From 4eea330a2afa317940a11d5bf5461ba673ab6b67 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: [PATCH 1/8] h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c (cherry picked from commit e1608014c50eeb9f4744a53de0794eb6bb1269a2) Signed-off-by: Reinhard Tartler (cherry picked from commit b102d5d97daedb717c023ec7bfa43047d97de284) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 06ded4d1f1..02ff83309f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1799,6 +1799,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else s->height= 16*s->mb_height - 4*FFMIN(h->sps.crop_bottom, 3); + if (FFALIGN(s->avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { From 44e6cf3f75f00d201a8cb1b836251f5a826186a0 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:06:00 +0100 Subject: [PATCH 2/8] mov: set AVCodecContext.width/height for h264 This is required for correct cropping of files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac) Signed-off-by: Reinhard Tartler (cherry picked from commit 2fb4be9a99a2c2a9435339830e3d940171cc0d9b) Signed-off-by: Reinhard Tartler (cherry picked from commit 0054d70f23edd1f61a10a1c2c687b3a04831feb9) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2edd27e440..f1cde0b767 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1820,9 +1820,6 @@ static int mov_read_trak(MOVContext *c, ByteIOContext *pb, MOVAtom atom) #if CONFIG_H263_DECODER case CODEC_ID_H263: #endif -#if CONFIG_H264_DECODER - case CODEC_ID_H264: -#endif #if CONFIG_MPEG4_DECODER case CODEC_ID_MPEG4: #endif From aa4121276777b20eaaa83bf9bd544b00748c865c Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: [PATCH 3/8] vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov (cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b) Conflicts: libavcodec/vc1dec.c Signed-off-by: Anton Khirnov (cherry picked from commit 0173a7966b331105158a88f96b9afcc431d2fef8) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index abcc5ecda8..8d31e8bc1e 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3328,6 +3328,7 @@ AVCodec vc1_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420 }; @@ -3344,6 +3345,7 @@ AVCodec wmv3_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420 }; From 459feb7cce03af7154c098171fc9d36fc9d472f6 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 6 Aug 2012 13:59:04 +0200 Subject: [PATCH 4/8] nuv: check RTjpeg header for validity CC: libav-stable@libav.org (cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad) Signed-off-by: Anton Khirnov (cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9) Signed-off-by: Anton Khirnov (cherry picked from commit f31170d4e7f9671e019315391160d454b18d7296) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 9 +++++---- libavcodec/rtjpeg.h | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 791f450913..6f832cc27a 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf_size < 12) { + if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE || + buf[5] != RTJPEG_FILE_VERSION) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; if (!codec_reinit(avctx, w, h, q)) return -1; - buf = &buf[12]; - buf_size -= 12; + buf = &buf[RTJPEG_HEADER_SIZE]; + buf_size -= RTJPEG_HEADER_SIZE; } if (keyframe && c->pic.data[0]) diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h index 4bcb9f70ca..73d41f481d 100644 --- a/libavcodec/rtjpeg.h +++ b/libavcodec/rtjpeg.h @@ -25,6 +25,9 @@ #include #include "dsputil.h" +#define RTJPEG_FILE_VERSION 0 +#define RTJPEG_HEADER_SIZE 12 + typedef struct { int w, h; DSPContext *dsp; From fd7426ed898533bed98e6b472ff5f5c8e47f2eb5 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 2 Jul 2012 10:46:39 +0200 Subject: [PATCH 5/8] imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt CC: libav-stable@libav.org (cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916) Signed-off-by: Anton Khirnov (cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95) Signed-off-by: Anton Khirnov (cherry picked from commit 8812b5f164109553f009ce385e17a1af16b6ea53) Signed-off-by: Anton Khirnov --- libavcodec/imgconvert.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 8f789c4ae0..ae8ec16543 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -851,7 +851,8 @@ static enum PixelFormat avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask, /* find exact color match with smallest size */ dst_pix_fmt = PIX_FMT_NONE; min_dist = 0x7fffffff; - for(i = 0;i < PIX_FMT_NB; i++) { + /* test only the first 64 pixel formats to avoid undefined behaviour */ + for (i = 0; i < 64; i++) { if (pix_fmt_mask & (1ULL << i)) { loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask; if (loss == 0) { From c82ae85a8a78a98f7c7fea68d24a4ac0ca74d01f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: [PATCH 6/8] mpegvideo: Don't use ff_mspel_motion() for vc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using ff_mspel_motion assumes that s (a MpegEncContext poiinter) really is a Wmv2Context. This fixes crashes in error resilience on vc1/wmv3 videos. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1) Signed-off-by: Anton Khirnov (cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557) Signed-off-by: Anton Khirnov (cherry picked from commit 899d95efe12f1e250b361837c1c8c06df9ac9b86) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index 73106664f9..258f7cdaa7 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -727,7 +727,8 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){ + } else if (!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && + s->mspel && s->codec_id == CODEC_ID_WMV2) { ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); From a4e277312cacfb78ef7583ed0b4fe4ccf5a0bcb1 Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: [PATCH 7/8] lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler (cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371) Signed-off-by: Anton Khirnov (cherry picked from commit b6c5848a1f8fc2755ea70d325acaddae9fac45ab) Signed-off-by: Anton Khirnov --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 2a9bdb0bd0..8b8bf75962 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -44,6 +44,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + ret = av_mallocz(sizeof(AVFilterFormats)); /* merge list of formats */ From 0e2f415adf5d8c0e8bbb210c3c2693315854718f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Mon, 4 Jun 2012 18:27:03 -0700 Subject: [PATCH 8/8] vorbis: Validate that the floor 1 X values contain no duplicates. Duplicate values in this vector are explicitly banned by the Vorbis I spec and cause divide-by-zero crashes later on. (cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc) Signed-off-by: Reinhard Tartler (cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c) Signed-off-by: Anton Khirnov (cherry picked from commit d6e250abfc36b239ef0c1fc9d45d588b853bfcb9) Signed-off-by: Anton Khirnov --- libavcodec/vorbis.c | 9 ++++++++- libavcodec/vorbis.h | 3 ++- libavcodec/vorbis_dec.c | 6 +++++- libavcodec/vorbis_enc.c | 3 ++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 109737976c..5f0ddda32f 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -123,7 +123,8 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, uint_fast32_t num) return 0; } -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values) { int i; list[0].sort = 0; @@ -147,6 +148,11 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) for (i = 0; i < values - 1; i++) { int j; for (j = i + 1; j < values; j++) { + if (list[i].x == list[j].x) { + av_log(avccontext, AV_LOG_ERROR, + "Duplicate value found in floor 1 X coordinates\n"); + return AVERROR_INVALIDDATA; + } if (list[list[i].sort].x > list[list[j].sort].x) { int tmp = list[i].sort; list[i].sort = list[j].sort; @@ -154,6 +160,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } } + return 0; } static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, diff --git a/libavcodec/vorbis.h b/libavcodec/vorbis.h index ce9bead425..18a826eee8 100644 --- a/libavcodec/vorbis.h +++ b/libavcodec/vorbis.h @@ -35,7 +35,8 @@ typedef struct { uint_fast16_t high; } vorbis_floor1_entry; -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values); +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values); unsigned int ff_vorbis_nth_root(unsigned int x, unsigned int n); // x^(1/n) int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, uint_fast32_t num); void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c index e5ad4aaae3..a2ae854699 100644 --- a/libavcodec/vorbis_dec.c +++ b/libavcodec/vorbis_dec.c @@ -550,7 +550,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) } // Precalculate order of x coordinates - needed for decode - ff_vorbis_ready_floor1_list(floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim); + if (ff_vorbis_ready_floor1_list(vc->avccontext, + floor_setup->data.t1.list, + floor_setup->data.t1.x_list_dim)) { + return AVERROR_INVALIDDATA; + } } else if (floor_setup->floor_type == 0) { uint_fast8_t max_codebook_dim = 0; diff --git a/libavcodec/vorbis_enc.c b/libavcodec/vorbis_enc.c index 934463d1e1..2fb41d16eb 100644 --- a/libavcodec/vorbis_enc.c +++ b/libavcodec/vorbis_enc.c @@ -302,7 +302,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, }; fc->list[i].x = a[i - 2]; } - ff_vorbis_ready_floor1_list(fc->list, fc->values); + if (ff_vorbis_ready_floor1_list(avccontext, fc->list, fc->values)) + return AVERROR(EINVAL); venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues);