Compare commits

...

105 Commits

Author SHA1 Message Date
Michael Niedermayer 6d7192bcb7 Update for 3.3.2
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 22:11:21 +02:00
Michael Niedermayer 4c7477f132 avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 18bca25adb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 16:56:47 +02:00
Michael Niedermayer 90b6425b12 avcodec/pafvideo: Fix assertion failure
Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4360559ee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 16:56:38 +02:00
Michael Niedermayer 07944df9a7 avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'
Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4efd41b83)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 16:56:23 +02:00
Michael Niedermayer 34887d091d avcodec/mjpegdec: Check that reference frame matches the current frame
Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4705edbbb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer ec5e262e1d avcodec/tiff: Avoid loosing allocated geotag values
Fixes memleak
Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7cbeab4c1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 0fb432a23b avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'
Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6ee86d92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 3dd1f38329 avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff42196)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer d34d06d1e2 avcodec/qdrw: Fix null pointer dereference
The RGB555 PACKBITSRGN case tries to read a palette, if such
palette is actually stored then it accesses a null pointer.
All 16bit samples i could find use DIRECTBITSRGN.

Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 46b865ea9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer cefbc513ea avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6019d721d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 0d19167a65 avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 29808fff33)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 00312b5ea4 avcodec/dxv: Check remaining bytes in dxv_decompress_raw()
Fixes: Timeout
Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eb50492270)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer b7904b58af avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit faa5a2181d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer aae731b9d3 avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'
Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 136ce8baa4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 4e6de49a5a avformat/options: log filename on open
The loglevel is choosen so that the main filename and any images of
multi image sequences are shown only at debug level to avoid
clutter.

This makes exploits in playlists more visible. As they would show
accesses to private/sensitive files

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53e0d5d724)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 52a7ae844b avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')
Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9faf098163)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 3dc62e679a avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b3e580b7f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 4f02447d45 avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int'
Fixes: 1925/clusterfuzz-testcase-minimized-5564569688735744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd6f319a74)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 30abd8e6f9 avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'
Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a47273c803)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 706b427ff5 avcodec/cinepak: Check input packet size before frame reallocation
Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e47057e932)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer 797621afab avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'
Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6726328f79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer e3a1d133f7 avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'
Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08cb69e870)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer fc74ac463c avcodec/pnm: Use ff_set_dimensions()
Fixes: OOM
Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1c0d1d906)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Michael Niedermayer eac6114e01 avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'
Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 58f8cd4ac5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-06 03:44:35 +02:00
Ganapathy Kasi 9b351d0d88 avcodec/nvenc: fix hw accelerated transcode with bframes
hw accelerated transcode (h264_cuvid -> h264_nvenc with -hwaccel cuvid) was
broken after the filtergraph initialization was changed to intialize decoder
first followed by encoder (commit af1761f7b5).
During initialzing encoder with bframes, local buffers are allocated
internally in encoder which fails since no cuda context is available. Now
pushing the correct cuda context before encoder initialization fixes the issue.
Also adding push/pop cuda ctx during create/destroy/map/unmap resources and
destroy encoder session.

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2017-06-02 21:37:43 +02:00
Micah Galizia e5e01d2477 libavformat/hls: Observe Set-Cookie headers
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4c73020f4)
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Micah Galizia 771206c0db libavformat/http: Ignore expired cookies
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 28b2467074)
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 1998147f2e avformat/avidec: Limit formats in gab2 to srt and ass/ssa
This prevents part of one exploit leading to an information leak

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d849b149)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 003cce421d avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'
Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 87bddba43b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 795f65eed5 avcodec/wavpack: Check float_shift
Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int'
Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4020b009d1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer a24cd04074 avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'
Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d90c5bf105)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer c1074aea71 avcodec/ansi: Fix frame memleak
Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e091b9b3c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer d59e6cef79 avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int'
Fixes: 1891/clusterfuzz-testcase-minimized-6274417925554176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c49fa2a514)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 0a0eec60c8 avcodec/jpeg2000dec: Use ff_set_dimensions()
Fixes: OOM
Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3da6fbff8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer ece91a3918 avcodec/truemotion2: Fix passing null pointer to memset()
Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c901627918)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 722cc62baa avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9e884f3d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 3a0e4368ec avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'
Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c845450d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 22dab0f4e1 avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'
Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c472c5252)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b578ba915f avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro
Fixes: runtime error: shift exponent 1073741848 is too large for 32-bit type 'INTFLOAT' (aka 'int')
Fixes: 1880/clusterfuzz-testcase-minimized-4900645322620928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 872bac8159)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 080edf29e7 avcodec/webp: Fixes null pointer dereference
Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488
Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520
Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144

Approved-by: BBB

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67020711b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer be9268e350 avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 1878/clusterfuzz-testcase-minimized-6441918630199296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6b9cb5d26a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b419c7564c avcodec/ylc: Check count in build_vlc()
Fixes: runtime error: signed integer overflow: 211633430 + 2147483647 cannot be represented in type 'int'
Fixes: 1874/clusterfuzz-testcase-minimized-5037763613163520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67b30decf7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 586e00d7d3 avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'
Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b9c032ebc0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer bc2cbb3077 avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'
Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 781f88bb26)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer cd3314552b avcodec/jpeg2000dec: Check tile offsets more completely
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9c1812491f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 3e18f0fddd avcodec/sheervideo: Check input buffer size before allocating and decoding
Fixes: Timeout
Fixes: 1858/clusterfuzz-testcase-minimized-6450473802399744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d8030c14bd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b330fec1ce avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int'
Fixes: 1851/clusterfuzz-testcase-minimized-5692607495667712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6c3a63fc3d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 1d589a93b0 avcodec/wnv1: More strict buffer size check
This requires at least 25% of a picture to allocate and decode it

Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f50c25124)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer d2476bd465 avcodec/libfdk-aacdec: Correct buffer_size parameter
the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until
2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused.
after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error.
FFmpeg as well as others (like GStreamer) did interpret it as size in bytes

Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca6776a993)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer c0895d64f5 avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int'
Fixes: 1770/clusterfuzz-testcase-minimized-5285511235108864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c36ee216f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f5626db24e avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 357f2316a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Kevin Mark 573e40e8f1 doc/filters: Clarify scale2ref example
Signed-off-by: Kevin Mark <kmark937@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 114e871621)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 75d881f1a9 avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]'
Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac8dfcbd89)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b803624aae avcodec/ra144dec: Fix runtime error: left shift of negative value -17
Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53c0c637d3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer dbff2d602d avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 1829/clusterfuzz-testcase-minimized-5527165321871360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 77d9889821)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 92a23e2a63 avformat/mux: Fix copy an paste typo
Found-by: Roger Scott <rscott@grammatech.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1a36354698)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 42163d4c55 avutil/internal: Do not enable CHECKED with DEBUG
This avoids potential undefined behavior in debug mode while still allowing
developers which want to check for potential additional overflows to do so
by manually enabling this.

Reviewed-by: wm4
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a44b3abb4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 4e8c5721b3 avcodec/clearvideo: Check buf_size before decoding frame
Fixes; Timeout
Fixes: 1826/clusterfuzz-testcase-minimized-5728569256837120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 43c394dcae)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f85a71527a avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 1825/clusterfuzz-testcase-minimized-6002833050566656

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e87d146d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer a49743407b avcodec/smc: Check remaining input
Fixes: Timeout
Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 356194fcb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 190787a026 avcodec/diracdec: Fix off by 1 error in quant check
Fixes: out of array read
Fixes: 1781/clusterfuzz-testcase-minimized-4617176877105152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b946bd8ef2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 80cebb992c avcodec/jpeg2000dec: Fix copy and paste error
Found-by: jamrial
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5782e0ba8c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 38fd2a33b9 avcodec/jpeg2000dec: Check tile offsets
Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89325417e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Max Justicz 861c05b286 avcodec/sanm: Fix uninitialized reference frames
Fixes: poc.snm

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca616b0f72)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer ba7ea7c4b1 avcodec/jpeglsdec: Check get_bits_left() before decoding a picture
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4bc3008d04)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Max Justicz 6b839e9aa3 avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe
Fixes: fmvc-poc.avi

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3766aa7343)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer abd5277318 avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71
Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8fb00b3e85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 17a4e791bf avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int'
Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 40fa6a2fa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer e73efe4691 avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int'
Fixes: 1721/clusterfuzz-testcase-minimized-4719352135811072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5228e44c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer a7442f8d35 avcodec/mpeg4videodec: Check for multiple VOL headers
Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int'
Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904
Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976
Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit efeb47fd5d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer d11c686204 avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int'
Fixes: 1710/clusterfuzz-testcase-minimized-4837032931098624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4ee767808)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 0ea475942e avcodec/vmnc: Check location before use
Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int'
Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec2b76aab4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 3cfb016071 avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int'
Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 955db41192)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f832d7361d avcodec/aac_defines: Fix: runtime error: left shift of negative value -2
Fixes: 1716/clusterfuzz-testcase-minimized-4691012196761600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c3547dcbc3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer ff4f525905 avcodec/takdec: Fix runtime error: left shift of negative value -63
Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d66193252b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer a5875f8a1e avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int'
Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1d04fc94e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f397613f05 avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: part of 1709/clusterfuzz-testcase-minimized-4513580554649600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 384508b2ff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 9c65a87bd4 avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int'
Fixes part of 1709/clusterfuzz-testcase-minimized-4513580554649600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6310fc714d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer e605faaabc avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context
Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]'
Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64ea4d102a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f3b6ea1408 avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int'
Fixes: 1681/clusterfuzz-testcase-minimized-5970545365483520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3fb104f447)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer e46bc3052d avcodec/mimic: Use ff_set_dimensions() to set the dimensions
Fixes: OOM
Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e434840fd4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f254c7ea13 avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int'
Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a173f484b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer fc7c379060 avcodec/pixlet: Fix reading invalid numbers of bits
Fixes: asertion failure
Fixes: 1664/clusterfuzz-testcase-minimized-6587801187385344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d32ebce8fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 686eb3b1ed avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25c81e4b73)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b6c0ad571f avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 58ac7fb9c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 72e5607c87 avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 94d05ff159)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 4186702184 avcodec/aacdec_template: Fix fixed point scale in decode_cce()
Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int'
Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53a502206a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer fedd8b6507 avcodec/fmvc: Fix off by 1 error
Fixes: out of array access
Fixes: 1643/clusterfuzz-testcase-minimized-6117573403869184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e11dcc35bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 6ebb9e7b77 avcodec/flicvideo: Check frame_size before decrementing
Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int'
Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 355e27e24d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 6e788fadae avcodec/mlpdec: Fix runtime error: left shift of negative value -1
Fixes: 1636/clusterfuzz-testcase-minimized-5310494757879808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 552adf1dd3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer f34dc82d56 avcodec/takdec: Fix runtime error: left shift of negative value -42
Fixes: 1635/clusterfuzz-testcase-minimized-4992749856096256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 99c4c76cfb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b7b28b6aad avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
Fixes: 1626/clusterfuzz-testcase-minimized-6416580571299840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d9cb583c8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 21d50c185d avcodec/scpr: mask bits to prevent out of array read
Fixes: 1615/clusterfuzz-testcase-minimized-6625214647500800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5666b95c9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 72e5ccfe37 avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
Fixes: 1616/clusterfuzz-testcase-minimized-5119196578971648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5ea6bc2a166edac37042f2bbc28eb603a0fbeccb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer b147ded288 avcodec/svq3: Fix runtime error: left shift of negative value -6
Fixes: 1604/clusterfuzz-testcase-minimized-5312060206350336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6eb006ad4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Michael Niedermayer 75697b500c avcodec/tiff: reset sampling[] if its invalid
Fixes divission by 0
Fixes: clusterfuzz-testcase-minimized-5592896440893440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f08122fbe0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-02 01:14:38 +02:00
Martin Storsjö 1cbeb16187 configure: Fix the msvcrt version check for mingw32
This was actually broken when committed in 46e3936fb04; the
test never succeeded, and thus, _aligned_malloc wasn't actually
used on legacy mingw.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 427f7a1f9e)
2017-05-31 13:03:07 +02:00
Matthieu Bouron 6ee4b20f4a lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out
Some samples have their metadata track time_scale incorrectly set to 0
and the check introduced by a398f054fd
prevents playback of those samples. Setting the time_scale to 1 fixes
playback.
2017-05-23 15:53:37 +02:00
Matthieu Bouron 3e38bf95c5 lavc/ffjni: add missing '\n' 2017-05-23 15:50:46 +02:00
Matthieu Bouron cbae648eb8 lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack 2017-05-23 15:50:42 +02:00
Matthieu Bouron 2fb25e2dd6 lavc/mediacodec_wrapper: fix local reference leaks 2017-05-23 15:50:38 +02:00
Timo Rothenpieler 3bc5e427e4 avcodec/nvenc: remove unnecessary alignment
Fixes #6260
2017-05-23 11:50:45 +02:00
Hendrik Leppkes 8640339dbb Use AVOnce as a static variable consistently
Using AVOnce as a stack variable makes no sense as the state is lost
when the function exits.

This fixes repeated calls to av(filter/device)_register_all
2017-05-22 12:36:52 +02:00
Muhammad Faiz 7fae0ea21d avfilter: take_samples: do not directly return frame when samples are skipped
Modifying data pointer when skipping samples may make it unaligned.
Workaround for Ticket6349.

This should fix the crash of ticket's testcase and a crash/regression
with avxsynth (reported by Michael Niedermayer).

Also change frame->nb_samples < max to frame->nb_samples <= max.
This improves performance. Benchmark:
./ffmpeg -filter_complex "aevalsrc=0:n=1166,firequalizer=fixed=on" -f null null
old:
  25767 decicycles in take_samples,    1023 runs,      1 skips
  25422 decicycles in take_samples,    2047 runs,      1 skips
  25181 decicycles in take_samples,    4095 runs,      1 skips
  24904 decicycles in take_samples,    8191 runs,      1 skips

new:
    550 decicycles in take_samples,    1024 runs,      0 skips
    548 decicycles in take_samples,    2048 runs,      0 skips
    545 decicycles in take_samples,    4096 runs,      0 skips
    544 decicycles in take_samples,    8192 runs,      0 skips

Reviewed-by: Nicolas George <george@nsup.org>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Muhammad Faiz <mfcc64@gmail.com>
(cherry picked from commit fc3a03fcf9)
2017-05-20 23:30:29 +07:00
Aaron Levinson 19fea7d703 avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects
Add dxva2_pool_release_dummy() and use it in call to
av_buffer_create() in dxva2_pool_alloc().

Prior to this change, av_buffer_create() was called with NULL for the
third argument, which indicates that av_buffer_default_free() should
be used to free the buffer's data.  Eventually, it gets to
buffer_pool_free() and calls buf->free() on a surface object (which is
av_buffer_default_free()).

This can result in a crash when the debug version of the C-runtime is
used on Windows.  While it doesn't appear to result in a crash when
the release version of the C-runtime is used on Windows, it likely
results in memory corruption, since av_free() is being called on
memory that was allocated using
IDirectXVideoAccelerationService::CreateSurface().

Signed-off-by: Aaron Levinson <alevinsn@aracnet.com>
Reviewed-by: wm4 <nfxjfg@googlemail.com>
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Reviewed-by: Mark Thompson <sw@jkqxz.net>
(cherry picked from commit 0c1c514643)
2017-05-16 22:00:48 +01:00
81 changed files with 734 additions and 245 deletions
+106
View File
@@ -2,6 +2,112 @@ Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
version 3.3.2:
- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
- avcodec/pafvideo: Fix assertion failure
- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'
- avcodec/mjpegdec: Check that reference frame matches the current frame
- avcodec/tiff: Avoid loosing allocated geotag values
- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'
- avformat/hls: Check local file extensions
- avcodec/qdrw: Fix null pointer dereference
- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
- avcodec/dxv: Check remaining bytes in dxv_decompress_raw()
- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'
- avformat/options: log filename on open
- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')
- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
- avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int'
- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'
- avcodec/cinepak: Check input packet size before frame reallocation
- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'
- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'
- avcodec/pnm: Use ff_set_dimensions()
- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'
- avcodec/nvenc: fix hw accelerated transcode with bframes
- libavformat/hls: Observe Set-Cookie headers
- libavformat/http: Ignore expired cookies
- avformat/avidec: Limit formats in gab2 to srt and ass/ssa
- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'
- avcodec/wavpack: Check float_shift
- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'
- avcodec/ansi: Fix frame memleak
- avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int'
- avcodec/jpeg2000dec: Use ff_set_dimensions()
- avcodec/truemotion2: Fix passing null pointer to memset()
- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'
- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'
- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro
- avcodec/webp: Fixes null pointer dereference
- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
- avcodec/ylc: Check count in build_vlc()
- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'
- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'
- avcodec/jpeg2000dec: Check tile offsets more completely
- avcodec/sheervideo: Check input buffer size before allocating and decoding
- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int'
- avcodec/wnv1: More strict buffer size check
- avcodec/libfdk-aacdec: Correct buffer_size parameter
- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int'
- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
- doc/filters: Clarify scale2ref example
- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
- avcodec/ra144dec: Fix runtime error: left shift of negative value -17
- avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
- avformat/mux: Fix copy an paste typo
- avutil/internal: Do not enable CHECKED with DEBUG
- avcodec/clearvideo: Check buf_size before decoding frame
- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
- avcodec/smc: Check remaining input
- avcodec/diracdec: Fix off by 1 error in quant check
- avcodec/jpeg2000dec: Fix copy and paste error
- avcodec/jpeg2000dec: Check tile offsets
- avcodec/sanm: Fix uninitialized reference frames
- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture
- avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe
- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71
- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int'
- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int'
- avcodec/mpeg4videodec: Check for multiple VOL headers
- avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int'
- avcodec/vmnc: Check location before use
- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int'
- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2
- avcodec/takdec: Fix runtime error: left shift of negative value -63
- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int'
- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int'
- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context
- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int'
- avcodec/mimic: Use ff_set_dimensions() to set the dimensions
- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int'
- avcodec/pixlet: Fix reading invalid numbers of bits
- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
- avcodec/aacdec_template: Fix fixed point scale in decode_cce()
- avcodec/fmvc: Fix off by 1 error
- avcodec/flicvideo: Check frame_size before decrementing
- avcodec/mlpdec: Fix runtime error: left shift of negative value -1
- avcodec/takdec: Fix runtime error: left shift of negative value -42
- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
- avcodec/scpr: mask bits to prevent out of array read
- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
- avcodec/svq3: Fix runtime error: left shift of negative value -6
- avcodec/tiff: reset sampling[] if its invalid
- configure: Fix the msvcrt version check for mingw32
- lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out
- lavc/ffjni: add missing '\n'
- lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack
- lavc/mediacodec_wrapper: fix local reference leaks
- avcodec/nvenc: remove unnecessary alignment
- Use AVOnce as a static variable consistently
- avfilter: take_samples: do not directly return frame when samples are skipped
- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects
version 3.3.1:
- libswscale/tests/swscale: Fix uninitialized variables
- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+1 -1
View File
@@ -1 +1 @@
3.3.1
3.3.2
Vendored
+1 -1
View File
@@ -5067,7 +5067,7 @@ probe_libc(){
add_${pfx}cppflags -U__STRICT_ANSI__ -D__USE_MINGW_ANSI_STDIO=1
check_${pfx}cpp_condition _mingw.h "defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0502" ||
add_${pfx}cppflags -D_WIN32_WINNT=0x0502
check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700__" &&
check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700" &&
add_${pfx}cppflags -D__MSVCRT_VERSION__=0x0700
eval test \$${pfx_no_}cc_type = "gcc" &&
add_${pfx}cppflags -D__printf__=__gnu_printf__
+1 -1
View File
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 3.3.1
PROJECT_NUMBER = 3.3.2
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
+1 -1
View File
@@ -12077,7 +12077,7 @@ uses the reference video instead of the main input as basis.
@itemize
@item
Scale a subtitle stream to match the main video in size before overlaying
Scale a subtitle stream (b) to match the main video (a) in size before overlaying
@example
'scale2ref[b][a];[a][b]overlay'
@end example
+2 -2
View File
@@ -45,7 +45,7 @@ typedef int AAC_SIGNE;
#define Q30(x) (int)((x)*1073741824.0 + 0.5)
#define Q31(x) (int)((x)*2147483648.0 + 0.5)
#define RANGE15(x) x
#define GET_GAIN(x, y) (-(y) << (x)) + 1024
#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024
#define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16)
#define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26)
#define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30)
@@ -72,7 +72,7 @@ typedef int AAC_SIGNE;
#define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \
((int64_t)(y) * (z)) + \
0x40000000) >> 31)
#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1
#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1))
#define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y))
#else
+3 -1
View File
@@ -431,6 +431,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
if (ctx->frame_length_type == 0) {
int mux_slot_length = 0;
do {
if (get_bits_left(gb) < 8)
return AVERROR_INVALIDDATA;
tmp = get_bits(gb, 8);
mux_slot_length += tmp;
} while (tmp == 255);
@@ -460,7 +462,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
}
if (latmctx->audio_mux_version_A == 0) {
int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
return AVERROR_INVALIDDATA;
} else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {
+10 -4
View File
@@ -187,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)
round = 1 << (s-1);
for (i=0; i<len; i++) {
out = (int)((int64_t)((int64_t)src[i] * c + round) >> s);
dst[i] = out * ssign;
dst[i] = out * (unsigned)ssign;
}
}
}
@@ -207,8 +207,12 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
c /= band_energy;
s = 21 + nlz - (s >> 2);
if (s > 0) {
round = 1 << (s-1);
if (s > 31) {
for (i=0; i<len; i++) {
coefs[i] = 0;
}
} else if (s >= 0) {
round = s ? 1 << (s-1) : 0;
for (i=0; i<len; i++) {
out = (int)(((int64_t)coefs[i] * c) >> 32);
coefs[i] = ((int)(out+round) >> s) * ssign;
@@ -366,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
shift = (gain-1024) >> 3;
}
if (shift < 0) {
if (shift < -31) {
// Nothing to do
} else if (shift < 0) {
shift = -shift;
round = 1 << (shift - 1);
+5 -1
View File
@@ -2181,7 +2181,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1);
sign = get_bits(gb, 1);
scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)];
#if USE_FIXED
scale = get_bits(gb, 2);
#else
scale = cce_scale[get_bits(gb, 2)];
#endif
if ((ret = decode_ics(ac, sce, gb, 0, 0)))
return ret;
+1 -1
View File
@@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
int stop = ps->border_position[e+1];
INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1);
#if USE_FIXED
width <<= 1;
width = FFMIN(2U*width, INT_MAX);
#endif
b = k_to_i[k];
h[0][0] = H11[0][e][b];
+23 -10
View File
@@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
shift = a00.exp;
if (shift >= 3)
alpha0[k][0] = 0x7fffffff;
else if (shift <= -30)
alpha0[k][0] = 0;
else {
a00.mant <<= 1;
shift = 2-shift;
@@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
shift = a01.exp;
if (shift >= 3)
alpha0[k][1] = 0x7fffffff;
else if (shift <= -30)
alpha0[k][1] = 0;
else {
a01.mant <<= 1;
shift = 2-shift;
@@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
shift = a10.exp;
if (shift >= 3)
alpha1[k][0] = 0x7fffffff;
else if (shift <= -30)
alpha1[k][0] = 0;
else {
a10.mant <<= 1;
shift = 2-shift;
@@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
shift = a11.exp;
if (shift >= 3)
alpha1[k][1] = 0x7fffffff;
else if (shift <= -30)
alpha1[k][1] = 0;
else {
a11.mant <<= 1;
shift = 2-shift;
@@ -567,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2],
SoftFloat *in = sbr->s_m[e];
for (m = 0; m+1 < m_max; m+=2) {
shift = 22 - in[m ].exp;
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
shift = 22 - in[m ].exp;
if (shift < 32) {
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
}
shift = 22 - in[m+1].exp;
round = 1 << (shift-1);
out[2*m+2] += (in[m+1].mant * B + round) >> shift;
shift = 22 - in[m+1].exp;
if (shift < 32) {
round = 1 << (shift-1);
out[2*m+2] += (in[m+1].mant * B + round) >> shift;
}
}
if(m_max&1)
{
shift = 22 - in[m ].exp;
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
shift = 22 - in[m ].exp;
if (shift < 32) {
round = 1 << (shift-1);
out[2*m ] += (in[m ].mant * A + round) >> shift;
}
}
}
indexnoise = (indexnoise + m_max) & 0x1ff;
+1 -1
View File
@@ -69,7 +69,7 @@ static void scale_coefs (
int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;
mul = (dynrng & 0x1f) + 0x20;
shift = 4 - ((dynrng << 23) >> 28);
shift = 4 - (sign_extend(dynrng, 9) >> 5);
if (shift > 0 ) {
round = 1 << (shift-1);
for (i=0; i<len; i+=8) {
+1 -1
View File
@@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy,
ff_exp10(0.05 *
(avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) +
energy_mean)) /
sqrtf(fixed_mean_energy);
sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0);
// update quantified prediction error energy history
memmove(&prediction_error[0], &prediction_error[1],
+5 -4
View File
@@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
AnsiContext *s = avctx->priv_data;
avctx->pix_fmt = AV_PIX_FMT_PAL8;
s->frame = av_frame_alloc();
if (!s->frame)
return AVERROR(ENOMEM);
/* defaults */
s->font = avpriv_vga16_font;
s->font_height = 16;
@@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height);
return AVERROR(EINVAL);
}
s->frame = av_frame_alloc();
if (!s->frame)
return AVERROR(ENOMEM);
return 0;
}
+1 -2
View File
@@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type)
static inline void scale_mv(AVSContext *h, int *d_x, int *d_y,
cavs_vector *src, int distp)
{
int den = h->scale_den[FFMAX(src->ref, 0)];
int64_t den = h->scale_den[FFMAX(src->ref, 0)];
*d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9;
*d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9;
}
+1 -1
View File
@@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h)
/* get quantizer */
if (h->cbp && !h->qp_fixed)
h->qp = (h->qp + get_se_golomb(&h->gb)) & 63;
h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63;
for (block = 0; block < 4; block++)
if (h->cbp & (1 << block))
decode_residual_block(h, &h->gb, inter_dec, 0, h->qp,
+3 -2
View File
@@ -501,7 +501,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
int expected = highpass_height * highpass_stride;
int expected;
int a_expected = highpass_a_height * highpass_a_width;
int level, run, coeff;
int count = 0, bytes;
@@ -512,11 +512,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
goto end;
}
if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < expected) {
if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < highpass_height * (uint64_t)highpass_stride) {
av_log(avctx, AV_LOG_ERROR, "Too many highpass coefficients\n");
ret = AVERROR(EINVAL);
goto end;
}
expected = highpass_height * highpass_stride;
av_log(avctx, AV_LOG_DEBUG, "Start subband coeffs plane %i level %i codebook %i expected %i\n", s->channel_num, s->level, s->codebook, expected);
+3 -3
View File
@@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s)
int y0 = 0;
int encoded_buf_size;
if (s->size < 10)
return AVERROR_INVALIDDATA;
frame_flags = s->data[0];
num_strips = AV_RB16 (&s->data[8]);
encoded_buf_size = AV_RB24(&s->data[1]);
@@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
s->data = buf;
s->size = buf_size;
if (s->size < 10)
return AVERROR_INVALIDDATA;
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
return ret;
+5
View File
@@ -297,6 +297,11 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
c->pic->pict_type = frame_type & 0x20 ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
if (frame_type & 0x2) {
if (buf_size < c->mb_width * c->mb_height) {
av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
return AVERROR_INVALIDDATA;
}
bytestream2_get_be32(&gb); // frame size;
c->ac_quant = bytestream2_get_byte(&gb);
c->luma_dc_quant = 32;
+1 -1
View File
@@ -687,7 +687,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
(frame->data[1][2+i*4]<<0)+
(frame->data[1][1+i*4]<<8)+
(frame->data[1][0+i*4]<<16)+
(frame->data[1][3+i*4]<<24)
((unsigned)frame->data[1][3+i*4]<<24)
);
}
frame->palette_has_changed = 1;
+1 -1
View File
@@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
segments = bytestream2_get_le16u(gb);
while ((segments & 0xC000) == 0xC000) {
unsigned skip_lines = -(int16_t)segments;
unsigned delta = -((int16_t)segments * width);
int64_t delta = -((int16_t)segments * (int64_t)width);
if (frame_end - frame <= delta || y + lines + skip_lines > height)
return AVERROR_INVALIDDATA;
frame += delta;
+1 -1
View File
@@ -823,7 +823,7 @@ static int decode_hq_slice(DiracContext *s, DiracSlice *slice, uint8_t *tmp_buf)
skip_bits_long(gb, 8*s->highquality.prefix_bytes);
quant_idx = get_bits(gb, 8);
if (quant_idx > DIRAC_MAX_QUANT_INDEX) {
if (quant_idx > DIRAC_MAX_QUANT_INDEX - 1) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid quantization index - %i\n", quant_idx);
return AVERROR_INVALIDDATA;
}
+3
View File
@@ -335,6 +335,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx)
DXVContext *ctx = avctx->priv_data;
GetByteContext *gbc = &ctx->gbc;
if (bytestream2_get_bytes_left(gbc) < ctx->tex_size)
return AVERROR_INVALIDDATA;
bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size);
return 0;
}
+1 -1
View File
@@ -85,7 +85,7 @@ JNIEnv *ff_jni_get_env(void *log_ctx)
av_log(log_ctx, AV_LOG_ERROR, "The specified JNI version is not supported\n");
break;
default:
av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread");
av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread\n");
break;
}
+16 -16
View File
@@ -89,22 +89,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd
const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
const int t4 = 5793 * (t2 + t0 + 0x800 >> 12);
const int t5 = 5793 * (t3 + t1 + 0x800 >> 12);
const int t6 = t2 - t0;
const int t7 = t3 - t1;
const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step];
const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step];
const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
blk[0 * step] = ( t4 + t9 + tB) >> shift;
blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift;
blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift;
blk[3 * step] = ( t5 - t9 + tB) >> shift;
blk[4 * step] = ( -t5 - t9 + tB) >> shift;
blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift;
blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift;
blk[7 * step] = ( -t4 + t9 + tB) >> shift;
const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
const unsigned t6 = t2 - t0;
const unsigned t7 = t3 - t1;
const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step];
const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step];
const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
blk[0 * step] = (int)( t4 + t9 + tB) >> shift;
blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift;
blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift;
blk[3 * step] = (int)( t5 - t9 + tB) >> shift;
blk[4 * step] = (int)( -t5 - t9 + tB) >> shift;
blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift;
blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift;
blk[7 * step] = (int)( -t4 + t9 + tB) >> shift;
}
static void fic_idct_put(uint8_t *dst, int stride, int16_t *block)
+7
View File
@@ -199,6 +199,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
num_chunks = bytestream2_get_le16(&g2);
bytestream2_skip(&g2, 8); /* skip padding */
if (frame_size < 16)
return AVERROR_INVALIDDATA;
frame_size -= 16;
/* iterate through the chunks */
@@ -519,6 +522,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (frame_size > buf_size)
frame_size = buf_size;
if (frame_size < 16)
return AVERROR_INVALIDDATA;
frame_size -= 16;
/* iterate through the chunks */
@@ -804,6 +809,8 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
if (frame_size > buf_size)
frame_size = buf_size;
if (frame_size < 16)
return AVERROR_INVALIDDATA;
frame_size -= 16;
/* iterate through the chunks */
+3 -3
View File
@@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
int size, offset, start = 0;
offset = bytestream2_get_le16(gb);
if (offset > s->nb_blocks)
if (offset >= s->nb_blocks)
return AVERROR_INVALIDDATA;
size = bytestream2_get_le16(gb);
@@ -596,8 +596,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
s->bpp = avctx->bits_per_coded_sample >> 3;
s->buffer_size = avctx->width * avctx->height * 4;
s->pbuffer_size = avctx->width * avctx->height * 4;
s->buffer = av_malloc(s->buffer_size);
s->pbuffer = av_malloc(s->pbuffer_size);
s->buffer = av_mallocz(s->buffer_size);
s->pbuffer = av_mallocz(s->pbuffer_size);
if (!s->buffer || !s->pbuffer)
return AVERROR(ENOMEM);
+7 -1
View File
@@ -170,6 +170,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
}
}
if (k >= FF_ARRAY_ELEMS(rps->used)) {
av_log(avctx, AV_LOG_ERROR,
"Invalid num_delta_pocs: %d\n", k);
return AVERROR_INVALIDDATA;
}
rps->num_delta_pocs = k;
rps->num_negative_pics = k0;
// sort in increasing order (smallest first)
@@ -751,7 +757,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi
ff_hevc_diag_scan8x8_x[i];
scaling_list_delta_coef = get_se_golomb(gb);
next_coef = (next_coef + scaling_list_delta_coef + 256) % 256;
next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256;
sl->sl[size_id][matrix_id][pos] = next_coef;
}
}
+1 -1
View File
@@ -83,7 +83,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
pos += ff_hq_ac_skips[val];
if (pos >= 64)
break;
block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12;
block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12;
pos++;
}
+17 -17
View File
@@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
b0_2 = b0_ptr[pitch+indx+1];
tmp1 = tmp0 + b0_1;
p0 = tmp0 << 4;
p1 = tmp1 << 3;
p2 = (tmp0 + tmp2) << 3;
p3 = (tmp1 + tmp2 + b0_2) << 2;
p0 = tmp0 * 16;
p1 = tmp1 * 8;
p2 = (tmp0 + tmp2) * 8;
p3 = (tmp1 + tmp2 + b0_2) * 4;
}
/* process the HL-band by applying HPF vertically and LPF horizontally */
@@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
tmp2 = tmp1 - tmp0*6 + b1_3;
b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1];
p0 += (tmp0 + tmp1) << 3;
p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2;
p2 += tmp2 << 2;
p3 += (tmp2 + b1_3) << 1;
p0 += (tmp0 + tmp1) * 8;
p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4;
p2 += tmp2 * 4;
p3 += (tmp2 + b1_3) * 2;
}
/* process the LH-band by applying LPF vertically and HPF horizontally */
@@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
tmp0 = b2_1 + b2_2;
tmp1 = b2_1 - b2_2*6 + b2_3;
p0 += tmp0 << 3;
p1 += tmp1 << 2;
p2 += (tmp0 + b2_4 + b2_5) << 2;
p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1;
p0 += tmp0 * 8;
p1 += tmp1 * 4;
p2 += (tmp0 + b2_4 + b2_5) * 4;
p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2;
}
/* process the HH-band by applying HPF both vertically and horizontally */
@@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1];
p0 += (tmp0 + tmp1) << 2;
p1 += (tmp0 - tmp1*6 + tmp2) << 1;
p2 += (b3_7 + b3_8) << 1;
p0 += (tmp0 + tmp1) * 4;
p1 += (tmp0 - tmp1*6 + tmp2) * 2;
p2 += (b3_7 + b3_8) * 2;
p3 += b3_7 - b3_8*6 + b3_9;
}
@@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, ptrdiff_t pitch,
if (flags[i]) {
/* pre-scaling */
shift = !(i & 2);
sp1 = src[0] << shift;
sp2 = src[4] << shift;
sp1 = src[0] * (1 << shift);
sp2 = src[4] * (1 << shift);
INV_HAAR4( sp1, sp2, src[8], src[12],
dst[0], dst[4], dst[8], dst[12],
t0, t1, t2, t3, t4);
+1 -1
View File
@@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b)
static inline int ff_jpeg2000_ceildiv(int a, int b)
{
return (a + b - 1) / b;
return (a + (int64_t)b - 1) / b;
}
/* TIER-1 routines */
+18 -4
View File
@@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s)
uint32_t log2_chroma_wh = 0;
const enum AVPixelFormat *possible_fmts = NULL;
int possible_fmts_nb = 0;
int ret;
if (bytestream2_get_bytes_left(&s->g) < 36) {
av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n");
@@ -298,6 +299,16 @@ static int get_siz(Jpeg2000DecoderContext *s)
return AVERROR_PATCHWELCOME;
}
if (s->tile_offset_x < 0 || s->tile_offset_y < 0 ||
s->image_offset_x < s->tile_offset_x ||
s->image_offset_y < s->tile_offset_y ||
s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x ||
s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y
) {
av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n");
return AVERROR_INVALIDDATA;
}
s->ncomponents = ncomponents;
if (s->tile_width <= 0 || s->tile_height <= 0) {
@@ -349,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s)
}
/* compute image size with reduction factor */
s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x,
s->reduction_factor);
s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y,
s->reduction_factor);
ret = ff_set_dimensions(s->avctx,
ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x,
s->reduction_factor),
ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y,
s->reduction_factor));
if (ret < 0)
return ret;
if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K ||
s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) {
+4
View File
@@ -390,6 +390,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n",
ilv, point_transform, s->bits, s->cur_scan);
}
if (get_bits_left(&s->gb) < s->height) {
ret = AVERROR_INVALIDDATA;
goto end;
}
if (ilv == 0) { /* separate planes */
if (s->cur_scan > s->nb_components) {
ret = AVERROR_INVALIDDATA;
+1 -1
View File
@@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data,
return AVERROR_INVALIDDATA;
}
err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0);
err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0);
if (err == AAC_DEC_NOT_ENOUGH_BITS) {
ret = avpkt->size - valid;
goto end;
+31 -16
View File
@@ -66,7 +66,7 @@ struct JNIAMediaCodecListFields {
jfieldID hevc_profile_main10_id;
jfieldID hevc_profile_main10_hdr10_id;
} JNIAMediaCodecListFields;
};
static const struct FFJniField jni_amediacodeclist_mapping[] = {
{ "android/media/MediaCodecList", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecListFields, mediacodec_list_class), 1 },
@@ -125,7 +125,7 @@ struct JNIAMediaFormatFields {
jmethodID to_string_id;
} JNIAMediaFormatFields;
};
static const struct FFJniField jni_amediaformat_mapping[] = {
{ "android/media/MediaFormat", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaFormatFields, mediaformat_class), 1 },
@@ -210,7 +210,7 @@ struct JNIAMediaCodecFields {
jfieldID presentation_time_us_id;
jfieldID size_id;
} JNIAMediaCodecFields;
};
static const struct FFJniField jni_amediacodec_mapping[] = {
{ "android/media/MediaCodec", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecFields, mediacodec_class), 1 },
@@ -608,6 +608,7 @@ FFAMediaFormat *ff_AMediaFormat_new(void)
{
JNIEnv *env = NULL;
FFAMediaFormat *format = NULL;
jobject object = NULL;
format = av_mallocz(sizeof(FFAMediaFormat));
if (!format) {
@@ -625,23 +626,27 @@ FFAMediaFormat *ff_AMediaFormat_new(void)
goto fail;
}
format->object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id);
object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id);
if (!object) {
goto fail;
}
format->object = (*env)->NewGlobalRef(env, object);
if (!format->object) {
goto fail;
}
format->object = (*env)->NewGlobalRef(env, format->object);
fail:
if (object) {
(*env)->DeleteLocalRef(env, object);
}
if (!format->object) {
goto fail;
ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format);
av_freep(&format);
}
return format;
fail:
ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format);
av_freep(&format);
return NULL;
}
static FFAMediaFormat *ff_AMediaFormat_newFromObject(void *object)
@@ -1562,6 +1567,7 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t
JNIEnv *env = NULL;
jobject buffer = NULL;
jobject input_buffers = NULL;
JNI_GET_ENV_OR_RETURN(env, codec, NULL);
@@ -1572,12 +1578,12 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t
}
} else {
if (!codec->input_buffers) {
codec->input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id);
input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id);
if (ff_jni_exception_check(env, 1, codec) < 0) {
goto fail;
}
codec->input_buffers = (*env)->NewGlobalRef(env, codec->input_buffers);
codec->input_buffers = (*env)->NewGlobalRef(env, input_buffers);
if (ff_jni_exception_check(env, 1, codec) < 0) {
goto fail;
}
@@ -1596,6 +1602,10 @@ fail:
(*env)->DeleteLocalRef(env, buffer);
}
if (input_buffers) {
(*env)->DeleteLocalRef(env, input_buffers);
}
return ret;
}
@@ -1605,6 +1615,7 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t
JNIEnv *env = NULL;
jobject buffer = NULL;
jobject output_buffers = NULL;
JNI_GET_ENV_OR_RETURN(env, codec, NULL);
@@ -1615,12 +1626,12 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t
}
} else {
if (!codec->output_buffers) {
codec->output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id);
output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id);
if (ff_jni_exception_check(env, 1, codec) < 0) {
goto fail;
}
codec->output_buffers = (*env)->NewGlobalRef(env, codec->output_buffers);
codec->output_buffers = (*env)->NewGlobalRef(env, output_buffers);
if (ff_jni_exception_check(env, 1, codec) < 0) {
goto fail;
}
@@ -1639,6 +1650,10 @@ fail:
(*env)->DeleteLocalRef(env, buffer);
}
if (output_buffers) {
(*env)->DeleteLocalRef(env, output_buffers);
}
return ret;
}
+4 -2
View File
@@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data,
return AVERROR_INVALIDDATA;
}
res = ff_set_dimensions(avctx, width, height);
if (res < 0)
return res;
ctx->avctx = avctx;
avctx->width = width;
avctx->height = height;
avctx->pix_fmt = AV_PIX_FMT_YUV420P;
for (i = 0; i < 3; i++) {
ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i);
+10 -1
View File
@@ -738,7 +738,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block,
int component, int dc_index,
uint16_t *quant_matrix, int Al)
{
int val;
unsigned val;
s->bdsp.clear_block(block);
val = mjpeg_decode_dc(s, dc_index);
if (val == 0xfffff) {
@@ -1479,6 +1479,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
return -1;
}
if (reference) {
if (reference->width != s->picture_ptr->width ||
reference->height != s->picture_ptr->height ||
reference->format != s->picture_ptr->format) {
av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n");
return AVERROR_INVALIDDATA;
}
}
av_assert0(s->picture_ptr->data[0]);
/* XXX: verify len field validity */
len = get_bits(&s->gb, 16);
+10 -5
View File
@@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
/* TODO: Check validity of state data. */
for (i = 0; i < order; i++)
fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0;
fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0;
}
}
@@ -729,7 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
av_log(m->avctx, AV_LOG_ERROR,
"Number of primitive matrices cannot be greater than %d.\n",
max_primitive_matrices);
return AVERROR_INVALIDDATA;
goto error;
}
for (mat = 0; mat < s->num_primitive_matrices; mat++) {
@@ -742,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
av_log(m->avctx, AV_LOG_ERROR,
"Invalid channel %d specified as output from matrix.\n",
s->matrix_out_ch[mat]);
return AVERROR_INVALIDDATA;
goto error;
}
if (frac_bits > 14) {
av_log(m->avctx, AV_LOG_ERROR,
"Too many fractional bits specified.\n");
return AVERROR_INVALIDDATA;
goto error;
}
max_chan = s->max_matrix_channel;
@@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
if (get_bits1(gbp))
coeff_val = get_sbits(gbp, frac_bits + 2);
s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits);
s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits));
}
if (s->noise_type)
@@ -769,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
}
return 0;
error:
s->num_primitive_matrices = 0;
memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch));
return AVERROR_INVALIDDATA;
}
/** Read channel parameters. */
+1 -1
View File
@@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) {
int mat_ch = ch_assign[out_ch];
int32_t sample = sample_buffer[i][mat_ch] *
(1 << output_shift[mat_ch]);
(1U << output_shift[mat_ch]);
lossless_check_data ^= (sample & 0xffffff) << mat_ch;
if (is32)
*data_32++ = sample << 8;
+8 -2
View File
@@ -2340,7 +2340,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
if (s->pict_type != AV_PICTURE_TYPE_B) {
s->last_time_base = s->time_base;
s->time_base += time_incr;
s->time = s->time_base * s->avctx->framerate.num + time_increment;
s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment;
if (s->workaround_bugs & FF_BUG_UMP4) {
if (s->time < s->last_non_b_time) {
/* header is not mpeg-4-compatible, broken encoder,
@@ -2352,7 +2352,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
s->pp_time = s->time - s->last_non_b_time;
s->last_non_b_time = s->time;
} else {
s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment;
s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment;
s->pb_time = s->pp_time - (s->last_non_b_time - s->time);
if (s->pp_time <= s->pb_time ||
s->pp_time <= s->pp_time - s->pb_time ||
@@ -2566,6 +2566,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
MpegEncContext *s = &ctx->m;
unsigned startcode, v;
int ret;
int vol = 0;
/* search next start code */
align_get_bits(gb);
@@ -2654,6 +2655,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
}
if (startcode >= 0x120 && startcode <= 0x12F) {
if (vol) {
av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");
return AVERROR_INVALIDDATA;
}
vol++;
if ((ret = decode_vol_header(ctx, gb)) < 0)
return ret;
} else if (startcode == USER_DATA_STARTCODE) {
+79 -4
View File
@@ -373,9 +373,21 @@ static av_cold int nvenc_check_device(AVCodecContext *avctx, int idx)
return 0;
fail3:
cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n");
return AVERROR_EXTERNAL;
}
p_nvenc->nvEncDestroyEncoder(ctx->nvencoder);
ctx->nvencoder = NULL;
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
fail2:
dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal);
ctx->cu_context_internal = NULL;
@@ -951,6 +963,8 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx)
NV_ENC_PRESET_CONFIG preset_config = { 0 };
NVENCSTATUS nv_status = NV_ENC_SUCCESS;
AVCPBProperties *cpb_props;
CUresult cu_res;
CUcontext dummy;
int res = 0;
int dw, dh;
@@ -1038,7 +1052,20 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx)
if (res)
return res;
cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n");
return AVERROR_EXTERNAL;
}
nv_status = p_nvenc->nvEncInitializeEncoder(ctx->nvencoder, &ctx->init_encode_params);
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
if (nv_status != NV_ENC_SUCCESS) {
return nvenc_print_error(avctx, nv_status, "InitializeEncoder failed");
}
@@ -1106,8 +1133,8 @@ static av_cold int nvenc_alloc_surface(AVCodecContext *avctx, int idx)
}
allocSurf.version = NV_ENC_CREATE_INPUT_BUFFER_VER;
allocSurf.width = (avctx->width + 31) & ~31;
allocSurf.height = (avctx->height + 31) & ~31;
allocSurf.width = avctx->width;
allocSurf.height = avctx->height;
allocSurf.memoryHeap = NV_ENC_MEMORY_HEAP_SYSMEM_CACHED;
allocSurf.bufferFmt = ctx->surfaces[idx].format;
@@ -1147,6 +1174,9 @@ static av_cold int nvenc_alloc_surface(AVCodecContext *avctx, int idx)
static av_cold int nvenc_setup_surfaces(AVCodecContext *avctx)
{
NvencContext *ctx = avctx->priv_data;
NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs;
CUresult cu_res;
CUcontext dummy;
int i, res;
ctx->surfaces = av_mallocz_array(ctx->nb_surfaces, sizeof(*ctx->surfaces));
@@ -1163,9 +1193,28 @@ static av_cold int nvenc_setup_surfaces(AVCodecContext *avctx)
if (!ctx->output_surface_ready_queue)
return AVERROR(ENOMEM);
cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n");
return AVERROR_EXTERNAL;
}
for (i = 0; i < ctx->nb_surfaces; i++) {
if ((res = nvenc_alloc_surface(avctx, i)) < 0)
{
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
return res;
}
}
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
return 0;
@@ -1209,8 +1258,16 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx)
NvencContext *ctx = avctx->priv_data;
NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs;
NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs;
CUresult cu_res;
CUcontext dummy;
int i;
cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n");
return AVERROR_EXTERNAL;
}
/* the encoder has to be flushed before it can be closed */
if (ctx->nvencoder) {
NV_ENC_PIC_PARAMS params = { .version = NV_ENC_PIC_PARAMS_VER,
@@ -1251,6 +1308,12 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx)
p_nvenc->nvEncDestroyEncoder(ctx->nvencoder);
ctx->nvencoder = NULL;
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
if (ctx->cu_context_internal)
dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal);
ctx->cu_context = ctx->cu_context_internal = NULL;
@@ -1718,8 +1781,8 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
pic_params.inputBuffer = inSurf->input_surface;
pic_params.bufferFmt = inSurf->format;
pic_params.inputWidth = avctx->width;
pic_params.inputHeight = avctx->height;
pic_params.inputWidth = inSurf->width;
pic_params.inputHeight = inSurf->height;
pic_params.inputPitch = inSurf->pitch;
pic_params.outputBitstream = inSurf->output_surface;
@@ -1785,8 +1848,20 @@ int ff_nvenc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
if (output_ready(avctx, !frame)) {
av_fifo_generic_read(ctx->output_surface_ready_queue, &tmpoutsurf, sizeof(tmpoutsurf), NULL);
cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n");
return AVERROR_EXTERNAL;
}
res = process_output_surface(avctx, pkt, tmpoutsurf);
cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy);
if (cu_res != CUDA_SUCCESS) {
av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n");
return AVERROR_EXTERNAL;
}
if (res)
return res;
+11 -4
View File
@@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data,
uint8_t code, *dst, *end;
int i, frame, ret;
if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
return ret;
if (pkt->size < 2)
return AVERROR_INVALIDDATA;
bytestream2_init(&c->gb, pkt->data, pkt->size);
code = bytestream2_get_byte(&c->gb);
if ((code & 0xF) > 4 || (code & 0xF) == 3) {
avpriv_request_sample(avctx, "unknown/invalid code");
return AVERROR_INVALIDDATA;
}
if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
return ret;
if (code & 0x20) { // frame is keyframe
for (i = 0; i < 4; i++)
memset(c->frame[i], 0, c->frame_size);
@@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data,
}
break;
default:
avpriv_request_sample(avctx, "unknown/invalid code");
return AVERROR_INVALIDDATA;
av_assert0(0);
}
av_image_copy_plane(c->pic->data[0], c->pic->linesize[0],
+6
View File
@@ -229,6 +229,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i
cnt1 = get_bits(b, nbits);
} else {
pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14));
if (pfx < 1 || pfx > 25)
return AVERROR_INVALIDDATA;
cnt1 *= (1 << pfx) - 1;
shbits = show_bits(b, pfx);
if (shbits <= 1) {
@@ -592,6 +594,10 @@ static int pixlet_decode_frame(AVCodecContext *avctx, void *data,
width = bytestream2_get_be32(&ctx->gb);
height = bytestream2_get_be32(&ctx->gb);
if ( width > INT_MAX - (1U << (NB_LEVELS + 1))
|| height > INT_MAX - (1U << (NB_LEVELS + 1)))
return AVERROR_INVALIDDATA;
w = FFALIGN(width, 1 << (NB_LEVELS + 1));
h = FFALIGN(height, 1 << (NB_LEVELS + 1));
+8 -4
View File
@@ -24,6 +24,7 @@
#include "libavutil/imgutils.h"
#include "avcodec.h"
#include "internal.h"
#include "pnm.h"
static inline int pnm_space(int c)
@@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
{
char buf1[32], tuple_type[32];
int h, w, depth, maxval;
int ret;
pnm_get(s, buf1, sizeof(buf1));
if(buf1[0] != 'P')
@@ -111,8 +113,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
return AVERROR_INVALIDDATA;
avctx->width = w;
avctx->height = h;
ret = ff_set_dimensions(avctx, w, h);
if (ret < 0)
return ret;
s->maxval = maxval;
if (depth == 1) {
if (maxval == 1) {
@@ -154,8 +157,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
return AVERROR_INVALIDDATA;
avctx->width = w;
avctx->height = h;
ret = ff_set_dimensions(avctx, w, h);
if (ret < 0)
return ret;
if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) {
pnm_get(s, buf1, sizeof(buf1));
+5 -1
View File
@@ -58,6 +58,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc,
bytestream2_skip(gbc, 6);
continue;
}
if (avctx->pix_fmt != AV_PIX_FMT_PAL8)
return AVERROR_INVALIDDATA;
r = bytestream2_get_byte(gbc);
bytestream2_skip(gbc, 1);
g = bytestream2_get_byte(gbc);
@@ -378,7 +380,9 @@ static int decode_frame(AVCodecContext *avctx,
if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
return ret;
parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors);
ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors);
if (ret < 0)
return ret;
p->palette_has_changed = 1;
/* jump to image data */
+3 -3
View File
@@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m,
v[0] = 0;
for (i=!skip_first; i<3; i++)
v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n];
v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n];
if (v[0]) {
for (i=0; i < BLOCKSIZE; i++)
@@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx)
if((int)(a*(unsigned)b) != a*(int64_t)b)
return 1;
#endif
bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12;
bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
}
if ((unsigned) bp1[i] + 0x1000 > 0x1fff)
@@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs,
if (cba_idx) {
cba_idx += BLOCKSIZE/2 - 1;
ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx);
m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12;
m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12;
} else {
m[0] = 0;
}
+1 -1
View File
@@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data,
do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb);
for (j=0; j < BLOCKSIZE; j++)
*samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2);
*samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2));
}
ractx->old_energy = energy;
+4 -4
View File
@@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx)
static av_cold int init_buffers(SANMVideoContext *ctx)
{
av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size);
av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size);
av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size);
av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size);
av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size);
av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size);
if (!ctx->version)
av_fast_padded_malloc(&ctx->stored_frame,
av_fast_padded_mallocz(&ctx->stored_frame,
&ctx->stored_frame_size, ctx->buf_size);
if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 ||
+2 -2
View File
@@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2],
static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2],
const SoftFloat *g_filt, int m_max, intptr_t ixh)
{
int m, r;
int m;
int64_t accu;
for (m = 0; m < m_max; m++) {
r = 1 << (22-g_filt[m].exp);
int64_t r = 1LL << (22-g_filt[m].exp);
accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
+7 -2
View File
@@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO
{
int i;
for (i = 0; i < 64; i++) {
v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5);
v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5);
#if USE_FIXED
v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5;
v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5;
#else
v[ i] = src0[i] - src1[63 - i];
v[127 - i] = src0[i] + src1[63 - i];
#endif
}
}
+2 -2
View File
@@ -488,7 +488,7 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
if (avctx->bits_per_coded_sample == 16) {
cx1 = (clr & 0x3F00) >> 2;
cx = (clr & 0xFFFFFF) >> 16;
cx = (clr & 0x3FFFFF) >> 16;
} else {
cx1 = (clr & 0xFC00) >> 4;
cx = (clr & 0xFFFFFF) >> 18;
@@ -726,7 +726,7 @@ static int decompress_p(AVCodecContext *avctx,
if (avctx->bits_per_coded_sample == 16) {
cx1 = (clr & 0x3F00) >> 2;
cx = (clr & 0xFFFFFF) >> 16;
cx = (clr & 0x3FFFFF) >> 16;
} else {
cx1 = (clr & 0xFC00) >> 4;
cx = (clr & 0xFFFFFF) >> 18;
+5
View File
@@ -3105,6 +3105,11 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR_PATCHWELCOME;
}
if (avpkt->size < 20 + avctx->width * avctx->height / 16) {
av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
return AVERROR_INVALIDDATA;
}
if (s->format != format) {
if (ret < 0)
return ret;
+4
View File
@@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s)
row_ptr, image_size);
return;
}
if (bytestream2_get_bytes_left(&s->gb) < 1) {
av_log(s->avctx, AV_LOG_ERROR, "input too small\n");
return;
}
opcode = bytestream2_get_byte(&s->gb);
switch (opcode & 0xF0) {
+2 -1
View File
@@ -540,7 +540,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
if(get_rac(c, state+0))
return 0;
else{
int i, e, a;
int i, e;
unsigned a;
e= 0;
while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
e++;
+2 -2
View File
@@ -524,8 +524,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
if (mode != PREDICT_MODE) {
svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my);
} else {
mx = s->next_pic->motion_val[0][b_xy][0] << 1;
my = s->next_pic->motion_val[0][b_xy][1] << 1;
mx = s->next_pic->motion_val[0][b_xy][0] * 2;
my = s->next_pic->motion_val[0][b_xy][1] * 2;
if (dir == 0) {
mx = mx * s->frame_num_offset /
+4 -4
View File
@@ -267,11 +267,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l
code = xcodes[mode - 1];
for (i = 0; i < len; i++) {
int x = get_bits_long(gb, code.init);
unsigned x = get_bits_long(gb, code.init);
if (x >= code.escape && get_bits1(gb)) {
x |= 1 << code.init;
if (x >= code.aescape) {
int scale = get_unary(gb, 1, 9);
unsigned scale = get_unary(gb, 1, 9);
if (scale == 9) {
int scale_bits = get_bits(gb, 3);
if (scale_bits > 0) {
@@ -862,7 +862,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
if (s->sample_shift[chan] > 0)
for (i = 0; i < s->nb_samples; i++)
decoded[i] <<= s->sample_shift[chan];
decoded[i] *= 1U << s->sample_shift[chan];
}
}
@@ -904,7 +904,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
for (chan = 0; chan < avctx->channels; chan++) {
int32_t *samples = (int32_t *)frame->extended_data[chan];
for (i = 0; i < s->nb_samples; i++)
samples[i] <<= 8;
samples[i] *= 1U << 8;
}
break;
}
+3
View File
@@ -1033,6 +1033,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
s->subsampling[i] = ff_tget(&s->gb, type, s->le);
if (s->subsampling[i] <= 0) {
av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]);
s->subsampling[i] = 1;
return AVERROR_INVALIDDATA;
}
}
@@ -1136,6 +1137,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET);
if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count)
return AVERROR_INVALIDDATA;
if (s->geotags[i].val)
return AVERROR_INVALIDDATA;
ap = av_malloc(s->geotags[i].count);
if (!ap) {
av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n");
+2 -2
View File
@@ -180,7 +180,7 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt)
lo += (lo * 32) + (lo * 1024);
hi = ydt[p2];
hi += (hi * 32) + (hi * 1024);
return (lo + (hi * (1 << 16))) * 2;
return (lo + (hi * (1U << 16))) * 2;
}
static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
@@ -190,7 +190,7 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
b = cdt[p2];
r = cdt[p1] * 1024;
lo = b + r;
return (lo + (lo * (1 << 16))) * 2;
return (lo + (lo * (1U << 16))) * 2;
}
#if HAVE_BIGENDIAN
+3 -2
View File
@@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id)
for (i = 0; i < d; i++) {
v = get_bits_long(&ctx->gb, mb);
if (v & (1 << (mb - 1)))
ctx->deltas[stream_id][i] = v - (1 << mb);
ctx->deltas[stream_id][i] = v - (1U << mb);
else
ctx->deltas[stream_id][i] = v;
}
@@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx,
buf_size - offset);
if (t < 0) {
int j = tm2_stream_order[i];
memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]);
if (l->tok_lens[j])
memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]);
return t;
}
offset += t;
+6 -12
View File
@@ -381,6 +381,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
w = bytestream2_get_be16(gb);
h = bytestream2_get_be16(gb);
enc = bytestream2_get_be32(gb);
if ((dx + w > c->width) || (dy + h > c->height)) {
av_log(avctx, AV_LOG_ERROR,
"Incorrect frame size: %ix%i+%ix%i of %ix%i\n",
w, h, dx, dy, c->width, c->height);
return AVERROR_INVALIDDATA;
}
outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0];
size_left = bytestream2_get_bytes_left(gb);
switch (enc) {
@@ -458,12 +464,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
bytestream2_skip(gb, 2);
break;
case 0x00000000: // raw rectangle data
if ((dx + w > c->width) || (dy + h > c->height)) {
av_log(avctx, AV_LOG_ERROR,
"Incorrect frame size: %ix%i+%ix%i of %ix%i\n",
w, h, dx, dy, c->width, c->height);
return AVERROR_INVALIDDATA;
}
if (size_left < w * h * c->bpp2) {
av_log(avctx, AV_LOG_ERROR,
"Premature end of data! (need %i got %i)\n",
@@ -474,12 +474,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
c->pic->linesize[0]);
break;
case 0x00000005: // HexTile encoded rectangle
if ((dx + w > c->width) || (dy + h > c->height)) {
av_log(avctx, AV_LOG_ERROR,
"Incorrect frame size: %ix%i+%ix%i of %ix%i\n",
w, h, dx, dy, c->width, c->height);
return AVERROR_INVALIDDATA;
}
res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]);
if (res < 0)
return res;
+2 -2
View File
@@ -915,9 +915,9 @@ skip_eob:
if (!--band_left)
band_left = band_counts[++band];
if (is_tx32x32)
STORE_COEF(coef, rc, ((vp8_rac_get(c) ? -val : val) * qmul[!!i]) / 2);
STORE_COEF(coef, rc, (int)((vp8_rac_get(c) ? -val : val) * (unsigned)qmul[!!i]) / 2);
else
STORE_COEF(coef, rc, (vp8_rac_get(c) ? -val : val) * qmul[!!i]);
STORE_COEF(coef, rc, (vp8_rac_get(c) ? -val : val) * (unsigned)qmul[!!i]);
nnz = (1 + cache[nb[i][0]] + cache[nb[i][1]]) >> 1;
tp = p[band][nnz];
} while (++i < n_coeffs);
+9 -3
View File
@@ -188,7 +188,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
goto error;
t += t2;
} else {
if (get_bits_left(gb) < t2 - 1)
if (t2 >= 32 || get_bits_left(gb) < t2 - 1)
goto error;
t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1));
}
@@ -245,7 +245,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
if (get_bits_left(gb) <= 0)
goto error;
if (get_bits1(gb)) {
add -= (mid - base);
add -= (mid - (unsigned)base);
base = mid;
} else
add = mid - base - 1;
@@ -554,7 +554,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb,
if (type != AV_SAMPLE_FMT_S16P)
S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10);
else
S = T + ((s->decorr[i].weightA * A + 512) >> 10);
S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10);
if (A && T)
s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta;
s->decorr[i].samplesA[j] = T = S;
@@ -887,6 +887,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
s->float_flag = bytestream2_get_byte(&gb);
s->float_shift = bytestream2_get_byte(&gb);
s->float_max_exp = bytestream2_get_byte(&gb);
if (s->float_shift > 31) {
av_log(avctx, AV_LOG_ERROR,
"Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift);
s->float_shift = 0;
continue;
}
got_float = 1;
bytestream2_skip(&gb, 1);
break;
+3
View File
@@ -1351,6 +1351,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p,
if (ret < 0)
return ret;
if (!*got_frame)
return AVERROR_INVALIDDATA;
update_canvas_size(avctx, avctx->width, avctx->height);
if (s->has_alpha) {
+1 -1
View File
@@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
if (buf_size <= 8) {
if (buf_size < 8 + avctx->height * (avctx->width/2)/8) {
av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA;
}
+5 -1
View File
@@ -109,7 +109,7 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table)
int new_node = j;
int first_node = cur_node;
int second_node = cur_node;
int nd, st;
unsigned nd, st;
nodes[cur_node].count = -1;
@@ -133,6 +133,10 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table)
st = nodes[first_node].count;
nodes[second_node].count = 0;
nodes[first_node].count = 0;
if (nd >= UINT32_MAX - st) {
av_log(avctx, AV_LOG_ERROR, "count overflow\n");
return AVERROR_INVALIDDATA;
}
nodes[cur_node].count = nd + st;
nodes[cur_node].sym = -1;
nodes[cur_node].n0 = cur_node;
+1 -1
View File
@@ -73,7 +73,7 @@ static void register_all(void)
void avdevice_register_all(void)
{
AVOnce control = AV_ONCE_INIT;
static AVOnce control = AV_ONCE_INIT;
ff_thread_once(&control, register_all);
}
+1 -1
View File
@@ -381,7 +381,7 @@ static void register_all(void)
void avfilter_register_all(void)
{
AVOnce control = AV_ONCE_INIT;
static AVOnce control = AV_ONCE_INIT;
ff_thread_once(&control, register_all);
}
+7 -1
View File
@@ -1191,7 +1191,7 @@ static int take_samples(AVFilterLink *link, unsigned min, unsigned max,
called with enough samples. */
av_assert1(samples_ready(link, link->min_samples));
frame0 = frame = ff_framequeue_peek(&link->fifo, 0);
if (frame->nb_samples >= min && frame->nb_samples < max) {
if (!link->fifo.samples_skipped && frame->nb_samples >= min && frame->nb_samples <= max) {
*rframe = ff_framequeue_take(&link->fifo);
return 0;
}
@@ -1522,6 +1522,12 @@ int ff_inlink_consume_frame(AVFilterLink *link, AVFrame **rframe)
*rframe = NULL;
if (!ff_inlink_check_available_frame(link))
return 0;
if (link->fifo.samples_skipped) {
frame = ff_framequeue_peek(&link->fifo, 0);
return ff_inlink_consume_samples(link, frame->nb_samples, frame->nb_samples, rframe);
}
frame = ff_framequeue_take(&link->fifo);
consume_update(link, frame);
*rframe = frame;
+2
View File
@@ -107,6 +107,7 @@ AVFrame *ff_framequeue_take(FFFrameQueue *fq)
fq->tail &= fq->allocated - 1;
fq->total_frames_tail++;
fq->total_samples_tail += b->frame->nb_samples;
fq->samples_skipped = 0;
check_consistency(fq);
return b->frame;
}
@@ -146,5 +147,6 @@ void ff_framequeue_skip_samples(FFFrameQueue *fq, size_t samples, AVRational tim
for (i = 0; i < planes && i < AV_NUM_DATA_POINTERS; i++)
b->frame->data[i] = b->frame->extended_data[i];
fq->total_samples_tail += samples;
fq->samples_skipped = 1;
ff_framequeue_update_peeked(fq, 0);
}
+5
View File
@@ -100,6 +100,11 @@ typedef struct FFFrameQueue {
*/
uint64_t total_samples_tail;
/**
* Indicate that samples are skipped
*/
int samples_skipped;
} FFFrameQueue;
/**
+1 -1
View File
@@ -384,7 +384,7 @@ static void register_all(void)
void av_register_all(void)
{
AVOnce control = AV_ONCE_INIT;
static AVOnce control = AV_ONCE_INIT;
ff_thread_once(&control, register_all);
}
+3
View File
@@ -1098,6 +1098,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt)
if (!sub_demuxer)
goto error;
if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass"))
goto error;
if (!(ast->sub_ctx = avformat_alloc_context()))
goto error;
+27 -3
View File
@@ -204,6 +204,7 @@ typedef struct HLSContext {
char *http_proxy; ///< holds the address of the HTTP proxy server
AVDictionary *avio_opts;
int strict_std_compliance;
char *allowed_extensions;
} HLSContext;
static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -618,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
return AVERROR_INVALIDDATA;
// only http(s) & file are allowed
if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
if (av_strstart(proto_name, "file", NULL)) {
if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) {
av_log(s, AV_LOG_ERROR,
"Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n"
"If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n",
url);
return AVERROR_INVALIDDATA;
}
} else if (av_strstart(proto_name, "http", NULL)) {
;
} else
return AVERROR_INVALIDDATA;
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
;
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
@@ -630,8 +642,16 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
ret = s->io_open(s, pb, url, AVIO_FLAG_READ, &tmp);
if (ret >= 0) {
// update cookies on http response with setcookies.
void *u = (s->flags & AVFMT_FLAG_CUSTOM_IO) ? NULL : s->pb;
update_options(&c->cookies, "cookies", u);
char *new_cookies = NULL;
if (!(s->flags & AVFMT_FLAG_CUSTOM_IO))
av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies);
if (new_cookies) {
av_free(c->cookies);
c->cookies = new_cookies;
}
av_dict_set(&opts, "cookies", c->cookies, 0);
}
@@ -2126,6 +2146,10 @@ static int hls_probe(AVProbeData *p)
static const AVOption hls_options[] = {
{"live_start_index", "segment index to start live streams at (negative values are from the end)",
OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS},
{"allowed_extensions", "List of file extensions that hls is allowed to access",
OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
{.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
INT_MIN, INT_MAX, FLAGS},
{NULL}
};
+156 -57
View File
@@ -29,6 +29,7 @@
#include "libavutil/avstring.h"
#include "libavutil/opt.h"
#include "libavutil/time.h"
#include "libavutil/parseutils.h"
#include "avformat.h"
#include "http.h"
@@ -48,6 +49,8 @@
#define MAX_REDIRECTS 8
#define HTTP_SINGLE 1
#define HTTP_MUTLI 2
#define MAX_EXPIRY 19
#define WHITESPACES " \n\t\r"
typedef enum {
LOWER_PROTO,
READ_HEADERS,
@@ -680,10 +683,112 @@ static int parse_icy(HTTPContext *s, const char *tag, const char *p)
return 0;
}
static int parse_set_cookie_expiry_time(const char *exp_str, struct tm *buf)
{
char exp_buf[MAX_EXPIRY];
int i, j, exp_buf_len = MAX_EXPIRY-1;
char *expiry;
// strip off any punctuation or whitespace
for (i = 0, j = 0; exp_str[i] != '\0' && j < exp_buf_len; i++) {
if ((exp_str[i] >= '0' && exp_str[i] <= '9') ||
(exp_str[i] >= 'A' && exp_str[i] <= 'Z') ||
(exp_str[i] >= 'a' && exp_str[i] <= 'z')) {
exp_buf[j] = exp_str[i];
j++;
}
}
exp_buf[j] = '\0';
expiry = exp_buf;
// move the string beyond the day of week
while ((*expiry < '0' || *expiry > '9') && *expiry != '\0')
expiry++;
return av_small_strptime(expiry, "%d%b%Y%H%M%S", buf) ? 0 : AVERROR(EINVAL);
}
static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
{
char *param, *next_param, *cstr, *back;
if (!(cstr = av_strdup(set_cookie)))
return AVERROR(EINVAL);
// strip any trailing whitespace
back = &cstr[strlen(cstr)-1];
while (strchr(WHITESPACES, *back)) {
*back='\0';
back--;
}
next_param = cstr;
while ((param = av_strtok(next_param, ";", &next_param))) {
char *name, *value;
param += strspn(param, WHITESPACES);
if ((name = av_strtok(param, "=", &value))) {
if (av_dict_set(dict, name, value, 0) < 0) {
av_free(cstr);
return -1;
}
}
}
av_free(cstr);
return 0;
}
static int parse_cookie(HTTPContext *s, const char *p, AVDictionary **cookies)
{
AVDictionary *new_params = NULL;
AVDictionaryEntry *e, *cookie_entry;
char *eql, *name;
// ensure the cookie is parsable
if (parse_set_cookie(p, &new_params))
return -1;
// if there is no cookie value there is nothing to parse
cookie_entry = av_dict_get(new_params, "", NULL, AV_DICT_IGNORE_SUFFIX);
if (!cookie_entry || !cookie_entry->value) {
av_dict_free(&new_params);
return -1;
}
// ensure the cookie is not expired or older than an existing value
if ((e = av_dict_get(new_params, "expires", NULL, 0)) && e->value) {
struct tm new_tm = {0};
if (!parse_set_cookie_expiry_time(e->value, &new_tm)) {
AVDictionaryEntry *e2;
// if the cookie has already expired ignore it
if (av_timegm(&new_tm) < av_gettime() / 1000000) {
av_dict_free(&new_params);
return -1;
}
// only replace an older cookie with the same name
e2 = av_dict_get(*cookies, cookie_entry->key, NULL, 0);
if (e2 && e2->value) {
AVDictionary *old_params = NULL;
if (!parse_set_cookie(p, &old_params)) {
e2 = av_dict_get(old_params, "expires", NULL, 0);
if (e2 && e2->value) {
struct tm old_tm = {0};
if (!parse_set_cookie_expiry_time(e->value, &old_tm)) {
if (av_timegm(&new_tm) < av_timegm(&old_tm)) {
av_dict_free(&new_params);
av_dict_free(&old_params);
return -1;
}
}
}
}
av_dict_free(&old_params);
}
}
}
// duplicate the cookie name (dict will dupe the value)
if (!(eql = strchr(p, '='))) return AVERROR(EINVAL);
if (!(name = av_strndup(p, eql - p))) return AVERROR(ENOMEM);
@@ -868,7 +973,7 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path,
// cookie strings will look like Set-Cookie header field values. Multiple
// Set-Cookie fields will result in multiple values delimited by a newline
int ret = 0;
char *next, *cookie, *set_cookies = av_strdup(s->cookies), *cset_cookies = set_cookies;
char *cookie, *set_cookies = av_strdup(s->cookies), *next = set_cookies;
if (!set_cookies) return AVERROR(EINVAL);
@@ -876,87 +981,81 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path,
av_dict_free(&s->cookie_dict);
*cookies = NULL;
while ((cookie = av_strtok(set_cookies, "\n", &next))) {
int domain_offset = 0;
char *param, *next_param, *cdomain = NULL, *cpath = NULL, *cvalue = NULL;
set_cookies = NULL;
while ((cookie = av_strtok(next, "\n", &next))) {
AVDictionary *cookie_params = NULL;
AVDictionaryEntry *cookie_entry, *e;
// store the cookie in a dict in case it is updated in the response
if (parse_cookie(s, cookie, &s->cookie_dict))
av_log(s, AV_LOG_WARNING, "Unable to parse '%s'\n", cookie);
while ((param = av_strtok(cookie, "; ", &next_param))) {
if (cookie) {
// first key-value pair is the actual cookie value
cvalue = av_strdup(param);
cookie = NULL;
} else if (!av_strncasecmp("path=", param, 5)) {
av_free(cpath);
cpath = av_strdup(&param[5]);
} else if (!av_strncasecmp("domain=", param, 7)) {
// if the cookie specifies a sub-domain, skip the leading dot thereby
// supporting URLs that point to sub-domains and the master domain
int leading_dot = (param[7] == '.');
av_free(cdomain);
cdomain = av_strdup(&param[7+leading_dot]);
} else {
// ignore unknown attributes
// continue on to the next cookie if this one cannot be parsed
if (parse_set_cookie(cookie, &cookie_params))
continue;
// if the cookie has no value, skip it
cookie_entry = av_dict_get(cookie_params, "", NULL, AV_DICT_IGNORE_SUFFIX);
if (!cookie_entry || !cookie_entry->value) {
av_dict_free(&cookie_params);
continue;
}
// if the cookie has expired, don't add it
if ((e = av_dict_get(cookie_params, "expires", NULL, 0)) && e->value) {
struct tm tm_buf = {0};
if (!parse_set_cookie_expiry_time(e->value, &tm_buf)) {
if (av_timegm(&tm_buf) < av_gettime() / 1000000) {
av_dict_free(&cookie_params);
continue;
}
}
}
if (!cdomain)
cdomain = av_strdup(domain);
// ensure all of the necessary values are valid
if (!cdomain || !cpath || !cvalue) {
av_log(s, AV_LOG_WARNING,
"Invalid cookie found, no value, path or domain specified\n");
goto done_cookie;
// if no domain in the cookie assume it appied to this request
if ((e = av_dict_get(cookie_params, "domain", NULL, 0)) && e->value) {
// find the offset comparison is on the min domain (b.com, not a.b.com)
int domain_offset = strlen(domain) - strlen(e->value);
if (domain_offset < 0) {
av_dict_free(&cookie_params);
continue;
}
// match the cookie domain
if (av_strcasecmp(&domain[domain_offset], e->value)) {
av_dict_free(&cookie_params);
continue;
}
}
// check if the request path matches the cookie path
if (av_strncasecmp(path, cpath, strlen(cpath)))
goto done_cookie;
// the domain should be at least the size of our cookie domain
domain_offset = strlen(domain) - strlen(cdomain);
if (domain_offset < 0)
goto done_cookie;
// match the cookie domain
if (av_strcasecmp(&domain[domain_offset], cdomain))
goto done_cookie;
// ensure this cookie matches the path
e = av_dict_get(cookie_params, "path", NULL, 0);
if (!e || av_strncasecmp(path, e->value, strlen(e->value))) {
av_dict_free(&cookie_params);
continue;
}
// cookie parameters match, so copy the value
if (!*cookies) {
if (!(*cookies = av_strdup(cvalue))) {
if (!(*cookies = av_asprintf("%s=%s", cookie_entry->key, cookie_entry->value))) {
ret = AVERROR(ENOMEM);
goto done_cookie;
break;
}
} else {
char *tmp = *cookies;
size_t str_size = strlen(cvalue) + strlen(*cookies) + 3;
size_t str_size = strlen(cookie_entry->key) + strlen(cookie_entry->value) + strlen(*cookies) + 4;
if (!(*cookies = av_malloc(str_size))) {
ret = AVERROR(ENOMEM);
goto done_cookie;
av_free(tmp);
break;
}
snprintf(*cookies, str_size, "%s; %s", tmp, cvalue);
snprintf(*cookies, str_size, "%s; %s=%s", tmp, cookie_entry->key, cookie_entry->value);
av_free(tmp);
}
done_cookie:
av_freep(&cdomain);
av_freep(&cpath);
av_freep(&cvalue);
if (ret < 0) {
if (*cookies) av_freep(cookies);
av_free(cset_cookies);
return ret;
}
}
av_free(cset_cookies);
av_free(set_cookies);
return 0;
return ret;
}
static inline int has_header(const char *str, const char *header)
+4 -4
View File
@@ -1232,8 +1232,8 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
sc->time_scale = avio_rb32(pb);
if (sc->time_scale <= 0) {
av_log(c->fc, AV_LOG_ERROR, "Invalid mdhd time scale %d\n", sc->time_scale);
return AVERROR_INVALIDDATA;
av_log(c->fc, AV_LOG_ERROR, "Invalid mdhd time scale %d, defaulting to 1\n", sc->time_scale);
sc->time_scale = 1;
}
st->duration = (version == 1) ? avio_rb64(pb) : avio_rb32(pb); /* duration */
@@ -1262,8 +1262,8 @@ static int mov_read_mvhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
mov_metadata_creation_time(&c->fc->metadata, creation_time);
c->time_scale = avio_rb32(pb); /* time scale */
if (c->time_scale <= 0) {
av_log(c->fc, AV_LOG_ERROR, "Invalid mvhd time scale %d\n", c->time_scale);
return AVERROR_INVALIDDATA;
av_log(c->fc, AV_LOG_ERROR, "Invalid mvhd time scale %d, defaulting to 1\n", c->time_scale);
c->time_scale = 1;
}
av_log(c->fc, AV_LOG_TRACE, "time scale = %i\n", c->time_scale);
+1 -1
View File
@@ -732,7 +732,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt)
av_log(s, AV_LOG_WARNING, "failed to avoid negative "
"pts %s in stream %d.\n"
"Try -avoid_negative_ts 1 as a possible workaround.\n",
av_ts2str(pkt->dts),
av_ts2str(pkt->pts),
pkt->stream_index
);
}
+12
View File
@@ -102,6 +102,18 @@ static const AVClass av_format_context_class = {
static int io_open_default(AVFormatContext *s, AVIOContext **pb,
const char *url, int flags, AVDictionary **options)
{
int loglevel;
if (!strcmp(url, s->filename) ||
s->iformat && !strcmp(s->iformat->name, "image2") ||
s->oformat && !strcmp(s->oformat->name, "image2")
) {
loglevel = AV_LOG_DEBUG;
} else
loglevel = AV_LOG_INFO;
av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading");
#if FF_API_OLD_OPEN_CALLBACKS
FF_DISABLE_DEPRECATION_WARNINGS
if (s->open_cb)
+1 -1
View File
@@ -533,6 +533,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename,
if ((ret = av_opt_set_dict(s, &tmp)) < 0)
goto fail;
av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename));
if ((ret = init_input(s, filename, &tmp)) < 0)
goto fail;
s->probe_score = ret;
@@ -570,7 +571,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename,
}
s->duration = s->start_time = AV_NOPTS_VALUE;
av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename));
/* Allocate private data. */
if (s->iformat->priv_data_size > 0) {
+8 -1
View File
@@ -121,6 +121,13 @@ static void dxva2_frames_uninit(AVHWFramesContext *ctx)
}
}
static void dxva2_pool_release_dummy(void *opaque, uint8_t *data)
{
// important not to free anything here--data is a surface object
// associated with the call to CreateSurface(), and these surfaces are
// released in dxva2_frames_uninit()
}
static AVBufferRef *dxva2_pool_alloc(void *opaque, int size)
{
AVHWFramesContext *ctx = (AVHWFramesContext*)opaque;
@@ -130,7 +137,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size)
if (s->nb_surfaces_used < hwctx->nb_surfaces) {
s->nb_surfaces_used++;
return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1],
sizeof(*hwctx->surfaces), NULL, 0, 0);
sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0);
}
return NULL;
+2 -3
View File
@@ -30,9 +30,8 @@
# define NDEBUG
#endif
#if defined(DEBUG) && !defined(CHECKED)
# define CHECKED
#endif
// This can be enabled to allow detection of additional integer overflows with ubsan
//#define CHECKED
#include <limits.h>
#include <stdint.h>
+4 -2
View File
@@ -177,8 +177,10 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){
//FIXME log, exp, pow
/**
* Converts a mantisse and exponent to a SoftFloat
* @returns a SoftFloat with value v * 2^frac_bits
* Converts a mantisse and exponent to a SoftFloat.
* This converts a fixed point value v with frac_bits fractional bits to a
* SoftFloat.
* @returns a SoftFloat with value v * 2^-frac_bits
*/
static inline av_const SoftFloat av_int2sf(int v, int frac_bits){
int exp_offset = 0;