Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Interlaced images can have 32 references (16 per field), so limiting the
array size to 16 leads to invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
The safe bitstream reader broke it since the buffer size was specified
in bytes instead of bits.
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
CC: libav-stable@libav.org
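
The bytes-versus-bits mix-up described in the commit message above, as an added example that is not libav's code: a minimal checked bit reader whose size argument is in bits, showing that a caller passing a byte count gets refused after the first few bits. The `BitReader` type, the `br_*` functions and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal checked bit reader; the size is tracked in BITS. */
typedef struct {
    const uint8_t *buf;
    size_t size_in_bits;   /* declared end of valid data, in bits */
    size_t index;          /* current read position, in bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_in_bits)
{
    br->buf = buf;
    br->size_in_bits = size_in_bits;
    br->index = 0;
}

/* Read one bit MSB-first; return -1 instead of reading past the declared end. */
static int br_get_bit(BitReader *br)
{
    if (br->index >= br->size_in_bits)
        return -1;
    int bit = (br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1;
    br->index++;
    return bit;
}

/* Count how many bits the checked reader hands out before refusing. */
static size_t br_readable_bits(const uint8_t *buf, size_t declared_size)
{
    BitReader br;
    size_t n = 0;
    br_init(&br, buf, declared_size);
    while (br_get_bit(&br) >= 0)
        n++;
    return n;
}

/* Constructed sample input: 4 bytes = 32 bits. */
static const uint8_t sample[4] = { 0xA5, 0x3C, 0xFF, 0x00 };

int main(void)
{
    /* Bug: byte count passed where bits are expected, so the reader stops early. */
    printf("byte count as size: %zu bits readable\n",
           br_readable_bits(sample, sizeof(sample)));
    /* Fix: convert bytes to bits; the whole buffer is readable and still bounded. */
    printf("bit count as size:  %zu bits readable\n",
           br_readable_bits(sample, sizeof(sample) * 8));
    return 0;
}
```

An unchecked reader ignores the declared size, which is why a wrong unit can go unnoticed until the bounds check is enabled.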
* qatar/master:
doc/general: update supported devices table.
doc/general: add missing @tab to codecs table.
h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction.
avconv: reindent
avconv: link '-passlogfile' option to libx264 'stats' AVOption.
libx264: add 'stats' private option for setting 2pass stats filename.
libx264: fix help text for slice-max-size option.
http: Clear the auth state on redirects
http: Retry auth if it failed due to being stale
rtsp: Resend new keepalive commands if they used stale auth
rtsp: Retry authentication if failed due to being stale
httpauth: Parse the stale field in digest auth
dxva2_vc1: pass the overlap flag to the decoder
dxva2_vc1: fix decoding of BI frames
FATE: add shorthand to wavpack test
dfa: convert to bytestream2 API
anm decoder: move buffer allocation from decode_init() to decode_frame()
h264: improve parsing of broken AVC SPS
Conflicts:
ffmpeg.c
libavcodec/anm.c
libavcodec/dfa.c
libavcodec/h264.c
libavcodec/h264_direct.c
libavcodec/h264_ps.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This bug might have been exploitable (out of HEAP buffer writes)
Bug introduced by libav
commit a55d5bdc6e
Date: Tue Mar 6 15:15:42 2012 -0800
algmm: convert to bytestream2 API.
* qatar/master:
pcm-mpeg: convert to bytestream2 API
Revert "h264: clear trailing bits in partially parsed NAL units"
remove iwmmxt optimizations
mimic: do not continue if swap_buf_size is 0
mimic: convert to bytestream2 API
frwu: use MKTAG to check marker instead of AV_RL32
txd: port to bytestream2 API
c93: convert to bytestream2 API
iff: make .long_name more descriptive
FATE: add test for cdxl demuxer
rtsp: Fix a typo
Conflicts:
libavcodec/arm/dsputil_iwmmxt.c
libavcodec/arm/dsputil_iwmmxt_rnd_template.c
libavcodec/arm/mpegvideo_iwmmxt.c
libavcodec/c93.c
libavcodec/txd.c
libavutil/arm/cpu.c
tests/fate/demux.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams
with broken escaping. Since the size of the NAL unit is known and
checked against the buffer end we can parse it entirely without buffer
overreads.
Fixes playback of
http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This reverts commit 729ebb2f18.
There was an off-by-one error in the bit mask calculation clearing
actually the last valid bit and causing
http://bugzilla.libav.org/show_bug.cgi?id=227
The broken sample (Mr_MrsSmith-h264_aac.mp4) the commit was fixing
does not work after correcting the off-by-one error.
CC: libav-stable@libav.org
They were broken since August of 2010 without anyone noticing until
three weeks ago. Nobody cares about it anymore and hopefully Marvell
will support NEON like in the PXA978 from now on.
Yasm creates an implicit unaligned text section if "struc" is used
outside of any section:
http://tortall.lighthouseapp.com/projects/78676-yasm/tickets/247
Since yasm only honors the "align" annotation on the first declaration
of a section, this implicit text section causes all text section
alignments to be ignored. Also fixes a yasm warning about it ignoring
alignment.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
cook: expand dither_tab[], and make sure indexes into it don't overflow.
xxan: reindent xan_unpack_luma().
xxan: protect against chroma LUT overreads.
xxan: convert to bytestream2 API.
xxan: don't read before start of buffer in av_memcpy_backptr().
vp8: convert mbedge loopfilter x86 assembly to use named arguments.
vp8: convert inner loopfilter x86 assembly to use named arguments.
Conflicts:
libavcodec/xxan.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
MPC8 allows indices of mpc_CC up to -1, and mpc_SCF up to -6, thus pad
the tables by that much on the left end.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
The two samples both have stype 0.
Without this extra check, the code breaks 4:2:2 dvsd
(stype 4), since that has the same resolution.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
* qatar/master:
Fix a bunch of common typos.
build: Skip compiling xvmc.h under the correct condition.
configure: darwin: Change dylib install names to include major version.
mpegts: Always honor a registration descriptor if present and there is no other codec information.
aacdec: Fix SCE parity check.
aacdec: Fix out of array writes (stack).
rtsp: Only set the ttl parameter if the server actually gave a value
udp: Set ttl for read-write streams, too, not only for write-only ones
udp: Only bind to the multicast address if in read-only mode
udp: Clarify the comment about binding the multicast address
udp: Reorder comments
Conflicts:
libavcodec/aacdec.c
tools/patcheck
Merged-by: Michael Niedermayer <michaelni@gmx.at>
An unpaired SCE preceding a CPE only makes sense for front SCEs
preceding the first CPE.
Split from FFmpeg commit a8d67efa53
Signed-off-by: Alex Converse <alex.converse@gmail.com>
Set the element to channel vector (e2c_vec) size to be the maximum
number of aac channel elements. This makes it slightly larger than it
needs to be because CCEs are never mapped to output channel locations.
Also add a check that all input tags (legal or not) will fit.
Split from FFmpeg commit a8d67efa53
Signed-off-by: Alex Converse <alex.converse@gmail.com>
Fixes trac #1045.
Thanks to Peter Ross for his help with this patch.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Matroska demuxer needs to recreate tta header, so just display
crc error without aborting.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
This fixes some invalid memory access caused later in the function
by res_chan[] not being set for all channels. This happens when a
channel doesn't appear in a submap. This change simply returns a
decoder error when this situation is detected.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
We slightly overread the input buffer, so we require
padding at the end of the buffer, as is documented in the
get_bits API. Without padding, we'll read uninitialized
data or beyond the end of the .rodata, which may crash.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
* qatar/master: (29 commits)
sbrdsp.asm: convert all instructions to float/SSE ones.
dv: cosmetics.
dv: check buffer size before reading profile.
Revert "AAC SBR: group some writes."
udp: Print an error message if bind fails
cook: extend channel uncoupling tables so the full bit range is covered.
roqvideo: cosmetics.
roqvideo: convert to bytestream2 API.
dca: don't use av_clip_uintp2().
wmall: fix build with -DDEBUG enabled.
smc: port to bytestream2 API.
AAC SBR: group some writes.
dsputil: remove shift parameter from scalarproduct_int16
SBR DSP: unroll sum_square
rv34: remove dead code in intra availability check
rv34: clean a bit availability checks.
v4l2: update documentation
tgq: convert to bytestream2 API.
parser: remove forward declaration of MpegEncContext
dca: prevent accessing static arrays with invalid indexes.
...
Conflicts:
doc/indevs.texi
libavcodec/Makefile
libavcodec/dca.c
libavcodec/dvdata.c
libavcodec/eatgq.c
libavcodec/mmvideo.c
libavcodec/roqvideodec.c
libavcodec/smc.c
libswscale/output.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The codec would keep returning the last decoded frame if the stream
contains B-frames, since it wouldn't clear that frame from the list of
frames to be returned to the user.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Since the values are floats, using the float operations
makes sense, improves performance on some CPUs and
makes the code SSE compatible instead of needing SSE2.
Based on suggestion by Jason.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
There is only one caller, which does not need the shifting. Other use cases
are situations where different roundings would be needed.
The x86 and neon versions are modified accordingly.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
The length is even, so some unrolling can be performed. Timings are for x86:
- 32bits: 102c -> 82c
- 64bits: 82c -> 69c
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
This was an incorrect copy-and-paste to a code not needing the original code.
Spotted by Jason in a previous review but forgotten in the commit.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
movq from SSE register _to_ memory is an SSE2 instruction.
Use the SSE movlps function instead that does the same thing.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
This fixes an issue in the code to check the size that will
be written to match the actual code writing. In the long
term it would make sense to change this so the counting and
writing code are the same so they don't need to be kept in sync.
It also increases the array size, which was too small either way
and adds a redundant safety check.
This issue does not affect any FFmpeg release as it has been
introduced Jan 31 which is narrowly after our last release.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Results of IDCT can by far outreach the range of ff_cropTbl[], leading
to overreads and potentially crashes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This fixes some arith decoder overreads and a potential infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (31 commits)
cdxl demux: do not create packets with uninitialized data at EOF.
Replace computations of remaining bits with calls to get_bits_left().
amrnb/amrwb: Remove get_bits usage.
cosmetics: reindent
avformat: do not require a pixel/sample format if there is no decoder
avformat: do not fill-in audio packet duration in compute_pkt_fields()
lavf: Use av_get_audio_frame_duration() in get_audio_frame_size()
dca_parser: parse the sample rate and frame durations
libspeexdec: do not set AVCodecContext.frame_size
libopencore-amr: do not set AVCodecContext.frame_size
alsdec: do not set AVCodecContext.frame_size
siff: do not set AVCodecContext.frame_size
amr demuxer: do not set AVCodecContext.frame_size.
aiffdec: do not set AVCodecContext.frame_size
mov: do not set AVCodecContext.frame_size
ape: do not set AVCodecContext.frame_size.
rdt: remove workaround for infinite loop with aac
avformat: do not require frame_size in avformat_find_stream_info() for CELT
avformat: do not require frame_size in avformat_find_stream_info() for MP1/2/3
avformat: do not require frame_size in avformat_find_stream_info() for AAC
...
Conflicts:
doc/APIchanges
libavcodec/Makefile
libavcodec/avcodec.h
libavcodec/h264.c
libavcodec/h264_ps.c
libavcodec/utils.c
libavcodec/version.h
libavcodec/x86/dsputil_mmx.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
All colorspaces are supported.
Renamed libutvideo.cpp to libutvideodec.cpp.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This is so the forthcoming encoder wrapper can share
them.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This only returns bits per sample when it is exactly correct. That is, the
codec contains only raw samples with no frame headers or padding. This applies
to basically all PCM codecs and a small subset of ADPCM codecs.
This condition cannot happen, if it can it is a bug that MUST be fixed.
And I very happily volunteer to fix it if someone reports a case to
me that fails.
This reverts commit 5d652e063b.
This splits ff_dsputil_init_mmx() into multiple functions, one for
each MMX/SSE level, somewhat simplifying the nested conditions.
Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
This fixes some global out of array reads and wrong clipping.
No speed difference measurable under clang on i5
also all important code paths on all important platforms should
use SIMD.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes an out of global array read in the cplscale* tables.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (27 commits)
cmdutils: use new avcodec_is_decoder/encoder() functions.
lavc: make codec_is_decoder/encoder() public.
lavc: deprecate AVCodecContext.sub_id.
libcdio: add a forgotten AVClass to the private context.
swscale: remove "cpu flags" from -sws_flags description.
proresenc: give user a possibility to alter some encoding parameters
vorbisenc: add output buffer overwrite protection
libopencore-amrnbenc: fix end-of-stream handling
ra144enc: fix end-of-stream handling
nellymoserenc: zero any leftover packet bytes
nellymoserenc: use proper MDCT overlap delay
qpeg: Use bytestream2 functions to prevent buffer overreads.
swscale: make %rep unconditional.
vp8: convert simple loopfilter x86 assembly to use named arguments.
vp8: convert idct x86 assembly to use named arguments.
vp8: convert mc x86 assembly to use named arguments.
vp8: convert loopfilter x86 assembly to use cpuflags().
vp8: convert idct/mc x86 assembly to use cpuflags().
swscale: remove now unnecessary hack.
x86inc: don't "bake" stack_offset in named arguments.
...
Conflicts:
cmdutils.c
doc/APIchanges
libavcodec/mpeg12.c
libavcodec/options.c
libavcodec/qpeg.c
libavcodec/utils.c
libavcodec/version.h
libavdevice/libcdio.c
tests/lavf-regression.sh
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In most places where it's used, it's as a pointless write-only field.
Only rv10 decoder actually reads from it, but it stores some internal
version info in it. There is no reason for it to be in a public field.
Use CODEC_CAP_DELAY and CODEC_CAP_SMALL_LAST_FRAME to properly pad and flush
the encoder at the end of encoding. This is needed in order to have all input
samples decoded.
Use CODEC_CAP_DELAY and CODEC_CAP_SMALL_LAST_FRAME to properly pad and flush
the encoder at the end of encoding. This is needed in order to have all input
samples decoded.
* qatar/master:
tiertexseq: set correct block_align for audio
tiertexseq: set audio stream start time to 0
voc/avs: Do not change the sample rate mid-stream.
segafilm: use the sample rate as the time base for audio streams
ea: fix audio pts
psx-str: fix audio pts
vqf: set packet duration
tta demuxer: set packet duration
mpegaudio_parser: do not ignore information from the first parsed frame
mpegaudio_parser: be less picky about the start position
thp: set audio packet durations
avcodec: add a Vorbis parser to get packet duration
vorbisdec: read the previous window flag for long windows
lavc: free the output packet when encoding failed or produced no output.
lavc: preserve avpkt->destruct in ff_alloc_packet().
lavc: clarify the meaning of AVCodecContext.frame_number.
mpegts: Pad the packet buffer in handle_packet().
mpegts: Do not call read_sl_header() when no bytes remain in the buffer.
Conflicts:
libavcodec/mpegaudio_parser.c
libavcodec/version.h
libavformat/mpegts.c
tests/ref/fate/pva-demux
Merged-by: Michael Niedermayer <michaelni@gmx.at>
We need to set ms_stereo in encode_init() in order to avoid incorrectly
encoding the first frame as non-m/s while flagging it as m/s. Fixes an
uncomfortable pop in the left channel at the start of playback.
CC:libav-stable@libav.org
Currently we have an assert() that prevents the frame from being too large,
but it is more user-friendly to give an error message instead of aborting on
assert(). This condition is quite unlikely due to the minimum bit rate check
in encode_init(), but it is still worth having.
The maximum theoretical frame size is around 17000 bytes. Although in
practice it will generally be much smaller, we require a larger buffer
just to be safe.
CC: libav-stable@libav.org
ff_wma_init() allows up to 50kHz, but this generates an exponent band
size table that requires 65 bands. The code assumes 25 bands in many
places, and using sample rates higher than 48kHz will lead to buffer
overwrites.
CC:libav-stable@libav.org
This is near the theoretical limit for wma frame size and is the most that
our decoder can handle. Allowing higher bit rates will just end up padding
each frame with empty bytes.
Fixes invalid writes for avconv when using very high bit rates.
CC:libav-stable@libav.org
The code only supports 16 and 24 bps currently, 20bps causes
out of array reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
When reading sequentially, we are using the actual flag from the previous
frame, but when seeking we do not know what the previous window flag was, so
we need to read it from the bitstream.
This fixes some out of global array accesses of dither_tab.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Benjamin Larsson <benjamin@southpole.se>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
qpeg should probably be changed to use the checked bytestream reader.
But for now this fixes it and is significantly less work.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>