It appears there are corner cases with damaged input that can lead
to small overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Code ported from qatar/master, please see there for per line authorship.
Main authors AFAIK are Ronald and Justin. I have no authorship on this.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (58 commits)
amrnbdec: check frame size before decoding.
cscd: use negative error values to indicate decode_init() failures.
h264: prevent overreads in intra PCM decoding.
FATE: do not decode audio in the nuv test.
dxa: set audio stream time base using the sample rate
psx-str: do not allow seeking by bytes
asfdec: Do not set AVCodecContext.frame_size
vqf: set packet parameters after av_new_packet()
mpegaudiodec: use DSPUtil.butterflies_float().
FATE: add mp3 test for sample that exhibited false overreads
fate: add cdxl test for bit line plane arrangement
vmnc: return error on decode_init() failure.
libvorbis: add/update error messages
libvorbis: use AVFifoBuffer for output packet buffer
libvorbis: remove unneeded e_o_s check
libvorbis: check return values for functions that can return errors
libvorbis: use float input instead of s16
libvorbis: do not flush libvorbis analysis if dsp state was not initialized
libvorbis: use VBR by default, with default quality of 3
libvorbis: fix use of minrate/maxrate AVOptions
...
Conflicts:
Changelog
doc/APIchanges
libavcodec/avcodec.h
libavcodec/dpxenc.c
libavcodec/libvorbis.c
libavcodec/vmnc.c
libavformat/asfdec.c
libavformat/id3v2enc.c
libavformat/internal.h
libavformat/mp3enc.c
libavformat/utils.c
libavformat/version.h
libswscale/utils.c
tests/fate/video.mak
tests/ref/fate/nuv
tests/ref/fate/prores-alpha
tests/ref/lavf/ffm
tests/ref/vsynth1/prores
tests/ref/vsynth2/prores
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
docs: use -bsf:[vas] instead of -[vas]bsf.
mpegaudiodec: Prevent premature clipping of mp3 input buffer.
lavf: move the packet keyframe setting code.
oggenc: free comment header for all codecs
lcl: error out if uncompressed input buffer is smaller than framesize.
mjpeg: abort decoding if packet is too large.
golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.
get_bits: add HAVE_BITS_REMAINING macro.
lavf/output-example: use new audio encoding API correctly.
lavf/output-example: more proper usage of the new API.
tiff: Prevent overreads in the type_sizes array.
tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
apetag: do not leak memory if avio_read() fails
apetag: propagate errors.
SBR DSP x86: implement SSE sbr_hf_g_filt
SBR DSP x86: implement SSE sbr_sum_square_sse
SBR DSP: use intptr_t for the ixh parameter.
Conflicts:
doc/bitstream_filters.texi
doc/examples/muxing.c
doc/ffmpeg.texi
libavcodec/golomb.h
libavcodec/x86/Makefile
libavformat/oggenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.
http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
* qatar/master:
mov: Use defines for sample flags in fragments
mov: Use defines for trun flags
mov: Use defines for tfhd flags
proresenc: force bitrate not to exceed given limit
vc1parse: call vc1_init_common().
wma: don't return 0 on invalid packets.
asf: prevent packet_size_left from going negative if hdrlen > pktlen.
mjpegb: don't return 0 at the end of frame decoding.
rtpdec: Identify incorrectly signalled H263
vp8dsp: split long line.
aiff: don't skip block_align==0 check on COMM-after-SSND files.
dpcm: ignore extra unpaired bytes in stereo streams.
mp3on4: require a minimum framesize.
mpc7: assign an error level + context to av_log() msg.
huffyuv: error out on bit overrun.
dct-test: Add the missing ff_ prefix to the altivec functions
dct-test: Remove a stray declaration of a nonexistent function
movenc: Write the unknown duration as 64 bit fields in ismv
movenc: Write track durations with all bits set if duration is unknown
Conflicts:
libavcodec/dct-test.c
libavcodec/wmadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
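The guard that commit message calls for, as an added sketch (not code from FFmpeg or Libav): check the packet length before subtracting the header size, and check the reader's init result before reading. ToyBits, toy_init_bits(), toy_get_bits(), parse_payload_byte(), HEADER_SIZE and ERR_INVALID are hypothetical names and values chosen for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define HEADER_SIZE 4     /* assumed header length, in bytes */
#define ERR_INVALID (-1)  /* assumed error code */

/* Toy MSB-first bit reader (hypothetical; not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;   /* stays NULL when init fails */
    int size_bits;
    int pos;
} ToyBits;

/* Models the failure described above: a negative size makes init fail
 * and leaves the reader without a buffer. */
static int toy_init_bits(ToyBits *b, const uint8_t *buf, int size_bits)
{
    int ok = buf && size_bits >= 0;
    b->buf       = ok ? buf : NULL;
    b->size_bits = ok ? size_bits : 0;
    b->pos       = 0;
    return ok ? 0 : ERR_INVALID;
}

/* Checked read of n (1..16) bits: returns ERR_INVALID instead of touching
 * a NULL buffer or reading past the declared end. */
static int toy_get_bits(ToyBits *b, int n)
{
    int v = 0;
    if (!b->buf || n < 1 || n > 16 || b->size_bits - b->pos < n)
        return ERR_INVALID;
    while (n--) {
        v = (v << 1) | ((b->buf[b->pos >> 3] >> (7 - (b->pos & 7))) & 1);
        b->pos++;
    }
    return v;
}

/* Hardened caller: reject short packets before bufsize - HEADER_SIZE can
 * go negative, and check init's return value before reading. */
int parse_payload_byte(const uint8_t *pkt, int bufsize)
{
    ToyBits b;
    if (!pkt || bufsize < HEADER_SIZE || bufsize > INT_MAX / 8)
        return ERR_INVALID;
    if (toy_init_bits(&b, pkt + HEADER_SIZE, (bufsize - HEADER_SIZE) * 8) < 0)
        return ERR_INVALID;
    return toy_get_bits(&b, 8);
}
```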
* qatar/master: (29 commits)
fate: add golomb-test
golomb-test: K&R formatting cosmetics
h264: Split h264-test off into a separate file - golomb-test.c.
h264-test: cleanup: drop timer invocations, commented out code and other cruft
h264-test: Remove unused DSP and AVCodec contexts and related init calls.
adpcm: Add missing stdint.h #include to fix standalone header compilation.
lavf: add functions for accessing the fourcc<->CodecID mapping tables.
lavc: set AVCodecContext.codec in avcodec_get_context_defaults3().
lavc: make avcodec_close() work properly on unopened codecs.
lavc: add avcodec_is_open().
lavf: rename AVInputFormat.value to raw_codec_id.
lavf: remove the pointless value field from flv and iv8
lavc/lavf: remove unnecessary symbols from the symbol version script.
lavc: reorder AVCodec fields.
lavf: reorder AVInput/OutputFormat fields.
mp3dec: Fix a heap-buffer-overflow
adpcmenc: remove some unneeded casts
adpcmenc: use int16_t and uint8_t instead of short and unsigned char.
adpcmenc: fix adpcm_ms extradata allocation
adpcmenc: return proper AVERROR codes instead of -1
...
Conflicts:
doc/APIchanges
libavcodec/Makefile
libavcodec/adpcmenc.c
libavcodec/avcodec.h
libavcodec/h264.c
libavcodec/libavcodec.v
libavcodec/mpc7.c
libavcodec/mpegaudiodec.c
libavcodec/options.c
libavformat/Makefile
libavformat/avformat.h
libavformat/flvdec.c
libavformat/libavformat.v
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In some cases, what is left to read from ptr is smaller than EXTRABYTES.
Based on a patch by Thierry Foucu <tfoucu@gmail.com>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
* qatar/master:
rtpdec: Use our own SSRC in the SDES field when sending RRs
Finalize changelog for 0.8 Release
Prepare for 0.8 Release
threads: change the default for threads back to 1
threads: update slice_count and slice_offset from user context
aviocat: Remove useless includes
doc/APIChanges: fill in missing dates and hashes
Revert "avserver: fix build after the next bump."
mpegaudiodec: switch error detection check to AV_EF_BUFFER
lavf: rename fer option and document resulting (f_)err_detect options
lavc: rename err_filter option to err_detect and document it
mpegvideo: fix invalid memory access for small video dimensions
movenc: Reorder entries in the MOVIentry struct, for tigheter packing
rtsp: Remove extern declarations for variables that don't exist
aviocat: Flush the output before closing
Conflicts:
Changelog
RELEASE
libavcodec/mpegaudiodec.c
libavcodec/pthread.c
libavformat/options.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
fate: Add tests for more AAC features.
aacps: Add missing newline in error message.
fate: Add tests for vc1/wmapro in ism.
aacdec: Add a fate test for 5.1 channel SBR.
aacdec: Turn off PS for multichannel files that use PCE based configs.
cabac: remove put_cabac_u/ueg from cabac-test.
swscale: RGB4444 and BGR444 input
FATE: add test for xWMA demuxer.
FATE: add test for SMJPEG demuxer and associated IMA ADPCM audio decoder.
mpegaudiodec: optimized iMDCT transform
mpegaudiodec: change imdct window arrangment for better pointer alignment
mpegaudiodec: move imdct and windowing function to mpegaudiodsp
mpegaudiodec: interleave iMDCT buffer to simplify future SIMD implementations
swscale: convert yuy2/uyvy/nv12/nv21ToY/UV from inline asm to yasm.
FATE: test to exercise WTV demuxer.
mjpegdec: K&R formatting cosmetics
swscale: K&R formatting cosmetics for code examples
swscale: K&R reformatting cosmetics for header files
FATE test: cvid-grayscale; ensures that the grayscale Cinepak variant is exercised.
Conflicts:
libavcodec/cabac.c
libavcodec/mjpegdec.c
libavcodec/mpegaudiodec.c
libavcodec/mpegaudiodsp.c
libavcodec/mpegaudiodsp.h
libavcodec/mpegaudiodsp_template.c
libavcodec/x86/Makefile
libavcodec/x86/imdct36_sse.asm
libavcodec/x86/mpegaudiodec_mmx.c
libswscale/swscale-test.c
libswscale/swscale.c
libswscale/swscale_internal.h
libswscale/x86/swscale_template.c
tests/fate/demux.mak
tests/fate/microsoft.mak
tests/fate/video.mak
tests/fate/wma.mak
tests/ref/lavfi/pixfmts_scale
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
mpegenc: use avctx->slices as number of slices
v410enc: fix undefined signed left shift caused by integer promotion
Release notes: mention cleaned up header includes
fix Changelog file
Fix a bunch of typos.
Drop some pointless void* return value casts from av_malloc() invocations.
wavpack: fix typos in previous cosmetic clean-up commit
wavpack: cosmetics: K&R pretty-printing
avconv: remove the 'codec framerate is different from stream' warning
wavpack: determine sample_fmt before requesting a buffer
bmv audio: implement new audio decoding API
mpegaudiodec: skip all channels when skipping granules
mpegenc: simplify muxrate calculation
Conflicts:
Changelog
avconv.c
doc/RELEASE_NOTES
libavcodec/h264.c
libavcodec/mpeg12.c
libavcodec/mpegaudiodec.c
libavcodec/mpegvideo.c
libavformat/mpegenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
FATE: add tests for dfa
mpegaudiodec: fix seeking.
mpegaudiodec: fix compilation when testing the unchecked bitstream reader
threads: add sysconf based number of CPUs detection
threads: always include necessary headers for number of CPUs detection
threads: default to automatic thread count detection
Changelog: restore version <next> header
cook: K&R formatting cosmetics
Conflicts:
Changelog
libavcodec/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The safe bitstream reader does not allow using skip_bits_long() to seek to a
point before the start of the buffer, which was needed by the mp3 decoder.
This change instead calculates the start point of the first valid granule and
skips to that position.
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
The buffer splicing relies on the bitstream reader over-reading
the end of the buffer as declared in init_get_bits(), although
more data is actually present. Manually moving the bitstream
boundary after init_get_bits() allows this to work as expected.
Signed-off-by: Mans Rullgard <mans@mansr.com>
* qatar/master:
aac_latm: reconfigure decoder on audio specific config changes
latmdec: fix audio specific config parsing
Add avcodec_decode_audio4().
avcodec: change number of plane pointers from 4 to 8 at next major bump.
Update developers documentation with coding conventions.
svq1dec: avoid undefined get_bits(0) call
ARM: h264dsp_neon cosmetics
ARM: make some NEON macros reusable
Do not memcpy raw video frames when using null muxer
fate: update asf seektest
vp8: flush buffers on size changes.
doc: improve general documentation for MacOSX
asf: use packet dts as approximation of pts
asf: do not call av_read_frame
rtsp: Initialize the media_type_mask in the rtp guessing demuxer
Cleaned up alacenc.c
Conflicts:
doc/APIchanges
doc/developer.texi
libavcodec/8svx.c
libavcodec/aacdec.c
libavcodec/ac3dec.c
libavcodec/avcodec.h
libavcodec/nellymoserdec.c
libavcodec/tta.c
libavcodec/utils.c
libavcodec/version.h
libavcodec/wmadec.c
libavformat/asfdec.c
tests/ref/seek/lavf_asf
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Pass the correct size in bits to mpeg4audio_get_config and add a flag
to disable parsing of the sync extension when the size is not known.
Latm with AudioMuxVersion 0 does not specify the size of the audio
specific config. Data after the audio specific config can be
misinterpreted as sync extension resulting in random and wrong configs.
* qatar/master:
vc1: use an enum for Frame Coding Mode
doc: cleanup filter section
indeo3: error out if no motion vector is set.
x86inc: Flag shufps as an floating-point instruction for the AVX emulation code.
mpegaudio: do not use init_static_data() for initializing tables.
musepack: fix signed shift overflow in mpc_read_packet()
mov: Make format string match variable type.
wmavoice: Make format string match variable type.
vc1: select interlaced scan table by FCM element
Generalize RIFF INFO tag support; support reading INFO tag in wav
pthread: track thread existence in a separate variable.
Conflicts:
doc/filters.texi
libavcodec/pthread.c
libavformat/avi.c
libavformat/riff.c
libavformat/riff.h
libavformat/wav.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (53 commits)
probe: Restore identification of files with very large id3 tags and no extension.
probe: Remove id3 tag presence as a criteria to do file extension checking.
mpegts: MP4 SL support
mpegts: MP4 OD support
mpegts: Add support for Sections in PMT
mpegts: Replace the MP4 descriptor parser with a recursive parser.
mpegts: Add support for multiple mp4 descriptors
mpegts: Parse mpeg2 SL descriptors.
isom: Add MPEG4SYSTEMS dummy object type indication.
aacdec: allow output reconfiguration on channel changes
nellymoserenc: take float input samples instead of int16
nellymoserdec: use dsp functions for overlap and windowing
nellymoserdec: do not fail if there is extra data in the packet
nellymoserdec: fail if output buffer is too small
nellymoserdec: remove pointless buffer size check.
lavf: add init_put_byte() to the list of visible symbols.
seek-test: free options dictionary after use
snow: do not draw_edge if emu_edge is set
tools/pktdumper: update to recent avformat api
seek-test: update to recent avformat api
...
Conflicts:
doc/APIchanges
libavcodec/mpegaudiodec.c
libavcodec/nellymoserdec.c
libavcodec/snow.c
libavcodec/version.h
libavcodec/wmadec.c
libavformat/avformat.h
libavformat/mpegts.c
libavformat/mxfdec.c
libavformat/utils.c
libavformat/wtv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The documentation for CODEC_CAP_PARSE_ONLY and AVCodecContext.parse_only
indicates that they are utilized through avcodec_parse_frame(), which was
never actually implemented.
Its functionality was removed several years ago, so it doesn't do anything.
AVCodecContext.frame_number could serve the same purpose if someone
wants to debug the frame count.