Compare commits

321 Commits

Author SHA1 Message Date
Andreas Rheinhardt df000208ea libavcodec/libvpxenc: Don't free user-provided AVPacket
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 26b4509690)
2020-05-23 21:34:02 +02:00
Andreas Rheinhardt 021fe2603f avcodec/libopusenc: Don't free user-provided AVPacket
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit b803993b6d)
2020-05-23 21:33:57 +02:00
Andreas Rheinhardt e631660726 avformat/matroskadec: Fix default value of BlockAddID
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit dbc50f8a93)
2020-04-03 23:17:39 +02:00
Mark Harris b858bcbbf6 avutil/mem: Fix invalid use of av_alloc_size
The alloc_size attribute is valid only on functions that return a
pointer.  GCC 9 (not yet released) warns about invalid usage:

./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes]
  342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size);
      | ^~~~~~~~~~~~~

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4361293fcf)
2019-07-23 01:18:14 -03:00
James Almer b307cbe276 avcodec/hevcdec: decode at most one slice reporting being the first in the picture
Fixes deadlocks when decoding packets containing more than one of the aforementioned
slices when using frame threads.

Tested-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 70c8c8a818)
2019-03-20 22:23:12 -03:00
Paul B Mahol bdcbe9296a avfilter/af_silenceremove: fix possible crash if supplied duration is negative
Signed-off-by: Paul B Mahol <onemda@gmail.com>

Fixes ticket #7697.
(cherry picked from commit 2d1594a8d6)
2019-01-25 00:53:39 +01:00
Michael Niedermayer 527e64d32c Changelog: Update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-28 00:24:53 +02:00
Michael Niedermayer 15296d64ca avutil/integer: Fix integer overflow in av_mul_i()
Found-by: fate
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3cc3cb663b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-25 00:24:54 +02:00
Michael Niedermayer 82e796a4c9 avcodec/msrle: Check that the input is large enough to contain an end of picture code
Fixes: Timeout
Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 203ccb8746)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-25 00:24:29 +02:00
Michael Niedermayer 1dbf2bc7a9 Update for 3.0.12
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 02:15:08 +02:00
Michael Niedermayer dd5232c838 avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
Fixes: assertion failure
Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 305e523105)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 9c1bb7e8de avcodec/mpeg4videodec: Fix typo in sprite delta check
Fixes: Integer overflow
Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b737317a88)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer f9cfdf2bae avcodec/h264_cavlc: Check mb_skip_run
Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f72b9904fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer b15db639a5 avcodec/ra144: Fix integer overflow in add_wav()
Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int'
Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c6282141cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 6a5b0a3c75 avformat/utils: Never store negative values in last_IP_duration
Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan

Reported-by: Thomas Guilbert <tguilbert@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 079d1a7175)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 51404bb4f6 avformat/utils: Fix integer overflow in discontinuity check
Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long'
Fixes: find_stream_info_usan

Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e19cfcfa3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 4b14c3ed78 avcodec/unary: Improve get_unary() docs
Found-by: kierank
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad89e203bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 9b95c4740d avcodec/dvdsubdec: Sanity check len in decode_rle()
Fixes: Timeout
Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7b023e1db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 58cb3ad576 avcodec/mpeg4videodec: Fix undefined shift in get_amv()
Fixes: runtime error: shift exponent -1 is negative
Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c88afa44c4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 648b904662 avcodec/zmbv: Check that the decompressed data size is correct
This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.

Fixes: Timeout
Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e33b28cc79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:41 +02:00
Michael Niedermayer 6161aade4c avcodec/zmbv: Update decomp_len in raw frames
decomp_len is used in raw frames, so it should not be left at the value from
whatever was decoded previously (which may be any other frame)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d201b83cd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1ed6224cdf avcodec/shorten: Fix bitstream end check in read_header()
Fixes: Timeout
Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 28b80c2d52)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1049ccec34 avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
Speed improvement 35.5 sec -> 34.7sec

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71bf033050)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer fcab1b996a avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 697984b9db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer fceedd4de9 avcodec/ra144: Fix undefined integer overflow in add_wav()
Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int'
Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93a203662f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 23c5d8d9ce avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
Fixes: Timeout
Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9222b972d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer c2ac8d3147 avcodec/vb: Check for end of bytestream before reading blocktype
Fixes: Timeout
Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cbac9ce20)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 22f743e602 avcodec/snowdec: Fix integer overflow with motion vector residual
Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int'
Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acba153a14)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 172bb520c9 avformat/nsvdec: Do not parse multiple NSVf
The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 78d4b6bd43)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 4babf70c7e avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04

Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e71cb2c8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 0ea54cae21 avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6

Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c2eec1762d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f1425b389a avcodec/shorten: Fix integer overflow in residual/LPC combination
Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int'
Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db7e9082e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 5eeaaa29fa avcodec/shorten: Check verbatim length
Fixes: Timeout
Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7007dabec0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f7778c2ce9 avcodec/mpegaudio_parser: Initialize poutbuf*
Possibly fixes: null pointer dereference
Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f4c3b0b8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f6e570aa01 avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int'
Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47db5763e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f81fd4c524 avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
Fixes: Timeout
Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7dd836a3f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 9f18b056da avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int'
Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bed125b710)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer cc82d22289 avcodec/diracdec: Change frame_number to 64bit as it's a 32bit from the bitstream and we also have a -1 special case
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 462d1be6de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 86dfce06e3 avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 69cac9e130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 057cfa4200 avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int'
Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5129040646)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer d7d54f3fd5 swresample/swresample: Fix input channel count in resample_first computation
Found-by: Marcin Gorzel <gorzel@google.com>
Reviewed-by: Marcin Gorzel <gorzel@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bce4da85e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 60493f388c avutil/pixfmt: Document chroma plane size for odd resolutions
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit be0b77e6e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 961eeb4035 avcodec/dvdsub_parser: Allocate input padding
Fixes: out of array read
Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd86b5cfe2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer d7d237a441 avcodec/dvdsub_parser: Init output buf/size
No testcase

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6c843776)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Simon Thelen e7dc6231e2 avcodec/imgconvert: fix possible null pointer dereference
regression since 354b26a394

(cherry picked from commit 8c2c97403b)
(cherry picked from commit c1e172c2e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 0c9c4c3103 avcodec/dirac_dwt_template: Fix signedness regression in interleave()
Found-by: <jdarnley>
Tested-by: James Darnley <james.darnley@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 181435a4de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Rahul Chaudhry 328ab7f0a1 swresample/arm: rename labels to fix xcode build error
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e84212b78e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
James Almer 0d4a11d0a9 avformat/utils: fix mixed declarations and code
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 31de45d20b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
James Almer c3831e89ef libwebpenc_animencoder: add missing braces to struct initialization
The first member of the WebPAnimEncoderOptions struct is non scalar

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 488e6409df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 790e6fead0 avformat/movenc: Check input sample count
Fixes: division by 0
Fixes: fpe_movenc.c_199_1.wav
Fixes: fpe_movenc.c_199_2.wav
Fixes: fpe_movenc.c_199_3.wav
Fixes: fpe_movenc.c_199_4.wav
Fixes: fpe_movenc.c_199_5.wav
Fixes: fpe_movenc.c_199_6.wav
Fixes: fpe_movenc.c_199_7.wav

Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a2d21bc5f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 4ead5a9470 avcodec/mjpegdec: Check for odd progressive RGB
Fixes: out of array access
Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee1e3ca5eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 469503ac1d avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id
Fixes: out of array access
Fixes: ffmpeg_bof_1.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed22dc2221)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 94edbf464c avformat/mms: Add missing chunksize check
Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch <paulcher@icloud.com>
1st hunk by Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cced03dd66)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 6cadf46dff avformat/pva: Check for EOF before retrying in read_part_of_packet()
Fixes: Infinite loop
Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9807d3976b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer ee8c6566e2 avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
Fixes: use after free()
Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a7e032a277)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 438e848b65 avcodec/indeo4: Check for end of bitstream in decode_mb_info()
Fixes: Timeout
Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 267ba2aa96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 21a6570158 avcodec/shorten: Fix undefined addition in shorten_decode_frame()
Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int'
Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b10bb8772)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 3afdb1c8a7 avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 652d7c6348)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 405cfcae41 avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
Fixes: OOM
Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0898a3d990)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer dd7d2770f3 avcodec/escape124: Fix spelling errors in comment
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f59c4e4391)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 181c3d82e9 avcodec/ra144: Fix integer overflow in ff_eval_refl()
Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int'
Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b31189881a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 662f7cef06 avcodec/cscd: Check output buffer size for lzo.
Fixes: Timeout
Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit 78167b498f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1e067b7ed8 avcodec/escape124: Check buf_size against num_superblocks
Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6677c98626)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer d862380718 avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
Fixes: Timeout
Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 540e8c2d64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer eaefd3ada9 avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int'
Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8bd514d934)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer a1c125d2bd avcodec/dirac_dwt_template: Fix undefined behavior in interleave()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 575d8ca026)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 626143903b avutil/common: Fix undefined behavior in av_clip_uintp2_c()
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa41d322be)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 963915a4b4 fftools/ffmpeg: Fallback to duration if sample rate is unavailable
Regression since: af1761f7
Fixes: Division by 0
Fixes: ffmpeg_crash_1

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16d8b13b3b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer ff75dc10fd avformat/mov: Only set pkt->duration to non negative values
Reviewed-by: Sasi Inguva <isasi@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8176799f31)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 18214e2a3f avcodec/h264_mc_template: Only prefetch motion if the list is used.
Fixes: index 59 out of bounds for type 'H264Ref [48]'
Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b55591757)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer aa803d93bf avcodec/xwddec: Use ff_set_dimensions()
Fixes: OOM
Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c2852e4e00)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 23fdebaec5 avcodec/wavpack: Fix overflow in adding tail
Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int'
Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d13379fb79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 50e55b81be avcodec/shorten: Fix multiple integer overflows
Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int'
Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2abd36b38)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 07fd8627e5 avcodec/shorten: Sanity check nmeans
Fixes: OOM
Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232

The reference software appears to use longs for 32bits and it uses int for nmeans
hinting that the intended maximum size was not 32bit.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d91a0b503d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 0c645bd73c avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int'
Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 936f4a2c2e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer aee71463fb avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int'
Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 79c6047c36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f144d5eb49 avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int'
Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7dda51150)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer bbd9f480f3 avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
This restructures the code slightly toward D_UTIL_dec_synthesis()

Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dce80a4b47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 7f142e5402 avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
Fixes: #7165

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe84f70819)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer b4024909c1 avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
Without this some operations might overflow (undefined behavior)
even though the index adding loop would never execute

No testcase known

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56e76bd057)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer fe9c23bebb avcodec/fic: Avoid some magic numbers related to cursors
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c6a11714c4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 243bdbde57 avcodec/g2meet: ask for sample with overflowing RGB
Suggested-by: Tomas Härdin <tjoppen@acc.umu.se>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab834b8f36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1f81818c6a avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int'
Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90475db97e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer be77d7ba78 avcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior
Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int'
Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 62cb6fadf3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer fe37daf25d avcodec/g723_1dec: Clip bits2 in both directions
Fixes: shift exponent 33 is too large for 32-bit type 'int'
Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53f241218d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 0d58511013 avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
Fixes truncation
Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169
Fixes: ffmpeg_crash_2.avi

Found-by: Thuan Pham <thuanpv@comp.nus.edu.sg>, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e1182fac1a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 3eff19d388 avcodec/mlpdec: Only change noise_type if the related fields are valid
Fixes: inconsistency
Fixes: runtime error: index 8 out of bounds for type 'int32_t [8]'
Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63c4a4b0d6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 876d3ee862 indeo4: Decode all or nothing of a band header.
This avoids inconsistent value combinations.
Alternatively it would be possible to add more checks and careful use of
temporary variables, but my try of this quickly seemed to become
a rather large change.
The disadvantage of this is that the struct is copied back and forth.

Fixes: index 6 out of bounds for type 'const uint16_t [5][16]'
Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10c8521265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer ffe4ffa4ef avformat/mov: Only fail for STCO/STSC contradictions if both exist
Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a
See: crbug 822666

Found-by: Mattias Wadman <mattias.wadman@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c2d689c56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer a8fcb810c9 avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int');
Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cb944fc7f1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1747563cea avcodec/fic: Check available input space for cursor
Fixes: out of array read
Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cb2f7ea96b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 00c18862a3 avcodec/g2meet: Check RGB upper limit
Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int'
Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4dd2c8b9ea)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 6850377b59 avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 652ba72ed3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 6aae60cc7d avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
Fixes: assertion failure
Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a96c131eb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 88e5a30cf8 avcodec/g2meet: Change order of operations to avoid undefined behavior
Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int'
Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0a47451458)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 9505b28538 avcodec/flac_parser: Fix infinite loop
Fixes: crbug/827204

Reported-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15a2e35e9e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 04e69effbb avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int'
Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e95d80e6f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer baa4913e12 avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int'
Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c97035e3b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer aaa2d4a265 avcodec/h263dec: Check slice_ret in msmpeg4 slice loop
Fixes infinite loop
Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000
Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit de841fbea7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer cc8710b5af avcodec/elsdec: Fix memleaks
Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0bd0401336)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 70c7c73920 avcodec/vc1_block: simplify ac_val computation
also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]'

Found-by: durandal_1707
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d06b01fc2d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 142e1e3e9a avcodec/ffv1enc: Check that the crc + version combination is supported
The crc flag is only stored since version 3, thus before this crcs do not
work. We increase the version as needed, same as we do with pix_fmts

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d9706f79c1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Stephan Holljes 73d07e320c lavf/http.c: Free allocated client URLContext in case of error.
Signed-off-by: Stephan Holljes <klaxa1337@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b6b8c9265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 3bf0a405f0 avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
Fixes: Timeout
Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5549488bbf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer a8640c87a7 avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 942217b153)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer e49e8259df avcodec/dfa: Check dimension against maximum
The headers from where the dimensions are read in actual files
are limited to 16bit per component.

Fixes: Timeout
Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d5a4fcfbb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 3009bf0be6 avcodec/cinepak: Skip empty frames
Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9033920bec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 5891d222ff avcodec/cinepak: move some checks prior to frame allocation
Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2324ef1ff3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Rahul Chaudhry ad3ec05d03 swresample/arm: remove unintentional relocation.
Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable neon during gstreamer build,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b22db4f465)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 9665d6258c doc/APIchanges: Fix typos in hashes
Thanks-to: Moritz Barsnick <barsnick@gmx.net> for finding the correct ones

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec8a5262b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer b591673c50 avformat/utils: Check cur_dts in update_initial_timestamps() more
Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long'
Fixes: crbug 831552

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37d46dc21d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer cf321e93c4 avcodec/utils: Enforce minimum width also for VP5/6
Fixes: out of array access
Fixes: poc_0411

Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Tested-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 544324827e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 065057c8a3 avcodec/truemotion2: Propagate out of bounds error from GET_TOK()
Fixes: Timeout
Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f6304af234)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 5aaa5bd1b0 avcodec/mjpegdec: Check input buffer size.
Fixes: Timeout
Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8d381b57fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Matt Wolenetz 4b04da1e52 lavc/libopusdec: Allow avcodec_open2 to call .close
If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.

BUG=828526

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e43e97f0e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer c0bb5613d4 avcodec/movtextdec: Check style_start/end
Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 249aca8f98)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 72b9ba8a5b avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'

This was missed in b1bef755f6
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c837918f50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer b2be78f9d2 libavcodec/rv34: error out earlier on missing references
Fixes visual corruption on seeking

Fixes: downloadTest_clip_24M.rmvb

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6cd81d68c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Hendrik Schreiber da371c5b21 swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone.

Signed-off-by: Hendrik Schreiber <hs@tagtraum.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 647fd4b829)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 98096645f2 avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
I was not able to reproduce this, this fix is based on just the fuzzer log.
Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 197a4e8fee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 1f648a098d avcodec/cscd: Error out when LZ* decompression fails
Fixes: Timeout
Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d52be5d4e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
heimdallr 19379529a5 avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
example:

AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA };
int loss = 0;
AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss);

best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 354b26a394)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 03f891c050 avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
Fixes: 2018_03_23_poc.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea15915b2d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 0721e3c1bd avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
Found-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c75438b89)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 7ccb9c37ac avcodec/get_bits: Make sure the input bitstream with padding can be addressed
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e529fe7633)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 028af5acbe avformat/mov: Check STSC and remove invalid entries
Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e67447a4f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer f4fe702258 avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
Fixes: Timeout
Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 939440ad1a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer e623800387 avcodec/nuv: Check for minimum input size for uncompressed and rtjpeg
Fixes: Timeout
Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ee3265dbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 448cd0d0b3 avcodec/wmalosslessdec: Reset num_saved_bits on error path
Fixes: NULL pointer dereference
Fixes: poc-201803.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64c9ce0abc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 30d40580c4 avformat/mov: Fix integer overflows related to sample_duration
Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type

Fixes: Chromium bug 791349

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f37082827)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer ad7c57f9db avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
Fixes: potential signed integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f655ddfb47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 69344f628b avformat/oggparseogm: Check lb against psize
No testcase, this was found during code review

Found-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3e7c847aaf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 46f37c65ab avformat/oggparseogm: Fix undefined shift in ogm_packet()
Fixes: shift exponent 48 is too large for 32-bit type 'int'
Fixes: Chromium bug 786793
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 010b7b30b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 4df16ad1ef avformat/avidec: Fix integer overflow in cum_len check
Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long'
Fixes: Chromium bug 791237

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06e092e781)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 81a6076e4b avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
Fixes: Chromium bug 795653
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 02ecda4aba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer 7fd80d91f7 avformat/utils: Fix integer overflow of fps_first/last_dts
Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long'
Fixes: Chromium bug 796778
Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b1362e408)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
Michael Niedermayer b8fd13befe libavformat/oggparsevorbis: Fix memleak on multiple headers
Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3934aa495d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-23 01:44:40 +02:00
James Almer 29683c6ba1 avdevice/iec61883: free the private context at the end
Fixes part of ticket #7146.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5079e96bcc)
2018-04-18 22:57:49 -03:00
James Almer b949fd7a65 avdevice/iec61883: return reference counted packets
Fixes part of ticket #7146, dealing with leaks of packet data since
commit 87c8812270.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b8629654c6)
2018-04-18 22:57:41 -03:00
Marton Balint 3c056989dc avdevice/iec61883: free packet on buffer allocation error
Fixes Coverity CID 1396416.

Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 4556dad2b7)
2018-04-18 22:57:26 -03:00
Michael Niedermayer b910b34926 Changelog: update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 20:00:58 +01:00
Michael Niedermayer add3c2468e avcodec/bintext: sanity check dimensions
Fixes: Timeout
Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 090c0abff9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer fbf690d79a avcodec/utvideodec: Check subsample factors
Fixes: Out of array read
Fixes: heap_poc

Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7414d0bda7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer 789a12b140 avcodec/smc: Check input packet size
Fixes: Timeout
Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0293663483)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer 24a3c45da5 avcodec/cavsdec: Check alpha/beta offset
Fixes: Integer overflow
Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae2eb04648)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer 6822bd50c1 avcodec/diracdec: Fix integer overflow in mv computation
Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int'
Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47e65ad63b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer 6648d3fef6 avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int'
Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 33fe17bdc8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer afc85dacba avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 793347a545)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer b4135fb335 avcodec/diracdec: Use int64 in global mv to prevent overflow
Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int'
Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbcbefdc3b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
Michael Niedermayer 876ecfccfb avcodec/dxtory: Remove code that corrupts dimensions
Fixes: Timeout
Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376

Does someone have a valid sample that triggers this path?

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3748746a4d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-27 19:59:58 +01:00
James Almer e0750d2067 avformat/hvcc: zero initialize the nal buffers past the last written byte
Prevents use of uninitialized values.

Fixes ticket #7038.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 9482ec1b20)
2018-02-24 00:37:13 -03:00
Tobias Rapp 8ae9bbef87 swresample/rematrix: fix update of channel matrix if input or output layout is undefined
Prefer direct in/out channel count values over channel layout, when
available. Fixes a pan filter bug (ticket #6790).

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
(cherry picked from commit 6325bd3717)
2018-02-20 10:08:05 +01:00
Michael Niedermayer 9f14908a96 Update for 3.0.11
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 15:33:44 +01:00
Michael Niedermayer 6492799fce avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112
Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 647fa49495)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 03:01:43 +01:00
Michael Niedermayer 010dd0d26e avcodec/vp8: Check for bitstream end before vp7_fade_frame()
Fixes: Timeout
Fixes: 5653/clusterfuzz-testcase-5497680018014208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit de675648ce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer 675e243949 avcodec/exr: Check remaining bits in last get code loop
Fixes: runtime error: shift exponent -7 is negative
Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd8351b118)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer e38e2d6533 avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392
Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab6f571ef7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer 340c315c67 avcodec/h264_cabac: Tighten allowed coeff_abs range
Fixes: integer overflows
Reported-by: "Xiaohan Wang (王消寒)" <xhwang@chromium.org>

Based on limits in "8.5 Transform coefficient decoding process and picture
construction process prior to deblocking filter process"

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f26a63c4ee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Xiaohan Wang d4f9119532 avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values,
e.g. dquant out of range, set the qscale to be a valid value before
returning -1 and exiting the function. The qscale value can be used
later e.g. in loop filter.

BUG=806122

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71f39de2a5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer 664e3d217a avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
This fixes a hypothetical integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2318aee8c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer ce46e45f4c avcodec/mpeg4videodec: Ignore multiple VOL headers
Fixes: Ticket7005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63a4bdbf3b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer c6b5e80635 avcodec/vp3: Check eob_run
Fixes: out of array access
Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552
Fixes: special case for theora (untested due to lack of sample)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 570023eab3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:52:16 +01:00
Michael Niedermayer a26ac3cc69 avcodec/huffyuvdec: Check input buffer size
Fixes: Timeout
Fixes: 5487/clusterfuzz-testcase-4696837035393024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c220d26c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 8886e1228d avcodec/wavpack: Fix integer overflow in FFABS
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 5396/clusterfuzz-testcase-minimized-6558555529281536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e50bd61e4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 6baa0e811b avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1bef755f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 35f47ac0d5 avcodec/dirac_dwt: Fix several integer overflows
Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int'
Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe1e6c06d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer c1a133b610 avcodec/indeo5: Do not leave frame_type set to an invalid value
Fixes: null pointer dereference
Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2ff9f17851)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer adb0a29111 avcodec/hevc_ps: Check log2_sao_offset_scale_*
Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768
Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a75a75c62)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Aman Gupta d664557023 avcodec/hevc_ps: extract one SPS fields required for hvcC construction
Signed-off-by: Aman Gupta <aman@tmm1.net>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 60039c2d12 avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
Found-by: kierank
Reviewed-by: Kieran Kunhya <kieran618@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4967c04e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 6a01b65034 avcodec/get_bits: Document the return code of get_vlc2()
Found-by: kierank
Reviewed-by: Kieran Kunhya <kieran618@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a94ff4ccd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 78b1d57a4b avcodec/mpeg4videodec: Check mb_num also against 0
The spec implies that 0 is invalid in addition to the existing checks

Found-by: <kierank>
Reviewed-by: Kieran Kunhya <kieran618@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 05f4703a16)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 5d06804b31 avfilter/vf_transpose: Fix used plane count.
Fixes out of array access
Fixes: poc.mp4

Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c6939f65a1)
(cherry picked from commit 3f621455d6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer cedd9ea93e avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
I suspect that this can be limited tighter, but I failed to find anything
in the spec that would confirm that.

Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584
Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a026a3efae)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 269aecafab avcodec/mjpegdec: Fix integer overflow in DC dequantization
Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int'
Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1bfc1aa004)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 181c3cbacf avcodec/dxtory: Fix bits left checks
Fixes: Timeout
Fixes: 4863/clusterfuzz-testcase-6347354178322432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e1a167c55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer f7abc14d0d avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 94d4237a7a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer a8ce9d518b avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int'
Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56a53340ed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer dfb8448842 avcodec/snowdec: Fix integer overflow before htaps check
Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int'
Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2eecf3cf8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer e5296dfffa avcodec/ulti: Check number of blocks at init
Fixes: Timeout
Fixes: 4832/clusterfuzz-testcase-4699096590843904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 725353525e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 7d5ca21698 avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int'
Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1f38c7589)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Nikolas Bowe 23af1858fe avformat/lrcdec: Fix memory leak in lrc_read_header()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ef5994e09d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Nikolas Bowe 9d0b3fa58c avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e07649e618)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Carl Eugen Hoyos e858326086 configure: bump year
Happy new year!

(cherry picked from commit bddf31ba75)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 222ac34612 avcodec/utils: Avoid hardcoding duplicated types in sizeof()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 860d991fcd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer c7e98ee6e0 avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
Fixes high pitched shriek
Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4

Reported-by: Dale Curtis <dalecurtis@google.com>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7dbbb75ee3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer abb7498c3f avcodec/h264addpx_template: Fixes integer overflows
Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int'
Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6945aeee4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 6164ca4765 avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800
Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0e62a23734)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer b4d9605c67 avcodec/diracdec: Fix integer overflow with quant
Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int'
Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eaa9317589)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer c17cc8ee4f avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
Fixes: clusterfuzz-testcase-minimized-6134545979277312
Fixes: crbug 797469

Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1bcd7fefcb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 3cad8e730e avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int'
Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b3192c64b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 06325d77bf avcodec/h264_slice: Do not attempt to render into frames already output
Fixes: null pointer dereference
Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112

This testcase does not reproduce the issue before 03b82b3ab9

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 476665d4de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 0c753a46ef avcodec/dnxhddec: Check dc vlc
Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int'
Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2be76c0a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 9143ddea0f avcodec/exr: Check buf_size more completely
Fixes: Out of heap array read
Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 903be5e4f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 6fab791daa avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int'
Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d23f7a096)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 844a9b439b avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
Fixes: left shift of negative value -1
Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d135f3c514)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer f08be2b3d2 avcodec/flacdec: avoid undefined shift
Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 560daf8891)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer b3af84774b avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
Fixes: runtime error: left shift of negative value -180
Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c9ab5ef9c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer a0bcc6cced avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int'
Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4d70fbeec8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 09d61d3b81 avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int'
Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0ee143558d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 01f2bc5ec8 avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 991ef6e5b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer b7f48cd044 avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
Fixes: runtime error: left shift of negative value -3
Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 439fbb9c8b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Kelly Ledford 95139c4480 libavfilter/af_dcshift.c: Fixed repeated spelling error
'threshhold' should be 'threshold'

Signed-off-by: Kelly Ledford <kelly.ledford@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc219082bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Jun Zhao e512c83e63 avfilter/formats: fix wrong function name in error message
Use predefined macro __FUNCTION__ rather than hard coding function name
to fix wrong function name in error message.

Signed-off-by: Jun Zhao <jun.zhao@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4280948702)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 4d0a460101 avcodec/amrwbdec: Fix division by 0 in voice_factor()
The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14)
Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code"

Fixes: runtime error: division by zero
Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1d0817d56b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer 4a5ec6226b avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int'
Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 610dd74502)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
Michael Niedermayer a5a6d2dc75 avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024
Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5e9a13a5a3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-02-19 02:40:54 +01:00
James Almer ef95789c8c avformat/libssh: check the user provided a password before trying to use it
Fixes ticket #6413

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8ddb6820bd)
2018-01-11 10:41:31 -03:00
Michael Niedermayer 2bc6b9b2a9 Changelog: update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:30:18 +01:00
Dale Curtis 06a6f73ad8 avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
Didn't notice this one when 9648cc6d was landed.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bacb521a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis 532f0d1278 Don't manipulate duration when it's AV_NOPTS_VALUE.
This leads to signed integer overflow.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit c5fd57f483)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis e6c6bb218e avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9648cc6d7f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis b01020a050 avformat/utils: Prevent undefined shift with wrap_bits > 64.
2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the
code to use a uint64_t (2ULL) and add an av_assert2() to
ensure wrap_bits <= 64.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03fbc0daa7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 44dc83f0e0 avcodec/j2kenc: Fix out of array access in encode_cblk()
Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0674087004)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer a65633aa9d avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
Fixes: runtime error: left shift of negative value -127
Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0409d33311)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 78b6e8fb23 avcodec/mlpdsp: Fix signed integer overflow, 2nd try
The outputted bits should match what is used in the lossless check

Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int'
Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 97c00edaa0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 71e40180cb avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
Fixes: Timeout
Fixes: 4271/clusterfuzz-testcase-4676667768307712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3aad94bf2b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 2214afdf40 avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int'
Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b6964f764)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer abff307736 avcodec/mpeg4videodec: Check also for negative versions in the validity check
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0e7865ce41)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis 50b2264810 Close ogg stream upon error when using AV_EF_EXPLODE.
Without this there can be multiple memory leaks for unrecognized
ogg streams.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bce8fc0754)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis c09d587ac5 Fix undefined shift on assumed 8-bit input.
decode_user_data() attempts to create an integer |build|
value with 8 bits of spacing for 3 components. However
each component is an int32_t, so shifting each component
is undefined for values outside of the 8 bit range.

This patch simply clamps input to 8-bits per component
and prints out a warning that the values were clamped.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7010dd98b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Dale Curtis 712814fb17 Use ff_thread_once for fixed, float table init.
These tables are static so they should only be initialized once
instead of on every call to ff_mpadsp_init().

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5eaaffaf64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Jacob Trimble 20e78d5339 avformat/mov: Propagate errors in mov_switch_root.
Signed-off-by: Jacob Trimble <modmaker@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d9cf3bf16)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer bf44f250a2 avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
Fixes: runtime error: left shift of negative value -255
Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d88586e47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer a3606385f0 avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
Fixes: runtime error: left shift of negative value -7862264
Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f7f70738e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer b9b4d34ecf avcodec/zmbv: Check that the buffer is large enough for mvec
Fixes: Timeout
Fixes: 4143/clusterfuzz-testcase-4736864637419520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2ab9568a2c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer bc65abecd3 avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760
Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73964680d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer d1421edab7 avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()
Fixes: Timeout
Fixes: 3200/clusterfuzz-testcase-5750022136135680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65e0a7c473)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 12aea29a95 avcodec/snowdec: Check for remaining bitstream in decode_blocks()
Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4527ec2216)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer b8a10f10cc avcodec/snowdec: Check intra block dc differences.
Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c3b9bbcc6e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Fredrik Hubinette 74677deaca avformat/mov: Check size of STSC allocation
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6fdd75fe6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 4171249d76 avcodec/vc2enc: Clear coef_buf on allocation
Fixes: Use of uninitialized memory
Fixes: assertion failure

Reviewed-by: <atomnuker>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d00905f81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 2fc1a8ba49 avcodec/h264dec: Fix potential array overread
add padding before scantable arrays

See: 522d850e68

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 380b48fb9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer b8a6b56027 avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
Fixes: out of array read
Fixes: 3516/attachment-311488.dat

Found-by: Insu Yun, Georgia Tech.
Tested-by: wuninsu@gmail.com
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 58cf31cee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 91aadc6a5b avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot be represented in type 'int'
Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2afe05402f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 43299eabea avcodec/aacdec_fixed: Fix undefined shift
Fixes: runtime error: left shift of negative value -801112064
Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fca198fb5b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer f2763b8ba8 avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int'
Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 770c934fa1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer f33f13172c avcodec/snowdec: Fix integer overflow in header parsing
Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576
Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c897a92858)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer b9e9c5cee0 avcodec/cngdec: Fix integer clipping
Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short'
Fixes: 2992/clusterfuzz-testcase-6649611793989632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 51090133b3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer b45971a955 avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long'
Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 981e99ab99)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 4fbee42727 avutil/softfloat: Add FLOAT_MIN
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 21ae8b4869 avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d1dec4668)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 122634a580 avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int'
Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e131b8cedb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 4d9321136d avcodec/xan: Check for bitstream end in xan_huffman_decode()
Fixes: Timeout
Fixes: 3707/clusterfuzz-testcase-6465922706440192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4b51437dcc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Luca Barbato 66754f0a96 avformat: Free the internal codec context at the end
Avoid a use after free in avformat_find_stream_info.

(cherry picked from commit 9e4a5eb51b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer a3bb922c4d avcodec/xan: Improve overlapping check
Fixes: memcpy-param-overlap
Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e8fafef1db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 52ebd1a0dc avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()
Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be represented in type 'int'
Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 41d96af2a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 56cc35019e avcodec/aacdec_fixed: Fix integer overflow in predict()
Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot be represented in type 'int'
Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0976752420)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 93854b7052 avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f80224ed19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Michael Niedermayer 52bb493afa avcodec/jpeglsdec: Check ilv for being a supported value
Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe533628b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-12-02 00:28:59 +01:00
Rostislav Pehlivanov 94e538aebb vc2enc_dwt: pad the temporary buffer by the slice size
Since non-Haar wavelets need to look into pixels outside the frame, we
need to pad the buffer. The old factor of two seemed to be a workaround
for that fact and only padded to the left and bottom. This correctly pads
by the slice size and as such reduces memory usage and potential
exploits.
Reported by Liu Bingchang.

Ideally, there should be no temporary buffer but the encoder is designed
to deinterleave the coefficients into the classical wavelet structure
with the lower frequency values in the top left corner.

Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
(cherry picked from commit 3228ac730c)
2017-11-09 02:09:53 +00:00
Michael Niedermayer 479e65ba47 Update for 3.0.10
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-26 18:48:41 +02:00
Michael Niedermayer abb3ec84bb avcodec/snowdec: Check mv_scale
Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int'
Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 393d6fc739)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-15 00:45:25 +02:00
Michael Niedermayer 5422cdca42 avcodec/pafvideo: Check for bitstream end in decode_0()
Fixes: Timeout
Fixes: 3529/clusterfuzz-testcase-5057068371279872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9c85329cd0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-15 00:45:11 +02:00
Michael Niedermayer df441441c5 avcodec/ffv1dec: Fix out of array read in slice counting
Fixes: test-201710.mp4

Found-by: 连一汉 <lianyihan@360.cn> and Zhibin Hu
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c20f4fcb74)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-13 13:02:24 +02:00
Michael Niedermayer 87a8a4a507 avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()
Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 3485/clusterfuzz-testcase-minimized-4940429332054016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bdee75a4e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-13 13:01:59 +02:00
Michael Niedermayer ad3b198f47 avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()
Fixes out of array read
Should fix: 3516/clusterfuzz-testcase-minimized-4608518562775040 (not reproducible)

Found-by: Insu Yun, Georgia Tech.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 127a362630)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-13 12:59:48 +02:00
Michael Niedermayer 789ad4d361 avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta
Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int'
Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040
Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e38f280fec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-13 12:59:00 +02:00
Michael Niedermayer 6fa58eabb1 avcodec/x86/lossless_videoencdsp: Fix handling of small widths
Fixes out of array access
Fixes: crash-huf.avi

Regression since: 6b41b44149

This could also be fixed by adding checks in the C code that calls the dsp

Found-by: Zhibin Hu and 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df62b70de8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:34:00 +02:00
Michael Niedermayer 9825fcea99 avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()
Fixes: runtime error: signed integer overflow: -1408475220 + -1408475220 cannot be represented in type 'int'
Fixes: 3336/clusterfuzz-testcase-minimized-5656839179993088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 44874b4f5e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:30:03 +02:00
Michael Niedermayer d0e4c3410c avcodec/aacdec_template: Clear tns present flag on error
Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dcf9bae4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:29:45 +02:00
Michael Niedermayer fc1acb103d avcodec/proresdec2: SKIP_BITS() does not work with len=32
Fixes: invalid shift
Fixes: 3482/clusterfuzz-testcase-minimized-5446915875405824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c37138e01a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:28:22 +02:00
Michael Niedermayer 9f2beced0a avcodec/hevcdsp_template: Fix undefined shift
Fixes: runtime error: left shift of negative value -255
Fixes: 3373/clusterfuzz-testcase-minimized-5604083912146944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fbdab6eca7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:28:00 +02:00
Michael Niedermayer d164c49af7 avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
Fixes: OOM
Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64e034da95)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-10-05 01:26:58 +02:00
Michael Niedermayer 2c84969cb4 avcodec/takdec: Fix integer overflow in decode_lpc()
Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int'
Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5d31f03a02)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-25 11:10:30 +02:00
Michael Niedermayer 09913c5ec4 avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift
Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int'
Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f5eaf0b59)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-25 11:10:15 +02:00
Michael Niedermayer a89a340e4f avcodec/takdec: Fix integer overflows in decode_subframe()
Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int'
Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3dabb9c69d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-25 11:09:06 +02:00
Michael Niedermayer 977d6d8bff avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()
Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int'

Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67da2685e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-24 02:43:53 +02:00
Michael Niedermayer 3386a57b08 avcodec/ffv1dec: Fix integer overflow in read_quant_table()
Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d00fc952b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-24 02:41:19 +02:00
Michael Niedermayer 145fce8c4b avcodec/svq3: Fix overflow in svq3_add_idct_c()
Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int'
Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c933c5168)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-24 02:41:00 +02:00
Michael Niedermayer d54cc921a4 avcodec/pngdec: Clean up on av_frame_ref() failure
Fixes: memleak
Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5480e82d77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-20 03:09:15 +02:00
Michael Niedermayer 791d06da1a avcodec/hevc_ps: Fix c?_qp_offset_list size
Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]'
Fixes: 3175/clusterfuzz-testcase-minimized-4736774054084608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abf3f9fa23)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-12 02:30:35 +02:00
Michael Niedermayer 9bc5df5ec8 avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int'
Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d025e7428)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-11 13:29:39 +02:00
Michael Niedermayer 03d8e9fec5 avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
Fixes: runtime error: left shift of negative value -95
Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c225da68cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-11 13:29:19 +02:00
Michael Niedermayer bed626f845 avcodec/diracdec: Fix overflow in DC computation
Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5995856a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-11 13:28:43 +02:00
Michael Niedermayer e4a9790bac avformat/asfdec: Fix DoS in asf_build_simple_index()
Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afc9c683ed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-08 18:37:40 +02:00
Michael Niedermayer d08abbd0bd avformat/mov: Fix DoS in read_tfra()
Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9cb4eb7728)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-08 18:37:21 +02:00
Michael Niedermayer fd4500df5c avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int'
Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f71cd44147)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-02 23:54:44 +02:00
Michael Niedermayer 92f4341ed1 avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int'
Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400
Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a0823ae96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-02 23:54:16 +02:00
孙浩(晓黑) b2aa633d66 avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d00fb9d70)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-01 03:20:53 +02:00
孙浩(晓黑) 74c067e955 avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 900f39692c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-01 03:04:24 +02:00
孙浩(晓黑) c6d3640cf7 avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c24bcb5536)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-09-01 03:03:44 +02:00
Michael Niedermayer e89125faba avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int'
Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 732f976456)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-29 21:21:05 +02:00
Michael Niedermayer 51ee15df58 avcodec/hevc_ps: Fix undefined shift in pcm code
Fixes: runtime error: shift exponent -1 is negative
Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a83866c9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-29 21:20:50 +02:00
Michael Niedermayer a5018026af avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long'
Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eefb68c9c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:44:23 +02:00
Michael Niedermayer 9a73a77681 avformat/mvdec: Fix DoS due to lack of eof check
Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f05e2e2dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:43:28 +02:00
孙浩 and 张洪亮(望初) 4c6bed6e3b avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96f24d1bee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:43:03 +02:00
孙浩 and 张洪亮(望初) 81e6a95e54 avformat/rmdec: Fix DoS due to lack of eof check
Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 124eb202e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:42:34 +02:00
孙浩 and 张洪亮(望初) adca94d65e avformat/cinedec: Fix DoS due to lack of eof check
Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e80b63ecd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:42:23 +02:00
孙浩 and 张洪亮(望初) 39ddbd204a avformat/asfdec: Fix DoS due to lack of eof check
Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f9ec5593e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:42:00 +02:00
Michael Niedermayer b9fa2a86e6 avformat/hls: Fix DoS due to infinite loop
Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ec414892d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-28 01:41:36 +02:00
Michael Niedermayer ffdc430c4a ffprobe: Fix NULL pointer handling in color parameter printing
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 351e28f9a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:46:07 +02:00
Michael Niedermayer cf838b8fd2 ffprobe: Fix null pointer dereference with color primaries
Found-by: AD-lab of venustech
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 837cb4325b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:25:56 +02:00
Michael Niedermayer 9e98eee39d avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b44dcbc44)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:10:32 +02:00
Vitaly Buka aadd7fbc14 avformat/aviobuf: Fix signed integer overflow in avio_seek()
Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eca2a49716)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:08:06 +02:00
Vitaly Buka 64af458bb8 avformat/mov: Fix signed integer overflows with total_size
Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a404cb5b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:03:51 +02:00
Vitaly Buka 616154a6a5 avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2bb10ddf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-24 12:03:33 +02:00
Michael Niedermayer 2820ffe392 avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Previous version reviewed-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f03ffb47d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-23 04:03:16 +02:00
Michael Niedermayer c543ff526b avcodec/me_cmp: Fix crashes on ARM due to misalignment
Adds a diff_pixels_unaligned()

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc488ec28a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-21 23:27:09 +02:00
Michael Niedermayer 2f49580e03 avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a165b53daa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-21 23:27:09 +02:00
Michael Niedermayer 689e97fcad avcodec/fic: Fixes signed integer overflow
Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c9d5b015c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-21 23:27:08 +02:00
Michael Niedermayer f7509e9fce avcodec/snowdec: Fix off by 1 error
Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]'
Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d132683ddd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-21 23:27:08 +02:00
Michael Niedermayer 9bfa8b692e avcodec/diracdec: Check perspective_exp and zrs_exp.
Fixes: undefined shift
Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int'
Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6cab8745)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-17 00:27:31 +02:00
Michael Niedermayer e154826a2f avcodec/mpeg4videodec: Clear mcsel before decoding an image
Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int'
Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7735ed2974)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-13 01:07:20 +02:00
Michael Niedermayer f91733e141 avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int'
Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5380f9c1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-08 19:38:09 +02:00
Michael Niedermayer 410f709bec avcodec/aacdec_fixed: fix invalid shift in predict()
Fixes: runtime error: shift exponent -2 is negative
Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e443051b2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-08 19:37:42 +02:00
Michael Niedermayer b59d6183c4 avcodec/h264_slice: Fix overflow in slice offset
Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f53bde6d8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-08 19:37:24 +02:00
Steven Siloti a371850d58 avformat/utils: fix memory leak in avformat_free_context
The pointer to the packet queue is stored in the internal structure
so the queue needs to be flushed before internal is freed.

Signed-off-by: Steven Siloti <ssiloti@bittorrent.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 949debd1d1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-05 23:25:05 +02:00
Michael Niedermayer 693db350dd avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int'
Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf8ab72ae9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 19:13:21 +02:00
Michael Niedermayer ac0fbaf8ac avcodec/diracdec: Fix integer overflow in divide3()
Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c0220c768c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 14:23:25 +02:00
Michael Niedermayer 43d7b1e42f avcodec/takdec: Fix integer overflow in decode_subframe()
Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int'
Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c630d159f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 14:18:35 +02:00
Michael Niedermayer 81c940b151 avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 14:17:58 +02:00
Michael Niedermayer 2954ce9dea avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 04:49:47 +02:00
Michael Niedermayer 654e157d21 avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e275a74b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-28 03:41:09 +02:00
Michael Niedermayer f31fc4755f avcodec/dnxhddec: Move mb height check out of non hr branch
Fixes: out of array access
Fixes: poc.dnxhd

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-27 03:11:20 +02:00
Michael Niedermayer 665311ab1f avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int'
Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c1c22d7f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-26 17:25:17 +02:00
Michael Niedermayer 8c05ac89d3 avformat/oggparsecelt: Do not re-allocate os->private
Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7140761481)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-26 00:15:38 +02:00
Michael Niedermayer 3fd54e4440 avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int'
Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0764fe1d09)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-26 00:14:03 +02:00
Michael Niedermayer d4bc7fc412 avcodec/aacdec_fixed: fix: left shift of negative value -1
Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2dfb8c4178)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-26 00:11:56 +02:00
Brice Waegeneire d57345e8d0 doc/filters: typo in frei0r
Signed-off-by: Brice Waegeneire <brice.wge@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6a6eec485d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-23 15:01:04 +02:00
Vodyannikov Aleksandr 8642322b9f avcodec/cfhd: Fix decoding regression due to height check
Fixes: Ticket6546

Regression since: 54aaadf648

Reviewed-by: Muhammad Faiz <mfcc64@gmail.com>
Reviewed-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47c9365724)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-23 15:00:53 +02:00
173 changed files with 1627 additions and 577 deletions
+315
@@ -1,6 +1,321 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
version 3.0.12
- avutil/integer: Fix integer overflow in av_mul_i()
- avcodec/msrle: Check that the input is large enough to contain a end of picture code
- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
- avcodec/mpeg4videodec: Fix typo in sprite delta check
- avcodec/h264_cavlc: Check mb_skip_run
- avcodec/ra144: Fix integer overflow in add_wav()
- avformat/utils: Never store negative values in last_IP_duration
- avformat/utils: Fix integer overflow in discontinuity check
- avcodec/unary: Improve get_unary() docs
- avcodec/dvdsubdec: Sanity check len in decode_rle()
- avcodec/mpeg4videodec: Fix undefined shift in get_amv()
- avcodec/zmbv: Check that the decompressed data size is correct
- avcodec/zmbv: Update decomp_len in raw frames
- avcodec/shorten: Fix bitstream end check in read_header()
- avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
- avcodec/ra144: Fix undefined integer overflow in add_wav()
- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
- avcodec/vb: Check for end of bytestream before reading blocktype
- avcodec/snowdec: Fix integer overflow with motion vector residual
- avformat/nsvdec: Do not parse multiple NSVf
- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
- avcodec/shorten: Fix integer overflow in residual/LPC combination
- avcodec/shorten: Check verbatim length
- avcodec/mpegaudio_parser: Initialize poutbuf*
- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
- avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
- swresample/swresample: Fix input channel count in resample_first computation
- avutil/pixfmt: Document chroma plane size for odd resolutions
- avcodec/dvdsub_parser: Allocate input padding
- avcodec/dvdsub_parser: Init output buf/size
- avcodec/imgconvert: fix possible null pointer dereference
- avcodec/dirac_dwt_template: Fix signedness regression in interleave()
- swresample/arm: rename labels to fix xcode build error
- avformat/utils: fix mixed declarations and code
- libwebpenc_animencoder: add missing braces to struct initialization
- avformat/movenc: Check input sample count
- avcodec/mjpegdec: Check for odd progressive RGB
- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id
- avformat/mms: Add missing chunksize check
- avformat/pva: Check for EOF before retrying in read_part_of_packet()
- avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
- avcodec/indeo4: Check for end of bitstream in decode_mb_info()
- avcodec/shorten: Fix undefined addition in shorten_decode_frame()
- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
- avcodec/escape124: Fix spelling errors in comment
- avcodec/ra144: Fix integer overflow in ff_eval_refl()
- avcodec/cscd: Check output buffer size for lzo.
- avcodec/escape124: Check buf_size against num_superblocks
- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
- avcodec/dirac_dwt_template: Fix undefined behavior in interleave()
- avutil/common: Fix undefined behavior in av_clip_uintp2_c()
- fftools/ffmpeg: Fallback to duration if sample rate is unavailable
- avformat/mov: Only set pkt->duration to non negative values
- avcodec/h264_mc_template: Only prefetch motion if the list is used.
- avcodec/xwddec: Use ff_set_dimensions()
- avcodec/wavpack: Fix overflow in adding tail
- avcodec/shorten: Fix multiple integer overflows
- avcodec/shorten: Sanity check nmeans
- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
- avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
- avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
- avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
- avcodec/fic: Avoid some magic numbers related to cursors
- avcodec/g2meet: ask for sample with overflowing RGB
- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
- oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior
- avcodec/g723_1dec: Clip bits2 in both directions
- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
- avcodec/mlpdec: Only change noise_type if the related fields are valid
- indeo4: Decode all or nothing of a band header.
- avformat/mov: Only fail for STCO/STSC contradictions if both exist
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
- avcodec/fic: Check available input space for cursor
- avcodec/g2meet: Check RGB upper limit
- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
- avcodec/g2meet: Change order of operations to avoid undefined behavior
- avcodec/flac_parser: Fix infinite loop
- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
- avcodec/error_resilience: Fix integer overflow in filter181()
- avcodec/h263dec: Check slice_ret in mspeg4 slice loop
- avcodec/elsdec: Fix memleaks
- avcodec/vc1_block: simplify ac_val computation
- avcodec/ffv1enc: Check that the crc + version combination is supported
- lavf/http.c: Free allocated client URLContext in case of error.
- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
- avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
- avcodec/dfa: Check dimension against maximum
- avcodec/cinepak: Skip empty frames
- avcodec/cinepak: move some checks prior to frame allocation
- swresample/arm: remove unintentional relocation.
- doc/APIchanges: Fix typos in hashes
- avformat/utils: Check cur_dts in update_initial_timestamps() more
- avcodec/utils: Enforce minimum width also for VP5/6
- avcodec/truemotion2: Propagate out of bounds error from GET_TOK()
- avcodec/mjpegdec: Check input buffer size.
- lavc/libopusdec: Allow avcodec_open2 to call .close
- avcodec/movtextdec: Check style_start/end
- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
- libavcodec/rv34: error out earlier on missing references
- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
- avcodec/cscd: Error out when LZ* decompression fails
- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
- avcodec/get_bits: Make sure the input bitstream with padding can be addressed
- avformat/mov: Check STSC and remove invalid entries
- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
- avcodec/wmalosslessdec: Reset num_saved_bits on error path
- avformat/mov: Fix integer overflows related to sample_duration
- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
- avformat/oggparseogm: Check lb against psize
- avformat/oggparseogm: Fix undefined shift in ogm_packet()
- avformat/avidec: Fix integer overflow in cum_len check
- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
- avformat/utils: Fix integer overflow of fps_first/last_dts
- libavformat/oggparsevorbis: Fix memleak on multiple headers
- avdevice/iec61883: free the private context at the end
- avdevice/iec61883: return reference counted packets
- avdevice/iec61883: free packet on buffer allocation error
version 3.0.11
- avcodec/bintext: sanity check dimensions
- avcodec/utvideodec: Check subsample factors
- avcodec/smc: Check input packet size
- avcodec/cavsdec: Check alpha/beta offset
- avcodec/diracdec: Fix integer overflow in mv computation
- avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
- avcodec/diracdec: Use int64 in global mv to prevent overflow
- avcodec/dxtory: Remove code that corrupts dimensions
- avformat/hvcc: zero initialize the nal buffers past the last written byte
- swresample/rematrix: fix update of channel matrix if input or output layout is undefined
- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
- avcodec/vp8: Check for bitstream end before vp7_fade_frame()
- avcodec/exr: Check remaining bits in last get code loop
- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
- avcodec/h264_cabac: Tighten allowed coeff_abs range
- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
- avcodec/mpeg4videodec: Ignore multiple VOL headers
- avcodec/vp3: Check eob_run
- avcodec/huffyuvdec: Check input buffer size
- avcodec/wavpack: Fix integer overflow in FFABS
- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
- avcodec/dirac_dwt: Fix several integer overflows
- avcodec/indeo5: Do not leave frame_type set to an invalid value
- avcodec/hevc_ps: Check log2_sao_offset_scale_*
- avcodec/hevc_ps: extract one SPS fields required for hvcC construction
- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
- avcodec/get_bits: Document the return code of get_vlc2()
- avcodec/mpeg4videodec: Check mb_num also against 0
- avfilter/vf_transpose: Fix used plane count.
- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
- avcodec/mjpegdec: Fix integer overflow in DC dequantization
- avcodec/dxtory: Fix bits left checks
- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
- avcodec/snowdec: Fix integer overflow before htaps check
- avcodec/ulti: Check number of blocks at init
- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
- avformat/lrcdec: Fix memory leak in lrc_read_header()
- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
- configure: bump year
- avcodec/utils: Avoid hardcoding duplicated types in sizeof()
- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
- avcodec/h264addpx_template: Fixes integer overflows
- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
- avcodec/diracdec: Fix integer overflow with quant
- avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
- avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
- avcodec/h264_slice: Do not attempt to render into frames already output
- avcodec/dnxhddec: Check dc vlc
- avcodec/exr: Check buf_size more completely
- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
- avcodec/flacdec: avoid undefined shift
- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
- libavfilter/af_dcshift.c: Fixed repeated spelling error
- avfilter/formats: fix wrong function name in error message
- avcodec/amrwbdec: Fix division by 0 in voice_factor()
- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
- avformat/libssh: check the user provided a password before trying to use it
version 3.0.10
- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
- Don't manipulate duration when it's AV_NOPTS_VALUE.
- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
- avformat/utils: Prevent undefined shift with wrap_bits > 64.
- avcodec/j2kenc: Fix out of array access in encode_cblk()
- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
- avcodec/mlpdsp: Fix signed integer overflow, 2nd try
- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
- avcodec/mpeg4videodec: Check also for negative versions in the validity check
- Close ogg stream upon error when using AV_EF_EXPLODE.
- Fix undefined shift on assumed 8-bit input.
- Use ff_thread_once for fixed, float table init.
- avformat/mov: Propagate errors in mov_switch_root.
- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
- avcodec/zmbv: Check that the buffer is large enough for mvec
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()
- avcodec/snowdec: Check for remaining bitstream in decode_blocks()
- avcodec/snowdec: Check intra block dc differences.
- avformat/mov: Check size of STSC allocation
- avcodec/vc2enc: Clear coef_buf on allocation
- avcodec/h264dec: Fix potential array overread
- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
- avcodec/aacdec_fixed: Fix undefined shift
- avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
- avcodec/snowdec: Fix integer overflow in header parsing
- avcodec/cngdec: Fix integer clipping
- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
- avutil/softfloat: Add FLOAT_MIN
- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
- avcodec/xan: Check for bitstream end in xan_huffman_decode()
- avformat: Free the internal codec context at the end
- avcodec/xan: Improve overlapping check
- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()
- avcodec/aacdec_fixed: Fix integer overflow in predict()
- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
- avcodec/jpeglsdec: Check ilv for being a supported value
- avcodec/snowdec: Check mv_scale
- avcodec/pafvideo: Check for bitstream end in decode_0()
- avcodec/ffv1dec: Fix out of array read in slice counting
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()
- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()
- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta
- avcodec/x86/lossless_videoencdsp: Fix handling of small widths
- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()
- avcodec/aacdec_template: Clear tns present flag on error
- avcodec/proresdec2: SKIP_BITS() does not work with len=32
- avcodec/hevcdsp_template: Fix undefined shift
- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
- avcodec/takdec: Fix integer overflow in decode_lpc()
- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift
- avcodec/takdec: Fix integer overflows in decode_subframe()
- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()
- avcodec/ffv1dec: Fix integer overflow in read_quant_table()
- avcodec/svq3: Fix overflow in svq3_add_idct_c()
- avcodec/pngdec: Clean up on av_frame_ref() failure
- avcodec/hevc_ps: Fix c?_qp_offset_list size
- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
- avcodec/diracdec: Fix overflow in DC computation
- avformat/asfdec: Fix DoS in asf_build_simple_index()
- avformat/mov: Fix DoS in read_tfra()
- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
- avcodec/hevc_ps: Fix undefined shift in pcm code
- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
- avformat/mvdec: Fix DoS due to lack of eof check
- avformat/rl2: Fix DoS due to lack of eof check
- avformat/rmdec: Fix DoS due to lack of eof check
- avformat/cinedec: Fix DoS due to lack of eof check
- avformat/asfdec: Fix DoS due to lack of eof check
- avformat/hls: Fix DoS due to infinite loop
- ffprobe: Fix NULL pointer handling in color parameter printing
- ffprobe: Fix null pointer dereference with color primaries
- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
- avformat/aviobuf: Fix signed integer overflow in avio_seek()
- avformat/mov: Fix signed integer overflows with total_size
- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
- avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
- avcodec/me_cmp: Fix crashes on ARM due to misalignment
- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
- avcodec/fic: Fixes signed integer overflow
- avcodec/snowdec: Fix off by 1 error
- avcodec/diracdec: Check perspective_exp and zrs_exp.
- avcodec/mpeg4videodec: Clear mcsel before decoding an image
- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
- avcodec/aacdec_fixed: fix invalid shift in predict()
- avcodec/h264_slice: Fix overflow in slice offset
- avformat/utils: fix memory leak in avformat_free_context
- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
- avcodec/diracdec: Fix integer overflow in divide3()
- avcodec/takdec: Fix integer overflow in decode_subframe()
- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
- avcodec/dnxhddec: Move mb height check out of non hr branch
- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
- avformat/oggparsecelt: Do not re-allocate os->private
- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
- avcodec/aacdec_fixed: fix: left shift of negative value -1
- doc/filters: typo in frei0r
- avcodec/cfhd: Fix decoding regression due to height chec
version 3.0.9
- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns()
- avcodec/mjpegdec: Clip DC also on the negative side.
+1 -1
@@ -1 +1 @@
3.0.9
3.0.12
+1 -1
@@ -6412,7 +6412,7 @@ cat > $TMPH <<EOF
#define FFMPEG_CONFIG_H
#define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
#define FFMPEG_LICENSE "$(c_escape $license)"
#define CONFIG_THIS_YEAR 2017
#define CONFIG_THIS_YEAR 2018
#define FFMPEG_DATADIR "$(eval c_escape $datadir)"
#define AVCONV_DATADIR "$(eval c_escape $datadir)"
#define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
+2 -2
@@ -333,7 +333,7 @@ API changes, most recent first:
Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support
dictionary types being set as options.
2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h
2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h
Add AVFormatContext.event_flags and AVStream.event_flags for signaling to
the user when events happen in the file/stream.
@@ -350,7 +350,7 @@ API changes, most recent first:
2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h
Add avio_feof() and deprecate url_feof().
2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h
2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h
sws_getContext is not going to be removed in the future.
2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h
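Review bot: Only two entries are moved to 10-character hashes (afbd4b7e09, bb789016d4) while the neighbouring entries in the same hunks (5c3c671, a561662 / ad1ee5f) keep 7 characters, so the list now mixes both lengths. Either extend every abbreviated hash in this file in one pass or state in the commit message why only these two needed it, for example because the short form had become ambiguous.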
+1 -1
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg
# This could be handy for archiving the generated documentation or
# if some version control system is used.
PROJECT_NUMBER = 3.0.9
PROJECT_NUMBER = 3.0.12
# With the PROJECT_LOGO tag one can specify a logo or icon that is included
# in the documentation. The maximum height of the logo should not exceed 55
+18
@@ -306,6 +306,24 @@ used to end the output video at the length of the shortest input file,
which in this case is @file{input.mp4} as the GIF in this example loops
infinitely.
@section hls
HLS demuxer
It accepts the following options:
@table @option
@item live_start_index
segment index to start live streams at (negative values are from the end).
@item allowed_extensions
',' separated list of file extensions that hls is allowed to access.
@item max_reload
Maximum number of times a insufficient list is attempted to be reloaded.
Default value is 1000.
@end table
@section image2
Image file demuxer.
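Review bot: The max_reload entry reads "a insufficient list is attempted to be reloaded", which is ungrammatical and never says what makes a playlist insufficient; something like "Maximum number of times a playlist without enough new segments is reloaded" would tell users what the limit protects against. The allowed_extensions entry is the security-relevant option of the three and is the only one where the default matters to an operator, yet no default is documented; please state it alongside the description as is done for max_reload.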
+1 -1
@@ -7276,7 +7276,7 @@ It accepts the following parameters:
@item filter_name
The name of the frei0r effect to load. If the environment variable
@env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the
directories specified by the colon-separated list in @env{FREIOR_PATH}.
directories specified by the colon-separated list in @env{FREI0R_PATH}.
Otherwise, the standard frei0r paths are searched, in this order:
@file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/},
@file{/usr/lib/frei0r-1/}.
+6 -2
@@ -2382,8 +2382,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo
ist->dts = ist->next_dts;
switch (ist->dec_ctx->codec_type) {
case AVMEDIA_TYPE_AUDIO:
ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
ist->dec_ctx->sample_rate;
if (ist->dec_ctx->sample_rate) {
ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
ist->dec_ctx->sample_rate;
} else {
ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q);
}
break;
case AVMEDIA_TYPE_VIDEO:
if (ist->framerate.num) {
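Review bot: The new else branch in the AVMEDIA_TYPE_AUDIO case dereferences pkt->duration, and nothing in the hunk shows that pkt is non-NULL when this switch runs; the function takes a no_eof flag, which suggests it is also called on a flush path. Please confirm pkt cannot be NULL here or guard the fallback. A short comment that sample_rate can be 0 for streams whose parameters were never parsed would also explain why the division needs protecting.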
+56 -21
@@ -1746,6 +1746,57 @@ static inline int show_tags(WriterContext *w, AVDictionary *tags, int section_id
return ret;
}
static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback)
{
const char *val = av_color_range_name(color_range);
if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
print_str_opt("color_range", fallback);
} else {
print_str("color_range", val);
}
}
static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
{
const char *val = av_color_space_name(color_space);
if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
print_str_opt("color_space", "unknown");
} else {
print_str("color_space", val);
}
}
static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
{
const char *val = av_color_primaries_name(color_primaries);
if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
print_str_opt("color_primaries", "unknown");
} else {
print_str("color_primaries", val);
}
}
static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc)
{
const char *val = av_color_transfer_name(color_trc);
if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
print_str_opt("color_transfer", "unknown");
} else {
print_str("color_transfer", val);
}
}
static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location)
{
const char *val = av_chroma_location_name(chroma_location);
if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
print_str_opt("chroma_location", "unspecified");
} else {
print_str("chroma_location", val);
}
}
static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx)
{
char val_str[128];
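Review bot: print_color_range() takes a fallback argument while the four sibling helpers hard-code theirs ("unknown" three times, "unspecified" for chroma_location), so the five functions that exist to make NULL handling uniform are not uniform themselves. Either give all five the same signature or drop the parameter and hard-code "N/A" in print_color_range(). The !val test is the actual fix for the NULL dereference, so a one-line comment saying that the av_*_name() lookups can return NULL for out-of-range enum values would keep someone from simplifying it away later.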
@@ -2208,28 +2259,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
if (s) print_str ("pix_fmt", s);
else print_str_opt("pix_fmt", "unknown");
print_int("level", dec_ctx->level);
if (dec_ctx->color_range != AVCOL_RANGE_UNSPECIFIED)
print_str ("color_range", av_color_range_name(dec_ctx->color_range));
else
print_str_opt("color_range", "N/A");
s = av_get_colorspace_name(dec_ctx->colorspace);
if (s) print_str ("color_space", s);
else print_str_opt("color_space", "unknown");
if (dec_ctx->color_trc != AVCOL_TRC_UNSPECIFIED)
print_str("color_transfer", av_color_transfer_name(dec_ctx->color_trc));
else
print_str_opt("color_transfer", av_color_transfer_name(dec_ctx->color_trc));
if (dec_ctx->color_primaries != AVCOL_PRI_UNSPECIFIED)
print_str("color_primaries", av_color_primaries_name(dec_ctx->color_primaries));
else
print_str_opt("color_primaries", av_color_primaries_name(dec_ctx->color_primaries));
if (dec_ctx->chroma_sample_location != AVCHROMA_LOC_UNSPECIFIED)
print_str("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location));
else
print_str_opt("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location));
print_color_range(w, dec_ctx->color_range, "N/A");
print_color_space(w, dec_ctx->colorspace);
print_color_trc(w, dec_ctx->color_trc);
print_primaries(w, dec_ctx->color_primaries);
print_chroma_location(w, dec_ctx->chroma_sample_location);
#if FF_API_PRIVATE_OPT
if (dec_ctx->timecode_frame_start >= 0) {
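Review bot: The color_space value was looked up with av_get_colorspace_name() and now goes through print_color_space(), which calls av_color_space_name(); if the two functions do not return identical strings, this changes ffprobe output that scripts parse. The fallback text for color_transfer, color_primaries and chroma_location also changes from whatever the name lookup returned to the literals "unknown" and "unspecified". For a point-release backport, please confirm the strings are the same or mention the output change in the commit message.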
+10 -6
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
if (output_enable) {
int shift = 28 - pv.exp;
if (shift < 31)
*coef += (pv.mant + (1 << (shift - 1))) >> shift;
if (shift < 31) {
if (shift > 0) {
*coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
} else
*coef += (unsigned)pv.mant << -shift;
}
}
e0 = av_int2sf(*coef, 2);
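Review bot: The new else branch computes (unsigned)pv.mant << -shift, but the only guard is shift < 31, so nothing visible bounds shift from below; with shift = 28 - pv.exp, a shift of -32 or less makes the left shift count reach 32 and the behaviour is undefined again. Please add a lower bound (for example shift > -31) or a comment stating why pv.exp cannot get that large. The mixed bracing ("} else" followed by an unbraced statement) is also easy to misread; brace both arms.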
@@ -381,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
for (k = offsets[i]; k < offsets[i + 1]; k++) {
tmp = (int)(((int64_t)src[group * 128 + k] * c + \
(int64_t)0x1000000000) >> 37);
dest[group * 128 + k] += (tmp + round) >> shift;
dest[group * 128 + k] += (tmp + (int64_t)round) >> shift;
}
}
}
@@ -390,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
for (k = offsets[i]; k < offsets[i + 1]; k++) {
tmp = (int)(((int64_t)src[group * 128 + k] * c + \
(int64_t)0x1000000000) >> 37);
dest[group * 128 + k] += tmp * (1 << shift);
dest[group * 128 + k] += tmp * (1U << shift);
}
}
}
@@ -413,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
int i, c, shift, round, tmp;
const int gain = cce->coup.gain[index][0];
const int *src = cce->ch[0].ret;
int *dest = target->ret;
unsigned int *dest = target->ret;
const int len = 1024 << (ac->oc[1].m4ac.sbr == 1);
c = cce_scale_fixed[gain & 7];
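Review bot: "unsigned int *dest = target->ret;" initialises an unsigned pointer from what looks like an int array (the line above assigns cce->ch[0].ret to a const int *), which is a pointer-sign mismatch and will warn on compilers that enable -Wpointer-sign. The dependent-coupling hunks above avoid the overflow by making the right-hand side unsigned ("tmp * (1U << shift)") while leaving dest as int *; doing the same here, or adding an explicit cast, would keep the two functions consistent.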
@@ -430,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
else {
for (i = 0; i < len; i++) {
tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37);
dest[i] += tmp << shift;
dest[i] += tmp * (1U << shift);
}
}
}
+38 -21
@@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac;
const int aot = m4ac->object_type;
const int sampling_index = m4ac->sampling_index;
int ret_fail = AVERROR_INVALIDDATA;
if (aot != AOT_ER_AAC_ELD) {
if (get_bits1(gb)) {
av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
ics->num_swb = ff_aac_num_swb_512[sampling_index];
ics->tns_max_bands = ff_tns_max_bands_512[sampling_index];
}
if (!ics->num_swb || !ics->swb_offset)
return AVERROR_BUG;
if (!ics->num_swb || !ics->swb_offset) {
ret_fail = AVERROR_BUG;
goto fail;
}
} else {
ics->swb_offset = ff_swb_offset_1024[sampling_index];
ics->num_swb = ff_aac_num_swb_1024[sampling_index];
@@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
if (aot == AOT_ER_AAC_LD) {
av_log(ac->avctx, AV_LOG_ERROR,
"LTP in ER AAC LD not yet implemented.\n");
return AVERROR_PATCHWELCOME;
ret_fail = AVERROR_PATCHWELCOME;
goto fail;
}
if ((ics->ltp.present = get_bits(gb, 1)))
decode_ltp(&ics->ltp, gb, ics->max_sfb);
@@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
return 0;
fail:
ics->max_sfb = 0;
return AVERROR_INVALIDDATA;
return ret_fail;
}
/**
@@ -1936,16 +1941,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
global_gain = get_bits(gb, 8);
if (!common_window && !scale_flag) {
if (decode_ics_info(ac, ics, gb) < 0)
return AVERROR_INVALIDDATA;
ret = decode_ics_info(ac, ics, gb);
if (ret < 0)
goto fail;
}
if ((ret = decode_band_types(ac, sce->band_type,
sce->band_type_run_end, gb, ics)) < 0)
return ret;
goto fail;
if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
sce->band_type, sce->band_type_run_end)) < 0)
return ret;
goto fail;
pulse_present = 0;
if (!scale_flag) {
@@ -1953,37 +1959,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse tool not allowed in eight short sequence.\n");
return AVERROR_INVALIDDATA;
ret = AVERROR_INVALIDDATA;
goto fail;
}
if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse data corrupt or invalid.\n");
return AVERROR_INVALIDDATA;
ret = AVERROR_INVALIDDATA;
goto fail;
}
}
tns->present = get_bits1(gb);
if (tns->present && !er_syntax)
if (decode_tns(ac, tns, gb, ics) < 0)
return AVERROR_INVALIDDATA;
if (tns->present && !er_syntax) {
ret = decode_tns(ac, tns, gb, ics);
if (ret < 0)
goto fail;
}
if (!eld_syntax && get_bits1(gb)) {
avpriv_request_sample(ac->avctx, "SSR");
return AVERROR_PATCHWELCOME;
ret = AVERROR_PATCHWELCOME;
goto fail;
}
// I see no textual basis in the spec for this occurring after SSR gain
// control, but this is what both reference and real implmentations do
if (tns->present && er_syntax)
if (decode_tns(ac, tns, gb, ics) < 0)
return AVERROR_INVALIDDATA;
if (tns->present && er_syntax) {
ret = decode_tns(ac, tns, gb, ics);
if (ret < 0)
goto fail;
}
}
if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
&pulse, ics, sce->band_type) < 0)
return AVERROR_INVALIDDATA;
ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
&pulse, ics, sce->band_type);
if (ret < 0)
goto fail;
if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window)
apply_prediction(ac, sce);
return 0;
fail:
tns->present = 0;
return ret;
}
/**
@@ -2479,7 +2496,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce)
for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++)
if (ltp->used[sfb])
for (i = offsets[sfb]; i < offsets[sfb + 1]; i++)
sce->coeffs[i] += predFreq[i];
sce->coeffs[i] += (UINTFLOAT)predFreq[i];
}
}
+4 -4
@@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full)
static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC])
{
#if USE_FIXED
par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \
par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \
0x40000000) >> 31);
par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \
par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \
0x40000000) >> 31);
par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \
par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \
0x40000000) >> 31);
par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \
par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \
0x40000000) >> 31);
#else
par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f;
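Review bot: In all four USE_FIXED lines the sum becomes unsigned before it is widened, as in "(int64_t)(par[ 0] + (unsigned)(par[ 1]>>1))", so a negative sum is zero-extended to a large positive int64_t instead of being sign-extended, and the result after the multiply and shift no longer matches the original for negative inputs (assuming INTFLOAT is a 32-bit int in this branch). If par[] can be negative here, cast back to int before widening, for example (int64_t)(int)(par[ 0] + (unsigned)(par[ 1]>>1)); if it cannot, a comment saying so would justify the current form.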
+12 -12
@@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2],
INTFLOAT apd_im = in_im;
in_re = AAC_MSUB30(link_delay_re, fractional_delay_re,
link_delay_im, fractional_delay_im);
in_re -= a_re;
in_re -= (UINTFLOAT)a_re;
in_im = AAC_MADD30(link_delay_re, fractional_delay_im,
link_delay_im, fractional_delay_re);
in_im -= a_im;
ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re);
ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im);
in_im -= (UINTFLOAT)a_im;
ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re);
ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im);
}
out[n][0] = AAC_MUL16(transient_gain[n], in_re);
out[n][1] = AAC_MUL16(transient_gain[n], in_im);
@@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
INTFLOAT h1 = h[0][1];
INTFLOAT h2 = h[0][2];
INTFLOAT h3 = h[0][3];
INTFLOAT hs0 = h_step[0][0];
INTFLOAT hs1 = h_step[0][1];
INTFLOAT hs2 = h_step[0][2];
INTFLOAT hs3 = h_step[0][3];
UINTFLOAT hs0 = h_step[0][0];
UINTFLOAT hs1 = h_step[0][1];
UINTFLOAT hs2 = h_step[0][2];
UINTFLOAT hs3 = h_step[0][3];
int n;
for (n = 0; n < len; n++) {
@@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
INTFLOAT h01 = h[0][1], h11 = h[1][1];
INTFLOAT h02 = h[0][2], h12 = h[1][2];
INTFLOAT h03 = h[0][3], h13 = h[1][3];
INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
int n;
for (n = 0; n < len; n++) {
+7 -5
@@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr,
av_add_sf(FLOAT_1, sbr->e_curr[e][m]),
av_add_sf(FLOAT_1, sbr->q_mapped[e][m]))));
}
sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);
}
for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) {
sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]);
@@ -570,8 +571,9 @@ static void sbr_hf_assemble(int Y1[38][64][2],
int idx = indexsine&1;
int A = (1-((indexsine+(kx & 1))&2));
int B = (A^(-idx)) + idx;
int *out = &Y1[i][kx][idx];
int shift, round;
unsigned *out = &Y1[i][kx][idx];
int shift;
unsigned round;
SoftFloat *in = sbr->s_m[e];
for (m = 0; m+1 < m_max; m+=2) {
@@ -584,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2],
}
if (shift < 32) {
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
out[2*m ] += (int)(in[m ].mant * A + round) >> shift;
}
if (shift2 < 32) {
round = 1 << (shift2-1);
out[2*m+2] += (in[m+1].mant * B + round) >> shift2;
out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2;
}
}
if(m_max&1)
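Review bot: "round = 1 << (shift-1);" is still a signed shift and the visible guard only checks shift < 32, so a shift of 0 would give a negative shift count, which is undefined. Making round unsigned does not help with that. Please either write 1U << (shift-1) together with a lower-bound check on shift and shift2, or add a comment naming the invariant that keeps both at 1 or above.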
@@ -600,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2],
return;
} else if (shift < 32) {
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
out[2*m ] += (int)(in[m ].mant * A + round) >> shift;
}
}
}
+2 -2
@@ -64,8 +64,8 @@ static void scale_coefs (
int dynrng,
int len)
{
int i, shift, round;
unsigned mul;
int i, shift;
unsigned mul, round;
int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;
mul = (dynrng & 0x1f) + 0x20;
+9 -4
@@ -614,7 +614,7 @@ static float voice_factor(float *p_vector, float p_gain,
AMRWB_SFR_SIZE) *
f_gain * f_gain;
return (p_ener - f_ener) / (p_ener + f_ener);
return (p_ener - f_ener) / (p_ener + f_ener + 0.01);
}
/**
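Review bot: The division-by-zero fix in voice_factor() adds an undocumented "+ 0.01" to the denominator, which biases the result for every input rather than only the degenerate one, and the literal is a double, so the whole expression is now evaluated in double in a function that returns float. Please use 0.01f, add a comment on where the constant comes from (reference decoder or chosen here), or handle the zero-energy case explicitly and leave normal inputs unchanged.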
@@ -865,15 +865,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth,
{
int wsp = (vad > 0);
float tilt;
float tmp;
if (ctx->fr_cur_mode == MODE_23k85)
return qua_hb_gain[hb_idx] * (1.0f / (1 << 14));
tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) /
ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1);
if (tmp > 0) {
tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
} else
tilt = 0;
/* return gain bounded by [0.1, 1.0] */
return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0);
return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0);
}
/**
+2 -2
@@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1
vld1.32 {d0}, [r0,:64]
vld1.32 {d6}, [lr,:64]
vld1.32 {d2[]}, [r1,:32]!
vld1.32 {d3[]}, [r2,:32]!
vld1.32 {d18[]}, [r2,:32]!
vceq.f32 d4, d2, #0
veor d2, d2, d3
vmov d1, d0
vmla.f32 d0, d6, d3
vmla.f32 d0, d6, d18
vadd.f32 s2, s2, s4
vbif d0, d1, d4
vst1.32 {d0}, [r0,:64]!
+5 -2
@@ -35,6 +35,8 @@
#include "bintext.h"
#include "internal.h"
#define FONT_WIDTH 8
typedef struct XbinContext {
AVFrame *frame;
int palette[16];
@@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
break;
}
}
if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
return AVERROR_INVALIDDATA;
s->frame = av_frame_alloc();
if (!s->frame)
@@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
}
}
#define FONT_WIDTH 8
/**
* Draw character to screen
*/
+5
@@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h)
if (!h->loop_filter_disable && get_bits1(&h->gb)) {
h->alpha_offset = get_se_golomb(&h->gb);
h->beta_offset = get_se_golomb(&h->gb);
if ( h->alpha_offset < -64 || h->alpha_offset > 64
|| h-> beta_offset < -64 || h-> beta_offset > 64) {
h->alpha_offset = h->beta_offset = 0;
return AVERROR_INVALIDDATA;
}
} else {
h->alpha_offset = h->beta_offset = 0;
}
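Review bot: The range check on alpha_offset and beta_offset uses the bare literals -64 and 64 with no indication of where the limit comes from (the specification, or the size of a table indexed later). Please add a comment or named constant so the bound can be audited against whatever it protects. Resetting both fields to 0 before returning AVERROR_INVALIDDATA is a good touch, since the context outlives the failed call; a log message at the error site would make rejected streams easier to diagnose.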
+1 -1
@@ -324,7 +324,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
s->plane[s->channel_num].band[0][0].stride = data;
} else if (tag == 28) {
av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) {
av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
ret = AVERROR(EINVAL);
break;
+29 -5
@@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s,
return AVERROR_INVALIDDATA;
}
static int cinepak_decode (CinepakContext *s)
static int cinepak_predecode_check (CinepakContext *s)
{
const uint8_t *eod = (s->data + s->size);
int i, result, strip_size, frame_flags, num_strips;
int y0 = 0;
int num_strips;
int encoded_buf_size;
frame_flags = s->data[0];
num_strips = AV_RB16 (&s->data[8]);
encoded_buf_size = AV_RB24(&s->data[1]);
@@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s)
s->sega_film_skip_bytes = 0;
}
if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
return AVERROR_INVALIDDATA;
return 0;
}
static int cinepak_decode (CinepakContext *s)
{
const uint8_t *eod = (s->data + s->size);
int i, result, strip_size, frame_flags, num_strips;
int y0 = 0;
frame_flags = s->data[0];
num_strips = AV_RB16 (&s->data[8]);
s->data += 10 + s->sega_film_skip_bytes;
num_strips = FFMIN(num_strips, MAX_STRIPS);
@@ -432,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data;
int ret = 0, buf_size = avpkt->size;
CinepakContext *s = avctx->priv_data;
int num_strips;
s->data = buf;
s->size = buf_size;
@@ -439,6 +452,17 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
if (s->size < 10)
return AVERROR_INVALIDDATA;
num_strips = AV_RB16 (&s->data[8]);
//Empty frame, do not waste time
if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL)))
return buf_size;
if ((ret = cinepak_predecode_check(s)) < 0) {
av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
return ret;
}
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
return ret;
+1 -1
@@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data,
return ret;
buf_out = (int16_t *)frame->data[0];
for (i = 0; i < avctx->frame_size; i++)
buf_out[i] = p->filter_out[i + p->order];
buf_out[i] = av_clip_int16(p->filter_out[i + p->order]);
memcpy(p->filter_out, p->filter_out + avctx->frame_size,
p->order * sizeof(*p->filter_out));
+6 -2
@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
switch ((buf[0] >> 1) & 7) {
case 0: { // lzo compression
int outlen = c->decomp_size, inlen = buf_size - 2;
if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen))
if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
return AVERROR_INVALIDDATA;
}
break;
}
case 1: { // zlib compression
#if CONFIG_ZLIB
unsigned long dlen = c->decomp_size;
if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK)
if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
return AVERROR_INVALIDDATA;
}
break;
#else
av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");
+1 -1
@@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)
avctx->pix_fmt = AV_PIX_FMT_PAL8;
if (!avctx->width || !avctx->height)
if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16))
return AVERROR_INVALIDDATA;
av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0);
+12 -12
@@ -93,40 +93,40 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
// shared stuff for simd optimizations
#define COMPOSE_53iL0(b0, b1, b2)\
(b1 - ((b0 + b2 + 2) >> 2))
(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))
#define COMPOSE_DIRAC53iH0(b0, b1, b2)\
(b1 + ((b0 + b2 + 1) >> 1))
(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))
#define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
(b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4))
(int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4)))
#define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
(b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
(int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5)))
#define COMPOSE_HAARiL0(b0, b1)\
(b0 - ((b1 + 1) >> 1))
((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))
#define COMPOSE_HAARiH0(b0, b1)\
(b0 + b1)
((int)(b0 + (unsigned)(b1)))
#define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
(b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8))
((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
#define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
(b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8))
#define COMPOSE_DAUB97iL1(b0, b1, b2)\
(b1 - ((1817*(b0 + b2) + 2048) >> 12))
((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
#define COMPOSE_DAUB97iH1(b0, b1, b2)\
(b1 - (( 113*(b0 + b2) + 64) >> 7))
((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
#define COMPOSE_DAUB97iL0(b0, b1, b2)\
(b1 + (( 217*(b0 + b2) + 2048) >> 12))
((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
#define COMPOSE_DAUB97iH0(b0, b1, b2)\
(b1 + ((6497*(b0 + b2) + 2048) >> 12))
((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
#endif /* AVCODEC_DWT_H */
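Review bot: The rewritten macros parenthesise their arguments inconsistently: COMPOSE_53iL0 uses "(unsigned)(b2)" but bare b0 and b1, COMPOSE_DD97iH0 and COMPOSE_DD137iL0 expand "9U*b1 + 9U*b3 - b4 - b0", and the FIDELITY and DAUB97 macros cast with "(unsigned)b8" and "(unsigned)b2" without inner parentheses. Any call site that passes an expression such as a - b will expand with the wrong precedence. Since every macro is being touched anyway, wrap each parameter in parentheses. A comment at the top of the block explaining the pattern (do the arithmetic in unsigned to get defined wraparound, cast to int only for the arithmetic right shift) would help the next reader.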
+11 -11
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_
TYPE *b1 = (TYPE *)_b1;
TYPE *b2 = (TYPE *)_b2;
for (i = 0; i < width; i++)
b1[i] -= (b0[i] + b2[i] + 2) >> 2;
b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
}
static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2,
@@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src
{
int i;
for (i = 0; i < w2; i++) {
dst[2*i ] = (src0[i] + add) >> shift;
dst[2*i+1] = (src1[i] + add) >> shift;
dst[2*i ] = ((int)(src0[i] + (unsigned)add)) >> shift;
dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift;
}
}
@@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w)
tmp[w2+1] = tmp[w2] = tmp[w2-1];
for (x = 0; x < w2; x++) {
b[2*x ] = (tmp[x] + 1)>>1;
b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
b[2*x ] = ((int)(tmp[x] + 1U))>>1;
b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
}
}
@@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w)
tmp[w2+1] = tmp[w2] = tmp[w2-1];
for (x = 0; x < w2; x++) {
b[2*x ] = (tmp[x] + 1)>>1;
b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
b[2*x ] = ((int)(tmp[x] + 1U))>>1;
b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
}
}
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int
// second stage combined with interleave and shift
b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
b[0] = (b0 + 1) >> 1;
b[0] = ~((~b0) >> 1);
for (x = 1; x < w2; x++) {
b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]);
b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2 );
b[2*x-1] = (b1 + 1) >> 1;
b[2*x ] = (b2 + 1) >> 1;
b[2*x-1] = ~((~b1) >> 1);
b[2*x ] = ~((~b2) >> 1);
b0 = b2;
}
b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
}
static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2,
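Review bot: ~((~b0) >> 1) is not value-identical to the (b0 + 1) >> 1 it replaces. Assuming b0, b1 and b2 are signed ints and >> is an arithmetic shift, the new expression reduces to b0 >> 1, so odd inputs lose the rounding: b0 = 1 produced 1 with the old line and produces 0 with the new one. The same holds for the b1, b2 and b[w-1] lines. If the output is meant to stay bit-exact, (int)(b0 + 1U) >> 1, the form the dd97i and dd137i hunks above use, avoids the signed overflow without changing the result; if the rounding change is intended, the commit message should say so.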
+24 -15
View File
@@ -129,7 +129,7 @@ typedef struct DiracContext {
GetBitContext gb;
AVDiracSeqHeader seq;
int seen_sequence_header;
int frame_number; /* number of the next frame to display */
int64_t frame_number; /* number of the next frame to display */
Plane plane[3];
int chroma_x_shift;
int chroma_y_shift;
@@ -231,7 +231,7 @@ enum dirac_subband {
/* magic number division by 3 from schroedinger */
static inline int divide3(int x)
{
return ((x+1)*21845 + 10922) >> 16;
return (int)((x+1U)*21845 + 10922) >> 16;
}
static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum)
@@ -462,7 +462,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse
static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \
SubBand *b, type *buf, int x, int y) \
{ \
int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
unsigned coeff; \
const int mstride = -(b->stride >> (1+b->pshift)); \
if (b->parent) { \
const type *pbuf = (type *)b->parent->ibuf; \
@@ -515,16 +516,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
}
if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
int quant = b->quant;
int quant;
if (is_arith)
quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
else
quant += dirac_get_se_golomb(gb);
if (quant < 0) {
quant = dirac_get_se_golomb(gb);
if (quant > INT_MAX - b->quant || b->quant + quant < 0) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
return;
}
b->quant = quant;
b->quant += quant;
}
if (b->quant > 115) {
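Review bot: the new test quant > INT_MAX - b->quant || b->quant + quant < 0 is itself overflow-free only when b->quant is non-negative on entry, and nothing in the hunk establishes that. Either state that invariant in a comment or do the sum in int64_t and range-check the result once; since b->quant > 115 is rejected immediately below, the two checks could be a single bounds test on the 64-bit sum.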
@@ -593,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
} \
INTRA_DC_PRED(8, int16_t)
INTRA_DC_PRED(10, int32_t)
INTRA_DC_PRED(10, uint32_t)
/**
* Dirac Specification ->
@@ -905,6 +906,10 @@ static int decode_lowdelay(DiracContext *s)
for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den
- slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den;
if (bytes >= INT_MAX || bytes*8 > bufsize) {
av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
return AVERROR_INVALIDDATA;
}
slices[slice_num].bytes = bytes;
slices[slice_num].slice_x = slice_x;
slices[slice_num].slice_y = slice_y;
@@ -1081,6 +1086,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb);
s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb);
}
if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) {
return AVERROR_INVALIDDATA;
}
}
}
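Review bot: the new perspective_exp + zrs_exp > 30 check returns AVERROR_INVALIDDATA with no av_log, unlike the "too many bytes" check added to decode_lowdelay in the previous hunk, so a rejected stream gives no hint of which field was wrong. Add an error message that prints both exponents, and a short comment saying why 30 is the limit.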
@@ -1310,8 +1319,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
int *c = s->globalmc[ref].perspective;
int m = (1<<ep) - (c[0]*x + c[1]*y);
int mx = m * ((A[0][0] * x + A[0][1]*y) + (1<<ez) * b[0]);
int my = m * ((A[1][0] * x + A[1][1]*y) + (1<<ez) * b[1]);
int64_t mx = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1<<ez) * b[0]);
int64_t my = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1<<ez) * b[1]);
block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
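Review bot: the widening to int64_t in mx and my is only partial. m is still an int built from c[0]*x + c[1]*y, and (1<<ez) * b[0] and (1<<ez) * b[1] are still evaluated as int products before the outer (int64_t) cast is applied, so those sub-expressions can overflow exactly as before. Cast one operand of each of them as well, for example (1LL<<ez) * b[0], and compute m in int64_t.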
@@ -1333,7 +1342,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
if (!block->ref) {
pred_block_dc(block, stride, x, y);
for (i = 0; i < 3; i++)
block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
return;
}
@@ -1348,8 +1357,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
global_mv(s, block, x, y, i);
} else {
pred_mv(block, stride, x, y, i);
block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
}
}
}
@@ -2209,7 +2218,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
if (*got_frame)
s->frame_number = picture->display_picture_number + 1;
s->frame_number = picture->display_picture_number + 1LL;
return buf_idx;
}
+4 -4
View File
@@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid
int32_t *src = (int32_t *)_src; \
for (y = 0; y < height; y++) { \
for (x = 0; x < width; x+=4) { \
dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \
dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \
dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \
dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \
dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \
dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \
dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \
dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \
} \
dst += dst_stride >> 1; \
src += src_stride >> 2; \
+11 -3
View File
@@ -278,14 +278,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
if (header_prefix == DNXHD_HEADER_HR2) {
ctx->data_offset = 0x170 + (ctx->mb_height << 2);
} else {
if (ctx->mb_height > 68 ||
(ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
if (ctx->mb_height > 68) {
av_log(ctx->avctx, AV_LOG_ERROR,
"mb height too big: %d\n", ctx->mb_height);
return AVERROR_INVALIDDATA;
}
ctx->data_offset = 0x280;
}
if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
av_log(ctx->avctx, AV_LOG_ERROR,
"mb height too big: %d\n", ctx->mb_height);
return AVERROR_INVALIDDATA;
}
if (buf_size < ctx->data_offset) {
av_log(ctx->avctx, AV_LOG_ERROR,
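Review bot: after the split, both the mb_height > 68 test and the (mb_height << interlaced_frame) > (height + 15) >> 4 test log the identical string "mb height too big: %d", so a log line no longer tells which limit was hit. Give the second message its own wording and print ctx->height and frame->interlaced_frame along with mb_height.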
@@ -352,6 +356,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
UPDATE_CACHE(bs, &row->gb);
GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
if (len < 0) {
ret = len;
goto error;
}
if (len) {
level = GET_CACHE(bs, &row->gb);
LAST_SKIP_BITS(bs, &row->gb, len);
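Review bot: in the new len < 0 branch, ret = len hands the raw negative VLC result back to the caller as if it were an AVERROR code. Set ret = AVERROR_INVALIDDATA there so callers that inspect or print the error see a meaningful value, and consider an av_log so a corrupt DC code is reported.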
@@ -405,7 +413,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
DNXHD_VLC_BITS, 2);
}
error:
CLOSE_READER(bs, &row->gb);
return ret;
}
+19 -4
View File
@@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size,
}
}
if (dst_end - dst > dst_size - dst_size/10)
return AVERROR_INVALIDDATA;
return 0;
}
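Review bot: the added check dst_end - dst > dst_size - dst_size/10 encodes an undocumented heuristic (reject the frame when less than about a tenth of the output was produced). Add a comment explaining the threshold and why a short but non-empty output is still accepted, and give the 10 a name, since the identical test is repeated in cin_decode_rle in the next hunk.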
@@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size,
}
dst += len;
}
if (dst_end - dst > dst_size - dst_size/10)
return AVERROR_INVALIDDATA;
return 0;
}
@@ -226,27 +233,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
* surface.width = surface.pitch */
switch (bitmap_frame_type) {
case 9:
cin_decode_rle(buf, bitmap_frame_size,
res = cin_decode_rle(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
if (res < 0)
return res;
break;
case 34:
cin_decode_rle(buf, bitmap_frame_size,
res = cin_decode_rle(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
if (res < 0)
return res;
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break;
case 35:
bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
if (res < 0)
return res;
break;
case 36:
bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP],
cin->bitmap_size);
cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
if (res < 0)
return res;
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break;
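Review bot: this hunk starts checking the result of cin_decode_rle in cases 9, 34, 35 and 36, but none of its lines touch a cin_decode_lzss call, although the first hunk gives cin_decode_lzss the same new AVERROR_INVALIDDATA return. Please confirm the lzss call sites also test the return value; otherwise that new error is silently dropped. In cases 35 and 36 the value returned by cin_decode_huffman is still used as bitmap_frame_size without a check.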
+8 -1
View File
@@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s,
{
DVDSubParseContext *pc = s->priv_data;
*poutbuf = buf;
*poutbuf_size = buf_size;
if (pc->packet_index == 0) {
if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
if (buf_size)
@@ -54,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
if (pc->packet_len == 0) /* HD-DVD subpicture packet */
pc->packet_len = AV_RB32(buf+2);
av_freep(&pc->packet);
pc->packet = av_malloc(pc->packet_len);
if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
return buf_size;
}
pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
}
if (pc->packet) {
if (pc->packet_index + buf_size <= pc->packet_len) {
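Review bot: the buffer is now allocated as packet_len + AV_INPUT_BUFFER_PADDING_SIZE with av_malloc, but nothing in the hunk clears the added padding, so readers that rely on zeroed padding see uninitialised bytes. Use av_mallocz or memset the tail after allocation. Also, the new early return leaves pc->packet_len holding the rejected value after av_freep(&pc->packet); resetting it (and packet_index) there would keep the parser state consistent for the next call.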
+3 -4
View File
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
{
int len;
int has_run = get_bits1(gb);
if (get_bits1(gb))
*color = get_bits(gb, 8);
else
*color = get_bits(gb, 2);
*color = get_bits(gb, 2 + 6*get_bits1(gb));
if (has_run) {
if (get_bits1(gb)) {
len = get_bits(gb, 7);
@@ -127,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
len = decode_run_8bit(&gb, &color);
else
len = decode_run_2bit(&gb, &color);
if (len != INT_MAX && len > w - x)
return AVERROR_INVALIDDATA;
len = FFMIN(len, w - x);
memset(d + x, color, len);
x += len;
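Review bot: the new test len != INT_MAX && len > w - x treats INT_MAX as a sentinel that is exempt from the bounds check, but the hunk does not say what that sentinel means. Add a comment (or a named constant) for the INT_MAX case, and note that after this change the following FFMIN(len, w - x) only has an effect for that sentinel. A negative len is not rejected by the new condition; if decode_run_8bit or decode_run_2bit can return one, it should be checked here too.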
+6 -10
View File
@@ -304,11 +304,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic,
}
if (avctx->height - line) {
av_log(avctx, AV_LOG_VERBOSE,
"Not enough slice data available, "
"cropping the frame by %d pixels\n",
avctx->height - line);
avctx->height = line;
avpriv_request_sample(avctx, "Not enough slice data available");
}
return 0;
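Review bot: with the cropping removed, the avctx->height - line branch now only calls avpriv_request_sample and then falls through to return 0, so a frame whose lower rows were never decoded is reported as a success. Either return an error here or make sure the undecoded rows are initialised before the frame is handed out, and say in a comment which behaviour is intended.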
@@ -325,7 +321,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame,
int stride = frame->linesize[0];
uint8_t *dst = frame->data[0] + stride * line;
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
for (x = 0; x < width; x++) {
b = decode_sym_565(gb, lru[0], 5);
g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
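Review bot: the loop bound get_bits_left(gb) > 6 * width replaces the fixed 16 with an unexplained per-row estimate, and the 4:1:0 hunk below uses 9 * width with no explanation either. Add a comment deriving the minimum bits per row from the symbols decoded per pixel, or name the constants, so the next reader can check the bound. The loop still ends silently when the bound is not met; the caller should be able to tell a truncated slice from a complete one.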
@@ -391,7 +387,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame,
int stride = frame->linesize[0];
uint8_t *dst = frame->data[0] + stride * line;
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
for (x = 0; x < width; x++) {
dst[x * 3 + 0] = decode_sym(gb, lru[0]);
dst[x * 3 + 1] = decode_sym(gb, lru[1]);
@@ -436,7 +432,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
uint8_t *U = frame->data[1] + (ustride >> 2) * line;
uint8_t *V = frame->data[2] + (vstride >> 2) * line;
for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
for (x = 0; x < width; x += 4) {
for (j = 0; j < 4; j++)
for (i = 0; i < 4; i++)
@@ -480,7 +476,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
uint8_t *V = frame->data[2] + (vstride >> 1) * line;
for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
for (x = 0; x < width; x += 2) {
Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
@@ -523,7 +519,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame,
uint8_t *U = frame->data[1] + ustride * line;
uint8_t *V = frame->data[2] + vstride * line;
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
for (x = 0; x < width; x++) {
Y[x] = decode_sym(gb, lru[0]);
U[x] = decode_sym(gb, lru[1]) ^ 0x80;
+3 -5
View File
@@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size)
void ff_els_decoder_uninit(ElsUnsignedRung *rung)
{
av_free(rung->rem_rung_list);
av_freep(&rung->rem_rung_list);
}
static int els_import_byte(ElsDecCtx *ctx)
@@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur)
if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) {
// remember rung_node position
ptrdiff_t pos = rung_node - ur->rem_rung_list;
ur->rem_rung_list = av_realloc(ur->rem_rung_list,
ctx->err = av_reallocp(&ur->rem_rung_list,
ur->rung_list_size +
RUNG_SPACE);
if (!ur->rem_rung_list) {
av_free(ur->rem_rung_list);
ctx->err = AVERROR(ENOMEM);
if (ctx->err < 0) {
return 0;
}
memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0,
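Review bot: assigning the av_reallocp result straight into ctx->err also overwrites ctx->err with 0 on success, which would clear an error recorded earlier in the decode; use a local int ret and store it in ctx->err only when it is negative. On the failure path av_reallocp frees the list and sets the pointer to NULL, but ur->rung_list_size and ur->avail_index keep their old values in the visible lines, so reset them there so a later call does not index a NULL list.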
+2 -2
View File
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, int stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + 1 + y * stride];
dc = (dc * 10923 + 32768) >> 16;
dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
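Review bot: the upper clip bound INT_MAX/10923 - 32768 subtracts the rounding constant after the division, which makes the limit much tighter than the overflow condition needs; the exact bound for dc * 10923 + 32768 is (INT_MAX - 32768) / 10923. As written, values that could not overflow are clipped and the filter output changes for them. The expression is also duplicated verbatim in the second hunk; a small helper or macro would keep the two copies in sync.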
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, int stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + (y + 1) * stride];
dc = (dc * 10923 + 32768) >> 16;
dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
+5 -1
View File
@@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
// This call also guards the potential depth reads for the
// codebook unpacking.
if (get_bits_left(&gb) < 64)
// Check if the amount we will read minimally is available on input.
// The 64 represent the immediately next 2 frame_* elements read, the 23/4320
// represent a lower bound of the space needed for skipped superblocks. Non
// skipped SBs need more space.
if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
return -1;
frame_flags = get_bits_long(&gb, 32);
+3 -3
View File
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
while (lc > 0) {
const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK];
if (pl.len) {
if (pl.len && lc >= pl.len) {
lc -= pl.len;
get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
} else {
@@ -849,7 +849,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
line_offset = AV_RL64(s->gb.buffer + jobnr * 8);
// Check if the buffer has the required bytes needed from the offset
if (line_offset > buf_size - 8)
if (buf_size < 8 || line_offset > buf_size - 8)
return AVERROR_INVALIDDATA;
src = buf + line_offset + 8;
@@ -858,7 +858,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
return AVERROR_INVALIDDATA;
data_size = AV_RL32(src - 4);
if (data_size <= 0 || data_size > buf_size)
if (data_size <= 0 || data_size > buf_size - line_offset - 8)
return AVERROR_INVALIDDATA;
s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1);
+2 -2
View File
@@ -483,7 +483,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
memset(state, 128, sizeof(state));
for (v = 0; i < 128; v++) {
unsigned len = get_symbol(c, state, 0) + 1;
unsigned len = get_symbol(c, state, 0) + 1U;
if (len > 128 - i || !len)
return AVERROR_INVALIDDATA;
@@ -803,7 +803,7 @@ static int read_header(FFV1Context *f)
} else {
const uint8_t *p = c->bytestream_end;
for (f->slice_count = 0;
f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start;
f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start;
f->slice_count++) {
int trailer = 3 + 5*!!f->ec;
int size = AV_RB24(p-trailer);
+4
View File
@@ -699,6 +699,10 @@ static av_cold int encode_init(AVCodecContext *avctx)
s->ec = (s->version >= 3);
}
// CRC requires version 3+
if (s->ec)
s->version = FFMAX(s->version, 3);
if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) {
av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n");
return AVERROR_INVALIDDATA;
+12 -7
View File
@@ -81,15 +81,16 @@ static const uint8_t fic_qmat_lq[64] = {
static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };
#define FIC_HEADER_SIZE 27
#define CURSOR_OFFSET 59
static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
{
const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step];
const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step];
const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
const unsigned t6 = t2 - t0;
const unsigned t7 = t3 - t1;
const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step];
@@ -334,6 +335,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
skip_cursor = 1;
}
if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) {
skip_cursor = 1;
}
/* Slice height for all but the last slice. */
ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
if (ctx->slice_h % 16)
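Review bot: the new size test avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf) compares an int against a size_t, so avpkt->size is converted to unsigned for the comparison; cast explicitly or keep the right-hand side as int to make the intent clear. The check is against the packet size while the memcpy in the last hunk reads from src + CURSOR_OFFSET, so it only protects the copy if src points at the start of the packet; a comment stating that would help. A too-short packet now silently drops the cursor, which may deserve a debug-level log.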
@@ -413,7 +418,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
/* Draw cursor. */
if (!skip_cursor) {
memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4);
memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf));
fic_draw_cursor(avctx, cur_x, cur_y);
}
+7 -2
View File
@@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
}
for (curr = fpc->headers; curr; curr = curr->next) {
if (curr->max_score > 0 &&
(!fpc->best_header || curr->max_score > fpc->best_header->max_score)) {
if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) {
fpc->best_header = curr;
}
}
if (fpc->best_header && fpc->best_header->max_score <= 0) {
// Only accept a bad header if there is no other option to continue
if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS)
fpc->best_header = NULL;
}
if (fpc->best_header) {
fpc->best_header_valid = 1;
if (fpc->best_header->offset > 0) {
+2 -2
View File
@@ -287,7 +287,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
if (pred_order > 2)
c = b - decoded[pred_order-2] + decoded[pred_order-3];
if (pred_order > 3)
d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4];
d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];
switch (pred_order) {
case 0:
@@ -445,7 +445,7 @@ static inline int decode_subframe(FLACContext *s, int channel)
return AVERROR_INVALIDDATA;
}
if (wasted) {
if (wasted && wasted < 32) {
int i;
for (i = 0; i < s->blocksize; i++)
decoded[i] = (unsigned)decoded[i] << wasted;
+8 -5
View File
@@ -555,8 +555,8 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y,
B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta);
}
if (R<0 || G<0 || B<0) {
av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B);
return 0;
}
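Review bot: the message passed to avpriv_request_sample ends in "\n", while the other avpriv_request_sample call added in this diff ("Not enough slice data available") has no trailing newline; drop the "\n" so the text the function appends is not split onto a second line. The call also still passes NULL as the logging context; pass the codec context if one is reachable from dc.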
@@ -926,6 +926,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
if (c->ec.els_ctx.err != 0) {
av_log(avctx, AV_LOG_ERROR,
"ePIC: couldn't decode transparency pixel!\n");
ff_els_decoder_uninit(&c->ec.unsigned_rung);
return AVERROR_INVALIDDATA;
}
@@ -1354,14 +1355,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride)
} else {
dst += x * 3;
}
if (y < 0) {
if (y < 0)
h += y;
if (w < 0 || h < 0)
return;
if (y < 0) {
cursor += -y * c->cursor_stride;
} else {
dst += y * stride;
}
if (w < 0 || h < 0)
return;
for (j = 0; j < h; j++) {
for (i = 0; i < w; i++) {
+1 -1
View File
@@ -548,7 +548,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy)
denom <<= bits2;
bits2 = 5 + bits1 - bits2;
bits2 = FFMAX(0, bits2);
bits2 = av_clip_uintp2(bits2, 5);
gain = (num >> 1) / (denom >> 16);
gain = square_root(gain << 16 >> bits2);
+3 -1
View File
@@ -32,6 +32,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/log.h"
#include "libavutil/avassert.h"
#include "avcodec.h"
#include "mathops.h"
/*
@@ -425,7 +426,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
int buffer_size;
int ret = 0;
if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) {
bit_size = 0;
buffer = NULL;
ret = AVERROR_INVALIDDATA;
@@ -574,6 +575,7 @@ void ff_free_vlc(VLC *vlc);
* @param max_depth is the number of times bits bits must be read to completely
* read the longest vlc code
* = (max_vlc_length + bits - 1) / bits
* @returns the code parsed or -1 if no vlc matches
*/
static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2],
int bits, int max_depth)
+1 -1
View File
@@ -637,7 +637,7 @@ retry:
slice_ret = decode_slice(s);
while (s->mb_y < s->mb_height) {
if (s->msmpeg4_version) {
if (s->slice_height == 0 || s->mb_x != 0 ||
if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 ||
(s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0)
break;
} else {
+1
View File
@@ -605,6 +605,7 @@ typedef struct H264Context {
uint8_t (*mvd_table[2])[2];
uint8_t *direct_table;
uint8_t scan_padding[16];
uint8_t zigzag_scan[16];
uint8_t zigzag_scan8x8[64];
uint8_t zigzag_scan8x8_cavlc[64];
+1 -1
View File
@@ -1736,7 +1736,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl,
\
if( coeff_abs >= 15 ) { \
int j = 0; \
while (get_cabac_bypass(CC) && j < 30) { \
while (get_cabac_bypass(CC) && j < 16+7) { \
j++; \
} \
\
+9 -2
View File
@@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
cbp = 0; /* avoid warning. FIXME: find a solution without slowing
down the code */
if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
if (sl->mb_skip_run == -1)
sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
if (sl->mb_skip_run == -1) {
unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
if (mb_skip_run > h->mb_num) {
av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
return AVERROR_INVALIDDATA;
}
sl->mb_skip_run = mb_skip_run;
}
if (sl->mb_skip_run--) {
if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
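Review bot: mb_skip_run is declared unsigned but is printed with %d in the new av_log call, so the large values this check exists to catch are logged as negative numbers. Use %u. The comparison mb_skip_run > h->mb_num also mixes unsigned with the type of mb_num; an explicit cast would document that the unsigned comparison is intended.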
@@ -1113,6 +1119,7 @@ decode_intra_mb:
else sl->qscale -= max_qp+1;
if (((unsigned)sl->qscale) > max_qp){
av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y);
sl->qscale = max_qp;
return -1;
}
}
+2 -1
View File
@@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl,
if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME))
await_references(h, sl);
prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);
if (USES_LIST(mb_type, 0))
prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);
if (IS_16X16(mb_type)) {
mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0,
+1
View File
@@ -814,6 +814,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
pps_ref_count[1] = FFMAX(pps_ref_count[1], h->pps.ref_count[1]);
}
// Detect unmarked random access points
if ( err >= 0
&& h->long_ref_count==0
&& ( h->short_ref_count<=2
+15 -7
View File
@@ -1633,6 +1633,12 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl)
h->missing_fields ++;
h->cur_pic_ptr = NULL;
h->first_field = FIELD_PICTURE(h);
} else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) {
/* This frame was already output, we cannot draw into it
* anymore.
*/
h->first_field = 1;
h->cur_pic_ptr = NULL;
} else {
h->missing_fields = 0;
if (h->cur_pic_ptr->frame_num != h->frame_num) {
@@ -1822,17 +1828,19 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl)
sl->deblocking_filter ^= 1; // 1<->0
if (sl->deblocking_filter) {
sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2;
sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2;
if (sl->slice_alpha_c0_offset > 12 ||
sl->slice_alpha_c0_offset < -12 ||
sl->slice_beta_offset > 12 ||
sl->slice_beta_offset < -12) {
int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb);
int slice_beta_offset_div2 = get_se_golomb(&sl->gb);
if (slice_alpha_c0_offset_div2 > 6 ||
slice_alpha_c0_offset_div2 < -6 ||
slice_beta_offset_div2 > 6 ||
slice_beta_offset_div2 < -6) {
av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
sl->slice_alpha_c0_offset, sl->slice_beta_offset);
slice_alpha_c0_offset_div2, slice_beta_offset_div2);
return AVERROR_INVALIDDATA;
}
sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
sl->slice_beta_offset = slice_beta_offset_div2 * 2;
}
}
+12 -12
View File
@@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride)
stride /= sizeof(pixel);
for (i = 0; i < 4; i++) {
dst[0] += src[0];
dst[1] += src[1];
dst[2] += src[2];
dst[3] += src[3];
dst[0] += (unsigned)src[0];
dst[1] += (unsigned)src[1];
dst[2] += (unsigned)src[2];
dst[3] += (unsigned)src[3];
dst += stride;
src += 4;
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride)
stride /= sizeof(pixel);
for (i = 0; i < 8; i++) {
dst[0] += src[0];
dst[1] += src[1];
dst[2] += src[2];
dst[3] += src[3];
dst[4] += src[4];
dst[5] += src[5];
dst[6] += src[6];
dst[7] += src[7];
dst[0] += (unsigned)src[0];
dst[1] += (unsigned)src[1];
dst[2] += (unsigned)src[2];
dst[3] += (unsigned)src[3];
dst[4] += (unsigned)src[4];
dst[5] += (unsigned)src[5];
dst[6] += (unsigned)src[6];
dst[7] += (unsigned)src[7];
dst += stride;
src += 8;
+4 -4
View File
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){
const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1);
const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1);
const int b1 = (a7>>2) + a1;
const int b3 = a3 + (a5>>2);
const int b5 = (a3>>2) - a5;
const int b7 = a7 - (a1>>2);
const int b1 = (a7>>2) + (unsigned)a1;
const int b3 = (unsigned)a3 + (a5>>2);
const int b5 = (a3>>2) - (unsigned)a5;
const int b7 = (unsigned)a7 - (a1>>2);
block[i+0*8] = b0 + b7;
block[i+7*8] = b0 - b7;
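Review bot: the unsigned casts cover b1, b3, b5 and b7, but the lines that consume them, block[i+0*8] = b0 + b7 and block[i+7*8] = b0 - b7, are left as plain int arithmetic, as are the a5 and a7 sums at the top of the hunk. If the inputs can be large enough to overflow in b1..b7 they can overflow in those additions too; apply the same treatment there or explain why those are safe.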
+4
View File
@@ -2781,6 +2781,10 @@ static int decode_nal_unit(HEVCContext *s, const HEVCNAL *nal)
}
if (s->sh.first_slice_in_pic_flag) {
if (s->ref) {
av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
goto fail;
}
ret = hevc_frame_start(s);
if (ret < 0)
return ret;
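Review bot: the new s->ref branch jumps to fail without assigning ret, while the hevc_frame_start path just below returns ret directly. Whatever the fail label returns therefore depends on a value set earlier in the function; set ret = AVERROR_INVALIDDATA before the goto so the duplicate first-slice case is reported as an error.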
+3 -2
View File
@@ -407,6 +407,7 @@ typedef struct HEVCSPS {
HEVCWindow pic_conf_win;
int bit_depth;
int bit_depth_chroma;
int pixel_shift;
enum AVPixelFormat pix_fmt;
@@ -538,8 +539,8 @@ typedef struct HEVCPPS {
uint8_t chroma_qp_offset_list_enabled_flag;
uint8_t diff_cu_chroma_qp_offset_depth;
uint8_t chroma_qp_offset_list_len_minus1;
int8_t cb_qp_offset_list[5];
int8_t cr_qp_offset_list[5];
int8_t cb_qp_offset_list[6];
int8_t cr_qp_offset_list[6];
uint8_t log2_sao_offset_scale_luma;
uint8_t log2_sao_offset_scale_chroma;
+10 -5
View File
@@ -633,8 +633,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
suffix_val += 1 << k;
k++;
}
if (k == CABAC_MAX_BIN)
if (k == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
return AVERROR_INVALIDDATA;
}
while (k--)
suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k;
@@ -975,16 +977,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc))
prefix++;
if (prefix == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
return 0;
}
if (prefix < 3) {
for (i = 0; i < rc_rice_param; i++)
suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);
last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix;
} else {
int prefix_minus3 = prefix - 3;
if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
return 0;
}
for (i = 0; i < prefix_minus3 + rc_rice_param; i++)
suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);
last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1)
+26 -6
View File
@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < rps->num_negative_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
if (delta_poc < 1 || delta_poc > 32768) {
av_log(avctx, AV_LOG_ERROR,
"Invalid value of delta_poc: %d\n",
delta_poc);
return AVERROR_INVALIDDATA;
}
prev -= delta_poc;
rps->delta_poc[i] = prev;
rps->used[i] = get_bits1(gb);
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < nb_positive_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
if (delta_poc < 1 || delta_poc > 32768) {
av_log(avctx, AV_LOG_ERROR,
"Invalid value of delta_poc: %d\n",
delta_poc);
return AVERROR_INVALIDDATA;
}
prev += delta_poc;
rps->delta_poc[rps->num_negative_pics + i] = prev;
rps->used[rps->num_negative_pics + i] = get_bits1(gb);
@@ -894,6 +906,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->bit_depth, bit_depth_chroma);
return AVERROR_INVALIDDATA;
}
sps->bit_depth_chroma = bit_depth_chroma;
ret = map_pixel_format(avctx, sps);
if (ret < 0)
@@ -987,10 +1000,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3;
sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size +
get_ue_golomb_long(gb);
if (sps->pcm.bit_depth > sps->bit_depth) {
if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) {
av_log(avctx, AV_LOG_ERROR,
"PCM bit depth (%d) is greater than normal bit depth (%d)\n",
sps->pcm.bit_depth, sps->bit_depth);
"PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n",
sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth);
return AVERROR_INVALIDDATA;
}
@@ -1257,6 +1270,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx,
pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);
if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth - 10, 0)
|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0)
)
return AVERROR_INVALIDDATA;
return(0);
}
@@ -1398,6 +1416,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
HEVCSPS *sps = NULL;
int i, ret = 0;
unsigned int pps_id = 0;
unsigned log2_parallel_merge_level_minus2;
AVBufferRef *pps_buf;
HEVCPPS *pps = av_mallocz(sizeof(*pps));
@@ -1584,13 +1603,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
goto err;
}
pps->lists_modification_present_flag = get_bits1(gb);
pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2;
if (pps->log2_parallel_merge_level > sps->log2_ctb_size) {
log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb);
if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) {
av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n",
pps->log2_parallel_merge_level - 2);
log2_parallel_merge_level_minus2);
ret = AVERROR_INVALIDDATA;
goto err;
}
pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2;
pps->slice_header_extension_present_flag = get_bits1(gb);
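Review bot: The range check now compares log2_parallel_merge_level_minus2 against sps->log2_ctb_size, while the check it replaces compared the value with 2 already added, so the accepted range grows by two and pps->log2_parallel_merge_level can end up as large as log2_ctb_size + 2. If the aim is only to keep the + 2 from wrapping, keep the old limit by accounting for the 2 on the other side of the comparison or by doing the addition in a wider type. The new variable is declared unsigned but is logged with %d; %u would match.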
+4
View File
@@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n");
while (byte == 0xFF) {
if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8);
payload_type += byte;
}
byte = 0xFF;
while (byte == 0xFF) {
if (get_bits_left(gb) < 8 + 8LL*payload_size)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8);
payload_size += byte;
}
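Review bot: The two length loops are guarded differently and the reason is not documented: the payload_type loop tests payload_type > INT_MAX - 255 before adding, while the payload_size loop relies only on get_bits_left(gb) < 8 + 8LL*payload_size to keep payload_size bounded. A one-line comment saying that the remaining-bits test also caps payload_size would save the next reader from looking for a missing overflow test. The first loop asks for 16 bits where it reads 8; a short note on why would help as well.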
+8 -8
View File
@@ -125,7 +125,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size)
} else {
for (y = 0; y < size; y++) {
for (x = 0; x < size; x++) {
*coeffs = *coeffs << -shift;
*coeffs = *(uint16_t*)coeffs << -shift;
coeffs++;
}
}
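Review bot: In *coeffs = *(uint16_t*)coeffs << -shift; the uint16_t operand is promoted to int before the shift, so the shift is still carried out in a signed type, and whether it can overflow depends on how large -shift gets, which this hunk does not show. Casting the loaded value to unsigned would make the intent explicit, and reading an int16_t through a uint16_t pointer deserves a short comment.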
@@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride,
ox1 = ox1 * (1 << (BIT_DEPTH - 8));
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++) {
dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1));
}
src += srcstride;
dst += dststride;
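Review bot: (ox0 + ox1 + 1) * (1 << log2Wd) removes the left shift of a possibly negative sum, but the same expression is then edited by hand in every put_hevc_*_bi_w_* function that follows in this file; a small macro or inline helper for the rounding offset would keep the copies from drifting apart. The product is still evaluated in int, so a comment stating the expected range of ox0, ox1 and log2Wd would be useful.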
@@ -921,7 +921,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
src += srcstride;
dst += dststride;
src2 += MAX_PB_SIZE;
@@ -976,7 +976,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
src += srcstride;
dst += dststride;
src2 += MAX_PB_SIZE;
@@ -1057,7 +1057,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
tmp += MAX_PB_SIZE;
dst += dststride;
src2 += MAX_PB_SIZE;
@@ -1361,7 +1361,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
src += srcstride;
dst += dststride;
src2 += MAX_PB_SIZE;
@@ -1413,7 +1413,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
src += srcstride;
dst += dststride;
src2 += MAX_PB_SIZE;
@@ -1492,7 +1492,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 +
((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
tmp += MAX_PB_SIZE;
dst += dststride;
src2 += MAX_PB_SIZE;
+3
View File
@@ -180,6 +180,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup,
int flag = 0;
int i, ret, cbp;
if (get_bits_left(gb) < 1)
return AVERROR_INVALIDDATA;
cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);
for (i = 0; i < 12; i++)
+3
View File
@@ -915,6 +915,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
AVFrame *const p = data;
int table_size = 0, ret;
if (buf_size < (width * height + 7)/8)
return AVERROR_INVALIDDATA;
av_fast_padded_malloc(&s->bitstream_buffer,
&s->bitstream_buffer_size,
buf_size);
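Review bot: width * height in the new check buf_size < (width * height + 7)/8 is multiplied before any widening, so the check itself depends on the dimensions having been bounded earlier, which this hunk does not show. Either cast one operand to int64_t or add a comment pointing to where the bound is enforced.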
+7 -2
View File
@@ -77,10 +77,15 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p
int i;
enum AVPixelFormat best = AV_PIX_FMT_NONE;
int loss;
for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++)
best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr);
for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) {
loss = loss_ptr ? *loss_ptr : 0;
best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss);
}
if (loss_ptr)
*loss_ptr = loss;
return best;
}
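Review bot: loss is declared without an initialiser and is only assigned inside the loop, so when pix_fmt_list starts with AV_PIX_FMT_NONE the loop body never runs and the trailing *loss_ptr = loss; copies an indeterminate value to the caller. Initialise it at the declaration (for example from loss_ptr when it is non-NULL, else 0) or skip the write-back when no format was examined.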
+13 -3
View File
@@ -269,12 +269,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
* @param[in] avctx pointer to the AVCodecContext
* @return result code: 0 = OK, negative number = error
*/
static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band,
AVCodecContext *avctx)
{
int plane, band_num, indx, transform_id, scan_indx;
int i;
int quant_mat;
IVIBandDesc temp_band, *band = &temp_band;
memcpy(&temp_band, arg_band, sizeof(temp_band));
plane = get_bits(&ctx->gb, 2);
band_num = get_bits(&ctx->gb, 4);
@@ -408,10 +410,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
/* decode block huffman codebook */
if (!get_bits1(&ctx->gb))
band->blk_vlc.tab = ctx->blk_vlc.tab;
arg_band->blk_vlc.tab = ctx->blk_vlc.tab;
else
if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF,
&band->blk_vlc, avctx))
&arg_band->blk_vlc, avctx))
return AVERROR_INVALIDDATA;
/* select appropriate rvmap table for this band */
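Review bot: blk_vlc is the one field that is written straight to arg_band here while everything else goes to the temporary copy, so the header is no longer committed atomically: if a later check in this function fails, arg_band keeps the new blk_vlc alongside otherwise old state. If this is deliberate (for instance because ff_ivi_dec_huff_desc manages ownership of the table), a comment at this spot and at the band->blk_vlc = arg_band->blk_vlc; line before the final memcpy should say so.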
@@ -452,6 +454,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
return AVERROR_INVALIDDATA;
}
band->blk_vlc = arg_band->blk_vlc;
memcpy(arg_band, band, sizeof(*arg_band));
return 0;
}
@@ -500,6 +505,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
mb->b_mv_x =
mb->b_mv_y = 0;
if (get_bits_left(&ctx->gb) < 1) {
av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n");
return AVERROR_INVALIDDATA;
}
if (get_bits1(&ctx->gb)) {
if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) {
av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n");
+1
View File
@@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
ctx->frame_type = get_bits(&ctx->gb, 3);
if (ctx->frame_type >= 5) {
av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type);
ctx->frame_type = FRAMETYPE_INTRA;
return AVERROR_INVALIDDATA;
}
+2 -1
View File
@@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20
cblk->npasses = passno;
cblk->ninclpasses = passno;
cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
if (passno)
cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
}
/* tier-2 routines: */
+3
View File
@@ -506,6 +506,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
// update precincts size: 2^n value
reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno];
reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno];
if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) {
return AVERROR_INVALIDDATA;
}
/* Number of bands for each resolution level */
if (reslevelno == 0)
+13 -7
View File
@@ -340,7 +340,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width);
s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height);
if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
// There must be at least a SOT and SOD per tile, their minimum size is 14
if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) ||
s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g)
) {
s->numXtiles = s->numYtiles = 0;
return AVERROR(EINVAL);
}
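Review bot: In s->numXtiles * s->numYtiles * 14LL the first multiplication is evaluated in the operands' own type before 14LL widens the result, so the new test is only safe because the uint64_t test in front of it short-circuits first. Writing it as s->numXtiles * (uint64_t)s->numYtiles * 14 would match the line above and would not depend on the order of the two conditions.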
@@ -1125,6 +1128,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
step_x = 32;
step_y = 32;
if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
continue;
for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) {
uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r
Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;
@@ -1144,10 +1150,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
int xc = x / s->cdx[compno];
int yc = y / s->cdy[compno];
if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
continue;
if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
continue;
// check if a precinct exists
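Review bot: Switching to 1LL widens the shift but does not bound it: rlevel->log2_prec_height + reducedresno and the width counterpart are used as shift counts with no visible upper limit in this hunk. Add a comment naming the check that keeps the sum below 63, or test it here. The same two lines are repeated in the next two hunks, so a shared helper for the alignment test would also retire the FIXME in one place.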
@@ -1214,10 +1220,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
if (reslevelno >= codsty->nreslevels)
continue;
if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
continue;
if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
continue;
// check if a precinct exists
@@ -1285,10 +1291,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r
Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;
if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
continue;
if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
continue;
// check if a precinct exists
+4 -4
View File
@@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)
int i;
for (i = 0; i < csize; i++) {
i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
- (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);
i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16)
- ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);
i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16);
*src0++ = i0;
*src1++ = i1;
*src2++ = i2;
+4 -4
View File
@@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t)
t[i] = (t[i] + ((1<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
}
static void sr_1d53(int *p, int i0, int i1)
static void sr_1d53(unsigned *p, int i0, int i1)
{
int i;
if (i1 <= i0 + 1) {
if (i0 == 1)
p[1] >>= 1;
p[1] = (int)p[1] >> 1;
return;
}
extend53(p, i0, i1);
for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++)
p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
for (i = (i0 >> 1); i < (i1 >> 1); i++)
p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1;
p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1;
}
static void dwt_decode53(DWTContext *s, int *t)
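Review bot: sr_1d53 now takes unsigned *p, but it still passes p to extend53 and its neighbour dwt_decode53 still takes int *t, so the callers and extend53 need matching prototypes or explicit casts that this hunk does not show. In the two update lines the (int) cast binds to the parenthesised sum and the >> then acts on the signed result; that looks intended, but one comment explaining that the additions are done unsigned to avoid overflow and the shift signed to stay arithmetic would make it clear.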
+7
View File
@@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s,
while (x < w) {
int err, pred;
if (get_bits_left(&s->gb) <= 0)
return;
/* compute gradients */
Ra = x ? R(dst, x - stride) : R(last, x);
Rb = R(last, x);
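Review bot: The new early exit on get_bits_left(&s->gb) <= 0 is a bare return from a void function, so a truncated line is left partly decoded and the caller cannot tell it apart from a complete one. Consider returning an int and propagating AVERROR_INVALIDDATA, or at least logging once, so that damaged input is reported rather than silently accepted.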
@@ -438,6 +441,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
avpriv_report_missing_feature(s->avctx, "Sample interleaved images");
ret = AVERROR_PATCHWELCOME;
goto end;
} else { /* unknown interleaving */
avpriv_report_missing_feature(s->avctx, "Unknown interleaved images");
ret = AVERROR_PATCHWELCOME;
goto end;
}
if (s->xfrm && s->nb_components == 3) {
+3
View File
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
h = (buf[1] + 1) * 8;
buf += 2;
if (avpkt->size < 2 + w*h / 513)
return AVERROR_INVALIDDATA;
if (w != avctx->width || h != avctx->height) {
av_freep(&c->frame_buffer);
av_freep(&c->last_frame_buffer);
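Review bot: The constant in avpkt->size < 2 + w*h / 513 is unexplained; a comment saying where 513 comes from (presumably the best-case compression ratio of the format) is needed for anyone who has to revisit the bound. The check also sits after buf[1] has been read and buf advanced by 2, so unless the packet size is validated earlier, outside this hunk, it should move above those reads.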
+5 -1
View File
@@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc)
{
struct libopus_context *opus = avc->priv_data;
opus_multistream_decoder_destroy(opus->dec);
if (opus->dec) {
opus_multistream_decoder_destroy(opus->dec);
opus->dec = NULL;
}
return 0;
}
@@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = {
.decode = libopus_decode,
.flush = libopus_flush,
.capabilities = AV_CODEC_CAP_DR1,
.caps_internal = FF_CODEC_CAP_INIT_CLEANUP,
.sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT,
AV_SAMPLE_FMT_S16,
AV_SAMPLE_FMT_NONE },
-2
View File
@@ -362,7 +362,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
// Check if subtraction resulted in an overflow
if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) {
av_packet_unref(avpkt);
av_free(avpkt);
return AVERROR(EINVAL);
}
if (discard_padding > 0) {
@@ -371,7 +370,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
10);
if(!side_data) {
av_packet_unref(avpkt);
av_free(avpkt);
return AVERROR(ENOMEM);
}
AV_WL32(side_data + 4, discard_padding);
-1
View File
@@ -792,7 +792,6 @@ FF_ENABLE_DEPRECATION_WARNINGS
cx_frame->sz_alpha + 8);
if(!side_data) {
av_packet_unref(pkt);
av_free(pkt);
return AVERROR(ENOMEM);
}
AV_WB64(side_data, 1);
+1 -1
View File
@@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx)
int ret = ff_libwebp_encode_init_common(avctx);
if (!ret) {
LibWebPAnimContext *s = avctx->priv_data;
WebPAnimEncoderOptions enc_options = { 0 };
WebPAnimEncoderOptions enc_options = { { 0 } };
WebPAnimEncoderOptionsInit(&enc_options);
enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE;
// TODO(urvang): Expose some options on command-line perhaps.
+4 -4
View File
@@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input)
/* pre rotation */
for(i=0;i<n8;i++) {
re = RSCALE(-input[2*i+n3] - input[n3-1-2*i]);
im = RSCALE(-input[n4+2*i] + input[n4-1-2*i]);
re = RSCALE(-input[2*i+n3], - input[n3-1-2*i]);
im = RSCALE(-input[n4+2*i], + input[n4-1-2*i]);
j = revtab[i];
CMUL(x[j].re, x[j].im, re, im, -tcos[i], tsin[i]);
re = RSCALE( input[2*i] - input[n2-1-2*i]);
im = RSCALE(-input[n2+2*i] - input[ n-1-2*i]);
re = RSCALE( input[2*i] , - input[n2-1-2*i]);
im = RSCALE(-input[n2+2*i], - input[ n-1-2*i]);
j = revtab[n8 + i];
CMUL(x[j].re, x[j].im, re, im, -tcos[n8 + i], tsin[n8 + i]);
}
+7 -7
View File
@@ -33,12 +33,12 @@
*/
#if FFT_FLOAT
# define RSCALE(x) (x)
# define RSCALE(x, y) ((x) + (y))
#else
#if FFT_FIXED_32
# define RSCALE(x) (((x) + 32) >> 6)
# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6)
#else /* FFT_FIXED_32 */
# define RSCALE(x) ((x) >> 1)
# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1)
#endif /* FFT_FIXED_32 */
#endif
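Review bot: RSCALE now takes two operands and adds them, but in the fixed-point variants only y is cast to unsigned, and the call sites pass a negated sample such as -input[2*i+n3] as x, so that negation is still evaluated in the sample's signed type before the macro sees it. The name also no longer describes what the macro does; a comment above the definitions stating that it sums x and y without signed overflow and then scales would help, as would passing the sign of the second operand less cryptically than RSCALE(a, - b).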
@@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input)
/* pre rotation */
for(i=0;i<n8;i++) {
re = RSCALE(-input[2*i+n3] - input[n3-1-2*i]);
im = RSCALE(-input[n4+2*i] + input[n4-1-2*i]);
re = RSCALE(-input[2*i+n3], - input[n3-1-2*i]);
im = RSCALE(-input[n4+2*i], + input[n4-1-2*i]);
j = revtab[i];
CMUL(x[j].re, x[j].im, re, im, -tcos[i], tsin[i]);
re = RSCALE( input[2*i] - input[n2-1-2*i]);
im = RSCALE(-input[n2+2*i] - input[ n-1-2*i]);
re = RSCALE( input[2*i] , - input[n2-1-2*i]);
im = RSCALE(-input[n2+2*i], - input[ n-1-2*i]);
j = revtab[n8 + i];
CMUL(x[j].re, x[j].im, re, im, -tcos[n8 + i], tsin[n8 + i]);
}
+5 -5
View File
@@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
s->pdsp.diff_pixels(temp, src1, src2, stride);
s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->fdsp.fdct(temp);
return s->mecc.sum_abs_dctelem(temp);
}
@@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1,
int16_t dct[8][8];
int i, sum = 0;
s->pdsp.diff_pixels(dct[0], src1, src2, stride);
s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride);
#define SRC(x) dct[i][x]
#define DST(x, v) dct[i][x] = v
@@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
s->pdsp.diff_pixels(temp, src1, src2, stride);
s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->fdsp.fdct(temp);
for (i = 0; i < 64; i++)
@@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
s->mb_intra = 0;
s->pdsp.diff_pixels(temp, src1, src2, stride);
s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
memcpy(bak, temp, 64 * sizeof(int16_t));
@@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2,
av_assert2(h == 8);
s->pdsp.diff_pixels(temp, src1, src2, stride);
s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->block_last_index[0 /* FIXME */] =
last =
+15 -2
View File
@@ -306,6 +306,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
if (av_image_check_size(width, height, 0, s->avctx))
return AVERROR_INVALIDDATA;
if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL)
return AVERROR_INVALIDDATA;
nb_components = get_bits(&s->gb, 8);
if (nb_components <= 0 ||
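Review bot: The factor in (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL is a heuristic with no explanation; please add a comment on why four 8x8 blocks per input byte is the chosen limit. The test is skipped whenever s->buf_size is 0, so it is worth stating which callers reach ff_mjpeg_decode_sof without ff_mjpeg_decode_frame having set the field.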
@@ -592,6 +594,10 @@ unk_pixfmt:
av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird subsampling\n");
return AVERROR_PATCHWELCOME;
}
if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) {
avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling");
return AVERROR_PATCHWELCOME;
}
if (s->ls) {
memset(s->upscale_h, 0, sizeof(s->upscale_h));
memset(s->upscale_v, 0, sizeof(s->upscale_v));
@@ -686,7 +692,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component,
av_log(s->avctx, AV_LOG_ERROR, "error dc\n");
return AVERROR_INVALIDDATA;
}
val = val * quant_matrix[0] + s->last_dc[component];
val = val * (unsigned)quant_matrix[0] + s->last_dc[component];
val = av_clip_int16(val);
s->last_dc[component] = val;
block[0] = val;
@@ -977,6 +983,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
int modified_predictor = predictor;
if (get_bits_left(&s->gb) < 1) {
av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n");
return AVERROR_INVALIDDATA;
}
if (s->restart_interval && !s->restart_count){
s->restart_count = s->restart_interval;
resync_mb_x = mb_x;
@@ -1000,7 +1011,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
return -1;
left[i] = buffer[mb_x][i] =
mask & (pred + (dc * (1 << point_transform)));
mask & (pred + (unsigned)(dc * (1 << point_transform)));
}
if (s->restart_interval && !--s->restart_count) {
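Review bot: In mask & (pred + (unsigned)(dc * (1 << point_transform))) the cast is applied to the finished product, so dc * (1 << point_transform) is still evaluated in signed int and only the addition to pred becomes unsigned. If the multiplication is the overflow being addressed, the cast has to go on an operand, as in dc * (1U << point_transform).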
@@ -2078,6 +2089,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
int ret = 0;
int is16bit;
s->buf_size = buf_size;
av_dict_free(&s->exif_metadata);
av_freep(&s->stereo3d);
s->adobe_transform = -1;
+1
View File
@@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext {
AVClass *class;
AVCodecContext *avctx;
GetBitContext gb;
int buf_size;
int start_code; /* current start code */
int buffer_size;
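Review bot: The new field int buf_size lands two lines above the existing int buffer_size, and the names are close enough to be mixed up. A more specific name or a trailing comment on each field saying which buffer it describes would prevent that.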
+5 -4
View File
@@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
uint8_t checksum;
uint8_t lossless_check;
int start_count = get_bits_count(gbp);
int min_channel, max_channel, max_matrix_channel;
int min_channel, max_channel, max_matrix_channel, noise_type;
const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP
? MAX_MATRIX_CHANNEL_MLP
: MAX_MATRIX_CHANNEL_TRUEHD;
@@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
return AVERROR_INVALIDDATA;
}
s->noise_type = get_bits1(gbp);
noise_type = get_bits1(gbp);
if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) {
if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) {
av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n");
return AVERROR_INVALIDDATA;
}
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
/* This should happen for TrueHD streams with >6 channels and MLP's noise
* type. It is not yet known if this is allowed. */
if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) {
if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
avpriv_request_sample(m->avctx,
"%d channels (more than the "
"maximum supported by the decoder)",
@@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
s->min_channel = min_channel;
s->max_channel = max_channel;
s->max_matrix_channel = max_matrix_channel;
s->noise_type = noise_type;
if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) ==
m->avctx->request_channel_layout && m->max_decoded_substream > substr) {
+1 -1
View File
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
(1U << output_shift[mat_ch]);
lossless_check_data ^= (sample & 0xffffff) << mat_ch;
if (is32)
*data_32++ = sample << 8;
*data_32++ = sample * 256U;
else
*data_16++ = sample >> 8;
}
+8
View File
@@ -298,6 +298,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
m->s_temp->style_start = AV_RB16(tsmb);
tsmb += 2;
m->s_temp->style_end = AV_RB16(tsmb);
if ( m->s_temp->style_end < m->s_temp->style_start
|| (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) {
av_freep(&m->s_temp);
mov_text_cleanup(m);
return AVERROR(ENOMEM);
}
tsmb += 2;
m->s_temp->style_fontID = AV_RB16(tsmb);
tsmb += 2;
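Review bot: The new validation of style_start and style_end rejects malformed input but returns AVERROR(ENOMEM), which misreports the cause to the caller and in logs. AVERROR_INVALIDDATA is the matching code here, and an av_log line naming the offending range would make such files easier to diagnose.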
+59 -47
View File
@@ -179,6 +179,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
int sprite_ref[4][2];
int virtual_ref[2][2];
int64_t sprite_offset[2][2];
int64_t sprite_delta[2][2];
// only true for rectangle shapes
const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 },
@@ -262,10 +263,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
sprite_offset[0][1] =
sprite_offset[1][0] =
sprite_offset[1][1] = 0;
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] =
s->sprite_delta[1][0] = 0;
s->sprite_delta[1][1] = a;
sprite_delta[0][0] = a;
sprite_delta[0][1] =
sprite_delta[1][0] = 0;
sprite_delta[1][1] = a;
ctx->sprite_shift[0] =
ctx->sprite_shift[1] = 0;
break;
@@ -276,10 +277,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
a * (vop_ref[0][0] / 2);
sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
a * (vop_ref[0][1] / 2);
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] =
s->sprite_delta[1][0] = 0;
s->sprite_delta[1][1] = a;
sprite_delta[0][0] = a;
sprite_delta[0][1] =
sprite_delta[1][0] = 0;
sprite_delta[1][1] = a;
ctx->sprite_shift[0] =
ctx->sprite_shift[1] = 0;
break;
@@ -304,10 +305,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) *
((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
(int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1)));
s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]);
s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]);
s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]);
sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]);
sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
ctx->sprite_shift[0] = alpha + rho;
ctx->sprite_shift[1] = alpha + rho + 2;
@@ -332,28 +333,28 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) +
(int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 +
((int64_t)1 << (alpha + beta + rho - min_ab + 1));
s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;
s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3;
s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3;
s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3;
sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3;
sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3;
sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3;
sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3;
ctx->sprite_shift[0] = alpha + beta + rho - min_ab;
ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2;
break;
}
/* try to simplify the situation */
if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
s->sprite_delta[0][1] == 0 &&
s->sprite_delta[1][0] == 0 &&
s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
if (sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
sprite_delta[0][1] == 0 &&
sprite_delta[1][0] == 0 &&
sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
sprite_offset[0][0] >>= ctx->sprite_shift[0];
sprite_offset[0][1] >>= ctx->sprite_shift[0];
sprite_offset[1][0] >>= ctx->sprite_shift[1];
sprite_offset[1][1] >>= ctx->sprite_shift[1];
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] = 0;
s->sprite_delta[1][0] = 0;
s->sprite_delta[1][1] = a;
sprite_delta[0][0] = a;
sprite_delta[0][1] = 0;
sprite_delta[1][0] = 0;
sprite_delta[1][1] = a;
ctx->sprite_shift[0] = 0;
ctx->sprite_shift[1] = 0;
s->real_sprite_warping_points = 1;
@@ -365,8 +366,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
if (shift_c < 0 || shift_y < 0 ||
FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y ||
FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c ||
FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y ||
FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y
FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y ||
FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y
) {
avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset");
goto overflow;
@@ -376,22 +377,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
for (i = 0; i < 2; i++) {
sprite_offset[0][i] *= 1 << shift_y;
sprite_offset[1][i] *= 1 << shift_c;
s->sprite_delta[0][i] *= 1 << shift_y;
s->sprite_delta[1][i] *= 1 << shift_y;
sprite_delta[0][i] *= 1 << shift_y;
sprite_delta[1][i] *= 1 << shift_y;
ctx->sprite_shift[i] = 16;
}
for (i = 0; i < 2; i++) {
int64_t sd[2] = {
s->sprite_delta[i][0] - a * (1LL<<16),
s->sprite_delta[i][1] - a * (1LL<<16)
sprite_delta[i][0] - a * (1LL<<16),
sprite_delta[i][1] - a * (1LL<<16)
};
if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
llabs(sd[0]) >= INT_MAX ||
llabs(sd[1]) >= INT_MAX ||
llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
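Review bot: Besides switching from s->sprite_delta to the local array, this hunk changes one bound: llabs(s->sprite_delta[i][1] * (w+16LL)) becomes llabs(sprite_delta[i][1] * (h+16LL)). That is a behaviour change hidden inside a mechanical rename and should be called out in the commit message or split into its own commit so it can be reviewed and bisected separately.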
@@ -405,10 +406,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
s->real_sprite_warping_points = ctx->num_sprite_warping_points;
}
s->sprite_offset[0][0] = sprite_offset[0][0];
s->sprite_offset[0][1] = sprite_offset[0][1];
s->sprite_offset[1][0] = sprite_offset[1][0];
s->sprite_offset[1][1] = sprite_offset[1][1];
for (i = 0; i < 4; i++) {
s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1];
s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1];
}
return 0;
overflow:
@@ -458,7 +459,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx)
}
mb_num = get_bits(&s->gb, mb_num_bits);
if (mb_num >= s->mb_num) {
if (mb_num >= s->mb_num || !mb_num) {
av_log(s->avctx, AV_LOG_ERROR,
"illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num);
return -1;
@@ -537,7 +538,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
len >>= s->quarter_sample;
if (s->real_sprite_warping_points == 1) {
if (ctx->divx_version == 500 && ctx->divx_build == 413)
if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample)
sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
else
sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
@@ -1249,10 +1250,12 @@ not_coded:
*/
static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])
{
Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
Mpeg4DecContext *ctx = s->avctx->priv_data;
int cbp, mb_type;
const int xy = s->mb_x + s->mb_y * s->mb_stride;
av_assert2(s == (void*)ctx);
mb_type = s->current_picture.mb_type[xy];
cbp = s->cbp_table[xy];
@@ -1334,12 +1337,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])
static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64])
{
Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
Mpeg4DecContext *ctx = s->avctx->priv_data;
int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant;
int16_t *mot_val;
static const int8_t quant_tab[4] = { -1, -2, 1, 2 };
const int xy = s->mb_x + s->mb_y * s->mb_stride;
av_assert2(s == (void*)ctx);
av_assert2(s->h263_pred);
if (s->pict_type == AV_PICTURE_TYPE_P ||
@@ -2138,8 +2142,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb)
e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build);
if (e != 4) {
e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1;
if (e > 1)
build = (ver << 16) + (ver2 << 8) + ver3;
if (e > 1) {
if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) {
av_log(s->avctx, AV_LOG_WARNING,
"Unknown Lavc version string encountered, %d.%d.%d; "
"clamping sub-version values to 8-bits.\n",
ver, ver2, ver3);
}
build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF);
}
}
if (e != 4) {
if (strcmp(buf, "ffmpeg") == 0)
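Review bot: the warning in the `e > 1` branch says the sub-version values are clamped, but `(ver & 0xFF)` masks them, so 256 becomes 0 rather than 255. Either reword the message to say the values are truncated to their low 8 bits, or clamp for real. Also, `ver > 0xFFU` tests a value scanned with %d against an unsigned constant, which catches negative values only through the implicit conversion; an explicit `ver < 0` test or a comment would make that intent visible.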
@@ -2273,6 +2284,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
int time_incr, time_increment;
int64_t pts;
s->mcsel = 0;
s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */
if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay &&
ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) {
@@ -2641,8 +2653,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
if (startcode >= 0x120 && startcode <= 0x12F) {
if (vol) {
av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");
return AVERROR_INVALIDDATA;
av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n");
continue;
}
vol++;
if ((ret = decode_vol_header(ctx, gb)) < 0)
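Review bot: replacing `return AVERROR_INVALIDDATA` with a warning and `continue` in the `if (vol)` branch is a policy change: a stream carrying several VOL headers is now decoded using only the first one. That deserves a sentence in the commit message or a comment here, and please confirm that nothing later in the loop body, which the hunk does not show, still has to run for the skipped start code.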
+1 -1
@@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s)
static void mpeg4_encode_gop_header(MpegEncContext *s)
{
int hours, minutes, seconds;
int64_t hours, minutes, seconds;
int64_t time;
put_bits(&s->pb, 16, 0);
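Review bot: `hours`, `minutes` and `seconds` become int64_t, but the hunk shows none of their uses in mpeg4_encode_gop_header. Please check that every later use, including any value handed to put_bits, still receives an argument of the width it expects, and consider folding the three into the existing `int64_t time;` declaration.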
+1
@@ -71,6 +71,7 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
s->mb_skipped = mb_skipped;
s->mb_x = mb_x;
s->mb_y = mb_y;
s->mcsel = 0;
memcpy(s->mv, mv, sizeof(*mv));
ff_init_block_index(s);
+2
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
} else if (codec_id == AV_CODEC_ID_MP3ADU) {
avpriv_report_missing_feature(avctx,
"MP3ADU full parser");
*poutbuf = NULL;
*poutbuf_size = 0;
return 0; /* parsers must not return error codes */
}
+6 -2
@@ -20,17 +20,21 @@
#include "config.h"
#include "libavutil/attributes.h"
#include "libavutil/thread.h"
#include "mpegaudiodsp.h"
#include "dct.h"
#include "dct32.h"
static AVOnce mpadsp_float_table_init = AV_ONCE_INIT;
static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT;
av_cold void ff_mpadsp_init(MPADSPContext *s)
{
DCTContext dct;
ff_dct_init(&dct, 5, DCT_II);
ff_init_mpadsp_tabs_float();
ff_init_mpadsp_tabs_fixed();
ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float);
ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed);
s->apply_window_float = ff_mpadsp_apply_window_float;
s->apply_window_fixed = ff_mpadsp_apply_window_fixed;
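Review bot: in ff_mpadsp_init the two table initialisers are now guarded by ff_thread_once, but nothing in the code says why, and `ff_dct_init(&dct, 5, DCT_II)` on the local `dct` still runs on every call. A comment that the tables must be built exactly once, plus a word on whether the DCT init needs the same treatment, would settle the thread-safety question for the reader.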
+3
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
s->buf = buf;
s->size = buf_size;
if (buf_size < 2) //Minimally a end of picture code should be there
return AVERROR_INVALIDDATA;
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
return ret;
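Review bot: the `buf_size < 2` check sits after `s->buf` and `s->size` have already been set from the packet, so a rejected packet still leaves the context pointing at it. Moving the check above those two assignments is cleaner. The comment on the check should also read "an end of picture code".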
+14
@@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
int orig_size = buf_size;
int keyframe, ret;
int size_change = 0;
int minsize = 0;
int result, init_frame = !avctx->frame_number;
enum {
NUV_UNCOMPRESSED = '0',
@@ -198,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
case NUV_RTJPEG_IN_LZO:
case NUV_RTJPEG:
keyframe = !buf[2];
if (c->width < 16 || c->height < 16) {
return AVERROR_INVALIDDATA;
}
break;
case NUV_COPY_LAST:
keyframe = 0;
@@ -206,6 +210,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
keyframe = 1;
break;
}
switch (comptype) {
case NUV_UNCOMPRESSED:
minsize = c->width * c->height * 3 / 2;
break;
case NUV_RTJPEG:
minsize = c->width/16 * (c->height/16) * 6;
break;
}
if (buf_size < minsize / 4)
return AVERROR_INVALIDDATA;
retry:
// skip rest of the frameheader.
buf = &buf[12];
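Review bot: in the new `switch (comptype)`, `c->width * c->height * 3 / 2` is evaluated in the type of `c->width`; if that is int, large dimensions overflow before the division, so widen the computation or bound the dimensions first. NUV_RTJPEG_IN_LZO gets no case and keeps `minsize` at 0, and the `/ 4` in `buf_size < minsize / 4` is unexplained. Please add a comment covering both.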
+13 -3
@@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
const uint8_t *buf = start + 1;
int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length;
uint8_t flags;
uint64_t payload_len_tmp;
GetByteContext gb;
bytestream2_init(&gb, buf, buf_len);
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
end_trim_flag = (flags >> 3) & 1;
control_extension_flag = (flags >> 2) & 1;
*payload_len = 0;
payload_len_tmp = *payload_len = 0;
while (bytestream2_peek_byte(&gb) == 0xff)
*payload_len += bytestream2_get_byte(&gb);
payload_len_tmp += bytestream2_get_byte(&gb);
*payload_len += bytestream2_get_byte(&gb);
payload_len_tmp += bytestream2_get_byte(&gb);
if (start_trim_flag)
bytestream2_skip(&gb, 2);
@@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
bytestream2_skip(&gb, control_extension_length);
}
if (bytestream2_tell(&gb) + payload_len_tmp > buf_len)
return NULL;
*payload_len = payload_len_tmp;
return buf + bytestream2_tell(&gb);
}
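Review bot: the new bound `bytestream2_tell(&gb) + payload_len_tmp > buf_len` measures from `buf`, which is `start + 1`, while `buf_len` is passed through unchanged from the caller. If `buf_len` counts bytes from `start`, the check admits one byte too many; please confirm which it is and say so in a comment. The comparison is also carried out in uint64_t, so a negative `buf_len` would convert to a huge value and pass.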
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx,
state = (state << 8) | payload[i];
if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) {
payload = parse_opus_ts_header(payload, &payload_len, buf_size - i);
if (!payload) {
av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n");
return AVERROR_INVALIDDATA;
}
*header_len = payload - buf;
start_found = 1;
break;
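Review bot: the log text in the new `if (!payload)` branch says "Ogg TS header", but the function that failed is parse_opus_ts_header, so the message should name the Opus TS header. Please also confirm that the callers of opus_find_frame_end handle a negative return, since the visible code had no error path at this point before.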
+4 -2
@@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order)
/* reconstruct A(z) */
for (k = 0; k < order>>1; k++) {
lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k];
lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k];
int32_t p_tmp = p[k + 1] + p[k];
int32_t q_tmp = q[k + 1] - q[k];
lpc32[k] = -q_tmp - p_tmp;
lpc32[order-k-1] = q_tmp - p_tmp;
}
/* limit the range of the LPC coefficients to each fit within an int16_t */
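Review bot: the sums `p[k + 1] + p[k]` and `-q_tmp - p_tmp` in the reconstruction loop are still plain int32_t arithmetic, so if the purpose is to avoid signed overflow in the old four-term expression, the new form can overflow as well. Say in a comment what range `p` and `q` are bounded to, or do the arithmetic in a wider or unsigned type.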
+4 -1
@@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
dend = c->frame[page] + c->frame_size;
offset = (x & 0x7F) * 2;
j = bytestream2_get_le16(&c->gb) + offset;
if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16)
return AVERROR_INVALIDDATA;
do {
offset++;
if (dst + 3 * c->width + 4 > dend)
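Review bot: in `bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16`, `j - offset` is just the 16-bit value read on the line above, and 16 is a bare constant. Keeping that value in a named variable and commenting on what the 16 bytes per unit represent would let a reader check the bound.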
@@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
do {
set_src_position(c, &src, &send);
if ((src + 3 * c->width + 4 > send) ||
(dst + 3 * c->width + 4 > dend))
(dst + 3 * c->width + 4 > dend) ||
bytestream2_get_bytes_left(&c->gb) < 4)
return AVERROR_INVALIDDATA;
copy_block4(dst, src, c->width, c->width, 4);
i++;
+1
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx)
{
const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8;
c->diff_pixels_unaligned =
c->diff_pixels = diff_pixels_c;
switch (avctx->bits_per_raw_sample) {
+5
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext {
const uint8_t *s1 /* align 8 */,
const uint8_t *s2 /* align 8 */,
int stride);
void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */,
const uint8_t *s1,
const uint8_t *s2,
int stride);
} PixblockDSPContext;
void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx);
+1 -1
@@ -1358,7 +1358,7 @@ static int decode_frame_png(AVCodecContext *avctx,
}
if ((ret = av_frame_ref(data, s->picture.f)) < 0)
return ret;
goto the_end;
*got_frame = 1;
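Review bot: the failure path of `av_frame_ref` now does `goto the_end` where it used to `return ret`. Please confirm that the code at `the_end`, which the hunk does not show, returns `ret` unchanged; otherwise the error from av_frame_ref is lost.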
+8 -3
@@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons
\
if (q > switch_bits) { /* exp golomb */ \
bits = exp_order - switch_bits + (q<<1); \
if (bits > FFMIN(MIN_CACHE_BITS, 31)) \
return AVERROR_INVALIDDATA; \
val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \
((switch_bits + 1) << rice_order); \
SKIP_BITS(re, gb, bits); \
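Review bot: `return AVERROR_INVALIDDATA` is placed inside the multi-line codeword macro, so every function that expands it gains a hidden exit that also skips its CLOSE_READER. Please note this at the macro definition and make sure every user returns int. The cap `FFMIN(MIN_CACHE_BITS, 31)` also deserves a comment on why 31.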
@@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons
static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70};
static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out,
static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out,
int blocks_per_slice)
{
int16_t prev_dc;
@@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out,
out[0] = prev_dc;
}
CLOSE_READER(re, gb);
return 0;
}
// adaptive codebook switching lut according to previous run/level values
@@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice,
init_get_bits(&gb, buf, buf_size << 3);
decode_dc_coeffs(&gb, blocks, blocks_per_slice);
if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0)
return ret;
if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0)
return ret;
@@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice,
init_get_bits(&gb, buf, buf_size << 3);
decode_dc_coeffs(&gb, blocks, blocks_per_slice);
if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0)
return ret;
if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0)
return ret;
+10
@@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr,
CHECK_PIXEL_PTR(0);
while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) {
if (bytestream2_get_bytes_left(&s->g) < 1)
return;
if (rle_code == 0) {
/* there's another skip code in the stream */
pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1));
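Review bot: the new `bytestream2_get_bytes_left(&s->g) < 1` test in the 2/4 bpp loop returns silently from a void function, so a truncated packet yields a partly decoded frame with no log and no error. The same two lines are repeated in the 8, 16, 24 and 32 bpp decoders; consider logging once or propagating an error to the caller. The test also runs after the loop condition has already read the rle_code byte, which is worth a comment.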
@@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change)
CHECK_PIXEL_PTR(0);
while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) {
if (bytestream2_get_bytes_left(&s->g) < 1)
return;
if (rle_code == 0) {
/* there's another skip code in the stream */
pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1));
@@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change
CHECK_PIXEL_PTR(0);
while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) {
if (bytestream2_get_bytes_left(&s->g) < 1)
return;
if (rle_code == 0) {
/* there's another skip code in the stream */
pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2;
@@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change
CHECK_PIXEL_PTR(0);
while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) {
if (bytestream2_get_bytes_left(&s->g) < 1)
return;
if (rle_code == 0) {
/* there's another skip code in the stream */
pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3;
@@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change
CHECK_PIXEL_PTR(0);
while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) {
if (bytestream2_get_bytes_left(&s->g) < 1)
return;
if (rle_code == 0) {
/* there's another skip code in the stream */
pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4;
+3 -3
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m,
if (v[0]) {
for (i=0; i < BLOCKSIZE; i++)
dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;
} else {
for (i=0; i < BLOCKSIZE; i++)
dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
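Review bot: only the `if (v[0])` branch of add_wav gets the `(unsigned)` cast; the `else` branch still computes `s2[i]*v[1] + s3[i]*v[2]` in signed arithmetic. If the sum can overflow in one branch it can in the other, so apply the same treatment there or explain why it is not needed.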
@@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx)
b = 0x1000000 / b;
for (j=0; j <= i; j++) {
#if CONFIG_FTRAPV
int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12);
int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12);
if((int)(a*(unsigned)b) != a*(int64_t)b)
return 1;
#endif
bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
}
if ((unsigned) bp1[i] + 0x1000 > 0x1fff)

Some files were not shown because too many files have changed in this diff