Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Add a check to avoid writing past the end of the channel_unit.components[]
array.
Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
This makes the check that avoids overwrite of the samples array actually
work properly.
fixes CVE-2012-0848
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Update FATE reference to account for now non-existent palette packet.
This also fixes the FATE test if frame data is not initialized in
get_buffer(), so update comment in avconv accordingly.
By replacing memcpy with an unrolled loop using the alignment knowledge
it has, some speedup can be obtained.
Before (gcc 4.6.1): ~400 cycles
After: ~370 cycles
Overall, around 2% speed increase when decoding a 2400s mp3 to f32le.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
* shariman/wmall:
Do not try to read residue if ave_mean <= 1
Move some variable declarations to comply with C90
Cosmetics: fix some whitespace errors
Support 24-bit decoding
wmall: remove ;;
Conflicts:
libavcodec/wmalosslessdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Otherwise, we end up with log(0) or log(1). av_ceil_log2 simply
assumes the argument is non-zero and returns a wrong result when it is.
(Not that there is a proper way of returning an undefined value.)
Since quantisation matrices are stored in context, decoding slices with
different quantisers in parallel leads to unpredictable content of
aforementioned matrices and wrong output picture thereof.
* qatar/master: (21 commits)
CDXL demuxer and decoder
hls: Re-add legacy applehttp name to preserve interface compatibility.
hlsproto: Rename the functions and context
hlsproto: Encourage users to try the hls demuxer instead of the proto
doc: Move the hls protocol section into the right place
libavformat: Rename the applehttp protocol to hls
hls: Rename the functions and context
libavformat: Rename the applehttp demuxer to hls
rtpdec: Support H263 in RFC 2190 format
rv30: check block type validity
ttadec: CRC checking
movenc: Support muxing VC1
avconv: Don't split out inline sequence headers when stream copying VC1
rv34: handle size changes during frame multithreading
rv40: prevent undefined signed overflow in rv40_loop_filter()
rv34: use AVERROR return values in ff_rv34_decode_frame()
rv34: use uint16_t for RV34DecContext.deblock_coefs
librtmp: Add "lib" prefix to librtmp URLProtocol declarations.
movenc: Use defines instead of hardcoded numbers for RTCP types
smjpegdec: implement seeking
...
Conflicts:
Changelog
doc/general.texi
libavcodec/avcodec.h
libavcodec/rv30.c
libavcodec/tta.c
libavcodec/version.h
libavformat/Makefile
libavformat/allformats.c
libavformat/version.h
libswscale/x86/swscale_mmx.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
rtpdec: Use 4 byte startcodes for H.264
matroskadec: Mark variable as av_unused.
Move some conditionally used variables into the block where they are used.
Drop some completely unnecessary av_unused attributes.
swscale: Remove unused variable alpMmxFilter.
Drop unnecessary av_uninit attributes from some variable declarations.
movenc: Support muxing wmapro in ismv/isma
mpegtsenc: Add an AVOption for forcing a new PAT/PMT/SDT to be written
swscale: move YUV2PACKED16WRAPPER() macro down to where it is used.
swscale: handle gray16 as a "planar" YUV format (Y-only, of course).
swscale: use yuv2packed1() functions for unscaled chroma also.
swscale: fix incorrect chroma bias in yuv2rgb48_1_c().
swscale: fix invalid memory accesses in yuvpacked1() functions.
Move PS2 MMI code below the mips subdirectory, where it belongs.
mips: Move MMI function declarations to a header.
build: Set correct dependencies for rtmp* protocols implemented by librtmp.
Conflicts:
libavcodec/ac3enc_template.c
libavformat/mpegtsenc.c
libswscale/output.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The wrong variable was passed into decode_ham_plane32()
Fixes: Ticket922
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
swscale: convert yuv2yuvX() to using named arguments.
swscale: rename "dstw" to "w" to prevent name collisions.
swscale: use named registers in yuv2yuv1_plane() place.
lavf: fix aspect ratio mismatch message.
avconv: set AVFormatContext.duration from '-t'
cljr: implement encode2.
cljr: set the properties of the coded_frame, not input frame.
dnxhdenc: switch to encode2.
bmpenc: switch to encode2().
Conflicts:
libavcodec/bmpenc.c
libavcodec/cljr.c
libavformat/utils.c
tests/ref/vsynth1/cljr
tests/ref/vsynth2/cljr
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The cleanup is only done now when
a picture is returned (assuming that it has to be done when it's returned)
an error is returned (assuming that there will be no further progress on the frame)
the codec is not h264 (this is still needed due to some deadlocks in realvideo)
This fixes a decoding regression with 00017.MTS
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
FATE: update reference for seek-alac_mp4
sunrast: Return AVERROR values instead of -1.
sunrast: Add support for gray8 decoding.
swscale: enforce a minimum filtersize.
alacenc: use AVCodec.encode2()
alacenc: cosmetics: indentation
alacenc: consolidate bitstream writing into a single function.
alacenc: only encode frame size in header for a final smaller frame
alacenc: store current frame size in AlacEncodeContext.
alacenc: return AVERROR codes in alac_encode_frame()
alacenc: calculate a new max frame size for the final small frame
alacenc: pretty-printing and other cosmetics
alacenc: fix error handling and potential memleaks in alac_encode_init()
alacenc: do not set coded_frame->key_frame
alacenc: do not set bits_per_coded_sample
alacenc: remove unneeded frame_size check in alac_encode_frame()
tta: error out if samplerate is zero.
ttadec: fix invalid free when an error occurs while decoding 24-bit tta
wavpack: add needed braces for 2 statements inside an if block
Conflicts:
tests/ref/acodec/alac
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (38 commits)
v210enc: remove redundant check for pix_fmt
wavpack: allow user to disable CRC checking
v210enc: Use Bytestream2 functions
cafdec: Check return value of avio_seek and avoid modifying state if it fails
yop: Check return value of avio_seek and avoid modifying state if it fails
tta: Check return value of avio_seek and avoid modifying state if it fails
tmv: Check return value of avio_seek and avoid modifying state if it fails
r3d: Check return value of avio_seek and avoid modifying state if it fails
nsvdec: Check return value of avio_seek and avoid modifying state if it fails
mpc8: Check return value of avio_seek and avoid modifying state if it fails
jvdec: Check return value of avio_seek and avoid modifying state if it fails
filmstripdec: Check return value of avio_seek and avoid modifying state if it fails
ffmdec: Check return value of avio_seek and avoid modifying state if it fails
dv: Check return value of avio_seek and avoid modifying state if it fails
bink: Check return value of avio_seek and avoid modifying state if it fails
Check AVCodec.pix_fmts in avcodec_open2()
svq3: Prevent illegal reads while parsing extradata.
remove ParseContext1
vc1: use ff_parse_close
mpegvideo parser: move specific fields into private context
...
Conflicts:
libavcodec/4xm.c
libavcodec/aacdec.c
libavcodec/h264.c
libavcodec/h264.h
libavcodec/h264_cabac.c
libavcodec/h264_cavlc.c
libavcodec/mpeg4video_parser.c
libavcodec/svq3.c
libavcodec/v210enc.c
libavformat/cafdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The DC coefficient should be included, too.
This probably was missed because DC quantizer is always
even for MPEG-1/2 but this function is also used for MPEG-4.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Conversion of the luma intra prediction mode to one of the constrained
("alzheimer") ones can happen by crafting special bitstreams, causing
a crash because we'll call a NULL function pointer for 16x16 block intra
prediction, since constrained intra prediction functions are only
implemented for chroma (8x8 blocks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
in , else (1) { if (!1) } the if conditional will never evaluate to be true.
So as making the check useless.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
We need to do unsigned saturation in order to cover the corner case when the
absolute coefficient value is 16777215 (the maximum value).
Fixes Bug #216
That way all mix levels as exported by avpriv_ac3_parse_header()
will have the same meaning.
Previously the 3-bit center mix level for E-AC-3 was used to index in a
4-entry table, leading to out-of-array reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
* qatar/master: (26 commits)
eac3dec: replace undefined 1<<31 with INT32_MIN in noise generation
yadif: specify array size outside DECLARE_ALIGNED
prores: specify array size outside DECLARE_ALIGNED brackets.
WavPack demuxer: set packet duration
tta: use skip_bits_long()
mxfdec: Ignore the last entry in Avid's index table segments
mxfdec: Sanity-check SampleRate
mxfdec: Handle small EditUnitByteCount
mxfdec: Consider OPAtom files that do not have exactly one EC to be OP1a
mxfdec: Don't crash in mxf_packet_timestamps() if current_edit_unit overflows
mxfdec: Zero nb_ptses in mxf_compute_ptses_fake_index()
mxfdec: Sanity check PreviousPartition
mxfdec: Never seek back in local sets and KLVs
mxfdec: Move the current_partition check inside mxf_read_header()
mxfdec: Fix infinite loop in mxf_packet_timestamps()
mxfdec: Check eof_reached in mxf_read_local_tags()
mxfdec: Check for NULL component
mxfdec: Make sure mxf->nb_index_tables > 0 in mxf_packet_timestamps()
mxfdec: Make sure x < index_table->nb_ptses
build: Add missing directories to DIRS declarations.
...
Conflicts:
doc/build_system.txt
doc/fate.texi
libavfilter/x86/yadif_template.c
libavformat/mxfdec.c
libavutil/Makefile
tests/fate/audio.mak
tests/fate/prores.mak
tests/fate/screen.mak
tests/fate/video.mak
tests/ref/fate/bethsoft-vid
tests/ref/fate/cscd
tests/ref/fate/dfa4
tests/ref/fate/nuv
tests/ref/fate/vp8-sign-bias
tests/ref/fate/wmv8-drm
tests/ref/lavf/gxf
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Comment-by-michael: I am committing this as the code cannot work without it and likely works with it.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes crashes on exit when closing a bitstream filter that
hasn't allocated any private data, on OS X.
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/master:
pixdesc: mark pseudopaletted formats with a special flag.
avconv: switch to avcodec_encode_video2().
libx264: implement encode2().
libx264: split extradata writing out of encode_nals().
lavc: add avcodec_encode_video2() that encodes from an AVFrame -> AVPacket
cmdutils: update copyright year to 2012.
swscale: sign-extend integer function argument to qword on x86-64.
x86inc: support yasm -f win64 flag also.
h264: manually save/restore XMM registers for functions using INIT_MMX.
x86inc: allow manual use of WIN64_SPILL_XMM.
aacdec: Use correct speaker order for 7.1.
aacdec: Remove incorrect comment.
aacdec: Simplify output configuration.
Remove Sun medialib glue code.
dsputil: set STRIDE_ALIGN to 16 for x86 also.
pngdsp: swap argument inversion.
Conflicts:
cmdutils.c
configure
doc/APIchanges
ffmpeg.c
libavcodec/aacdec.c
libavcodec/dsputil.h
libavcodec/libx264.c
libavcodec/mlib/dsputil_mlib.c
libavcodec/utils.c
libavfilter/vf_scale.c
libavutil/avutil.h
libswscale/mlib/yuv2rgb_mlib.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This changes a number of FATE results, since before this commit, the
timestamps in all tests using rawenc were made up by lavf.
In most cases, the previous timestamps were completely bogus.
In some other cases -- raw formats, mostly h264 -- the new timestamps
are bogus as well. The only difference is that timestamps invented by
the muxer are replaced by timestamps invented by the demuxer.
cscd -- avconv sets output codec timebase from r_frame_rate
and r_frame_rate is in this case some guessed number 31.42 (377/12),
which is not accurate enough to represent all timestamps. This results
in some frames having duplicate pts. Therefore, vsync 0 needs to be
changed to vsync 2 and avconv drops two frames. A proper fix in the
future would be to set output timebase to something saner in avconv.
nuv -- previous timestamps for video were wrong AND the cscd
comment applies, one frame is dropped.
vp8-signbias -- the file contains two frames with identical timestamps,
so -vsync 0 needs to be removed/changed to -vsync 2 and avconv drops one
frame.
vc1-ism -- apparently either the demuxer lies about timestamps or the
file is broken, since dts == pts on all packets, but reordering clearly
takes place.
The spec says the following speaker mapping is default:
center front speaker
left, right center front speakers,
left, right outside front speakers,
left surround, right surround rear speakers,
front low frequency effects speaker
* qatar/master:
swscale: make yuv2yuv1 use named registers.
h264: mark h264_idct_add8_10 with number of XMM registers.
swscale: fix V plane memory location in bilinear/unscaled RGB/YUYV case.
vp8: always update next_framep[] before returning from decode_frame().
avconv: estimate next_dts from framerate if it is set.
avconv: better next_dts usage.
avconv: rename InputStream.pts to last_dts.
avconv: reduce overloading for InputStream.pts.
avconv: rename InputStream.next_pts to next_dts.
avconv: rework -t handling for encoding.
avconv: set encoder timebase for subtitles.
pva-demux test: add -vn
swscale: K&R formatting cosmetics for SPARC code
apedec: allow the user to set the maximum number of output samples per call
apedec: do not unnecessarily zero output samples for mono frames
apedec: allocate a single flat buffer for decoded samples
apedec: use sizeof(field) instead of sizeof(type)
swscale: split C output functions into separate file.
swscale: Split C input functions into separate file.
bytestream: Add bytestream2 writing API.
The avconv changes are due to massive regressions and bugs not merged yet.
Conflicts:
ffmpeg.c
libavcodec/vp8.c
libswscale/swscale.c
libswscale/x86/swscale_template.c
tests/fate/demux.mak
tests/ref/lavf/asf
tests/ref/lavf/avi
tests/ref/lavf/mkv
tests/ref/lavf/mpg
tests/ref/lavf/nut
tests/ref/lavf/ogg
tests/ref/lavf/rm
tests/ref/lavf/ts
tests/ref/seek/lavf_avi
tests/ref/seek/lavf_mkv
tests/ref/seek/lavf_rm
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This fixes crashes in e.g. PNG decoding with SSE2 enabled. In fact, many
x86 optimizations for codecs assume that our buffer strides are 16-byte
aligned.
Also slightly move around code to not allocate a new frame if we won't
decode it. This prevents us from putting undecoded frames in frame
pointers, which (in mt decoding) other threads will use and wait on
as references, causing a deadlock (if we skipped decoding) or a crash
(if we didn't initialize next_framep[] at all).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
It makes sense in some cases to split up the output packet to save on memory
usage (ape frames can be very large), but the current/default size is
arbitrary. Allowing the user to configure this gives more flexibility and
requires minimal additional code.
* qatar/master:
Revert "v210enc: use FFALIGN()"
doxygen: Do not include license boilerplates in Doxygen comment blocks.
avplay: reset decoder flush state when seeking
ape: skip packets with invalid size
ape: calculate final packet size instead of guessing
ape: stop reading after the last frame has been read
ape: return AVERROR_EOF instead of AVERROR(EIO) when demuxing is finished
ape: return error if seeking to the current packet fails in ape_read_packet()
avcodec: Clarify AVFrame member documentation.
v210dec: check for coded_frame allocation failure
v210enc: use stride as it is already calculated
v210enc: use FFALIGN()
v210enc: return proper AVERROR codes instead of -1
v210enc: do not set coded_frame->key_frame
v210enc: check for coded_frame allocation failure
drawtext: add 'fix_bounds' option on coords fixing
drawtext: fix text_{w, h} expression vars
drawtext: add missing braces around an if() block.
Conflicts:
libavcodec/arm/vp8.h
libavcodec/arm/vp8dsp_init_arm.c
libavcodec/v210dec.c
libavfilter/vf_drawtext.c
libavformat/ape.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
FFALIGN doesn't work with non-powers-of-2.
This reverts commit 7ad1b612c8.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Line sizes are only 8-byte aligned, so use unaligned loads
for add_bytes_l2 pointers.
Increasing the alignment requirement to 16 seemed a bit extreme
(png may be used for rather small sizes).
Also fix a mov that had its arguments swapped, leading to
add_bytes_l2 being applied on up to 8 bytes too few.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
* qatar/master:
libx264: fix indentation.
vorbis: fix overflows in floor1[] vector and inverse db table index.
win64: add a XMM clobber test configure option.
movdec: Parse the dvc1 atom
ARM: ac3: fix ac3_bit_alloc_calc_bap_armv6
swscale: K&R formatting cosmetics for Blackfin code
frwu: lowercase the FRWU codec name
movdec: fix dts generation in fragmented files
fate: make acodec-ac3_fixed test output raw AC3
APIchanges: add missing commit hashes
swscale: implement MMX, SSE2 and AVX functions for RGB32 input.
ra144enc: drop pointless "encoder" from .long_name
bethsoftvideo: fix palette reading.
mpc7: use av_fast_padded_malloc()
mpc7: simplify handling of packet sizes that are not a multiple of 4 bytes
doc: decoding Forward Uncompressed is supported
Fix a typo in the x86 asm version of ff_vector_clip_int32()
pcmenc: Do not set avpkt->size.
ff_alloc_packet: modify the size of the packet to match the requested size
Conflicts:
doc/APIchanges
libavcodec/libx264.c
libavcodec/mpc7.c
libavformat/isom.h
libswscale/Makefile
libswscale/bfin/yuv2rgb_bfin.c
tests/ref/fate/bethsoft-vid
tests/ref/seek/ac3_ac3
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This will be useful to test more aggressively for failures to mark XMM
registers as clobbered in Win64 builds, and prevent regressions thereof.
Based on a patch by Ramiro Polla <ramiro.polla@gmail.com>
* qatar/master: (22 commits)
frwu: Employ more meaningful return values.
fraps: Use av_fast_padded_malloc() instead of av_realloc()
mjpegdec: use av_fast_padded_malloc()
eatqi: use av_fast_padded_malloc()
asv1: use av_fast_padded_malloc()
avcodec: Add av_fast_padded_malloc().
swscale: enable dithering in MMX functions.
swscale: make rgb24 function macros slightly smaller.
avcodec.h: Remove some disabled cruft.
swscale: remove obsolete comment.
swscale-test: Drop unused argc and argv arguments from main().
zmbv: Employ more meaningful return values.
zmbvenc: Employ more meaningful return values.
vc1: prevent null pointer dereference on broken files
zmbv: check av_realloc() return values and avoid memleaks on ENOMEM
truespeech: align buffer
ac3: Do not read past the end of ff_ac3_band_start_tab.
dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
dv: Fix null pointer dereference due to ach=0
dv: check stype
...
Conflicts:
doc/APIchanges
libavcodec/asv1.c
libavcodec/avcodec.h
libavcodec/eatqi.c
libavcodec/fraps.c
libavcodec/frwu.c
libavcodec/zmbv.c
libavformat/dv.c
libswscale/swscale.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Return the correct number of consumed bytes and set *data_size = 0.
Returned size is 1 too small, leading to that 1 byte being read as the next
frame, which results in an extra blank frame at the beginning of the stream.
Avoids doing malloc/free for each frame.
Also fixes valgrind errors due to use of uninitialized padding bytes.
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Wrapper around av_fast_malloc() that keeps FF_INPUT_BUFFER_PADDING_SIZE
zero-padded bytes at the end of the used buffer.
Based on a patch by Reimar Döffinger <Reimar.Doeffinger@gmx.de>.
"Copyright (c) 2001 Michael Niedermayer" and "part of Libav" is not likely:
not only am I not a libav developer, there also was no libav in 2001.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>