[SCM] libav/master: Imported Upstream version 9.11
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Wed Feb 5 00:16:44 UTC 2014
The following commit has been merged in the master branch:
commit 40bd8c78f2269d0265460c78a48849de8f7092ad
Author: Reinhard Tartler <siretart at tauware.de>
Date: Wed Feb 5 00:02:46 2014 +0000
Imported Upstream version 9.11
diff --git a/Changelog b/Changelog
index 594a6ff..bc18fef 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,35 @@
Releases are sorted from youngest to oldest.
+version 9.11:
+- oggparseogm: check timing variables
+- mathematics: remove asserts from av_rescale_rnd()
+- vc1: Always reset numref when parsing a new frame header.
+- h264: reset num_reorder_frames if it is invalid
+- h264: check that an IDR NAL only contains I slices
+- mov: Free an earlier allocated array if allocating a new one
+- mov: Free intermediate arrays in the normal cleanup function
+- segafilm: fix leaks if reading the header fails
+- h264_cavlc: check the size of the intra PCM data.
+- h263: Check init_get_bits return value
+- cavsdec: check ff_get_buffer() return value
+- cavs: Check for negative cbp
+- avi: DV in AVI must be considered single stream
+- vmnc: Check the cursor dimensions
+- vmnc: Port to bytestream2
+- vmnc: K&R formatting cosmetics
+- flashsv: Check diff_start diff_height values
+- dsputil/pngdsp: fix signed/unsigned type in end comparison (CVE-2013-7010, CVE-2013-7014)
+- lavf: make av_probe_input_buffer more robust (CVE-2012-6618)
+- lavf: use a fixed width type
+- lavf: simplify handling of offset in av_probe_input_buffer()
+- prores: Error out only on surely incomplete ac_coeffs
+- shorten: Fix out-of-array read
+- prores: Add a codepath for decoding errors
+- nut: Fix unchecked allocations
+- avi: directly resync on DV in AVI read failure
+- mov: Don't allocate arrays with av_malloc that will be realloced
+- shorten: Extend fixed_coeffs to properly support pred_order 0
+
version 9.10:
- alac: Do bounds checking of lpc_order read from the bitstream
- ape: Don't allow the seektable to be omitted
diff --git a/RELEASE b/RELEASE
index 5f3c440..d4ce17d 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-9.10
+9.11
diff --git a/VERSION b/VERSION
index 5f3c440..d4ce17d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-9.10
+9.11
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 51ac334..ce14737 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1398,7 +1398,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
for (ch = 0; ch < s->out_channels; ch++)
output[ch] = s->outptr[channel_map[ch]];
- for (ch = 0; ch < s->channels; ch++)
+ for (ch = 0; ch < s->out_channels; ch++)
s->outptr[ch] += AC3_BLOCK_SIZE;
}
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index f1d01a2..cb942c2 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1380,6 +1380,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
for (b = 0; b < ctx->num_blocks; b++) {
bd.block_length = div_blocks[b];
+ if (bd.block_length <= 0) {
+ av_log(ctx->avctx, AV_LOG_WARNING,
+ "Invalid block length %d in channel data!\n", bd.block_length);
+ continue;
+ }
for (c = 0; c < avctx->channels; c++) {
bd.const_block = ctx->const_block + c;
diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S
index 04208c2..b1906c8 100644
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -41,10 +41,10 @@ function ff_scalarproduct_int16_neon, export=1
vpadd.s32 d16, d0, d1
vpadd.s32 d17, d2, d3
- vpadd.s32 d10, d4, d5
- vpadd.s32 d11, d6, d7
+ vpadd.s32 d18, d4, d5
+ vpadd.s32 d19, d6, d7
vpadd.s32 d0, d16, d17
- vpadd.s32 d1, d10, d11
+ vpadd.s32 d1, d18, d19
vpadd.s32 d2, d0, d1
vpaddl.s32 d3, d2
vmov.32 r0, d3[0]
@@ -81,10 +81,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1
vpadd.s32 d16, d0, d1
vpadd.s32 d17, d2, d3
- vpadd.s32 d10, d4, d5
- vpadd.s32 d11, d6, d7
+ vpadd.s32 d18, d4, d5
+ vpadd.s32 d19, d6, d7
vpadd.s32 d0, d16, d17
- vpadd.s32 d1, d10, d11
+ vpadd.s32 d1, d18, d19
vpadd.s32 d2, d0, d1
vpaddl.s32 d3, d2
vmov.32 r0, d3[0]
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 7cfb2ca..c68f7b2 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -602,8 +602,8 @@ static inline int decode_residual_inter(AVSContext *h)
/* get coded block pattern */
int cbp = get_ue_golomb(&h->gb);
- if (cbp > 63) {
- av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+ if (cbp > 63 || cbp < 0) {
+ av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
return -1;
}
h->cbp = cbp_tab[cbp][1];
@@ -673,7 +673,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
/* get coded block pattern */
if (h->cur.f->pict_type == AV_PICTURE_TYPE_I)
cbp_code = get_ue_golomb(gb);
- if (cbp_code > 63) {
+ if (cbp_code > 63 || cbp_code < 0) {
av_log(h->avctx, AV_LOG_ERROR, "illegal intra cbp\n");
return -1;
}
@@ -928,6 +928,7 @@ static inline int check_for_slice(AVSContext *h)
static int decode_pic(AVSContext *h)
{
+ int ret;
int skip_count = -1;
enum cavs_mb mb_type;
@@ -965,7 +966,9 @@ static int decode_pic(AVSContext *h)
if (h->cur.f->data[0])
h->avctx->release_buffer(h->avctx, h->cur.f);
- ff_get_buffer(h->avctx, h->cur.f);
+ ret = ff_get_buffer(h->avctx, h->cur.f);
+ if (ret < 0)
+ return ret;
if (!h->edge_emu_buffer) {
int alloc_size = FFALIGN(FFABS(h->cur.f->linesize[0]) + 32, 32);
diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index 4696bc7..338c314 100644
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1800,7 +1800,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
long i;
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
long a = *(long*)(src+i);
long b = *(long*)(dst+i);
*(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1825,7 +1825,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
}
}else
#endif
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
long a = *(long*)(src1+i);
long b = *(long*)(src2+i);
*(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c
index b7e13b1..4c65f6f 100644
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -119,7 +119,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t *buf_end)
{
- int pal_start, pal_count, i;
+ int pal_start, pal_count, i, fps;
if(buf_end - buf < 16) {
av_log(s->avctx, AV_LOG_WARNING, "truncated header\n");
@@ -131,8 +131,9 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
if (s->avctx->width!=s->width || s->avctx->height!=s->height)
avcodec_set_dimensions(s->avctx, s->width, s->height);
- s->avctx->time_base.num = 1;
- s->avctx->time_base.den = AV_RL16(&buf[10]);
+ fps = AV_RL16(&buf[10]);
+ if (fps > 0)
+ s->avctx->time_base = (AVRational){ 1, fps };
pal_start = AV_RL16(&buf[12]);
pal_count = AV_RL16(&buf[14]);
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 97e2bd5..e74598c 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -670,6 +670,7 @@ static int read_header(FFV1Context *f)
return AVERROR(ENOSYS);
}
switch (f->avctx->bits_per_raw_sample) {
+ case 0:
case 8:
f->avctx->pix_fmt = AV_PIX_FMT_RGB32;
break;
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 3c5a35c..d55616e 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -384,6 +384,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
}
s->diff_start = get_bits(&gb, 8);
s->diff_height = get_bits(&gb, 8);
+ if (s->diff_start + s->diff_height > cur_blk_height) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Block parameters invalid: %d + %d > %d\n",
+ s->diff_start, s->diff_height, cur_blk_height);
+ return AVERROR_INVALIDDATA;
+ }
av_log(avctx, AV_LOG_DEBUG,
"%dx%d diff start %d height %d\n",
i, j, s->diff_start, s->diff_height);
diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
index 8f1d694..99c24d5 100644
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -49,8 +49,7 @@ typedef struct GifState {
int gce_delay;
/* LZW compatible decoder */
- const uint8_t *bytestream;
- const uint8_t *bytestream_end;
+ GetByteContext gb;
LZWState *lzw;
/* aux buffers */
@@ -69,11 +68,11 @@ static int gif_read_image(GifState *s)
int is_interleaved, has_local_palette, y, pass, y1, linesize, n, i;
uint8_t *ptr, *spal, *palette, *ptr1;
- left = bytestream_get_le16(&s->bytestream);
- top = bytestream_get_le16(&s->bytestream);
- width = bytestream_get_le16(&s->bytestream);
- height = bytestream_get_le16(&s->bytestream);
- flags = bytestream_get_byte(&s->bytestream);
+ left = bytestream2_get_le16(&s->gb);
+ top = bytestream2_get_le16(&s->gb);
+ width = bytestream2_get_le16(&s->gb);
+ height = bytestream2_get_le16(&s->gb);
+ flags = bytestream2_get_byte(&s->gb);
is_interleaved = flags & 0x40;
has_local_palette = flags & 0x80;
bits_per_pixel = (flags & 0x07) + 1;
@@ -81,7 +80,7 @@ static int gif_read_image(GifState *s)
av_dlog(s->avctx, "gif: image x=%d y=%d w=%d h=%d\n", left, top, width, height);
if (has_local_palette) {
- bytestream_get_buffer(&s->bytestream, s->local_palette, 3 * (1 << bits_per_pixel));
+ bytestream2_get_buffer(&s->gb, s->local_palette, 3 * (1 << bits_per_pixel));
palette = s->local_palette;
} else {
palette = s->global_palette;
@@ -90,8 +89,11 @@ static int gif_read_image(GifState *s)
/* verify that all the image is inside the screen dimensions */
if (left + width > s->screen_width ||
- top + height > s->screen_height)
- return AVERROR(EINVAL);
+ top + height > s->screen_height ||
+ !width || !height) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid image dimensions.\n");
+ return AVERROR_INVALIDDATA;
+ }
/* build the palette */
n = (1 << bits_per_pixel);
@@ -107,9 +109,9 @@ static int gif_read_image(GifState *s)
s->image_palette[s->transparent_color_index] = 0;
/* now get the image data */
- code_size = bytestream_get_byte(&s->bytestream);
- ff_lzw_decode_init(s->lzw, code_size, s->bytestream,
- s->bytestream_end - s->bytestream, FF_LZW_GIF);
+ code_size = bytestream2_get_byte(&s->gb);
+ ff_lzw_decode_init(s->lzw, code_size, s->gb.buffer,
+ bytestream2_get_bytes_left(&s->gb), FF_LZW_GIF);
/* read all the image */
linesize = s->picture.linesize[0];
@@ -152,7 +154,8 @@ static int gif_read_image(GifState *s)
}
/* read the garbage data until end marker is found */
ff_lzw_decode_tail(s->lzw);
- s->bytestream = ff_lzw_cur_ptr(s->lzw);
+
+ bytestream2_skip(&s->gb, ff_lzw_size_read(s->lzw));
return 0;
}
@@ -161,8 +164,8 @@ static int gif_read_extension(GifState *s)
int ext_code, ext_len, i, gce_flags, gce_transparent_index;
/* extension */
- ext_code = bytestream_get_byte(&s->bytestream);
- ext_len = bytestream_get_byte(&s->bytestream);
+ ext_code = bytestream2_get_byte(&s->gb);
+ ext_len = bytestream2_get_byte(&s->gb);
av_dlog(s->avctx, "gif: ext_code=0x%x len=%d\n", ext_code, ext_len);
@@ -171,9 +174,9 @@ static int gif_read_extension(GifState *s)
if (ext_len != 4)
goto discard_ext;
s->transparent_color_index = -1;
- gce_flags = bytestream_get_byte(&s->bytestream);
- s->gce_delay = bytestream_get_le16(&s->bytestream);
- gce_transparent_index = bytestream_get_byte(&s->bytestream);
+ gce_flags = bytestream2_get_byte(&s->gb);
+ s->gce_delay = bytestream2_get_le16(&s->gb);
+ gce_transparent_index = bytestream2_get_byte(&s->gb);
if (gce_flags & 0x01)
s->transparent_color_index = gce_transparent_index;
else
@@ -184,7 +187,7 @@ static int gif_read_extension(GifState *s)
gce_flags, s->gce_delay,
s->transparent_color_index, s->gce_disposal);
- ext_len = bytestream_get_byte(&s->bytestream);
+ ext_len = bytestream2_get_byte(&s->gb);
break;
}
@@ -192,8 +195,8 @@ static int gif_read_extension(GifState *s)
discard_ext:
while (ext_len != 0) {
for (i = 0; i < ext_len; i++)
- bytestream_get_byte(&s->bytestream);
- ext_len = bytestream_get_byte(&s->bytestream);
+ bytestream2_get_byte(&s->gb);
+ ext_len = bytestream2_get_byte(&s->gb);
av_dlog(s->avctx, "gif: ext_len1=%d\n", ext_len);
}
@@ -206,31 +209,31 @@ static int gif_read_header1(GifState *s)
int v, n;
int has_global_palette;
- if (s->bytestream_end < s->bytestream + 13)
- return -1;
+ if (bytestream2_get_bytes_left(&s->gb) < 13)
+ return AVERROR_INVALIDDATA;
/* read gif signature */
- bytestream_get_buffer(&s->bytestream, sig, 6);
+ bytestream2_get_buffer(&s->gb, sig, 6);
if (memcmp(sig, gif87a_sig, 6) != 0 &&
memcmp(sig, gif89a_sig, 6) != 0)
- return -1;
+ return AVERROR_INVALIDDATA;
/* read screen header */
s->transparent_color_index = -1;
- s->screen_width = bytestream_get_le16(&s->bytestream);
- s->screen_height = bytestream_get_le16(&s->bytestream);
+ s->screen_width = bytestream2_get_le16(&s->gb);
+ s->screen_height = bytestream2_get_le16(&s->gb);
if( (unsigned)s->screen_width > 32767
|| (unsigned)s->screen_height > 32767){
av_log(NULL, AV_LOG_ERROR, "picture size too large\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
- v = bytestream_get_byte(&s->bytestream);
+ v = bytestream2_get_byte(&s->gb);
s->color_resolution = ((v & 0x70) >> 4) + 1;
has_global_palette = (v & 0x80);
s->bits_per_pixel = (v & 0x07) + 1;
- s->background_color_index = bytestream_get_byte(&s->bytestream);
- bytestream_get_byte(&s->bytestream); /* ignored */
+ s->background_color_index = bytestream2_get_byte(&s->gb);
+ bytestream2_get_byte(&s->gb); /* ignored */
av_dlog(s->avctx, "gif: screen_w=%d screen_h=%d bpp=%d global_palette=%d\n",
s->screen_width, s->screen_height, s->bits_per_pixel,
@@ -238,17 +241,18 @@ static int gif_read_header1(GifState *s)
if (has_global_palette) {
n = 1 << s->bits_per_pixel;
- if (s->bytestream_end < s->bytestream + n * 3)
- return -1;
- bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3);
+ if (bytestream2_get_bytes_left(&s->gb) < n * 3)
+ return AVERROR_INVALIDDATA;
+ bytestream2_get_buffer(&s->gb, s->global_palette, n * 3);
}
return 0;
}
static int gif_parse_next_image(GifState *s)
{
- while (s->bytestream < s->bytestream_end) {
- int code = bytestream_get_byte(&s->bytestream);
+ while (bytestream2_get_bytes_left(&s->gb) > 0) {
+ int code = bytestream2_get_byte(&s->gb);
+ int ret;
av_dlog(s->avctx, "gif: code=%02x '%c'\n", code, code);
@@ -256,17 +260,17 @@ static int gif_parse_next_image(GifState *s)
case ',':
return gif_read_image(s);
case '!':
- if (gif_read_extension(s) < 0)
- return -1;
+ if ((ret = gif_read_extension(s)) < 0)
+ return ret;
break;
case ';':
/* end of image */
default:
/* error or erroneous EOF */
- return -1;
+ return AVERROR_INVALIDDATA;
}
}
- return -1;
+ return AVERROR_INVALIDDATA;
}
static av_cold int gif_decode_init(AVCodecContext *avctx)
@@ -291,21 +295,20 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
AVFrame *picture = data;
int ret;
- s->bytestream = buf;
- s->bytestream_end = buf + buf_size;
- if (gif_read_header1(s) < 0)
- return -1;
+ bytestream2_init(&s->gb, buf, buf_size);
+ if ((ret = gif_read_header1(s)) < 0)
+ return ret;
avctx->pix_fmt = AV_PIX_FMT_PAL8;
- if (av_image_check_size(s->screen_width, s->screen_height, 0, avctx))
- return -1;
+ if ((ret = av_image_check_size(s->screen_width, s->screen_height, 0, avctx)) < 0)
+ return ret;
avcodec_set_dimensions(avctx, s->screen_width, s->screen_height);
if (s->picture.data[0])
avctx->release_buffer(avctx, &s->picture);
- if (ff_get_buffer(avctx, &s->picture) < 0) {
+ if ((ret = ff_get_buffer(avctx, &s->picture)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
- return -1;
+ return ret;
}
s->image_palette = (uint32_t *)s->picture.data[1];
ret = gif_parse_next_image(s);
@@ -314,7 +317,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
*picture = s->picture;
*got_frame = 1;
- return s->bytestream - buf;
+ return bytestream2_tell(&s->gb);
}
static av_cold int gif_decode_close(AVCodecContext *avctx)
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index db58fd2..47e903a 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -384,17 +384,20 @@ uint64_t time= rdtsc();
return buf_size;
}
+ if (s->bitstream_buffer_size && (s->divx_packed || buf_size < 20)) // divx 5.01+/xvid frame reorder
+ ret = init_get_bits8(&s->gb, s->bitstream_buffer,
+ s->bitstream_buffer_size);
+ else
+ ret = init_get_bits8(&s->gb, buf, buf_size);
+ s->bitstream_buffer_size = 0;
- if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder
- init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8);
- }else
- init_get_bits(&s->gb, buf, buf_size*8);
- s->bitstream_buffer_size=0;
+ if (ret < 0)
+ return ret;
- if (!s->context_initialized) {
- if (ff_MPV_common_init(s) < 0) //we need the idct permutaton for reading a custom matrix
- return -1;
- }
+ if (!s->context_initialized)
+ // we need the idct permutaton for reading a custom matrix
+ if ((ret = ff_MPV_common_init(s)) < 0)
+ return ret;
/* We need to set current_picture_ptr before reading the header,
* otherwise we cannot store anyting in there */
@@ -414,8 +417,11 @@ uint64_t time= rdtsc();
if(s->avctx->extradata_size && s->picture_number==0){
GetBitContext gb;
- init_get_bits(&gb, s->avctx->extradata, s->avctx->extradata_size*8);
- ret = ff_mpeg4_decode_picture_header(s, &gb);
+ ret = init_get_bits8(&gb, s->avctx->extradata,
+ s->avctx->extradata_size);
+ if (ret < 0)
+ return ret;
+ ff_mpeg4_decode_picture_header(s, &gb);
}
ret = ff_mpeg4_decode_picture_header(s, &s->gb);
} else if (CONFIG_H263I_DECODER && s->codec_id == AV_CODEC_ID_H263I) {
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 8625b0f..b256969 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -60,9 +60,15 @@ static const uint8_t div6[QP_MAX_NUM + 1] = {
};
static const enum AVPixelFormat hwaccel_pixfmt_list_h264_jpeg_420[] = {
+#if CONFIG_H264_DXVA2_HWACCEL
AV_PIX_FMT_DXVA2_VLD,
+#endif
+#if CONFIG_H264_VAAPI_HWACCEL
AV_PIX_FMT_VAAPI_VLD,
+#endif
+#if CONFIG_H264_VDA_HWACCEL
AV_PIX_FMT_VDA_VLD,
+#endif
AV_PIX_FMT_YUVJ420P,
AV_PIX_FMT_NONE
};
@@ -2649,6 +2655,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->slice_type = slice_type;
h->slice_type_nos = slice_type & 3;
+ if (h->nal_unit_type == NAL_IDR_SLICE &&
+ h->slice_type_nos != AV_PICTURE_TYPE_I) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
// to make a few old functions happy, it's wrong though
s->pict_type = h->slice_type;
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 0cc7214..c01e94b 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -770,6 +770,10 @@ decode_intra_mb:
// We assume these blocks are very rare so we do not optimize it.
align_get_bits(&s->gb);
+ if (get_bits_left(&s->gb) < mb_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+ return AVERROR_INVALIDDATA;
+ }
// The pixels are stored in the same order as levels in h->mb array.
for(x=0; x < mb_size; x++){
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index ff6c077..fad2d77 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -236,7 +236,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
}
if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
- av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+ av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+ sps->num_reorder_frames);
+ sps->num_reorder_frames = 16;
return -1;
}
}
diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 42b1130..b250f50 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -294,6 +294,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
band->is_empty = get_bits1(&ctx->gb);
if (!band->is_empty) {
+ int old_blk_size = band->blk_size;
/* skip header size
* If header size is not given, header size is 4 bytes. */
if (get_bits1(&ctx->gb))
@@ -370,13 +371,28 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
band->scan = scan_index_to_tab[scan_indx];
band->quant_mat = get_bits(&ctx->gb, 5);
- if (band->quant_mat == 31) {
- av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n");
- return AVERROR_INVALIDDATA;
- }
if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) {
av_log_ask_for_sample(avctx, "Quantization matrix %d",
band->quant_mat);
+
+ if (band->quant_mat == 31)
+ av_log(avctx, AV_LOG_ERROR,
+ "Custom quant matrix encountered!\n");
+ else
+ av_log_ask_for_sample(avctx, "Quantization matrix %d",
+ band->quant_mat);
+ band->quant_mat = -1;
+ return AVERROR_INVALIDDATA;
+ }
+ } else {
+ if (old_blk_size != band->blk_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "The band block size does not match the configuration "
+ "inherited\n");
+ return AVERROR_INVALIDDATA;
+ }
+ if (band->quant_mat < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid quant_mat inherited\n");
return AVERROR_INVALIDDATA;
}
}
diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c
index 2c99014..fae5687 100644
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -28,6 +28,7 @@
*/
#include "avcodec.h"
+#include "bytestream.h"
#include "lzw.h"
#include "libavutil/mem.h"
@@ -43,7 +44,7 @@ static const uint16_t mask[17] =
};
struct LZWState {
- const uint8_t *pbuf, *ebuf;
+ GetByteContext gb;
int bbits;
unsigned int bbuf;
@@ -73,9 +74,9 @@ static int lzw_get_code(struct LZWState * s)
if(s->mode == FF_LZW_GIF) {
while (s->bbits < s->cursize) {
if (!s->bs) {
- s->bs = *s->pbuf++;
+ s->bs = bytestream2_get_byte(&s->gb);
}
- s->bbuf |= (*s->pbuf++) << s->bbits;
+ s->bbuf |= bytestream2_get_byte(&s->gb) << s->bbits;
s->bbits += 8;
s->bs--;
}
@@ -83,7 +84,7 @@ static int lzw_get_code(struct LZWState * s)
s->bbuf >>= s->cursize;
} else { // TIFF
while (s->bbits < s->cursize) {
- s->bbuf = (s->bbuf << 8) | (*s->pbuf++);
+ s->bbuf = (s->bbuf << 8) | bytestream2_get_byte(&s->gb);
s->bbits += 8;
}
c = s->bbuf >> (s->bbits - s->cursize);
@@ -92,9 +93,10 @@ static int lzw_get_code(struct LZWState * s)
return c & s->curmask;
}
-const uint8_t* ff_lzw_cur_ptr(LZWState *p)
+int ff_lzw_size_read(LZWState *p)
{
- return ((struct LZWState*)p)->pbuf;
+ struct LZWState *s = p;
+ return bytestream2_tell(&s->gb);
}
void ff_lzw_decode_tail(LZWState *p)
@@ -102,17 +104,12 @@ void ff_lzw_decode_tail(LZWState *p)
struct LZWState *s = (struct LZWState *)p;
if(s->mode == FF_LZW_GIF) {
- while (s->bs > 0) {
- if (s->bs >= s->ebuf - s->pbuf) {
- s->pbuf = s->ebuf;
- break;
- } else {
- s->pbuf += s->bs;
- s->bs = *s->pbuf++;
- }
+ while (s->bs > 0 && bytestream2_get_bytes_left(&s->gb)) {
+ bytestream2_skip(&s->gb, s->bs);
+ s->bs = bytestream2_get_byte(&s->gb);
}
}else
- s->pbuf= s->ebuf;
+ bytestream2_skip(&s->gb, bytestream2_get_bytes_left(&s->gb));
}
av_cold void ff_lzw_decode_open(LZWState **p)
@@ -140,8 +137,7 @@ int ff_lzw_decode_init(LZWState *p, int csize, const uint8_t *buf, int buf_size,
if(csize < 1 || csize >= LZW_MAXBITS)
return -1;
/* read buffer */
- s->pbuf = buf;
- s->ebuf = s->pbuf + buf_size;
+ bytestream2_init(&s->gb, buf, buf_size);
s->bbuf = 0;
s->bbits = 0;
s->bs = 0;
diff --git a/libavcodec/lzw.h b/libavcodec/lzw.h
index ab782f5..d925d35 100644
--- a/libavcodec/lzw.h
+++ b/libavcodec/lzw.h
@@ -47,7 +47,7 @@ void ff_lzw_decode_open(LZWState **p);
void ff_lzw_decode_close(LZWState **p);
int ff_lzw_decode_init(LZWState *s, int csize, const uint8_t *buf, int buf_size, int mode);
int ff_lzw_decode(LZWState *s, uint8_t *buf, int len);
-const uint8_t* ff_lzw_cur_ptr(LZWState *lzw);
+int ff_lzw_size_read(LZWState *lzw);
void ff_lzw_decode_tail(LZWState *lzw);
/** LZW encode state */
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index c2bd0f4..4c0b98b 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -159,6 +159,7 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb)
int i;
i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1);
+ i = FFMIN(i, FF_ARRAY_ELEMS(mp->codes) - 1);
return mp->codes[i].delta;
}
diff --git a/libavcodec/mpeg4video.h b/libavcodec/mpeg4video.h
index 64c0243..0dec893 100644
--- a/libavcodec/mpeg4video.h
+++ b/libavcodec/mpeg4video.h
@@ -110,6 +110,7 @@ int ff_mpeg4_set_direct_mv(MpegEncContext *s, int mx, int my);
extern uint8_t ff_mpeg4_static_rl_table_store[3][2][2*MAX_RUN + MAX_LEVEL + 3];
+void ff_mpeg4_init_tables(void);
#if 0 //3IV1 is quite rare and it slows things down a tiny bit
#define IS_3IV1 s->codec_tag == AV_RL32("3IV1")
diff --git a/libavcodec/mpeg4video_parser.c b/libavcodec/mpeg4video_parser.c
index e291262..6587d7f 100644
--- a/libavcodec/mpeg4video_parser.c
+++ b/libavcodec/mpeg4video_parser.c
@@ -100,6 +100,8 @@ static av_cold int mpeg4video_parse_init(AVCodecParserContext *s)
{
struct Mp4vParseContext *pc = s->priv_data;
+ ff_mpeg4_init_tables();
+
pc->first_picture = 1;
pc->enc.slice_context_count = 1;
return 0;
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 7ff290c..3e8c8f7 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -45,6 +45,33 @@ static const int mb_type_b_map[4]= {
MB_TYPE_L0 | MB_TYPE_16x16,
};
+void ff_mpeg4_init_tables(void)
+{
+ static int done = 0;
+ if (!done) {
+ done = 1;
+
+ ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]);
+ ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]);
+ ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]);
+ INIT_VLC_RL(ff_mpeg4_rl_intra, 554);
+ INIT_VLC_RL(ff_rvlc_rl_inter, 1072);
+ INIT_VLC_RL(ff_rvlc_rl_intra, 1072);
+ INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */,
+ &ff_mpeg4_DCtab_lum[0][1], 2, 1,
+ &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512);
+ INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */,
+ &ff_mpeg4_DCtab_chrom[0][1], 2, 1,
+ &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512);
+ INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15,
+ &ff_sprite_trajectory_tab[0][1], 4, 2,
+ &ff_sprite_trajectory_tab[0][0], 4, 2, 128);
+ INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4,
+ &ff_mb_type_b_tab[0][1], 2, 1,
+ &ff_mb_type_b_tab[0][0], 2, 1, 16);
+ }
+}
+
/**
* Predict the ac.
* @param n block index (0-3 are luma, 4-5 are chroma)
@@ -2202,7 +2229,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
{
MpegEncContext *s = avctx->priv_data;
int ret;
- static int done = 0;
+
+ ff_mpeg4_init_tables();
s->divx_version=
s->divx_build=
@@ -2212,29 +2240,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
if((ret=ff_h263_decode_init(avctx)) < 0)
return ret;
- if (!done) {
- done = 1;
-
- ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]);
- ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]);
- ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]);
- INIT_VLC_RL(ff_mpeg4_rl_intra, 554);
- INIT_VLC_RL(ff_rvlc_rl_inter, 1072);
- INIT_VLC_RL(ff_rvlc_rl_intra, 1072);
- INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */,
- &ff_mpeg4_DCtab_lum[0][1], 2, 1,
- &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512);
- INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */,
- &ff_mpeg4_DCtab_chrom[0][1], 2, 1,
- &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512);
- INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15,
- &ff_sprite_trajectory_tab[0][1], 4, 2,
- &ff_sprite_trajectory_tab[0][0], 4, 2, 128);
- INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4,
- &ff_mb_type_b_tab[0][1], 2, 1,
- &ff_mb_type_b_tab[0][0], 2, 1, 16);
- }
-
s->h263_pred = 1;
s->low_delay = 0; //default, might be overriden in the vol header during header parsing
s->decode_mb= mpeg4_decode_mb;
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 0274f01..eb71670 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -131,9 +131,15 @@ const enum AVPixelFormat ff_pixfmt_list_420[] = {
};
const enum AVPixelFormat ff_hwaccel_pixfmt_list_420[] = {
+#if CONFIG_H264_DXVA2_HWACCEL
AV_PIX_FMT_DXVA2_VLD,
+#endif
+#if CONFIG_H264_VAAPI_HWACCEL
AV_PIX_FMT_VAAPI_VLD,
+#endif
+#if CONFIG_H264_VDA_HWACCEL
AV_PIX_FMT_VDA_VLD,
+#endif
AV_PIX_FMT_YUV420P,
AV_PIX_FMT_NONE
};
@@ -1515,8 +1521,12 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
s->last_picture_ptr->owner2 = s;
}
- assert(s->pict_type == AV_PICTURE_TYPE_I || (s->last_picture_ptr &&
- s->last_picture_ptr->f.data[0]));
+ if (s->pict_type != AV_PICTURE_TYPE_I &&
+ !(s->last_picture_ptr && s->last_picture_ptr->f.data[0])) {
+ av_log(s, AV_LOG_ERROR,
+ "Non-reference picture received and no reference available\n");
+ return AVERROR_INVALIDDATA;
+ }
if (s->picture_structure!= PICT_FRAME && s->out_format != FMT_H264) {
int i;
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 223429d..4bc9adc 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -120,7 +120,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
nplanes = buf[65];
bytes_per_scanline = nplanes * bytes_per_line;
- if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 ||
+ if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 ||
(!compressed && bytes_per_scanline > buf_size / h)) {
av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
return -1;
diff --git a/libavcodec/pngdsp.c b/libavcodec/pngdsp.c
index 00734d7..9220c20 100644
--- a/libavcodec/pngdsp.c
+++ b/libavcodec/pngdsp.c
@@ -30,7 +30,7 @@
static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w)
{
long i;
- for (i = 0; i <= w - sizeof(long); i += sizeof(long)) {
+ for (i = 0; i <= w - (int)sizeof(long); i += sizeof(long)) {
long a = *(long *)(src1 + i);
long b = *(long *)(src2 + i);
*(long *)(dst + i) = ((a & pb_7f) + (b & pb_7f)) ^ ((a ^ b) & pb_80);
diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c
index 4b196f6..2049545 100644
--- a/libavcodec/proresdec.c
+++ b/libavcodec/proresdec.c
@@ -368,7 +368,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out,
/**
* Decode AC coefficients for all blocks in a slice.
*/
-static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
+static inline int decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
int blocks_per_slice,
int plane_size_factor,
const uint8_t *scan)
@@ -389,15 +389,19 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
bits_left = get_bits_left(gb);
if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
- return;
+ return 0;
run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]);
+ if (run < 0)
+ return AVERROR_INVALIDDATA;
bits_left = get_bits_left(gb);
if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
- return;
+ return AVERROR_INVALIDDATA;
level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1;
+ if (level < 0)
+ return AVERROR_INVALIDDATA;
pos += run + 1;
if (pos >= max_coeffs)
@@ -407,22 +411,24 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
out[((pos & block_mask) << 6) + scan[pos >> plane_size_factor]] =
(level ^ sign) - sign;
}
+
+ return 0;
}
/**
* Decode a slice plane (luma or chroma).
*/
-static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
- const uint8_t *buf,
- int data_size, uint16_t *out_ptr,
- int linesize, int mbs_per_slice,
- int blocks_per_mb, int plane_size_factor,
- const int16_t *qmat, int is_chroma)
+static int decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
+ const uint8_t *buf,
+ int data_size, uint16_t *out_ptr,
+ int linesize, int mbs_per_slice,
+ int blocks_per_mb, int plane_size_factor,
+ const int16_t *qmat, int is_chroma)
{
GetBitContext gb;
DCTELEM *block_ptr;
- int mb_num, blocks_per_slice;
+ int mb_num, blocks_per_slice, ret;
blocks_per_slice = mbs_per_slice * blocks_per_mb;
@@ -432,8 +438,10 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
decode_dc_coeffs(&gb, td->blocks, blocks_per_slice);
- decode_ac_coeffs(&gb, td->blocks, blocks_per_slice,
- plane_size_factor, ctx->scantable.permutated);
+ ret = decode_ac_coeffs(&gb, td->blocks, blocks_per_slice,
+ plane_size_factor, ctx->scantable.permutated);
+ if (ret < 0)
+ return ret;
/* inverse quantization, inverse transform and output */
block_ptr = td->blocks;
@@ -467,6 +475,7 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
}
}
}
+ return 0;
}
@@ -485,6 +494,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
int i, sf, slice_width_factor;
int slice_data_size, hdr_size, y_data_size, u_data_size, v_data_size;
int y_linesize, u_linesize, v_linesize;
+ int ret;
buf = ctx->slice_data[slice_num].index;
slice_data_size = ctx->slice_data[slice_num + 1].index - buf;
@@ -541,28 +551,34 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
}
/* decode luma plane */
- decode_slice_plane(ctx, td, buf + hdr_size, y_data_size,
- (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize +
- (mb_x_pos << 5)), y_linesize,
- mbs_per_slice, 4, slice_width_factor + 2,
- td->qmat_luma_scaled, 0);
+ ret = decode_slice_plane(ctx, td, buf + hdr_size, y_data_size,
+ (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize +
+ (mb_x_pos << 5)), y_linesize,
+ mbs_per_slice, 4, slice_width_factor + 2,
+ td->qmat_luma_scaled, 0);
+ if (ret < 0)
+ return ret;
/* decode U chroma plane */
- decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size,
- (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize +
- (mb_x_pos << ctx->mb_chroma_factor)),
- u_linesize, mbs_per_slice, ctx->num_chroma_blocks,
- slice_width_factor + ctx->chroma_factor - 1,
- td->qmat_chroma_scaled, 1);
+ ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size,
+ (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize +
+ (mb_x_pos << ctx->mb_chroma_factor)),
+ u_linesize, mbs_per_slice, ctx->num_chroma_blocks,
+ slice_width_factor + ctx->chroma_factor - 1,
+ td->qmat_chroma_scaled, 1);
+ if (ret < 0)
+ return ret;
/* decode V chroma plane */
- decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size,
- v_data_size,
- (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize +
- (mb_x_pos << ctx->mb_chroma_factor)),
- v_linesize, mbs_per_slice, ctx->num_chroma_blocks,
- slice_width_factor + ctx->chroma_factor - 1,
- td->qmat_chroma_scaled, 1);
+ ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size,
+ v_data_size,
+ (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize +
+ (mb_x_pos << ctx->mb_chroma_factor)),
+ v_linesize, mbs_per_slice, ctx->num_chroma_blocks,
+ slice_width_factor + ctx->chroma_factor - 1,
+ td->qmat_chroma_scaled, 1);
+ if (ret < 0)
+ return ret;
return 0;
}
diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c
index 73d9da3..8ae494b 100644
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -76,6 +76,7 @@ typedef struct ThreadContext {
pthread_cond_t last_job_cond;
pthread_cond_t current_job_cond;
pthread_mutex_t current_job_lock;
+ unsigned current_execute;
int current_job;
int done;
} ThreadContext;
@@ -196,6 +197,7 @@ static void* attribute_align_arg worker(void *v)
{
AVCodecContext *avctx = v;
ThreadContext *c = avctx->thread_opaque;
+ unsigned last_execute = 0;
int our_job = c->job_count;
int thread_count = avctx->thread_count;
int self_id;
@@ -207,7 +209,9 @@ static void* attribute_align_arg worker(void *v)
if (c->current_job == thread_count + c->job_count)
pthread_cond_signal(&c->last_job_cond);
- pthread_cond_wait(&c->current_job_cond, &c->current_job_lock);
+ while (last_execute == c->current_execute && !c->done)
+ pthread_cond_wait(&c->current_job_cond, &c->current_job_lock);
+ last_execute = c->current_execute;
our_job = self_id;
if (c->done) {
@@ -227,7 +231,8 @@ static void* attribute_align_arg worker(void *v)
static av_always_inline void avcodec_thread_park_workers(ThreadContext *c, int thread_count)
{
- pthread_cond_wait(&c->last_job_cond, &c->current_job_lock);
+ while (c->current_job != thread_count + c->job_count)
+ pthread_cond_wait(&c->last_job_cond, &c->current_job_lock);
pthread_mutex_unlock(&c->current_job_lock);
}
@@ -276,6 +281,7 @@ static int avcodec_thread_execute(AVCodecContext *avctx, action_func* func, void
c->rets = &dummy_ret;
c->rets_count = 1;
}
+ c->current_execute++;
pthread_cond_broadcast(&c->current_job_cond);
avcodec_thread_park_workers(c, avctx->thread_count);
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index b61b75d..ffd4d96 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -35,6 +35,7 @@
static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
{
+ AVCodecContext *avctx = r->s.avctx;
int mb_bits;
int w = r->s.width, h = r->s.height;
int mb_size;
@@ -52,6 +53,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
si->pts = get_bits(gb, 13);
rpr = get_bits(gb, r->rpr);
if(rpr){
+ if (avctx->extradata_size < rpr * 2 + 8) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Insufficient extradata - need at least %d bytes, got %d\n",
+ 8 + rpr * 2, avctx->extradata_size);
+ return AVERROR(EINVAL);
+ }
+
w = r->s.avctx->extradata[6 + rpr*2] << 2;
h = r->s.avctx->extradata[7 + rpr*2] << 2;
}
@@ -255,11 +263,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
}
r->rpr = (avctx->extradata[1] & 7) >> 1;
r->rpr = FFMIN(r->rpr + 1, 3);
- if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
- av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
- 6 + r->rpr * 2, avctx->extradata_size);
- return AVERROR(EINVAL);
- }
+
r->parse_slice_header = rv30_parse_slice_header;
r->decode_intra_types = rv30_decode_intra_types;
r->decode_mb_info = rv30_decode_mb_info;
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index fda90fe..22976e0 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -277,7 +277,8 @@ static void output_buffer(int16_t **samples, int nchan, int blocksize,
}
}
-static const int fixed_coeffs[3][3] = {
+static const int fixed_coeffs[][3] = {
+ { 0, 0, 0 },
{ 1, 0, 0 },
{ 2, -1, 0 },
{ 3, -3, 1 }
@@ -306,7 +307,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
} else {
/* fixed LPC coeffs */
pred_order = command;
- coeffs = fixed_coeffs[pred_order - 1];
+ if (pred_order >= FF_ARRAY_ELEMS(fixed_coeffs)) {
+ av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n",
+ pred_order);
+ return AVERROR_INVALIDDATA;
+ }
+ coeffs = fixed_coeffs[pred_order];
qshift = 0;
}
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index c49f9fe..63cd05b 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -512,6 +512,15 @@ hres,vres,i,i%vres (0 < i < 4)
index = s->index_stream[index_stream_index++] * 4; \
}
+#define INC_INDEX \
+do { \
+ if (index >= 1023) { \
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \
+ return; \
+ } \
+ index++; \
+} while (0)
+
#define APPLY_C_PREDICTOR() \
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
@@ -524,10 +533,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_C_PREDICTOR_24() \
predictor_pair = s->c_predictor_table[index]; \
@@ -541,10 +550,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_Y_PREDICTOR() \
@@ -559,10 +568,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_Y_PREDICTOR_24() \
predictor_pair = s->y_predictor_table[index]; \
@@ -576,10 +585,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define OUTPUT_PIXEL_PAIR() \
*current_pixel_pair = *vert_pred + horiz_pred; \
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index a8dd38a..d2e1e69 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -826,6 +826,7 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb)
int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */
int scale, shift, i; /* for initializing LUT for intensity compensation */
+ v->numref = 0;
v->p_frame_skipped = 0;
if (v->second_field) {
v->s.pict_type = (v->fptype & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 4071cdf..346fdb5 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -31,6 +31,7 @@
#include "libavutil/common.h"
#include "libavutil/intreadwrite.h"
#include "avcodec.h"
+#include "bytestream.h"
enum EncTypes {
MAGIC_WMVd = 0x574D5664,
@@ -62,55 +63,66 @@ typedef struct VmncContext {
int bigendian;
uint8_t pal[768];
int width, height;
+ GetByteContext gb;
/* cursor data */
int cur_w, cur_h;
int cur_x, cur_y;
int cur_hx, cur_hy;
- uint8_t* curbits, *curmask;
- uint8_t* screendta;
+ uint8_t *curbits, *curmask;
+ uint8_t *screendta;
} VmncContext;
/* read pixel value from stream */
-static av_always_inline int vmnc_get_pixel(const uint8_t* buf, int bpp, int be) {
- switch(bpp * 2 + be) {
+static av_always_inline int vmnc_get_pixel(GetByteContext *gb, int bpp, int be)
+{
+ switch (bpp * 2 + be) {
case 2:
- case 3: return *buf;
- case 4: return AV_RL16(buf);
- case 5: return AV_RB16(buf);
- case 8: return AV_RL32(buf);
- case 9: return AV_RB32(buf);
+ case 3:
+ return bytestream2_get_byte(gb);
+ case 4:
+ return bytestream2_get_le16(gb);
+ case 5:
+ return bytestream2_get_be16(gb);
+ case 8:
+ return bytestream2_get_le32(gb);
+ case 9:
+ return bytestream2_get_be32(gb);
default: return 0;
}
}
-static void load_cursor(VmncContext *c, const uint8_t *src)
+static void load_cursor(VmncContext *c)
{
int i, j, p;
- const int bpp = c->bpp2;
- uint8_t *dst8 = c->curbits;
- uint16_t *dst16 = (uint16_t*)c->curbits;
- uint32_t *dst32 = (uint32_t*)c->curbits;
-
- for(j = 0; j < c->cur_h; j++) {
- for(i = 0; i < c->cur_w; i++) {
- p = vmnc_get_pixel(src, bpp, c->bigendian);
- src += bpp;
- if(bpp == 1) *dst8++ = p;
- if(bpp == 2) *dst16++ = p;
- if(bpp == 4) *dst32++ = p;
+ const int bpp = c->bpp2;
+ uint8_t *dst8 = c->curbits;
+ uint16_t *dst16 = (uint16_t *)c->curbits;
+ uint32_t *dst32 = (uint32_t *)c->curbits;
+
+ for (j = 0; j < c->cur_h; j++) {
+ for (i = 0; i < c->cur_w; i++) {
+ p = vmnc_get_pixel(&c->gb, bpp, c->bigendian);
+ if (bpp == 1)
+ *dst8++ = p;
+ if (bpp == 2)
+ *dst16++ = p;
+ if (bpp == 4)
+ *dst32++ = p;
}
}
- dst8 = c->curmask;
+ dst8 = c->curmask;
dst16 = (uint16_t*)c->curmask;
dst32 = (uint32_t*)c->curmask;
- for(j = 0; j < c->cur_h; j++) {
- for(i = 0; i < c->cur_w; i++) {
- p = vmnc_get_pixel(src, bpp, c->bigendian);
- src += bpp;
- if(bpp == 1) *dst8++ = p;
- if(bpp == 2) *dst16++ = p;
- if(bpp == 4) *dst32++ = p;
+ for (j = 0; j < c->cur_h; j++) {
+ for (i = 0; i < c->cur_w; i++) {
+ p = vmnc_get_pixel(&c->gb, bpp, c->bigendian);
+ if (bpp == 1)
+ *dst8++ = p;
+ if (bpp == 2)
+ *dst16++ = p;
+ if (bpp == 4)
+ *dst32++ = p;
}
}
}
@@ -120,96 +132,100 @@ static void put_cursor(uint8_t *dst, int stride, VmncContext *c, int dx, int dy)
int i, j;
int w, h, x, y;
w = c->cur_w;
- if(c->width < c->cur_x + c->cur_w) w = c->width - c->cur_x;
+ if (c->width < c->cur_x + c->cur_w)
+ w = c->width - c->cur_x;
h = c->cur_h;
- if(c->height < c->cur_y + c->cur_h) h = c->height - c->cur_y;
+ if (c->height < c->cur_y + c->cur_h)
+ h = c->height - c->cur_y;
x = c->cur_x;
y = c->cur_y;
- if(x < 0) {
+ if (x < 0) {
w += x;
- x = 0;
+ x = 0;
}
- if(y < 0) {
+ if (y < 0) {
h += y;
- y = 0;
+ y = 0;
}
- if((w < 1) || (h < 1)) return;
+ if ((w < 1) || (h < 1))
+ return;
dst += x * c->bpp2 + y * stride;
- if(c->bpp2 == 1) {
- uint8_t* cd = c->curbits, *msk = c->curmask;
- for(j = 0; j < h; j++) {
- for(i = 0; i < w; i++)
+ if (c->bpp2 == 1) {
+ uint8_t *cd = c->curbits, *msk = c->curmask;
+ for (j = 0; j < h; j++) {
+ for (i = 0; i < w; i++)
dst[i] = (dst[i] & cd[i]) ^ msk[i];
msk += c->cur_w;
- cd += c->cur_w;
+ cd += c->cur_w;
dst += stride;
}
- } else if(c->bpp2 == 2) {
- uint16_t* cd = (uint16_t*)c->curbits, *msk = (uint16_t*)c->curmask;
- uint16_t* dst2;
- for(j = 0; j < h; j++) {
+ } else if (c->bpp2 == 2) {
+ uint16_t *cd = (uint16_t*)c->curbits, *msk = (uint16_t*)c->curmask;
+ uint16_t *dst2;
+ for (j = 0; j < h; j++) {
dst2 = (uint16_t*)dst;
- for(i = 0; i < w; i++)
+ for (i = 0; i < w; i++)
dst2[i] = (dst2[i] & cd[i]) ^ msk[i];
msk += c->cur_w;
- cd += c->cur_w;
+ cd += c->cur_w;
dst += stride;
}
- } else if(c->bpp2 == 4) {
- uint32_t* cd = (uint32_t*)c->curbits, *msk = (uint32_t*)c->curmask;
- uint32_t* dst2;
- for(j = 0; j < h; j++) {
+ } else if (c->bpp2 == 4) {
+ uint32_t *cd = (uint32_t*)c->curbits, *msk = (uint32_t*)c->curmask;
+ uint32_t *dst2;
+ for (j = 0; j < h; j++) {
dst2 = (uint32_t*)dst;
- for(i = 0; i < w; i++)
+ for (i = 0; i < w; i++)
dst2[i] = (dst2[i] & cd[i]) ^ msk[i];
msk += c->cur_w;
- cd += c->cur_w;
+ cd += c->cur_w;
dst += stride;
}
}
}
/* fill rectangle with given color */
-static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy, int w, int h, int color, int bpp, int stride)
+static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy,
+ int w, int h, int color,
+ int bpp, int stride)
{
int i, j;
dst += dx * bpp + dy * stride;
- if(bpp == 1){
- for(j = 0; j < h; j++) {
+ if (bpp == 1) {
+ for (j = 0; j < h; j++) {
memset(dst, color, w);
dst += stride;
}
- }else if(bpp == 2){
- uint16_t* dst2;
- for(j = 0; j < h; j++) {
+ } else if (bpp == 2) {
+ uint16_t *dst2;
+ for (j = 0; j < h; j++) {
dst2 = (uint16_t*)dst;
- for(i = 0; i < w; i++) {
+ for (i = 0; i < w; i++)
*dst2++ = color;
- }
dst += stride;
}
- }else if(bpp == 4){
- uint32_t* dst2;
- for(j = 0; j < h; j++) {
+ } else if (bpp == 4) {
+ uint32_t *dst2;
+ for (j = 0; j < h; j++) {
dst2 = (uint32_t*)dst;
- for(i = 0; i < w; i++) {
+ for (i = 0; i < w; i++)
dst2[i] = color;
- }
dst += stride;
}
}
}
-static av_always_inline void paint_raw(uint8_t *dst, int w, int h, const uint8_t* src, int bpp, int be, int stride)
+static av_always_inline void paint_raw(uint8_t *dst, int w, int h,
+ GetByteContext *gb, int bpp,
+ int be, int stride)
{
int i, j, p;
- for(j = 0; j < h; j++) {
- for(i = 0; i < w; i++) {
- p = vmnc_get_pixel(src, bpp, be);
- src += bpp;
- switch(bpp){
+ for (j = 0; j < h; j++) {
+ for (i = 0; i < w; i++) {
+ p = vmnc_get_pixel(gb, bpp, be);
+ switch (bpp) {
case 1:
dst[i] = p;
break;
@@ -225,74 +241,81 @@ static av_always_inline void paint_raw(uint8_t *dst, int w, int h, const uint8_t
}
}
-static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int ssize, int w, int h, int stride)
+static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
+ int w, int h, int stride)
{
int i, j, k;
int bg = 0, fg = 0, rects, color, flags, xy, wh;
const int bpp = c->bpp2;
uint8_t *dst2;
int bw = 16, bh = 16;
- const uint8_t *ssrc=src;
- for(j = 0; j < h; j += 16) {
+ for (j = 0; j < h; j += 16) {
dst2 = dst;
- bw = 16;
- if(j + 16 > h) bh = h - j;
- for(i = 0; i < w; i += 16, dst2 += 16 * bpp) {
- if(src - ssrc >= ssize) {
+ bw = 16;
+ if (j + 16 > h)
+ bh = h - j;
+ for (i = 0; i < w; i += 16, dst2 += 16 * bpp) {
+ if (bytestream2_get_bytes_left(gb) <= 0) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1;
}
- if(i + 16 > w) bw = w - i;
- flags = *src++;
- if(flags & HT_RAW) {
- if(src - ssrc > ssize - bw * bh * bpp) {
+ if (i + 16 > w)
+ bw = w - i;
+ flags = bytestream2_get_byte(gb);
+ if (flags & HT_RAW) {
+ if (bytestream2_get_bytes_left(gb) < bw * bh * bpp) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1;
}
- paint_raw(dst2, bw, bh, src, bpp, c->bigendian, stride);
- src += bw * bh * bpp;
+ paint_raw(dst2, bw, bh, gb, bpp, c->bigendian, stride);
} else {
- if(flags & HT_BKG) {
- bg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
- }
- if(flags & HT_FG) {
- fg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
- }
+ if (flags & HT_BKG)
+ bg = vmnc_get_pixel(gb, bpp, c->bigendian);
+ if (flags & HT_FG)
+ fg = vmnc_get_pixel(gb, bpp, c->bigendian);
rects = 0;
- if(flags & HT_SUB)
- rects = *src++;
+ if (flags & HT_SUB)
+ rects = bytestream2_get_byte(gb);
color = !!(flags & HT_CLR);
paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride);
- if(src - ssrc > ssize - rects * (color * bpp + 2)) {
+ if (bytestream2_get_bytes_left(gb) < rects * (color * bpp + 2)) {
av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n");
return -1;
}
- for(k = 0; k < rects; k++) {
- if(color) {
- fg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp;
- }
- xy = *src++;
- wh = *src++;
- paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
+ for (k = 0; k < rects; k++) {
+ if (color)
+ fg = vmnc_get_pixel(gb, bpp, c->bigendian);
+ xy = bytestream2_get_byte(gb);
+ wh = bytestream2_get_byte(gb);
+ paint_rect(dst2, xy >> 4, xy & 0xF,
+ (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
}
}
}
dst += stride * 16;
}
- return src - ssrc;
+ return 0;
+}
+
+static void reset_buffers(VmncContext *c)
+{
+ av_freep(&c->curbits);
+ av_freep(&c->curmask);
+ av_freep(&c->screendta);
+ c->cur_w = c->cur_h = 0;
}
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
+ int buf_size = avpkt->size;
VmncContext * const c = avctx->priv_data;
+ GetByteContext *gb = &c->gb;
uint8_t *outptr;
- const uint8_t *src = buf;
int dx, dy, w, h, depth, enc, chunks, res, size_left;
c->pic.reference = 1;
@@ -302,178 +325,199 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
return -1;
}
+ bytestream2_init(gb, buf, buf_size);
+
c->pic.key_frame = 0;
c->pic.pict_type = AV_PICTURE_TYPE_P;
- //restore screen after cursor
- if(c->screendta) {
+ // restore screen after cursor
+ if (c->screendta) {
int i;
w = c->cur_w;
- if(c->width < c->cur_x + w) w = c->width - c->cur_x;
+ if (c->width < c->cur_x + w)
+ w = c->width - c->cur_x;
h = c->cur_h;
- if(c->height < c->cur_y + h) h = c->height - c->cur_y;
+ if (c->height < c->cur_y + h)
+ h = c->height - c->cur_y;
dx = c->cur_x;
- if(dx < 0) {
+ if (dx < 0) {
w += dx;
dx = 0;
}
dy = c->cur_y;
- if(dy < 0) {
+ if (dy < 0) {
h += dy;
dy = 0;
}
- if((w > 0) && (h > 0)) {
+ if ((w > 0) && (h > 0)) {
outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
- for(i = 0; i < h; i++) {
- memcpy(outptr, c->screendta + i * c->cur_w * c->bpp2, w * c->bpp2);
+ for (i = 0; i < h; i++) {
+ memcpy(outptr, c->screendta + i * c->cur_w * c->bpp2,
+ w * c->bpp2);
outptr += c->pic.linesize[0];
}
}
}
- src += 2;
- chunks = AV_RB16(src); src += 2;
- while(chunks--) {
- dx = AV_RB16(src); src += 2;
- dy = AV_RB16(src); src += 2;
- w = AV_RB16(src); src += 2;
- h = AV_RB16(src); src += 2;
- enc = AV_RB32(src); src += 4;
+ bytestream2_skip(gb, 2);
+ chunks = bytestream2_get_be16(gb);
+ while (chunks--) {
+ dx = bytestream2_get_be16(gb);
+ dy = bytestream2_get_be16(gb);
+ w = bytestream2_get_be16(gb);
+ h = bytestream2_get_be16(gb);
+ enc = bytestream2_get_be32(gb);
outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
- size_left = buf_size - (src - buf);
- switch(enc) {
+ size_left = bytestream2_get_bytes_left(gb);
+ switch (enc) {
case MAGIC_WMVd: // cursor
- if(size_left < 2 + w * h * c->bpp2 * 2) {
- av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left);
+ if (size_left < 2 + w * h * c->bpp2 * 2) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Premature end of data! (need %i got %i)\n",
+ 2 + w * h * c->bpp2 * 2, size_left);
return -1;
}
- src += 2;
- c->cur_w = w;
- c->cur_h = h;
+ bytestream2_skip(gb, 2);
+ c->cur_w = w;
+ c->cur_h = h;
c->cur_hx = dx;
c->cur_hy = dy;
- if((c->cur_hx > c->cur_w) || (c->cur_hy > c->cur_h)) {
- av_log(avctx, AV_LOG_ERROR, "Cursor hot spot is not in image: %ix%i of %ix%i cursor size\n", c->cur_hx, c->cur_hy, c->cur_w, c->cur_h);
+ if ((c->cur_hx > c->cur_w) || (c->cur_hy > c->cur_h)) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Cursor hot spot is not in image: "
+ "%ix%i of %ix%i cursor size\n",
+ c->cur_hx, c->cur_hy, c->cur_w, c->cur_h);
c->cur_hx = c->cur_hy = 0;
}
- c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2);
- c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2);
- c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2);
- load_cursor(c, src);
- src += w * h * c->bpp2 * 2;
+ if (c->cur_w * c->cur_h >= INT_MAX / c->bpp2) {
+ reset_buffers(c);
+ return AVERROR(EINVAL);
+ } else {
+ int screen_size = c->cur_w * c->cur_h * c->bpp2;
+ if ((c->curbits = av_realloc(c->curbits, screen_size)) == NULL ||
+ (c->curmask = av_realloc(c->curmask, screen_size)) == NULL ||
+ (c->screendta = av_realloc(c->screendta, screen_size)) == NULL) {
+ reset_buffers(c);
+ return screen_size ? AVERROR(ENOMEM) : 0;
+ }
+ }
+ load_cursor(c);
break;
case MAGIC_WMVe: // unknown
- src += 2;
+ bytestream2_skip(gb, 2);
break;
case MAGIC_WMVf: // update cursor position
c->cur_x = dx - c->cur_hx;
c->cur_y = dy - c->cur_hy;
break;
case MAGIC_WMVg: // unknown
- src += 10;
+ bytestream2_skip(gb, 10);
break;
case MAGIC_WMVh: // unknown
- src += 4;
+ bytestream2_skip(gb, 4);
break;
case MAGIC_WMVi: // ServerInitialization struct
c->pic.key_frame = 1;
c->pic.pict_type = AV_PICTURE_TYPE_I;
- depth = *src++;
- if(depth != c->bpp) {
- av_log(avctx, AV_LOG_INFO, "Depth mismatch. Container %i bpp, Frame data: %i bpp\n", c->bpp, depth);
+ depth = bytestream2_get_byte(gb);
+ if (depth != c->bpp) {
+ av_log(avctx, AV_LOG_INFO,
+ "Depth mismatch. Container %i bpp, "
+ "Frame data: %i bpp\n",
+ c->bpp, depth);
}
- src++;
- c->bigendian = *src++;
- if(c->bigendian & (~1)) {
- av_log(avctx, AV_LOG_INFO, "Invalid header: bigendian flag = %i\n", c->bigendian);
+ bytestream2_skip(gb, 1);
+ c->bigendian = bytestream2_get_byte(gb);
+ if (c->bigendian & (~1)) {
+ av_log(avctx, AV_LOG_INFO,
+ "Invalid header: bigendian flag = %i\n", c->bigendian);
return -1;
}
//skip the rest of pixel format data
- src += 13;
+ bytestream2_skip(gb, 13);
break;
case MAGIC_WMVj: // unknown
- src += 2;
+ bytestream2_skip(gb, 2);
break;
case 0x00000000: // raw rectangle data
- if((dx + w > c->width) || (dy + h > c->height)) {
- av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height);
+ if ((dx + w > c->width) || (dy + h > c->height)) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Incorrect frame size: %ix%i+%ix%i of %ix%i\n",
+ w, h, dx, dy, c->width, c->height);
return -1;
}
- if(size_left < w * h * c->bpp2) {
- av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", w * h * c->bpp2, size_left);
+ if (size_left < w * h * c->bpp2) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Premature end of data! (need %i got %i)\n",
+ w * h * c->bpp2, size_left);
return -1;
}
- paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, c->pic.linesize[0]);
- src += w * h * c->bpp2;
+ paint_raw(outptr, w, h, gb, c->bpp2, c->bigendian,
+ c->pic.linesize[0]);
break;
case 0x00000005: // HexTile encoded rectangle
- if((dx + w > c->width) || (dy + h > c->height)) {
- av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height);
+ if ((dx + w > c->width) || (dy + h > c->height)) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Incorrect frame size: %ix%i+%ix%i of %ix%i\n",
+ w, h, dx, dy, c->width, c->height);
return -1;
}
- res = decode_hextile(c, outptr, src, size_left, w, h, c->pic.linesize[0]);
- if(res < 0)
+ res = decode_hextile(c, outptr, gb, w, h, c->pic.linesize[0]);
+ if (res < 0)
return -1;
- src += res;
break;
default:
av_log(avctx, AV_LOG_ERROR, "Unsupported block type 0x%08X\n", enc);
chunks = 0; // leave chunks decoding loop
}
}
- if(c->screendta){
+ if (c->screendta) {
int i;
- //save screen data before painting cursor
+ // save screen data before painting cursor
w = c->cur_w;
- if(c->width < c->cur_x + w) w = c->width - c->cur_x;
+ if (c->width < c->cur_x + w)
+ w = c->width - c->cur_x;
h = c->cur_h;
- if(c->height < c->cur_y + h) h = c->height - c->cur_y;
+ if (c->height < c->cur_y + h)
+ h = c->height - c->cur_y;
dx = c->cur_x;
- if(dx < 0) {
+ if (dx < 0) {
w += dx;
dx = 0;
}
dy = c->cur_y;
- if(dy < 0) {
+ if (dy < 0) {
h += dy;
dy = 0;
}
- if((w > 0) && (h > 0)) {
+ if ((w > 0) && (h > 0)) {
outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
- for(i = 0; i < h; i++) {
- memcpy(c->screendta + i * c->cur_w * c->bpp2, outptr, w * c->bpp2);
+ for (i = 0; i < h; i++) {
+ memcpy(c->screendta + i * c->cur_w * c->bpp2, outptr,
+ w * c->bpp2);
outptr += c->pic.linesize[0];
}
outptr = c->pic.data[0];
put_cursor(outptr, c->pic.linesize[0], c, c->cur_x, c->cur_y);
}
}
- *got_frame = 1;
+ *got_frame = 1;
*(AVFrame*)data = c->pic;
/* always report that the buffer was completely consumed */
return buf_size;
}
-
-
-/*
- *
- * Init VMnc decoder
- *
- */
static av_cold int decode_init(AVCodecContext *avctx)
{
VmncContext * const c = avctx->priv_data;
- c->avctx = avctx;
-
- c->width = avctx->width;
+ c->avctx = avctx;
+ c->width = avctx->width;
c->height = avctx->height;
+ c->bpp = avctx->bits_per_coded_sample;
+ c->bpp2 = c->bpp / 8;
- c->bpp = avctx->bits_per_coded_sample;
- c->bpp2 = c->bpp/8;
-
- switch(c->bpp){
+ switch (c->bpp) {
case 8:
avctx->pix_fmt = AV_PIX_FMT_PAL8;
break;
@@ -491,13 +535,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
return 0;
}
-
-
-/*
- *
- * Uninit VMnc decoder
- *
- */
static av_cold int decode_end(AVCodecContext *avctx)
{
VmncContext * const c = avctx->priv_data;
diff --git a/libavcodec/x86/ac3dsp.asm b/libavcodec/x86/ac3dsp.asm
index 45c30d1..4facf32 100644
--- a/libavcodec/x86/ac3dsp.asm
+++ b/libavcodec/x86/ac3dsp.asm
@@ -382,42 +382,6 @@ cglobal ac3_compute_mantissa_size, 1, 2, 4, mant_cnt, sum
%endif
%endmacro
-%if HAVE_AMD3DNOW_EXTERNAL
-INIT_MMX 3dnow
-cglobal ac3_extract_exponents, 3, 3, 0, exp, coef, len
- add expq, lenq
- lea coefq, [coefq+4*lenq]
- neg lenq
- movq m3, [pd_1]
- movq m4, [pd_151]
-.loop:
- movq m0, [coefq+4*lenq ]
- movq m1, [coefq+4*lenq+8]
- PABSD m0, m2
- PABSD m1, m2
- pslld m0, 1
- por m0, m3
- pi2fd m2, m0
- psrld m2, 23
- movq m0, m4
- psubd m0, m2
- pslld m1, 1
- por m1, m3
- pi2fd m2, m1
- psrld m2, 23
- movq m1, m4
- psubd m1, m2
- packssdw m0, m0
- packuswb m0, m0
- packssdw m1, m1
- packuswb m1, m1
- punpcklwd m0, m1
- movd [expq+lenq], m0
- add lenq, 4
- jl .loop
- REP_RET
-%endif
-
%macro AC3_EXTRACT_EXPONENTS 0
cglobal ac3_extract_exponents, 3, 3, 4, exp, coef, len
add expq, lenq
diff --git a/libavcodec/x86/ac3dsp_init.c b/libavcodec/x86/ac3dsp_init.c
index e8f7304..e144440 100644
--- a/libavcodec/x86/ac3dsp_init.c
+++ b/libavcodec/x86/ac3dsp_init.c
@@ -189,7 +189,6 @@ av_cold void ff_ac3dsp_init_x86(AC3DSPContext *c, int bit_exact)
c->ac3_rshift_int32 = ff_ac3_rshift_int32_mmx;
}
if (EXTERNAL_AMD3DNOW(mm_flags)) {
- c->extract_exponents = ff_ac3_extract_exponents_3dnow;
if (!bit_exact) {
c->float_to_fixed24 = ff_float_to_fixed24_3dnow;
}
diff --git a/libavdevice/alsa-audio-dec.c b/libavdevice/alsa-audio-dec.c
index 5b32ed9..0687a4a 100644
--- a/libavdevice/alsa-audio-dec.c
+++ b/libavdevice/alsa-audio-dec.c
@@ -142,7 +142,7 @@ static int audio_read_packet(AVFormatContext *s1, AVPacket *pkt)
ts_delay += res;
pkt->pts = timestamp.tv_sec * 1000000LL
+ (timestamp.tv_nsec * st->codec->sample_rate
- - ts_delay * 1000000000LL + st->codec->sample_rate * 500LL)
+ - (int64_t)ts_delay * 1000000000LL + st->codec->sample_rate * 500LL)
/ (st->codec->sample_rate * 1000LL);
pkt->size = res * s->frame_size;
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index e17d932..759abbc 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -456,13 +456,15 @@ static int avi_read_header(AVFormatContext *s)
ast = s->streams[0]->priv_data;
av_freep(&s->streams[0]->codec->extradata);
av_freep(&s->streams[0]->codec);
+ av_freep(&s->streams[0]->info);
av_freep(&s->streams[0]);
s->nb_streams = 0;
if (CONFIG_DV_DEMUXER) {
avi->dv_demux = avpriv_dv_init_demux(s);
if (!avi->dv_demux)
goto fail;
- }
+ } else
+ goto fail;
s->streams[0]->priv_data = ast;
avio_skip(pb, 3 * 4);
ast->scale = avio_rl32(pb);
@@ -885,7 +887,7 @@ start_sync:
goto start_sync;
}
- n= get_stream_idx(d);
+ n = avi->dv_demux ? 0 : get_stream_idx(d);
if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams)
continue;
@@ -988,6 +990,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt)
int size = avpriv_dv_get_packet(avi->dv_demux, pkt);
if (size >= 0)
return size;
+ else
+ goto resync;
}
if(avi->non_interleaved){
@@ -1287,12 +1291,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
int64_t pos;
AVIStream *ast;
+ /* Does not matter which stream is requested dv in avi has the
+ * stream information in the first video stream.
+ */
+ if (avi->dv_demux)
+ stream_index = 0;
+
if (!avi->index_loaded) {
/* we only load the index on demand */
avi_load_index(s);
avi->index_loaded = 1;
}
- assert(stream_index>= 0);
st = s->streams[stream_index];
ast= st->priv_data;
@@ -1311,7 +1320,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
/* One and only one real stream for DV in AVI, and it has video */
/* offsets. Calling with other stream indexes should have failed */
/* the av_index_search_timestamp call above. */
- assert(stream_index == 0);
/* Feed the DV video stream version of the timestamp to the */
/* DV demux so it can synthesize correct timestamps. */
diff --git a/libavformat/avio.c b/libavformat/avio.c
index ad39e6f..689d4a1 100644
--- a/libavformat/avio.c
+++ b/libavformat/avio.c
@@ -197,7 +197,7 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags,
return url_alloc_for_protocol (puc, up, filename, flags, int_cb);
}
*puc = NULL;
- return AVERROR(ENOENT);
+ return AVERROR_PROTOCOL_NOT_FOUND;
}
int ffurl_open(URLContext **puc, const char *filename, int flags,
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 8a0c91b..730285a 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -704,9 +704,11 @@ static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
static int ebml_read_binary(AVIOContext *pb, int length, EbmlBin *bin)
{
av_free(bin->data);
- if (!(bin->data = av_malloc(length)))
+ if (!(bin->data = av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE)))
return AVERROR(ENOMEM);
+ memset(bin->data + length, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+
bin->size = length;
bin->pos = avio_tell(pb);
if (avio_read(pb, bin->data, length) != length) {
@@ -1405,7 +1407,7 @@ static int matroska_read_header(AVFormatContext *s)
for (i=0; i < matroska->tracks.nb_elem; i++) {
MatroskaTrack *track = &tracks[i];
enum AVCodecID codec_id = AV_CODEC_ID_NONE;
- EbmlList *encodings_list = &tracks->encodings;
+ EbmlList *encodings_list = &track->encodings;
MatroskaTrackEncoding *encodings = encodings_list->elem;
uint8_t *extradata = NULL;
int extradata_size = 0;
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6b89a2d..e5d8311 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1649,6 +1649,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (entries >= UINT_MAX / sizeof(*sc->stts_data))
return AVERROR(EINVAL);
+ av_free(sc->stts_data);
sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data));
if (!sc->stts_data)
return AVERROR(ENOMEM);
@@ -2313,7 +2314,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!sc->ctts_count && sc->sample_count)
{
/* Complement ctts table if moov atom doesn't have ctts atom. */
- ctts_data = av_malloc(sizeof(*sc->ctts_data));
+ ctts_data = av_realloc(NULL, sizeof(*sc->ctts_data));
if (!ctts_data)
return AVERROR(ENOMEM);
sc->ctts_data = ctts_data;
@@ -2758,6 +2759,14 @@ static int mov_read_close(AVFormatContext *s)
av_freep(&sc->drefs);
if (sc->pb && sc->pb != s->pb)
avio_close(sc->pb);
+
+ av_freep(&sc->chunk_offsets);
+ av_freep(&sc->stsc_data);
+ av_freep(&sc->sample_sizes);
+ av_freep(&sc->keyframes);
+ av_freep(&sc->stts_data);
+ av_freep(&sc->stps_data);
+ av_freep(&sc->rap_group);
}
if (mov->dv_demux) {
diff --git a/libavformat/nut.c b/libavformat/nut.c
index 196e04e..65d84d1 100644
--- a/libavformat/nut.c
+++ b/libavformat/nut.c
@@ -179,10 +179,16 @@ int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b){
return ((a->ts - b->ts) >> 32) - ((b->ts - a->ts) >> 32);
}
-void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){
+int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){
Syncpoint *sp= av_mallocz(sizeof(Syncpoint));
struct AVTreeNode *node = av_tree_node_alloc();
+ if (!sp || !node) {
+ av_freep(&sp);
+ av_freep(&node);
+ return AVERROR(ENOMEM);
+ }
+
sp->pos= pos;
sp->back_ptr= back_ptr;
sp->ts= ts;
@@ -191,6 +197,8 @@ void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){
av_free(sp);
av_free(node);
}
+
+ return 0;
}
static int enu_free(void *opaque, void *elem)
diff --git a/libavformat/nut.h b/libavformat/nut.h
index 89b0248..066d186 100644
--- a/libavformat/nut.h
+++ b/libavformat/nut.h
@@ -119,7 +119,7 @@ void ff_nut_reset_ts(NUTContext *nut, AVRational time_base, int64_t val);
int64_t ff_lsb2full(StreamContext *stream, int64_t lsb);
int ff_nut_sp_pos_cmp(const Syncpoint *a, const Syncpoint *b);
int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b);
-void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts);
+int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts);
void ff_nut_free_sp(NUTContext *nut);
extern const Dispositions ff_nut_dispositions[];
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index b705987..1a9390c 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -526,6 +526,7 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr)
AVFormatContext *s = nut->avf;
AVIOContext *bc = s->pb;
int64_t end, tmp;
+ int ret;
nut->last_syncpoint_pos = avio_tell(bc) - 8;
@@ -547,7 +548,9 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr)
*ts = tmp / s->nb_streams *
av_q2d(nut->time_base[tmp % s->nb_streams]) * AV_TIME_BASE;
- ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts);
+
+ if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts)) < 0)
+ return ret;
return 0;
}
diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c
index df70f94..51bddf0 100644
--- a/libavformat/nutenc.c
+++ b/libavformat/nutenc.c
@@ -815,7 +815,8 @@ static int nut_write_packet(AVFormatContext *s, AVPacket *pkt)
ff_put_v(dyn_bc, sp ? (nut->last_syncpoint_pos - sp->pos) >> 4 : 0);
put_packet(nut, bc, dyn_bc, 1, SYNCPOINT_STARTCODE);
- ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts);
+ if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts)) < 0)
+ return ret;
}
assert(nus->last_pts != AV_NOPTS_VALUE);
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index 56ea557..2313625 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -75,6 +75,11 @@ ogm_header(AVFormatContext *s, int idx)
time_unit = bytestream2_get_le64(&p);
spu = bytestream2_get_le64(&p);
+ if (!time_unit || !spu) {
+ av_log(s, AV_LOG_ERROR, "Invalid timing values.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
bytestream2_skip(&p, 4); /* default_len */
bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 0403451..e3b1518 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -234,6 +234,11 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
av_log(s, AV_LOG_ERROR, "Invalid encryption header\n");
return -1;
}
+ if (OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size + 8 > geob->datasize ||
+ OMA_ENC_HEADER_SIZE + 48 > geob->datasize) {
+ av_log(s, AV_LOG_ERROR, "Too little GEOB data\n");
+ return AVERROR_INVALIDDATA;
+ }
oc->rid = AV_RB32(&gdata[OMA_ENC_HEADER_SIZE + 28]);
av_log(s, AV_LOG_DEBUG, "RID: %.8x\n", oc->rid);
@@ -258,7 +263,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
!nprobe(s, gdata, geob->datasize, oc->n_val))
break;
}
- if (i >= sizeof(leaf_table)) {
+ if (i >= FF_ARRAY_ELEMS(leaf_table)) {
av_log(s, AV_LOG_ERROR, "Invalid key\n");
return -1;
}
diff --git a/libavformat/pmpdec.c b/libavformat/pmpdec.c
index 6cdce10..b2c613a 100644
--- a/libavformat/pmpdec.c
+++ b/libavformat/pmpdec.c
@@ -124,6 +124,11 @@ static int pmp_packet(AVFormatContext *s, AVPacket *pkt)
if (pmp->cur_stream == 0) {
int num_packets;
pmp->audio_packets = avio_r8(pb);
+ if (!pmp->audio_packets) {
+ av_log(s, AV_LOG_ERROR, "No audio packets.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
num_packets = (pmp->num_streams - 1) * pmp->audio_packets + 1;
avio_skip(pb, 8);
pmp->current_packet = 0;
diff --git a/libavformat/sdp.c b/libavformat/sdp.c
index 57044d4..e6e6f82 100644
--- a/libavformat/sdp.c
+++ b/libavformat/sdp.c
@@ -402,7 +402,7 @@ static char *sdp_write_media_attributes(char *buff, int size, AVCodecContext *c,
switch (c->codec_id) {
case AV_CODEC_ID_H264: {
int mode = 1;
- if (fmt && fmt->oformat->priv_class &&
+ if (fmt && fmt->oformat && fmt->oformat->priv_class &&
av_opt_flag_is_set(fmt->priv_data, "rtpflags", "h264_mode0"))
mode = 0;
if (c->extradata_size) {
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 5643f33..53e2066 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -75,13 +75,23 @@ static int film_probe(AVProbeData *p)
return AVPROBE_SCORE_MAX;
}
+static int film_read_close(AVFormatContext *s)
+{
+ FilmDemuxContext *film = s->priv_data;
+
+ av_freep(&film->sample_table);
+ av_freep(&film->stereo_buffer);
+
+ return 0;
+}
+
static int film_read_header(AVFormatContext *s)
{
FilmDemuxContext *film = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *st;
unsigned char scratch[256];
- int i;
+ int i, ret;
unsigned int data_offset;
unsigned int audio_frame_counter;
@@ -213,14 +223,16 @@ static int film_read_header(AVFormatContext *s)
for (i = 0; i < film->sample_count; i++) {
/* load the next sample record and transfer it to an internal struct */
if (avio_read(pb, scratch, 16) != 16) {
- av_free(film->sample_table);
- return AVERROR(EIO);
+ ret = AVERROR(EIO);
+ goto fail;
}
film->sample_table[i].sample_offset =
data_offset + AV_RB32(&scratch[0]);
film->sample_table[i].sample_size = AV_RB32(&scratch[4]);
- if (film->sample_table[i].sample_size > INT_MAX / 4)
- return AVERROR_INVALIDDATA;
+ if (film->sample_table[i].sample_size > INT_MAX / 4) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) {
film->sample_table[i].stream = film->audio_stream_index;
film->sample_table[i].pts = audio_frame_counter;
@@ -241,6 +253,9 @@ static int film_read_header(AVFormatContext *s)
film->current_sample = 0;
return 0;
+fail:
+ film_read_close(s);
+ return ret;
}
static int film_read_packet(AVFormatContext *s,
@@ -319,16 +334,6 @@ static int film_read_packet(AVFormatContext *s,
return ret;
}
-static int film_read_close(AVFormatContext *s)
-{
- FilmDemuxContext *film = s->priv_data;
-
- av_free(film->sample_table);
- av_free(film->stereo_buffer);
-
- return 0;
-}
-
AVInputFormat ff_segafilm_demuxer = {
.name = "film_cpk",
.long_name = NULL_IF_CONFIG_SMALL("Sega FILM / CPK"),
diff --git a/libavformat/utils.c b/libavformat/utils.c
index b0bfea2..43790c7 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -357,8 +357,8 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
const char *filename, void *logctx,
unsigned int offset, unsigned int max_probe_size)
{
- AVProbeData pd = { filename ? filename : "", NULL, -offset };
- unsigned char *buf = NULL;
+ AVProbeData pd = { filename ? filename : "" };
+ uint8_t *buf = NULL;
int ret = 0, probe_size;
if (!max_probe_size) {
@@ -372,19 +372,16 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
if (offset >= max_probe_size) {
return AVERROR(EINVAL);
}
+ avio_skip(pb, offset);
+ max_probe_size -= offset;
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
- int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
-
- if (probe_size < offset) {
- continue;
- }
/* read probe data */
buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
- if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+ if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
/* fail if error was not end of file, otherwise, lower score */
if (ret != AVERROR_EOF) {
av_free(buf);
@@ -394,7 +391,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
ret = 0; /* error was end of file, nothing read */
}
pd.buf_size += ret;
- pd.buf = &buf[offset];
+ pd.buf = buf;
memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
diff --git a/libavresample/audio_mix.c b/libavresample/audio_mix.c
index c056028..f737a30 100644
--- a/libavresample/audio_mix.c
+++ b/libavresample/audio_mix.c
@@ -195,23 +195,23 @@ static void mix_1_to_2_fltp_flt_c(float **samples, float **matrix, int len,
while (len > 4) {
v = *src++;
- *dst0++ = v * m1;
- *dst1++ = v * m0;
+ *dst0++ = v * m0;
+ *dst1++ = v * m1;
v = *src++;
- *dst0++ = v * m1;
- *dst1++ = v * m0;
+ *dst0++ = v * m0;
+ *dst1++ = v * m1;
v = *src++;
- *dst0++ = v * m1;
- *dst1++ = v * m0;
+ *dst0++ = v * m0;
+ *dst1++ = v * m1;
v = *src++;
- *dst0++ = v * m1;
- *dst1++ = v * m0;
+ *dst0++ = v * m0;
+ *dst1++ = v * m1;
len -= 4;
}
while (len > 0) {
v = *src++;
- *dst0++ = v * m1;
- *dst1++ = v * m0;
+ *dst0++ = v * m0;
+ *dst1++ = v * m1;
len--;
}
}
diff --git a/libavresample/utils.c b/libavresample/utils.c
index ed7f470..36d9d04 100644
--- a/libavresample/utils.c
+++ b/libavresample/utils.c
@@ -350,7 +350,8 @@ int attribute_align_arg avresample_convert(AVAudioResampleContext *avr,
resample_out = &output_buffer;
else
resample_out = avr->resample_out_buffer;
- av_dlog(avr, "[resample] %s to %s\n", current_buffer->name,
+ av_dlog(avr, "[resample] %s to %s\n",
+ current_buffer ? current_buffer->name : "null",
resample_out->name);
ret = ff_audio_resample(avr->resample, resample_out,
current_buffer);
diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index 137683e..1a38f64 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -23,7 +23,6 @@
* miscellaneous math routines and tables
*/
-#include <assert.h>
#include <stdint.h>
#include <limits.h>
@@ -58,9 +57,9 @@ int64_t av_gcd(int64_t a, int64_t b){
int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd){
int64_t r=0;
- assert(c > 0);
- assert(b >=0);
- assert((unsigned)rnd<=5 && rnd!=4);
+
+ if (c <= 0 || b < 0 || rnd == 4 || rnd > 5)
+ return INT64_MIN;
if(a<0 && a != INT64_MIN) return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd>>1)&1));
diff --git a/tests/fate/ac3.mak b/tests/fate/ac3.mak
index 46e7a38..fa9f893 100644
--- a/tests/fate/ac3.mak
+++ b/tests/fate/ac3.mak
@@ -52,14 +52,12 @@ fate-ac3-encode: CMD = enc_dec_pcm ac3 wav s16le $(REF) -c:a ac3 -b:a 128k
fate-ac3-encode: CMP_SHIFT = -1024
fate-ac3-encode: CMP_TARGET = 399.62
fate-ac3-encode: SIZE_TOLERANCE = 488
-fate-ac3-encode: FUZZ = 3
FATE_EAC3-$(call ENCDEC, EAC3, EAC3) += fate-eac3-encode
fate-eac3-encode: CMD = enc_dec_pcm eac3 wav s16le $(REF) -c:a eac3 -b:a 128k
fate-eac3-encode: CMP_SHIFT = -1024
fate-eac3-encode: CMP_TARGET = 514.02
fate-eac3-encode: SIZE_TOLERANCE = 488
-fate-eac3-encode: FUZZ = 3
fate-ac3-encode fate-eac3-encode: CMP = stddev
fate-ac3-encode fate-eac3-encode: REF = $(SAMPLES)/audio-reference/luckynight_2ch_44kHz_s16.wav
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list