From bb35a42e93c1556511a1812dce7776afcea4001b Mon Sep 17 00:00:00 2001
From: Diego Biurrun
Date: Wed, 9 Jan 2013 09:52:48 +0100
Subject: [PATCH 01/11] APIchanges: Fill in missing commit hashes
---
 doc/APIchanges | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/APIchanges b/doc/APIchanges
index 34faf01153..0b9cdac9b0 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -13,17 +13,17 @@ libavutil: 2011-04-18
 API changes, most recent first:
-2012-03-04 - xxxxxxx - lavu 51.22.1 - error.h
+2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h
 Add AVERROR_UNKNOWN
-2012-02-29 - xxxxxxx - lavf 53.21.1
+2012-02-29 - 2ad77c6 - lavf 53.21.1
 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags().
-2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h
+2012-02-29 - a1556d3 - lavu 51.22.0 - intfloat.h
 Add a new installed header libavutil/intfloat.h with int/float punning functions.
-2012-02-17 - xxxxxxx - lavc 53.35.0
+2012-02-17 - 350d06d - lavc 53.35.0
 Add avcodec_is_open() function.
 2012-01-15 - lavc 53.34.0
From a4a63bf5b55f9b42b752301ae417ee3f50f5a594 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Tue, 11 Dec 2012 17:26:10 -0800
Subject: [PATCH 02/11] aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
Found-by: pawlkt
CC: libav-stable@libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646)
Signed-off-by: Reinhard Tartler
---
 libavcodec/aacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 2b9b45c9e8..6478c7765b 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1747,7 +1747,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
 int w, filt, m, i;
 int bottom, top, order, start, end, size, inc;
 float lpc[TNS_MAX_ORDER];
- float tmp[TNS_MAX_ORDER];
+ float tmp[TNS_MAX_ORDER + 1];
 for (w = 0; w < ics->num_windows; w++) {
 bottom = ics->num_swb;
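Review bot: The `+ 1` in `float tmp[TNS_MAX_ORDER + 1];` is the entire fix for CVE-2012-5144, yet nothing at the declaration says why one extra element is needed, so a later cleanup could quietly shrink it back to `TNS_MAX_ORDER` and reopen the overwrite. A comment tying the size to the writer keeps the fix from regressing: `float tmp[TNS_MAX_ORDER + 1]; /* one extra element: the TNS filter loop can write one past the order when the LTP profile follows MAIN (CVE-2012-5144) */`. The loop that fills tmp is outside the hunk, so the exact access pattern described in that comment should be confirmed against the rest of apply_tns, which continues on both sides of the hunk.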
From d282e5ce7286eab3bc4f5cbfe81a74551bd31006 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Fri, 23 Nov 2012 14:05:36 +0100
Subject: [PATCH 03/11] lavf: avoid integer overflow in ff_compute_frame_duration()
Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
(cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc)
Signed-off-by: Reinhard Tartler
---
 libavformat/utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 240cd94925..9dc1dcb2c6 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -838,7 +838,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st,
 *pnum = st->codec->time_base.num;
 *pden = st->codec->time_base.den;
 if (pc && pc->repeat_pict) {
- *pnum = (*pnum) * (1 + pc->repeat_pict);
+ if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+ *pden /= 1 + pc->repeat_pict;
+ else
+ *pnum *= 1 + pc->repeat_pict;
 }
 //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet
 //Thus if we have no parser in such case leave duration undefined.
From 522e97bd9e91903249b5b7f9fb9f267bb55cb967 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Sat, 24 Nov 2012 15:50:03 +0100
Subject: [PATCH 04/11] flashsv: check for keyframe before using differential coding
Fixes a segfault in te fuzzed sample resolutionchange.flv_s211713.
CC: libav-stable@libav.org
(cherry picked from commit 5ae72f54532960cb9eae82a1c9e8d505106c022b)
Signed-off-by: Reinhard Tartler
---
 libavcodec/flashsv.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index c99c21c719..792ad57f88 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
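Review bot: The overflow branch `*pden /= 1 + pc->repeat_pict;` can drive `*pden` to zero whenever the denominator is smaller than the repeat factor, handing callers a 0 denominator; compute_frame_duration continues outside the hunk, so whether anything downstream rejects that is not visible here. The factor `1 + pc->repeat_pict` is also evaluated three times; hoisting it into a local reads better and gives the guard one place to grow: `int factor = 1 + pc->repeat_pict;` / `if (*pnum > INT_MAX / factor) *pden /= factor; else *pnum *= factor;`. If repeat_pict can ever be negative (the hunk does not show where it is validated), `factor` can be 0 and `INT_MAX / factor` is a division by zero, so a `factor > 0` check in front is cheap insurance against fuzzed input like the sample named in the commit message.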
@@ -370,6 +370,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
 }
 if (has_diff) {
+ if (!s->keyframe) {
+ av_log(avctx, AV_LOG_ERROR,
+ "inter frame without keyframe\n");
+ return AVERROR_INVALIDDATA;
+ }
 s->diff_start = get_bits(&gb, 8);
 s->diff_height = get_bits(&gb, 8);
 av_log(avctx, AV_LOG_DEBUG,
From 6cd92c3880956ee58fa59aca2d0656b10f506988 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Fri, 16 Nov 2012 14:31:09 +0100
Subject: [PATCH 05/11] h264: enable low delay only if no delayed frames were seen
Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumely broken SPS.
CC: libav-stable@libav.org
(cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24)
Conflicts:
 libavcodec/h264.c
---
 libavcodec/h264.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index b866917e5f..1c5b841889 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -4030,9 +4030,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
 ff_h264_decode_seq_parameter_set(h);
 }
- if (s->flags& CODEC_FLAG_LOW_DELAY ||
- (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames))
- s->low_delay=1;
+ if (s->flags & CODEC_FLAG_LOW_DELAY ||
+ (h->sps.bitstream_restriction_flag &&
+ !h->sps.num_reorder_frames)) {
+ if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+ av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
+ "reenabling low delay requires a codec "
+ "flush.\n");
+ else
+ s->low_delay = 1;
+ }
 if(avctx->has_b_frames < 2)
 avctx->has_b_frames= !s->low_delay;
From b6592b402cd245fa4ac74f8eea4e0f9300c62adc Mon Sep 17 00:00:00 2001
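Review bot: The new `if (!s->keyframe)` guard carries no explanation of why a differential frame is invalid here; the reason lives only in the commit message, and the check reads as arbitrary without it. A one-line comment above it, `/* diff blocks patch data left by an earlier frame; there is nothing valid to patch before the first keyframe */`, keeps the intent next to the code. Where `s->keyframe` is set and whether it is cleared on a resolution change is outside the hunk and worth confirming, since a stale flag would let a diff frame through against a buffer sized for the old dimensions; flashsv_decode_frame continues on both sides of the hunk.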
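Review bot: The warning text in the added av_log concatenates to `Delayed frames seen reenabling low delay requires a codec flush.`, a run-on that is hard to parse in a log; `"Delayed frames seen, " "reenabling low delay requires a codec " "flush.\n"` says what was meant. The same block reaches the codec context two ways, `s->avctx->has_b_frames` on one line and `avctx->has_b_frames` two lines later; the function already has `avctx` in scope, so use it in both places. Since this sits in decode_nal_units and, per the commit message, a broken SPS keeps re-triggering the condition, the warning will presumably fire once per SPS NAL; if that proves noisy, a once-only flag on the context is the usual remedy. decode_nal_units continues outside the hunk.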
From: Janne Grunau
Date: Wed, 28 Nov 2012 17:31:35 +0100
Subject: [PATCH 06/11] flashsv: make sure data for zlib priming is available
Fixes a segfault in the fuzzed sample resolutionchange.flv_s314809.
CC: libav-stable@libav.org
(cherry picked from commit 3ae69b91668e3d9b65af4007eb5871397cf0b0ab)
Signed-off-by: Reinhard Tartler
---
 libavcodec/flashsv.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 792ad57f88..4a231ce899 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -394,6 +394,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
 av_log_missing_feature(avctx, "zlibprime_curr", 1);
 return AVERROR_PATCHWELCOME;
 }
+ if (!s->blocks && (s->zlibprime_curr || s->zlibprime_prev)) {
+ av_log(avctx, AV_LOG_ERROR, "no data available for zlib "
+ "priming\n");
+ return AVERROR_INVALIDDATA;
+ }
 size--; // account for flags byte
 }
From f1b3cc02ec5eda0bcbce10236cc2254d22048b17 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Wed, 21 Nov 2012 19:41:59 +0100
Subject: [PATCH 07/11] h264: error out on unset current_picture_ptr for h->current_slice > 0
Fixes a segfault with fuzzed sample sample_varPAR_s11622_r001-02.avi.
CC: libav-stable@libav.org
(cherry picked from commit 0b300daad2f5cb59a7c06dde5ac701685e6edf16)
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 1c5b841889..c9940da97f 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2889,6 +2889,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
 s->picture_structure = last_pic_structure;
 s->dropable = last_pic_dropable;
 return AVERROR_INVALIDDATA;
+ } else if (!s->current_picture_ptr) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "unset current_picture_ptr on %d. slice\n",
+ h0->current_slice + 1);
+ return AVERROR_INVALIDDATA;
 }
 } else {
 /* Shorten frame num gaps so we don't have to allocate reference
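Review bot: The condition `!s->blocks && (s->zlibprime_curr || s->zlibprime_prev)` only proves a block buffer exists, not that it was allocated for the current frame's block layout; if the allocation happens on a size change elsewhere in the decoder (outside the hunk), priming from a buffer sized for earlier dimensions still passes this guard, so a comment stating the assumption, `/* s->blocks is (re)allocated whenever the block layout changes, so a non-NULL buffer matches the current frame */`, or a stronger check is warranted. Separately, the context lines just above return AVERROR_PATCHWELCOME for the zlibprime_curr case; if the `if` enclosing them (its condition is above the hunk) fires whenever `s->zlibprime_curr` is set, the `s->zlibprime_curr` term in the new condition is unreachable and the check reduces to `!s->blocks && s->zlibprime_prev`. flashsv_decode_frame continues on both sides of the hunk.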
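Review bot: The sibling branch immediately above restores `s->picture_structure` and `s->dropable` from the saved values before returning AVERROR_INVALIDDATA, while the new `else if (!s->current_picture_ptr)` branch returns without doing so; unless those assignments are known to be irrelevant on this path (the head of the enclosing `if` is above the hunk), the new branch should restore them the same way so the two error exits leave the context in the same state. The message `"unset current_picture_ptr on %d. slice\n"` uses an ordinal form that reads oddly in English logs; `"unset current_picture_ptr on slice %d\n"` is clearer. decode_slice_header continues outside the hunk.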
From 6b70965f398ebcea599225f2215074d434327182 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 3 Dec 2012 22:53:30 +0100
Subject: [PATCH 08/11] ppc: always use pic for shared libraries
CC: libav-stable@libav.org
(cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996)
Conflicts:
 configure
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 51e20cb54e..2d17ce0b28 100755
--- a/configure
+++ b/configure
@@ -2392,7 +2392,7 @@ check_host_cflags -std=c99
 check_host_cflags -Wall
 case "$arch" in
- alpha|ia64|mips|parisc|sparc)
+ alpha|ia64|mips|parisc|ppc|sparc)
 spic=$shared
 ;;
 x86)
From 1d98811b957db3a4c8a3774e85cf8eb07c03c2d4 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Wed, 5 Dec 2012 19:56:36 +0100
Subject: [PATCH 09/11] h264: slice-mt: get last_pic_dropable from master context
Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from https://github.com/OpenELEC/OpenELEC.tv/issues/1557 .
CC: libav-stable@libav.org
(cherry picked from commit a8cb1746c5b6307b2e820f965a7da8d907893b38)
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index c9940da97f..97b21155f0 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2866,7 +2866,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
 h->mb_mbaff = 0;
 h->mb_aff_frame = 0;
 last_pic_structure = s0->picture_structure;
- last_pic_dropable = s->dropable;
+ last_pic_dropable = s0->dropable;
 s->dropable = h->nal_ref_idc == 0;
 if(h->sps.frame_mbs_only_flag){
 s->picture_structure= PICT_FRAME;
From f620c12067a2a80af9fb63927665f82f583e18d7 Mon Sep 17 00:00:00 2001
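Review bot: With `last_pic_dropable` now read from the master context `s0`, the error path of the same function restores it into the slice context (`s->dropable = last_pic_dropable;`, visible in the preceding patch of this series), so the value is saved from one context and written back to another; the line above does the same for picture_structure, which suggests the asymmetry is deliberate for slice-threaded decoding, but nothing in the code says so. A comment at the assignment, `/* the master context (s0) holds the previous picture's state; the per-slice copy in s may be stale under slice threading */`, would spare the next reader the same question, or the restore should target `s0` if the asymmetry is not intended. decode_slice_header continues outside the hunk.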
From: Janne Grunau
Date: Sun, 25 Nov 2012 12:56:04 +0100
Subject: [PATCH 10/11] h264: check sps.log2_max_frame_num for validity
Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302.
CC: libav-stable@libav.org
(cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333)
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264_ps.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index ff6103c2c0..a468c96ac4 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -37,6 +37,9 @@
 //#undef NDEBUG
 #include
+#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)
+#define MIN_LOG2_MAX_FRAME_NUM 4
+
 static const AVRational pixel_aspect[17]={
 {0, 1},
 {1, 1},
@@ -301,7 +304,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 MpegEncContext * const s = &h->s;
 int profile_idc, level_idc, constraint_set_flags = 0;
 unsigned int sps_id;
- int i;
+ int i, log2_max_frame_num_minus4;
 SPS *sps;
 profile_idc= get_bits(&s->gb, 8);
@@ -348,7 +351,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 sps->bit_depth_chroma = 8;
 }
- sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
+ log2_max_frame_num_minus4 = get_ue_golomb(&s->gb);
+ if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
+ log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) {
+ av_log(h->s.avctx, AV_LOG_ERROR,
+ "log2_max_frame_num_minus4 out of range (0-12): %d\n",
+ log2_max_frame_num_minus4);
+ return AVERROR_INVALIDDATA;
+ }
+ sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4;
+
 sps->poc_type= get_ue_golomb_31(&s->gb);
 if(sps->poc_type == 0){ //FIXME #define
From a335ffd7f4cdaaa6a8fe4187f6f06b0418eea19a Mon Sep 17 00:00:00 2001
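Review bot: The error string `"log2_max_frame_num_minus4 out of range (0-12): %d\n"` hard-codes the bounds that the new MIN_LOG2_MAX_FRAME_NUM/MAX_LOG2_MAX_FRAME_NUM macros define, so the message and the check will drift apart if the macros ever change; derive it instead: `"log2_max_frame_num_minus4 out of range (%d-%d): %d\n", MIN_LOG2_MAX_FRAME_NUM - 4, MAX_LOG2_MAX_FRAME_NUM - 4, log2_max_frame_num_minus4`. The first hunk introduces the bounds as bare `#define`s with no comment; an `enum { MIN_LOG2_MAX_FRAME_NUM = 4, MAX_LOG2_MAX_FRAME_NUM = 12 + 4 };` is debugger-visible and scoped, and a one-line comment saying the range is the H.264 constraint on log2_max_frame_num_minus4 (0..12) explains the numbers. Worth noting in a comment too: because the value lands in an `int` and the lower bound is 0, a negative result from get_ue_golomb (should it signal errors that way) is rejected by the same check. ff_h264_decode_seq_parameter_set continues outside the hunk.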
From: Victor Lopez
Date: Wed, 19 Dec 2012 09:12:24 +0100
Subject: [PATCH 11/11] h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Fixes bug 396.
CC: libav-stable@libav.org
(cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0)
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264_ps.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index a468c96ac4..00c5003a22 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -333,7 +333,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8));
 sps->scaling_matrix_present = 0;
- if(sps->profile_idc >= 100){ //high profile
+ if (sps->profile_idc == 100 || sps->profile_idc == 110 ||
+ sps->profile_idc == 122 || sps->profile_idc == 244 ||
+ sps->profile_idc == 44 || sps->profile_idc == 83 ||
+ sps->profile_idc == 86 || sps->profile_idc == 118 ||
+ sps->profile_idc == 128 || sps->profile_idc == 144) {
 sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
 if(sps->chroma_format_idc > 3) {
 av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc);
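Review bot: The ten-way `==` chain on `sps->profile_idc` is hard to audit against the spec and will only grow as profiles are added, and it also drops the `//high profile` comment the old condition carried without saying what the new list is. A small `static const` table queried by a predicate reads as the list it is, keeps the `if`/`else` shape of the surrounding code (which continues outside the hunk) intact, and gives the list a single documented home; the rewrite below keeps the exact set of values from the hunk. A comment naming the list's source (the profile_idc values whose SPS syntax carries chroma_format_idc and the bit-depth/scaling-matrix fields) should accompany it. ff_h264_decode_seq_parameter_set continues on both sides of the hunk.
```c
/* profile_idc values whose SPS syntax carries chroma_format_idc and the
 * bit-depth / scaling-matrix fields; keep in sync with the H.264 SPS syntax. */
static int sps_has_chroma_format_idc(int profile_idc)
{
    static const int profiles[] = { 100, 110, 122, 244, 44, 83, 86, 118, 128, 144 };
    for (size_t i = 0; i < sizeof(profiles) / sizeof(profiles[0]); i++)
        if (profiles[i] == profile_idc)
            return 1;
    return 0;
}

/* … unchanged: start of ff_h264_decode_seq_parameter_set through scaling_matrix_present = 0 … */
    if (sps_has_chroma_format_idc(sps->profile_idc)) {
        sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
        /* … unchanged: chroma_format_idc range check and the rest of the high-profile fields … */
```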