~3); + void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3); + if (!tmp_data) + return AVERROR(ENOMEM); + s->data = tmp_data; s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2); s->ptr = s->last_ptr = s->data; s->data_end = s->data + buf_size; From 998fc04bcfeeaa2b0885ee84e37bcd345797981a Mon Sep 17 00:00:00 2001 
From: Justin Ruggles Date: Tue, 11 Oct 2011 13:17:44 -0400 Subject: [PATCH 272/290] apedec: use unsigned int for 'nblocks' and make sure that it's within int range Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 4c2d238b16..260ef2efa0 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -802,7 +802,7 @@ static int ape_decode_frame(AVCodecContext * avctx, int buf_size = avpkt->size; APEContext *s = avctx->priv_data; int16_t *samples = data; - int nblocks; + uint32_t nblocks; int i, n; int blockstodecode; int bytes_used; @@ -838,9 +838,10 @@ static int ape_decode_frame(AVCodecContext * avctx, s->currentframeblocks = nblocks; buf += 4; - if (s->samples <= 0) { + if (!nblocks || nblocks > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); *data_size = 0; - return buf_size; + return AVERROR_INVALIDDATA; } memset(s->decoded0, 0, sizeof(s->decoded0)); From ae2d3d6be01a520b1b3f71510359a99c82631751 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 13:25:27 -0400 Subject: [PATCH 273/290] apedec: set s->currentframeblocks after validating nblocks --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 260ef2efa0..4d8a9401c1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -827,7 +827,7 @@ static int ape_decode_frame(AVCodecContext * avctx, s->ptr = s->last_ptr = s->data; s->data_end = s->data + buf_size; - nblocks = s->samples = bytestream_get_be32(&s->ptr); + nblocks = bytestream_get_be32(&s->ptr); n = bytestream_get_be32(&s->ptr); if(n < 0 || n > 3){ av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); 
@@ -836,13 +836,13 @@ static int ape_decode_frame(AVCodecContext * avctx, } s->ptr += n; - s->currentframeblocks = nblocks; buf += 4; if (!nblocks || nblocks > INT_MAX) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); *data_size = 0; return AVERROR_INVALIDDATA; } + s->currentframeblocks = s->samples = nblocks; memset(s->decoded0, 0, sizeof(s->decoded0)); memset(s->decoded1, 0, sizeof(s->decoded1)); From 0ac6777a34f4e53b36dc6665826f94798d1e195f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 28 Oct 2011 23:50:04 -0700 Subject: [PATCH 274/290] vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 59 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b9af998bc5..549f494ff6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -45,6 +45,7 @@ #define FRAGMENT_PIXELS 8 static av_cold int vp3_decode_end(AVCodecContext *avctx); +static void vp3_decode_flush(AVCodecContext *avctx); //FIXME split things out into their own arrays typedef struct Vp3Fragment { @@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, /* decode a VLC into a token */ token = get_vlc2(gb, vlc_table, 11, 3); /* use the token to get a zero run, a coefficient, and an eob run */ - if (token <= 6) { + if ((unsigned) token <= 6U) { eob_run = eob_run_base[token]; if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); @@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, coeff_i += eob_run; eob_run = 0; } - } else { + } else if (token >= 0) { bits_to_get = coeff_get_bits[token]; if (bits_to_get) bits_to_get = get_bits(gb, bits_to_get); 
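Review bot: The new test `if ((unsigned) token <= 6U)` in unpack_vlcs silently routes a negative token (get_vlc2's signal for an invalid code) past the eob-run branch, and the following `} else if (token >= 0) {` only makes sense once the reader knows that. A one-line comment would make the intent explicit, e.g. `/* negative token = invalid VLC code; the unsigned compare sends it to the final else below */`. Both hunks sit inside unpack_vlcs, whose error branch and remainder are outside this span.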
@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, for (i = coeff_index+1; i <= coeff_index+zero_run; i++) s->num_coded_frags[plane][i]--; coeff_i++; + } else { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid token %d\n", token); + return -1; } } @@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the Y plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the C plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the C-plane DC coefficients */ if (!(s->avctx->flags & CODEC_FLAG_GRAY)) @@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) for (i = 1; i <= 63; i++) { residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; } return 0; 
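Review bot: The new error branch in unpack_vlcs returns a bare `-1`, while the rest of this series (binkaudio, apedec) returns `AVERROR_INVALIDDATA` for malformed bitstream data and unpack_dct_coeffs forwards the value unchanged, so callers receive -1, which collides with AVERROR(EPERM) on most platforms, instead of a meaningful code. Use `return AVERROR_INVALIDDATA;`. The nine new `if (residual_eob_run < 0) return residual_eob_run;` checks in unpack_dct_coeffs are correct but repetitive; a small static helper or macro wrapping call and check would shorten that function considerably.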
@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; int qps_changed = 0, i, err; +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) + if (!s1->current_frame.data[0] ||s->width != s1->width - ||s->height!= s1->height) + ||s->height!= s1->height) { + if (s != s1) + copy_fields(s, s1, golden_frame, current_frame); return -1; + } if (s != s1) { // init tables if the first frame hasn't been decoded @@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); } -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) - // copy previous frame data copy_fields(s, s1, golden_frame, dsp); @@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) Vp3DecodeContext *s = avctx->priv_data; int i; - if (avctx->is_copy && !s->current_frame.data[0]) - return 0; - av_free(s->superblock_coding); av_free(s->all_fragments); av_free(s->coded_fragment_list[0]); @@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) free_vlc(&s->motion_vector_vlc); /* release all frames */ - if (s->golden_frame.data[0]) - ff_thread_release_buffer(avctx, &s->golden_frame); - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) - ff_thread_release_buffer(avctx, &s->last_frame); - /* no need to release the current_frame since it will always be pointing - * to the same frame as either the golden or last frame */ + vp3_decode_flush(avctx); return 0; } 
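Review bot: The `copy_fields` macro, now defined at the top of vp3_update_thread_context, memcpy's the half-open byte range from `&to->start_field` up to but excluding `&to->end_field` and so depends entirely on field order in Vp3DecodeContext, yet neither the definition nor the new early-return use `copy_fields(s, s1, golden_frame, current_frame)` says so; from the frame releases in vp3_decode_end I infer that call copies golden_frame and last_frame and stops before current_frame, which is exactly the non-obvious part. Document it at the definition, e.g. `/* copy [start_field, end_field) — end_field itself is NOT copied; relies on declaration order in Vp3DecodeContext */`. A second comment that the `return -1` after that copy is deliberate — the destination presumably now owns references that vp3_decode_end/vp3_decode_flush must release — would also help. The function continues outside the hunk.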
@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->current_frame); } +static int vp3_init_thread_copy(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + s->superblock_coding = NULL; + s->all_fragments = NULL; + s->coded_fragment_list[0] = NULL; + s->dct_tokens_base = NULL; + s->superblock_fragments = NULL; + s->macroblock_coding = NULL; + s->motion_val[0] = NULL; + s->motion_val[1] = NULL; + s->edge_emu_buffer = NULL; + + return 0; +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2354,6 +2383,7 @@ AVCodec ff_theora_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; #endif @@ -2371,5 +2401,6 @@ AVCodec ff_vp3_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From 346e089d25ba5f1f7509a7fbff6843471b7ccf6b Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 14 Oct 2011 00:16:31 -0400 Subject: [PATCH 275/290] atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac1.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index 1f4c36c141..9d37e4c866 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -276,7 +276,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AT1Ctx *q = avctx->priv_data; - int ch, ret, i; + int ch, ret, i, out_size; GetBitContext gb; float* samples = data; 
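Review bot: vp3_init_thread_copy NULLs a hand-picked list of Vp3DecodeContext pointers that must mirror the av_free list in vp3_decode_end (superblock_coding, all_fragments and coded_fragment_list[0] are visible there; the rest I infer), and the two lists will drift apart the next time a buffer is added. Say so at the top of the function: `/* keep in sync with the av_free() calls in vp3_decode_end(): every pointer freed there must be cleared here so a thread copy never frees the parent's buffers */`.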
@@ -286,6 +286,13 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, return -1; } + out_size = q->channels * AT1_SU_SAMPLES * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + for (ch = 0; ch < q->channels; ch++) { AT1SUCtx* su = &q->SUs[ch]; @@ -318,7 +325,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, } } - *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples); + *data_size = out_size; return avctx->block_align; } From f98bb0d3ec73b047121bcdf172cc809ac3c47013 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 14 Oct 2011 00:24:50 -0400 Subject: [PATCH 276/290] atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872) Signed-off-by: Michael Niedermayer --- libavcodec/atrac1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index 9d37e4c866..6897790307 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -336,6 +336,11 @@ static av_cold int atrac1_decode_init(AVCodecContext *avctx) avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n", + avctx->channels); + return AVERROR(EINVAL); + } q->channels = avctx->channels; /* Init the mdct transforms */ From 8491677ab632f89f31bb26e48c8d1c429be07928 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 25 Oct 2011 13:47:50 -0400 Subject: [PATCH 277/290] binkaudio: add some buffer overread checks. This stops decoding before overreads instead of after. (cherry picked from commit 101ef19ef4dc9f5c3d536aee8fcc10fff2af4d9e) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 47 +++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 10 deletions(-) 
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index ff36458c7e..3b65a19261 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -153,11 +153,18 @@ static const uint8_t rle_length_tab[16] = { 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64 }; +#define GET_BITS_SAFE(out, nbits) do { \ + if (get_bits_left(gb) < nbits) \ + return AVERROR_INVALIDDATA; \ + out = get_bits(gb, nbits); \ +} while (0) + /** * Decode Bink Audio block * @param[out] out Output buffer (must contain s->block_size elements) + * @return 0 on success, negative error code on failure */ -static void decode_block(BinkAudioContext *s, short *out, int use_dct) +static int decode_block(BinkAudioContext *s, short *out, int use_dct) { int ch, i, j, k; float q, quant[25]; @@ -170,13 +177,19 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) for (ch = 0; ch < s->channels; ch++) { FFTSample *coeffs = s->coeffs_ptr[ch]; if (s->version_b) { + if (get_bits_left(gb) < 64) + return AVERROR_INVALIDDATA; coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root; coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root; } else { + if (get_bits_left(gb) < 58) + return AVERROR_INVALIDDATA; coeffs[0] = get_float(gb) * s->root; coeffs[1] = get_float(gb) * s->root; } + if (get_bits_left(gb) < s->num_bands * 8) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_bands; i++) { /* constant is result of 0.066399999/log10(M_E) */ int value = get_bits(gb, 8); 
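Review bot: The new `GET_BITS_SAFE(out, nbits)` macro uses `nbits` unparenthesised in `get_bits_left(gb) < nbits` and hides a `return AVERROR_INVALIDDATA` plus a dependency on a local named `gb` and an int-returning enclosing function; none of that is stated, even though decode_block's signature was changed to int precisely to support it. Parenthesise the argument, `if (get_bits_left(gb) < (nbits))`, and document the contract above the macro, e.g. `/* requires a local GetBitContext *gb; returns AVERROR_INVALIDDATA from the enclosing (int) function on underrun */`. Separately, the two `get_bits(gb, 32)` reads on the context lines just under the new 64-bit length check exceed get_bits()'s 25-bit limit and should be `get_bits_long(gb, 32)`; that is pre-existing but now sits right next to the new bounds check. decode_block continues outside the hunk.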
@@ -191,15 +204,20 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) while (i < s->frame_len) { if (s->version_b) { j = i + 16; - } else if (get_bits1(gb)) { - j = i + rle_length_tab[get_bits(gb, 4)] * 8; } else { - j = i + 8; + int v; + GET_BITS_SAFE(v, 1); + if (v) { + GET_BITS_SAFE(v, 4); + j = i + rle_length_tab[v] * 8; + } else { + j = i + 8; + } } j = FFMIN(j, s->frame_len); - width = get_bits(gb, 4); + GET_BITS_SAFE(width, 4); if (width == 0) { memset(coeffs + i, 0, (j - i) * sizeof(*coeffs)); i = j; @@ -209,9 +227,11 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) while (i < j) { if (s->bands[k] == i) q = quant[k++]; - coeff = get_bits(gb, width); + GET_BITS_SAFE(coeff, width); if (coeff) { - if (get_bits1(gb)) + int v; + GET_BITS_SAFE(v, 1); + if (v) coeffs[i] = -q * coeff; else coeffs[i] = q * coeff; @@ -247,6 +267,8 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) s->overlap_len * s->channels * sizeof(*out)); s->first = 0; + + return 0; } static av_cold int decode_end(AVCodecContext *avctx) @@ -278,12 +300,17 @@ static int decode_frame(AVCodecContext *avctx, int reported_size; GetBitContext *gb = &s->gb; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + init_get_bits(gb, buf, buf_size * 8); reported_size = get_bits_long(gb, 32); - while (get_bits_count(gb) / 8 < buf_size && - samples + s->block_size <= samples_end) { - decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT); + while (samples + s->block_size <= samples_end) { + if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT)) + break; samples += s->block_size; get_bits_align32(gb); } From 711e6c947b728b23e84f15152fa59ef8ae20de63 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 27 Oct 2011 13:33:57 -0400 Subject: [PATCH 278/290] cin audio: validate the channel count 
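Review bot: In the decode_frame hunk (`@@ -278,12 +300,17 @@`) a failing decode_block becomes a bare `break`, so a truncated or corrupt packet silently yields only the blocks completed before the failure and the AVERROR_INVALIDDATA that decode_block now returns is discarded. Storing the result in a local and emitting an `AV_LOG_DEBUG` line before the `break` would make damaged streams diagnosable without changing the recovery behaviour. The removed `get_bits_count(gb) / 8 < buf_size` guard means the loop now relies entirely on decode_block's bit checks to stop on exhausted input, which holds only if every read path in decode_block is covered; the hunks above cover the reads they show, but decode_block's body spans several hunks and parts of it are not visible here. decode_frame continues after this hunk.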
Signed-off-by: Michael Niedermayer --- libavcodec/dsicinav.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index faca821c7d..d4dbb35472 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -310,6 +310,11 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) CinAudioContext *cin = avctx->priv_data; cin->avctx = avctx; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Number of channels is not supported\n"); + return AVERROR_PATCHWELCOME; + } + cin->initial_decode_frame = 1; cin->delta = 0; avctx->sample_fmt = AV_SAMPLE_FMT_S16; From 0e3dec6b08b16307c2bc276d1b4f8b96ab52414e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Oct 2011 22:42:45 +0100 Subject: [PATCH 279/290] asfdec: Check packet_replic_size earlier Signed-off-by: Michael Niedermayer (cherry picked from commit 60fcc19bff49e0b1972eae014afc087afd94a415) Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 033bdede13..be8885d904 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -808,6 +808,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0); DO_2BITS(asf->packet_property, asf->packet_replic_size, 0); //printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size); + if (rsize+asf->packet_replic_size > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size); + return -1; + } if (asf->packet_replic_size >= 8) { asf->packet_obj_size = avio_rl32(pb); if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){ 
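Review bot: In the asfdec hunk, `rsize+asf->packet_replic_size > asf->packet_size_left` is evaluated in plain int arithmetic; packet_replic_size is printed with `%d`, so it is presumably a signed int, and DO_2BITS (not visible here) can fill it from a field up to 32 bits wide, in which case a negative or very large value makes the sum wrap and slip past the check. Rejecting the sign and moving the arithmetic to the side that cannot wrap avoids the addition: `if (asf->packet_replic_size < 0 || asf->packet_replic_size > asf->packet_size_left - rsize)`. Confirm the field's type and width before relying on the sign test alone. asf_read_frame_header starts before this hunk and continues after it.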
@@ -842,10 +846,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size); return -1; } - if (rsize > asf->packet_size_left) { - av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); - return -1; - } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal if (rsize > asf->packet_size_left) { From d8acee792f9d3b2c271d480e4d72ff7e558e0c66 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Mon, 31 Oct 2011 15:11:37 +0100 Subject: [PATCH 280/290] mp3enc: avoid truncating id3v1 tags by one byte Avoid writing the trailing null-byte for id3v1 tags if length reaches max length. Signed-off-by: Michael Niedermayer (cherry picked from commit 0f39fa0279e12c7a174d1da9294bffd95cb15c4c) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 50342bb950..76d1813172 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c 
@@ -51,11 +51,12 @@ static int id3v1_create_tag(AVFormatContext *s, uint8_t *buf) buf[0] = 'T'; buf[1] = 'A'; buf[2] = 'G'; - count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title - count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist - count += id3v1_set_string(s, "TALB", buf + 63, 30); //album - count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date - count += id3v1_set_string(s, "comment", buf + 97, 30); + /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */ + count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title + count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist + count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album + count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date + count += id3v1_set_string(s, "comment", buf + 97, 30 + 1); if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track buf[125] = 0; buf[126] = atoi(tag->value); From 864581fea3afb40f1d40cee000da30be54ec049d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2011 14:46:18 +0100 Subject: [PATCH 281/290] configure: fix arch x86_32 Signed-off-by: Michael Niedermayer (cherry picked from commit 078811d9e484892e3ad49819148fe6ae65a1954b) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index be2f721f7a..822c500eab 100755 --- a/configure +++ b/configure @@ -2203,7 +2203,7 @@ case "$arch" in arch="sparc" subarch="sparc64" ;; - i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64) + i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64) arch="x86" ;; esac From 112431705d82eea875635641185a8aee27bcd86e Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 00:52:36 -0400 Subject: [PATCH 282/290] libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf) 
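Review bot: The `30 + 1` lengths make each call's terminating NUL land in the first byte of the following field, so the five id3v1_set_string calls are now order-dependent (each later call overwrites the NUL left by the one before it), and the comment field's NUL lands on buf[127], the byte after the last field; that is only harmless if buf[127] (presumably the genre byte) is written after this block, which the hunk does not show. The added comment should spell out the constraint, e.g. extend it with `/* ... the calls must stay in ascending offset order and buf[127] must be written after the comment field */`. id3v1_create_tag continues past this hunk.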
Signed-off-by: Michael Niedermayer --- libavcodec/libgsm.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c index 1f76f82d55..073cf4498d 100644 --- a/libavcodec/libgsm.c +++ b/libavcodec/libgsm.c @@ -141,18 +141,25 @@ static int libgsm_decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; + int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt); + + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + *data_size = 0; /* In case of error */ if(buf_size < avctx->block_align) return -1; switch(avctx->codec_id) { case CODEC_ID_GSM: if(gsm_decode(avctx->priv_data,buf,data)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t); break; case CODEC_ID_GSM_MS: if(gsm_decode(avctx->priv_data,buf,data) || gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2; } + + *data_size = out_size; return avctx->block_align; } From 5a3f494466afb9eb9c20e69fa92dfdbae386573a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 18:25:49 -0400 Subject: [PATCH 283/290] imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263) Signed-off-by: Michael Niedermayer --- libavcodec/imc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index f08efe46ec..ea0318c371 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -104,7 +104,7 @@ static VLC_TYPE vlc_tables[VLC_TABLES_SIZE][2]; static av_cold int imc_decode_init(AVCodecContext * avctx) { - int i, j; + int i, j, ret; IMCContext *q = avctx->priv_data; double r1, r2; 
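Review bot: `out_size` is now derived from `avctx->frame_size` instead of the explicit `GSM_FRAME_SIZE*sizeof(int16_t)` (doubled for GSM_MS) that the removed lines used, so the buffer check is only correct if frame_size is set to GSM_FRAME_SIZE for CODEC_ID_GSM and to 2*GSM_FRAME_SIZE for CODEC_ID_GSM_MS in init, which is not visible here; if it is smaller, the second gsm_decode in the GSM_MS branch writes past the size that was checked. A comment next to the declaration, e.g. `/* frame_size is set per codec in init: GSM_FRAME_SIZE, or 2*GSM_FRAME_SIZE for GSM_MS */`, or an assertion tying the two values together, would keep them from drifting. libgsm_decode_frame starts before this hunk.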
@@ -156,7 +156,10 @@ static av_cold int imc_decode_init(AVCodecContext * avctx)
} q->one_div_log2 = 1/log(2);
- ff_fft_init(&q->fft, 7, 1);
+ if ((ret = ff_fft_init(&q->fft, 7, 1))) {
+ av_log(avctx, AV_LOG_INFO, "FFT init failed\n");
+ return ret;
+ }
dsputil_init(&q->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; From cba03dc66730cab43a4257bc027d35f09c393f62 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 18:31:21 -0400 Subject: [PATCH 284/290] imc: validate channel count ask for a sample if not mono (cherry picked from commit 7b7f47e73356d113cace74b922eee0b6ff5ffe0b) Signed-off-by: Michael Niedermayer
--- libavcodec/imc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index ea0318c371..bc1a6a9f3c 100644
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -108,6 +108,11 @@ static av_cold int imc_decode_init(AVCodecContext * avctx)
IMCContext *q = avctx->priv_data; double r1, r2;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
q->decoder_reset = 1; for(i = 0; i < BANDS; i++) From c4a34f402528502a857e134a670421048c388c93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2011 15:47:14 +0200 Subject: [PATCH 285/290] snow: emu edge support Fixes Ticket592 Signed-off-by: Michael Niedermayer (cherry picked from commit 4416931fc069332e267ab6df037a1227c051d7b1) Signed-off-by: Michael Niedermayer
--- libavcodec/snow.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 43a71904eb..86ab710f80 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
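Review bot: The ff_fft_init failure is logged at `AV_LOG_INFO`, which is the wrong level for a condition that aborts decoder initialisation and returns an error; use `av_log(avctx, AV_LOG_ERROR, "FFT init failed\n");`. imc_decode_init begins before this hunk and continues past it.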
@@ -1917,8 +1917,6 @@ static void dwt_quantize(SnowContext *s, Plane *p, DWTELEM *buffer, int width, i static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){ int p,x,y; - assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE)); - for(p=0; p<3; p++){ int is_chroma= !!p; int w= s->avctx->width >>is_chroma; @@ -1975,7 +1973,7 @@ static int frame_start(SnowContext *s){ int w= s->avctx->width; //FIXME round up to x16 ? int h= s->avctx->height; - if(s->current_picture.data[0]){ + if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){ s->dsp.draw_edges(s->current_picture.data[0], s->current_picture.linesize[0], w , h , EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM); From 1e1015fd223ff33a88585db13047ce766369c21b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Nov 2011 13:37:27 +0100 Subject: [PATCH 286/290] Version numbers for 0.8.6 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 7b5b0df3c2..b52216e198 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.5 +PROJECT_NUMBER = 0.8.6 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7ada0d303f..7fc2521fd7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.5 +0.8.6 diff --git a/VERSION b/VERSION index 7ada0d303f..7fc2521fd7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.5 +0.8.6 From 8045254bacca54bc5bb242f43b72564037b8a50d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Nov 2011 22:05:34 +0100 Subject: [PATCH 287/290] update versions for 0.7 branch 
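Review bot: Removing the assert in halfpel_interpol drops the only statement that recorded its dependence on padded frame edges, and nothing in the hunk says why the interpolation loop is safe once CODEC_FLAG_EMU_EDGE is set (the loop body lies outside the hunk, as does most of frame_start). A comment in its place stating what guarantees edge safety in that mode — whether the caller clamps accesses, the source is padded elsewhere, or something else this change does not show — would keep the invariant visible to the next reader; as it stands, the second hunk only stops drawing edges under EMU_EDGE and leaves the reader to infer the rest.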
Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 24ceb58ecd..61156c4f62 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.6 +PROJECT_NUMBER = 0.7.7 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index c006218557..879be8a98f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.6 +0.7.7 diff --git a/VERSION b/VERSION index c006218557..879be8a98f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.6 +0.7.7 From d484a07f1cb2fd416dd4e733ee793a1603c507bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 19 Oct 2011 18:41:02 +0200 Subject: [PATCH 288/290] Do not call parse_keyframes_index with NULL stream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems to fix trac issue #569. Sample is unfortunately not available, but it might be caused by an index existing for non-existing audio stream (?). Signed-off-by: Reimar Döffinger (cherry picked from commit 6ea6ff053af2aff8a9a898292f9640efa9290c9f) --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a2a3c5c493..c48224b445 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
@@ -210,7 +210,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst
case AMF_DATA_TYPE_OBJECT: { unsigned int keylen;
- if (ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1)
+ if (vstream && ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1)
if (parse_keyframes_index(s, ioc, vstream, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); From 80a173a33b8abe961397834843881d90a1ddb2a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 21:45:31 +0100 Subject: [PATCH 289/290] av_lzo1x_decode: properly handle negative buffer length. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treating them like 0 is safest, current code would invoke undefined pointer arithmetic behaviour in this case. Signed-off-by: Reimar Döffinger (cherry picked from commit b9242fd12f4be4a79e31fd0aa125ab8a48226896) (cherry picked from commit 0411b1928965050a940155984a16ad82fe462fc1)
--- libavutil/lzo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 40a41a424d..8407d7d376 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -175,11 +175,11 @@ int av_lzo1x_decode(void *out, int *outlen, const void *in, int *inlen) {
int state= 0; int x; LZOContext c;
- if (!*outlen || !*inlen) {
+ if (*outlen <= 0 || *inlen <= 0) {
int res = 0;
- if (!*outlen)
+ if (*outlen <= 0)
res |= AV_LZO_OUTPUT_FULL;
- if (!*inlen)
+ if (*inlen <= 0)
res |= AV_LZO_INPUT_DEPLETED; return res; } From 3970d4e72809d9c9bf4c463ba1a6ab2650e3252b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 22:34:09 +0100 Subject: [PATCH 290/290] nuv: Fix combination of size changes and LZO compression. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were multiple issues, for example might we have to re-run the decompression when the size of the buffer increased, we should always use a decompression buffer large enough for the header (so we do not get stuck when the size is too small). Signed-off-by: Reimar Döffinger --- libavcodec/nuv.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 6eb6de3101..3381e275b1 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -20,6 +20,7 @@ */ #include #include +#include #include "libavutil/bswap.h" #include "libavutil/lzo.h" 
@@ -112,19 +113,23 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { - if (av_image_check_size(height, width, 0, avctx) < 0) - return 0; + // also reserve space for a possible additional header + int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING; + if (av_image_check_size(height, width, 0, avctx) < 0 || + buf_size > INT_MAX/8) + return -1; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2); + av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 0; + return AVERROR(ENOMEM); } rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); + return 1; } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); - return 1; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, @@ -135,6 +140,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVFrame *picture = data; int orig_size = buf_size; int keyframe; + int size_change = 0; int result; enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3', 
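Review bot: `height * width * 3 / 2` is evaluated in int at the declaration of buf_size, before av_image_check_size has had a chance to reject oversized dimensions, so with the 16-bit w/h values read by decode_frame the product can exceed INT_MAX and the signed overflow is undefined before the `buf_size > INT_MAX/8` test ever runs. Do the dimension check first and the arithmetic in a wider type: `if (av_image_check_size(height, width, 0, avctx) < 0) return -1;` then `int64_t buf_size = 24 + (int64_t)height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING;` followed by the existing `buf_size > INT_MAX/8` test. The function now returns three distinct values (negative on error, 1 when the size changed, 0 otherwise) that both callers depend on, so the header comment above codec_reinit, outside this hunk, should spell them out; the mixed `return -1` and `AVERROR(ENOMEM)` on the two error paths could be unified at the same time.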
@@ -172,18 +178,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, default: keyframe = 1; break; } +retry: // skip rest of the frameheader. buf = &buf[12]; buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { - int outlen = c->decomp_size, inlen = buf_size; + int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size; if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); buf = c->decomp_buf; - buf_size = c->decomp_size; + buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING; } if (c->codec_frameheader) { - int w, h, q; + int w, h, q, res; if (buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); return -1; @@ -191,13 +198,20 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; - if (!codec_reinit(avctx, w, h, q)) - return -1; + res = codec_reinit(avctx, w, h, q); + if (res < 0) + return res; + if (res) { + buf = avpkt->data; + buf_size = avpkt->size; + size_change = 1; + goto retry; + } buf = &buf[12]; buf_size -= 12; } - if (keyframe && c->pic.data[0]) + if ((size_change || keyframe) && c->pic.data[0]) avctx->release_buffer(avctx, &c->pic); c->pic.reference = 3; c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_READABLE | @@ -259,7 +273,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { if (avctx->extradata_size) get_quant(avctx, c, avctx->extradata, avctx->extradata_size); dsputil_init(&c->dsp, avctx); - if (!codec_reinit(avctx, avctx->width, avctx->height, -1)) + if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0) return 1; return 0; }
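Review bot: After av_lzo1x_decode the new line sets `buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING` regardless of how much output was actually produced, and a decompression error is only logged, so the header and frame parsing that follows sees the whole buffer including whatever stale bytes av_fast_malloc left from earlier frames. If av_lzo1x_decode reports the remaining output space back through `*outlen` (the lzo hunk earlier in this series treats it as an in/out length), `buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING - outlen;` bounds the parse to the bytes that were really written; whether a failed decompression should be parsed at all is a separate question the commit leaves open. decode_frame begins before this hunk and continues after it.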
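Review bot: In the decode_init hunk a failed codec_reinit is still mapped to `return 1`, even though codec_reinit now hands back a negative code (`AVERROR(ENOMEM)` or -1 in the hunk above); if the caller treats only negative results as failure, a positive 1 would not abort opening the decoder. Propagate the code instead: `int ret = codec_reinit(avctx, avctx->width, avctx->height, -1); if (ret < 0) return ret;`. decode_init's body starts before this hunk.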