[SCM] ffmpeg/master: Imported Upstream version 2.8.4
aca-guest at users.alioth.debian.org
aca-guest at users.alioth.debian.org
Sun Dec 20 23:19:26 UTC 2015
The following commit has been merged in the master branch:
commit 5e2845189af763afb81fe44b8270359078a749ea
Author: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Date: Sun Dec 20 17:15:59 2015 +0100
Imported Upstream version 2.8.4
diff --git a/Changelog b/Changelog
index 7e70b11..b7f32b1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,74 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 2.8.4
+- rawdec: only exempt BIT0 with need_copy from buffer sanity check
+- mlvdec: check that index_entries exist
+- avcodec/mpeg4videodec: also for empty partitioned slices
+- avcodec/h264_refs: Fix long_idx check
+- avcodec/h264_mc_template: prefetch list1 only if it is used in the MB
+- avcodec/h264_slice: Simplify ref2frm indexing
+- avfilter/vf_mpdecimate: Add missing emms_c()
+- sonic: make sure num_taps * channels is not larger than frame_size
+- opus_silk: fix typo causing overflow in silk_stabilize_lsf
+- ffm: reject invalid codec_id and codec_type
+- golomb: always check for invalid UE golomb codes in get_ue_golomb
+- sbr_qmf_analysis: sanitize input for 32-bit imdct
+- sbrdsp_fixed: assert that input values are in the valid range
+- aacsbr: ensure strictly monotone time borders
+- aacenc: update max_sfb when num_swb changes
+- aaccoder: prevent crash of anmr coder
+- ffmdec: reject zero-sized chunks
+- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE*
+- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride
+- avformat/mxfenc: Do not crash if there is no packet in the first stream
+- lavf/tee: fix side data double free.
+- avformat/hlsenc: Check the return code of avformat_write_header()
+- avformat/mov: Enable parser for mp3s by old HandBrake
+- avformat/mxfenc: Fix integer overflow in length computation
+- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
+- avformat/matroskaenc: Check codecdelay before use
+- avutil/mathematics: Fix division by 0
+- mjpegdec: consider chroma subsampling in size check
+- libvpxenc: remove some unused ctrl id mappings
+- avcodec/vp3: ensure header is parsed successfully before tables
+- avcodec/jpeg2000dec: Check bpno in decode_cblk()
+- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int
+- swscale/utils: Fix for runtime error: left shift of negative value -1
+- avcodec/hevc: Fix integer overflow of entry_point_offset
+- avcodec/dirac_parser: Check that there is a previous PU before accessing it
+- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset
+- avcodec/dirac_parser: Fix potential overflows in pointer checks
+- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows
+- avcodec/wmaprodec: Fix overflow of cutoff
+- avformat/smacker: fix integer overflow with pts_inc
+- avcodec/vp3: Fix "runtime error: left shift of negative value"
+- avformat/riffdec: Initialize bitrate
+- mpegencts: Fix overflow in cbr mode period calculations
+- avutil/timecode: Fix fps check
+- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows
+- avcodec/apedec: Check length in long_filter_high_3800()
+- avcodec/vp3: always set pix_fmt in theora_decode_header()
+- avcodec/mpeg4videodec: Check available data before reading custom matrix
+- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
+- avutil/integer: Fix av_mod_i() with negative dividend
+- avformat/dump: Fix integer overflow in av_dump_format()
+- avcodec/h264_refs: Check that long references match before use
+- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
+- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
+- avcodec/hevc: Check max ctb addresses for WPP
+- avcodec/vp3: Clear context on reinitialization failure
+- avcodec/hevc: allocate entries unconditionally
+- avcodec/hevc_cabac: Fix multiple integer overflows
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
+- avcodec/hevc: Check entry_point_offsets
+- lavf/rtpenc_jpeg: Less strict check for standard Huffman tables.
+- avcodec/ffv1dec: Clear quant_table_count if its invalid
+- avcodec/ffv1dec: Print an error if the quant table count is invalid
+- doc/filters/drawtext: fix centering example
+
+
version 2.8.3
- avcodec/cabac: Check initial cabac decoder state
- avcodec/cabac_functions: Fix "left shift of negative value -31767"
diff --git a/RELEASE b/RELEASE
index 9f8d8a9..2701a22 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-2.8.3
+2.8.4
diff --git a/VERSION b/VERSION
index 9f8d8a9..2701a22 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.8.3
+2.8.4
diff --git a/doc/Doxyfile b/doc/Doxyfile
index f4e3ca8..5c4b466 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg
# This could be handy for archiving the generated documentation or
# if some version control system is used.
-PROJECT_NUMBER = 2.8.3
+PROJECT_NUMBER = 2.8.4
# With the PROJECT_LOGO tag one can specify a logo or icon that is included
# in the documentation. The maximum height of the logo should not exceed 55
diff --git a/doc/filters.texi b/doc/filters.texi
index d714a27..2a2fab6 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -4967,7 +4967,7 @@ within the parameter list.
@item
Show the text at the center of the video frame:
@example
-drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2"
+drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2"
@end example
@item
diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c
index 86d598f..e6b57aa 100644
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -499,7 +499,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s,
}
while (idx) {
sce->sf_idx[bandaddr[idx]] = minq + q0;
- minq = paths[idx][minq].prev;
+ minq = FFMAX(paths[idx][minq].prev, 0);
idx--;
}
//set the same quantizers inside window groups
diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index 9cce1a2..a7c7336 100644
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -547,6 +547,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
ics->num_windows = wi[ch].num_windows;
ics->swb_sizes = s->psy.bands [ics->num_windows == 8];
ics->num_swb = tag == TYPE_LFE ? ics->num_swb : s->psy.num_bands[ics->num_windows == 8];
+ ics->max_sfb = FFMIN(ics->max_sfb, ics->num_swb);
ics->swb_offset = wi[ch].window_type[0] == EIGHT_SHORT_SEQUENCE ?
ff_swb_offset_128 [s->samplerate_index]:
ff_swb_offset_1024[s->samplerate_index];
diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index a49940a..b36c266 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -718,8 +718,8 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
}
for (i = 1; i <= ch_data->bs_num_env; i++) {
- if (ch_data->t_env[i-1] > ch_data->t_env[i]) {
- av_log(ac->avctx, AV_LOG_ERROR, "Non monotone time borders\n");
+ if (ch_data->t_env[i-1] >= ch_data->t_env[i]) {
+ av_log(ac->avctx, AV_LOG_ERROR, "Not strictly monotone time borders\n");
return -1;
}
}
@@ -1154,6 +1154,9 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct,
INTFLOAT z[320], INTFLOAT W[2][32][32][2], int buf_idx)
{
int i;
+#if USE_FIXED
+ int j;
+#endif
memcpy(x , x+1024, (320-32)*sizeof(x[0]));
memcpy(x+288, in, 1024*sizeof(x[0]));
for (i = 0; i < 32; i++) { // numTimeSlots*RATE = 16*2 as 960 sample frames
@@ -1161,6 +1164,21 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct,
dsp->vector_fmul_reverse(z, sbr_qmf_window_ds, x, 320);
sbrdsp->sum64x5(z);
sbrdsp->qmf_pre_shuffle(z);
+#if USE_FIXED
+ for (j = 64; j < 128; j++) {
+ if (z[j] > 1<<24) {
+ av_log(NULL, AV_LOG_WARNING,
+ "sbr_qmf_analysis: value %09d too large, setting to %09d\n",
+ z[j], 1<<24);
+ z[j] = 1<<24;
+ } else if (z[j] < -(1<<24)) {
+ av_log(NULL, AV_LOG_WARNING,
+ "sbr_qmf_analysis: value %09d too small, setting to %09d\n",
+ z[j], -(1<<24));
+ z[j] = -(1<<24);
+ }
+ }
+#endif
mdct->imdct_half(mdct, z, z+64);
sbrdsp->qmf_post_shuffle(W[buf_idx][i], z);
x += 32;
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 5536e0f..c6eae55 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
int32_t dotprod, sign;
int32_t coeffs[256], delay[256];
+ if (order >= length)
+ return;
+
memset(coeffs, 0, order * sizeof(*coeffs));
for (i = 0; i < order; i++)
delay[i] = buffer[i];
diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index 83c35a2..1ca7e31 100644
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -100,10 +100,12 @@ typedef struct DiracParseUnit {
static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
int offset)
{
- uint8_t *start = pc->buffer + offset;
- uint8_t *end = pc->buffer + pc->index;
- if (start < pc->buffer || (start + 13 > end))
+ int8_t *start;
+
+ if (offset < 0 || pc->index - 13 < offset)
return 0;
+
+ start = pc->buffer + offset;
pu->pu_type = start[4];
pu->next_pu_offset = AV_RB32(start + 5);
@@ -112,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
if (pu->pu_type == 0x10 && pu->next_pu_offset == 0)
pu->next_pu_offset = 13;
+ if (pu->next_pu_offset && pu->next_pu_offset < 13) {
+ av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset);
+ return 0;
+ }
+ if (pu->prev_pu_offset && pu->prev_pu_offset < 13) {
+ av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset);
+ return 0;
+ }
+
return 1;
}
@@ -190,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
}
/* Get the picture number to set the pts and dts*/
- if (parse_timing_info) {
+ if (parse_timing_info && pu1.prev_pu_offset >= 13) {
uint8_t *cur_pu = pc->buffer +
pc->index - 13 - pu1.prev_pu_offset;
int pts = AV_RB32(cur_pu + 13);
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 680abcf..9c941fa 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -569,8 +569,11 @@ static int read_extra_header(FFV1Context *f)
}
f->quant_table_count = get_symbol(c, state, 0);
- if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count)
+ if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) {
+ av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count);
+ f->quant_table_count = 0;
return AVERROR_INVALIDDATA;
+ }
for (i = 0; i < f->quant_table_count; i++) {
f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);
diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
index d30bb6b..5136a04 100644
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -68,7 +68,7 @@ static inline int get_ue_golomb(GetBitContext *gb)
int log = 2 * av_log2(buf) - 31;
LAST_SKIP_BITS(re, gb, 32 - log);
CLOSE_READER(re, gb);
- if (CONFIG_FTRAPV && log < 0) {
+ if (log < 7) {
av_log(NULL, AV_LOG_ERROR, "Invalid UE golomb code\n");
return AVERROR_INVALIDDATA;
}
diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c
index eaead35..e4333a7 100644
--- a/libavcodec/h264_mc_template.c
+++ b/libavcodec/h264_mc_template.c
@@ -158,6 +158,7 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl,
}
}
- prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC);
+ if (USES_LIST(mb_type, 1))
+ prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC);
}
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 619f2ed..a3de6b2 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -122,6 +122,14 @@ static int add_sorted(H264Picture **sorted, H264Picture **src, int len, int limi
return out_i;
}
+static int mismatches_ref(H264Context *h, H264Picture *pic)
+{
+ AVFrame *f = pic->f;
+ return (h->cur_pic_ptr->f->width != f->width ||
+ h->cur_pic_ptr->f->height != f->height ||
+ h->cur_pic_ptr->f->format != f->format);
+}
+
int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl)
{
int i, len;
@@ -193,10 +201,7 @@ int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl)
for (j = 0; j<1+(sl->slice_type_nos == AV_PICTURE_TYPE_B); j++) {
for (i = 0; i < sl->ref_count[j]; i++) {
if (h->default_ref_list[j][i].parent) {
- AVFrame *f = h->default_ref_list[j][i].parent->f;
- if (h->cur_pic_ptr->f->width != f->width ||
- h->cur_pic_ptr->f->height != f->height ||
- h->cur_pic_ptr->f->format != f->format) {
+ if (mismatches_ref(h, h->default_ref_list[j][i].parent)) {
av_log(h->avctx, AV_LOG_ERROR, "Discarding mismatching reference\n");
memset(&h->default_ref_list[j][i], 0, sizeof(h->default_ref_list[j][i]));
}
@@ -298,14 +303,14 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl)
long_idx = pic_num_extract(h, pic_id, &pic_structure);
- if (long_idx > 31) {
+ if (long_idx > 31U) {
av_log(h->avctx, AV_LOG_ERROR,
"long_term_pic_idx overflow\n");
return AVERROR_INVALIDDATA;
}
ref = h->long_ref[long_idx];
assert(!(ref && !ref->reference));
- if (ref && (ref->reference & pic_structure)) {
+ if (ref && (ref->reference & pic_structure) && !mismatches_ref(h, ref)) {
ref->pic_id = pic_id;
assert(ref->long_ref);
i = 0;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 843cfd0..8be803b 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1993,12 +1993,12 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h,
if (USES_LIST(top_type, list)) {
const int b_xy = h->mb2b_xy[top_xy] + 3 * b_stride;
const int b8_xy = 4 * top_xy + 2;
- int (*ref2frm)[64] = (void*)(sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2));
+ int *ref2frm = sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2);
AV_COPY128(mv_dst - 1 * 8, h->cur_pic.motion_val[list][b_xy + 0]);
ref_cache[0 - 1 * 8] =
- ref_cache[1 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 0]];
+ ref_cache[1 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 0]];
ref_cache[2 - 1 * 8] =
- ref_cache[3 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 1]];
+ ref_cache[3 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 1]];
} else {
AV_ZERO128(mv_dst - 1 * 8);
AV_WN32A(&ref_cache[0 - 1 * 8], ((LIST_NOT_USED) & 0xFF) * 0x01010101u);
@@ -2008,15 +2008,15 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h,
if (USES_LIST(left_type[LTOP], list)) {
const int b_xy = h->mb2b_xy[left_xy[LTOP]] + 3;
const int b8_xy = 4 * left_xy[LTOP] + 1;
- int (*ref2frm)[64] =(void*)( sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2));
+ int *ref2frm = sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2);
AV_COPY32(mv_dst - 1 + 0, h->cur_pic.motion_val[list][b_xy + b_stride * 0]);
AV_COPY32(mv_dst - 1 + 8, h->cur_pic.motion_val[list][b_xy + b_stride * 1]);
AV_COPY32(mv_dst - 1 + 16, h->cur_pic.motion_val[list][b_xy + b_stride * 2]);
AV_COPY32(mv_dst - 1 + 24, h->cur_pic.motion_val[list][b_xy + b_stride * 3]);
ref_cache[-1 + 0] =
- ref_cache[-1 + 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 0]];
+ ref_cache[-1 + 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 0]];
ref_cache[-1 + 16] =
- ref_cache[-1 + 24] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 1]];
+ ref_cache[-1 + 24] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 1]];
} else {
AV_ZERO32(mv_dst - 1 + 0);
AV_ZERO32(mv_dst - 1 + 8);
@@ -2041,9 +2041,9 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h,
{
int8_t *ref = &h->cur_pic.ref_index[list][4 * mb_xy];
- int (*ref2frm)[64] = (void*)(sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2));
- uint32_t ref01 = (pack16to32(ref2frm[list][ref[0]], ref2frm[list][ref[1]]) & 0x00FF00FF) * 0x0101;
- uint32_t ref23 = (pack16to32(ref2frm[list][ref[2]], ref2frm[list][ref[3]]) & 0x00FF00FF) * 0x0101;
+ int *ref2frm = sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2);
+ uint32_t ref01 = (pack16to32(ref2frm[ref[0]], ref2frm[ref[1]]) & 0x00FF00FF) * 0x0101;
+ uint32_t ref23 = (pack16to32(ref2frm[ref[2]], ref2frm[ref[3]]) & 0x00FF00FF) * 0x0101;
AV_WN32A(&ref_cache[0 * 8], ref01);
AV_WN32A(&ref_cache[1 * 8], ref01);
AV_WN32A(&ref_cache[2 * 8], ref23);
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index e8c78b0..5f77761 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -744,7 +744,7 @@ static int hls_slice_header(HEVCContext *s)
av_freep(&sh->entry_point_offset);
av_freep(&sh->offset);
av_freep(&sh->size);
- sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+ sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned));
sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
if (!sh->entry_point_offset || !sh->offset || !sh->size) {
@@ -2440,8 +2440,8 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
HEVCLocalContext *lc = s->HEVClc;
int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
- int offset;
- int startheader, cmpt = 0;
+ int64_t offset;
+ int64_t startheader, cmpt = 0;
int i, j, res = 0;
if (!ret || !arg) {
@@ -2450,11 +2450,18 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
return AVERROR(ENOMEM);
}
+ if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->ps.sps->ctb_width >= s->ps.sps->ctb_width * s->ps.sps->ctb_height) {
+ av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n",
+ s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets,
+ s->ps.sps->ctb_width, s->ps.sps->ctb_height
+ );
+ res = AVERROR_INVALIDDATA;
+ goto error;
+ }
- if (!s->sList[1]) {
- ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
-
+ ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
+ if (!s->sList[1]) {
for (i = 1; i < s->threads_number; i++) {
s->sList[i] = av_malloc(sizeof(HEVCContext));
memcpy(s->sList[i], s, sizeof(HEVCContext));
@@ -2487,6 +2494,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
}
if (s->sh.num_entry_point_offsets != 0) {
offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt;
+ if (length < offset) {
+ av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n");
+ res = AVERROR_INVALIDDATA;
+ goto error;
+ }
s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
@@ -2513,6 +2525,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
res += ret[i];
+error:
av_free(ret);
av_free(arg);
return res;
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 66b9a2f..d84e661 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -622,7 +622,7 @@ typedef struct SliceHeader {
unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand
- int *entry_point_offset;
+ unsigned *entry_point_offset;
int * offset;
int * size;
int num_entry_point_offsets;
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index ffff87d..d1bef83 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -831,11 +831,13 @@ static av_always_inline int mvd_decode(HEVCContext *s)
int k = 1;
while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) {
- ret += 1 << k;
+ ret += 1U << k;
k++;
}
- if (k == CABAC_MAX_BIN)
+ if (k == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+ return 0;
+ }
while (k--)
ret += get_cabac_bypass(&s->HEVClc->cc) << k;
return get_cabac_bypass_sign(&s->HEVClc->cc, -ret);
@@ -973,8 +975,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc))
prefix++;
- if (prefix == CABAC_MAX_BIN)
+ if (prefix == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+ return 0;
+ }
if (prefix < 3) {
for (i = 0; i < rc_rice_param; i++)
suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 214ff05..36ef001 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1489,6 +1489,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1);
while (passno--) {
+ if (bpno < 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+ return AVERROR_INVALIDDATA;
+ }
switch(pass_t) {
case 0:
decode_sigpass(t1, width, height, bpno + 1, bandpos,
diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index 2bf25a8..a46c93a 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -580,6 +580,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2],
int ff_dwt_encode(DWTContext *s, void *t)
{
+ if (s->ndeclevels == 0)
+ return 0;
+
switch(s->type){
case FF_DWT97:
dwt_encode97_float(s, t); break;
@@ -595,6 +598,9 @@ int ff_dwt_encode(DWTContext *s, void *t)
int ff_dwt_decode(DWTContext *s, void *t)
{
+ if (s->ndeclevels == 0)
+ return 0;
+
switch (s->type) {
case FF_DWT97:
dwt_decode97_float(s, t);
diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c
index 5f39783..992122c 100644
--- a/libavcodec/libvpxenc.c
+++ b/libavcodec/libvpxenc.c
@@ -104,19 +104,11 @@ typedef struct VP8EncoderContext {
/** String mappings for enum vp8e_enc_control_id */
static const char *const ctlidstr[] = {
- [VP8E_UPD_ENTROPY] = "VP8E_UPD_ENTROPY",
- [VP8E_UPD_REFERENCE] = "VP8E_UPD_REFERENCE",
- [VP8E_USE_REFERENCE] = "VP8E_USE_REFERENCE",
- [VP8E_SET_ROI_MAP] = "VP8E_SET_ROI_MAP",
- [VP8E_SET_ACTIVEMAP] = "VP8E_SET_ACTIVEMAP",
- [VP8E_SET_SCALEMODE] = "VP8E_SET_SCALEMODE",
[VP8E_SET_CPUUSED] = "VP8E_SET_CPUUSED",
[VP8E_SET_ENABLEAUTOALTREF] = "VP8E_SET_ENABLEAUTOALTREF",
[VP8E_SET_NOISE_SENSITIVITY] = "VP8E_SET_NOISE_SENSITIVITY",
- [VP8E_SET_SHARPNESS] = "VP8E_SET_SHARPNESS",
[VP8E_SET_STATIC_THRESHOLD] = "VP8E_SET_STATIC_THRESHOLD",
[VP8E_SET_TOKEN_PARTITIONS] = "VP8E_SET_TOKEN_PARTITIONS",
- [VP8E_GET_LAST_QUANTIZER] = "VP8E_GET_LAST_QUANTIZER",
[VP8E_SET_ARNR_MAXFRAMES] = "VP8E_SET_ARNR_MAXFRAMES",
[VP8E_SET_ARNR_STRENGTH] = "VP8E_SET_ARNR_STRENGTH",
[VP8E_SET_ARNR_TYPE] = "VP8E_SET_ARNR_TYPE",
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6c6598f..3f81fdf 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1246,7 +1246,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
int mb_bitmask_size,
const AVFrame *reference)
{
- int i, mb_x, mb_y;
+ int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height;
uint8_t *data[MAX_COMPONENTS];
const uint8_t *reference_data[MAX_COMPONENTS];
int linesize[MAX_COMPONENTS];
@@ -1263,6 +1263,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
s->restart_count = 0;
+ av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift,
+ &chroma_v_shift);
+ chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift);
+ chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
for (i = 0; i < nb_components; i++) {
int c = s->comp_index[i];
data[c] = s->picture_ptr->data[c];
@@ -1299,8 +1304,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
if (s->interlaced && s->bottom_field)
block_offset += linesize[c] >> 1;
- if ( 8*(h * mb_x + x) < s->width
- && 8*(v * mb_y + y) < s->height) {
+ if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width)
+ && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) {
ptr = data[c] + block_offset;
} else
ptr = NULL;
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index f15747f..2c34d21 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -883,7 +883,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx)
const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END;
mb_num = mpeg4_decode_partition_a(ctx);
- if (mb_num < 0) {
+ if (mb_num <= 0) {
ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y,
s->mb_x, s->mb_y, part_a_error);
return -1;
@@ -1881,6 +1881,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
int last = 0;
for (i = 0; i < 64; i++) {
int j;
+ if (get_bits_left(gb) < 8) {
+ av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n");
+ return AVERROR_INVALIDDATA;
+ }
v = get_bits(gb, 8);
if (v == 0)
break;
@@ -1904,6 +1908,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
int last = 0;
for (i = 0; i < 64; i++) {
int j;
+ if (get_bits_left(gb) < 8) {
+ av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n");
+ return AVERROR_INVALIDDATA;
+ }
v = get_bits(gb, 8);
if (v == 0)
break;
diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 841d1ed..73526f9 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
/* upper extent */
for (i = order; i > k; i--)
- max_center -= min_delta[k];
+ max_center -= min_delta[i];
max_center -= min_delta[k] >> 1;
/* move apart */
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 0d307f5..e567f53 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -33,7 +33,7 @@
#include "libavutil/imgutils.h"
#include "libavutil/opt.h"
-#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b))
+#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b))
#define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch
#define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch
#define MAX_OBJECT_REFS 2 // Max objects per display set
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index d8d77fc..af764ab 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
buf += buf_size - context->frame_size;
len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0);
- if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) {
+ if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) {
av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len);
av_buffer_unref(&frame->buf[0]);
return AVERROR(EINVAL);
diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index 5b7b7a6..f4e3de0 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -38,9 +38,14 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n)
int i, nz, round;
for (i = 0; i < n; i += 2) {
+ // Larger values are inavlid and could cause overflows of accu.
+ av_assert2(FFABS(x[i + 0][0]) >> 29 == 0);
accu += (int64_t)x[i + 0][0] * x[i + 0][0];
+ av_assert2(FFABS(x[i + 0][1]) >> 29 == 0);
accu += (int64_t)x[i + 0][1] * x[i + 0][1];
+ av_assert2(FFABS(x[i + 1][0]) >> 29 == 0);
accu += (int64_t)x[i + 1][0] * x[i + 1][0];
+ av_assert2(FFABS(x[i + 1][1]) >> 29 == 0);
accu += (int64_t)x[i + 1][1] * x[i + 1][1];
}
diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 4ec7d89..2e3ca79 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -928,6 +928,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)
s->frame_size = s->channels*s->block_align*s->downsampling;
// avctx->frame_size = s->block_align;
+ if (s->num_taps * s->channels > s->frame_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "number of taps times channels (%d * %d) larger than frame size %d\n",
+ s->num_taps, s->channels, s->frame_size);
+ return AVERROR_INVALIDDATA;
+ }
+
av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n",
s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling);
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 735e71a..892ddb9 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1040,8 +1040,10 @@ end:
int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
{
int ret = get_buffer_internal(avctx, frame, flags);
- if (ret < 0)
+ if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+ frame->width = frame->height = 0;
+ }
return ret;
}
@@ -3178,8 +3180,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode)
if (enc->sample_aspect_ratio.num) {
av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den,
- enc->width * enc->sample_aspect_ratio.num,
- enc->height * enc->sample_aspect_ratio.den,
+ enc->width * (int64_t)enc->sample_aspect_ratio.num,
+ enc->height * (int64_t)enc->sample_aspect_ratio.den,
1024 * 1024);
snprintf(buf + strlen(buf), buf_size - strlen(buf),
" [SAR %d:%d DAR %d:%d]",
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 09e6f75..9bdbbb8 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = {
typedef struct Vp3DecodeContext {
AVCodecContext *avctx;
- int theora, theora_tables;
+ int theora, theora_tables, theora_header;
int version;
int width, height;
int chroma_x_shift, chroma_y_shift;
@@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext {
int16_t *dct_tokens[3][64];
int16_t *dct_tokens_base;
#define TOKEN_EOB(eob_run) ((eob_run) << 2)
-#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1)
-#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2)
+#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1)
+#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2)
/**
* number of blocks that contain DCT coefficients at
@@ -2016,17 +2016,19 @@ static int vp3_decode_frame(AVCodecContext *avctx,
vp3_decode_end(avctx);
ret = theora_decode_header(avctx, &gb);
+ if (ret >= 0)
+ ret = vp3_decode_init(avctx);
if (ret < 0) {
vp3_decode_end(avctx);
- } else
- ret = vp3_decode_init(avctx);
+ }
return ret;
} else if (type == 2) {
ret = theora_decode_tables(avctx, &gb);
+ if (ret >= 0)
+ ret = vp3_decode_init(avctx);
if (ret < 0) {
vp3_decode_end(avctx);
- } else
- ret = vp3_decode_init(avctx);
+ }
return ret;
}
@@ -2251,6 +2253,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
int ret;
AVRational fps, aspect;
+ s->theora_header = 0;
s->theora = get_bits_long(gb, 24);
av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora);
@@ -2321,7 +2324,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
return AVERROR_INVALIDDATA;
}
skip_bits(gb, 3); /* reserved */
- }
+ } else
+ avctx->pix_fmt = AV_PIX_FMT_YUV420P;
ret = ff_set_dimensions(avctx, s->width, s->height);
if (ret < 0)
@@ -2355,6 +2359,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
avctx->color_trc = AVCOL_TRC_BT709;
}
+ s->theora_header = 1;
return 0;
}
@@ -2363,6 +2368,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb)
Vp3DecodeContext *s = avctx->priv_data;
int i, n, matrices, inter, plane;
+ if (!s->theora_header)
+ return AVERROR_INVALIDDATA;
+
if (s->theora >= 0x030200) {
n = get_bits(gb, 3);
/* loop filter limit values table */
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 7f6d3ed..6f5a170 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
s->decode_flags = AV_RL16(edata_ptr+14);
channel_mask = AV_RL32(edata_ptr+2);
s->bits_per_sample = AV_RL16(edata_ptr);
+
+ if (s->bits_per_sample > 32 || s->bits_per_sample < 1) {
+ avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample);
+ return AVERROR_PATCHWELCOME;
+ }
+
/** dump the extradata */
for (i = 0; i < avctx->extradata_size; i++)
ff_dlog(avctx, "[%x] ", avctx->extradata[i]);
@@ -477,7 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
/** calculate subwoofer cutoff values */
for (i = 0; i < num_possible_block_sizes; i++) {
int block_size = s->samples_per_frame >> i;
- int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1)
+ int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1)
/ s->avctx->sample_rate;
s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size);
}
diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c
index 25efacf..20b15a2 100644
--- a/libavfilter/vf_mpdecimate.c
+++ b/libavfilter/vf_mpdecimate.c
@@ -131,10 +131,13 @@ static int decimate_frame(AVFilterContext *ctx,
cur->data[plane], cur->linesize[plane],
ref->data[plane], ref->linesize[plane],
FF_CEIL_RSHIFT(ref->width, hsub),
- FF_CEIL_RSHIFT(ref->height, vsub)))
+ FF_CEIL_RSHIFT(ref->height, vsub))) {
+ emms_c();
return 0;
+ }
}
+ emms_c();
return 1;
}
diff --git a/libavformat/dump.c b/libavformat/dump.c
index 705da82..08b8693 100644
--- a/libavformat/dump.c
+++ b/libavformat/dump.c
@@ -496,7 +496,7 @@ void av_dump_format(AVFormatContext *ic, int index,
av_log(NULL, AV_LOG_INFO, " Duration: ");
if (ic->duration != AV_NOPTS_VALUE) {
int hours, mins, secs, us;
- int64_t duration = ic->duration + 5000;
+ int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0);
secs = duration / AV_TIME_BASE;
us = duration % AV_TIME_BASE;
mins = secs / 60;
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index b743c87..db9fb6b 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -268,6 +268,7 @@ static int ffm2_read_header(AVFormatContext *s)
AVStream *st;
AVIOContext *pb = s->pb;
AVCodecContext *codec;
+ const AVCodecDescriptor *codec_desc;
int ret;
int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1;
AVCodec *enc;
@@ -322,7 +323,20 @@ static int ffm2_read_header(AVFormatContext *s)
codec = st->codec;
/* generic info */
codec->codec_id = avio_rb32(pb);
+ codec_desc = avcodec_descriptor_get(codec->codec_id);
+ if (!codec_desc) {
+ av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ goto fail;
+ }
codec->codec_type = avio_r8(pb);
+ if (codec->codec_type != codec_desc->type) {
+ av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n",
+ codec_desc->type, codec->codec_type);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+ goto fail;
+ }
codec->bit_rate = avio_rb32(pb);
codec->flags = avio_rb32(pb);
codec->flags2 = avio_rb32(pb);
@@ -415,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s)
}
break;
case MKBETAG('S', '2', 'V', 'I'):
- if (f_stvi++) {
+ if (f_stvi++ || !size) {
ret = AVERROR(EINVAL);
goto fail;
}
@@ -430,7 +444,7 @@ static int ffm2_read_header(AVFormatContext *s)
goto fail;
break;
case MKBETAG('S', '2', 'A', 'U'):
- if (f_stau++) {
+ if (f_stau++ || !size) {
ret = AVERROR(EINVAL);
goto fail;
}
@@ -471,6 +485,7 @@ static int ffm_read_header(AVFormatContext *s)
AVStream *st;
AVIOContext *pb = s->pb;
AVCodecContext *codec;
+ const AVCodecDescriptor *codec_desc;
int i, nb_streams;
uint32_t tag;
@@ -508,7 +523,20 @@ static int ffm_read_header(AVFormatContext *s)
codec = st->codec;
/* generic info */
codec->codec_id = avio_rb32(pb);
+ codec_desc = avcodec_descriptor_get(codec->codec_id);
+ if (!codec_desc) {
+ av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ goto fail;
+ }
codec->codec_type = avio_r8(pb); /* codec_type */
+ if (codec->codec_type != codec_desc->type) {
+ av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n",
+ codec_desc->type, codec->codec_type);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+ goto fail;
+ }
codec->bit_rate = avio_rb32(pb);
codec->flags = avio_rb32(pb);
codec->flags2 = avio_rb32(pb);
diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
index 6827b79..ebc5e11 100644
--- a/libavformat/hlsenc.c
+++ b/libavformat/hlsenc.c
@@ -548,8 +548,11 @@ static int hls_start(AVFormatContext *s)
if (oc->oformat->priv_class && oc->priv_data)
av_opt_set(oc->priv_data, "mpegts_flags", "resend_headers", 0);
- if (c->vtt_basename)
- avformat_write_header(vtt_oc,NULL);
+ if (c->vtt_basename) {
+ err = avformat_write_header(vtt_oc,NULL);
+ if (err < 0)
+ return err;
+ }
return 0;
}
diff --git a/libavformat/isom.h b/libavformat/isom.h
index 6e921c0..1f466f0 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -184,6 +184,7 @@ typedef struct MOVContext {
MOVTrackExt *trex_data;
unsigned trex_count;
int itunes_metadata; ///< metadata are itunes style
+ int handbrake_version;
int chapter_track;
int use_absolute_path;
int ignore_editlist;
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 2b2d034..7918346 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -926,14 +926,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv,
}
if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) {
+ int64_t codecdelay = av_rescale_q(codec->initial_padding,
+ (AVRational){ 1, codec->sample_rate },
+ (AVRational){ 1, 1000000000 });
+ if (codecdelay < 0) {
+ av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n");
+ return AVERROR(EINVAL);
+ }
// mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding,
// (AVRational){ 1, codec->sample_rate },
// st->time_base);
- put_ebml_uint(pb, MATROSKA_ID_CODECDELAY,
- av_rescale_q(codec->initial_padding,
- (AVRational){ 1, codec->sample_rate },
- (AVRational){ 1, 1000000000 }));
+ put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay);
}
if (codec->codec_id == AV_CODEC_ID_OPUS) {
put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL);
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 48a429e..4b3bdc1 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -365,6 +365,11 @@ static int read_header(AVFormatContext *avctx)
if (ast)
ast->duration = ast->nb_index_entries;
+ if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) {
+ av_log(avctx, AV_LOG_ERROR, "no index entries found\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (vst && ast)
avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET);
else if (vst)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 735e956..4ce4e2d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -419,6 +419,12 @@ retry:
snprintf(key2, sizeof(key2), "%s-%s", key, language);
av_dict_set(&c->fc->metadata, key2, str, 0);
}
+ if (!strcmp(key, "encoder")) {
+ int major, minor, micro;
+ if (sscanf(str, "HandBrake %d.%d.%d", &major, &minor, µ) == 3) {
+ c->handbrake_version = 1000000*major + 1000*minor + micro;
+ }
+ }
}
av_log(c->fc, AV_LOG_TRACE, "lang \"%3s\" ", language);
av_log(c->fc, AV_LOG_TRACE, "tag \"%s\" value \"%s\" atom \"%.4s\" %d %"PRId64"\n",
@@ -4528,6 +4534,13 @@ static int mov_read_header(AVFormatContext *s)
return err;
}
}
+ if (mov->handbrake_version &&
+ mov->handbrake_version <= 1000000*0 + 1000*10 + 0 && // 0.10.0
+ st->codec->codec_id == AV_CODEC_ID_MP3
+ ) {
+ av_log(s, AV_LOG_VERBOSE, "Forcing full parsing for mp3 stream\n");
+ st->need_parsing = AVSTREAM_PARSE_FULL;
+ }
}
if (mov->trex_data) {
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 45bab1c..9b5864d 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -756,11 +756,11 @@ static int mpegts_write_header(AVFormatContext *s)
ts_st = pcr_st->priv_data;
if (ts->mux_rate > 1) {
- service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) /
+ service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period /
(TS_PACKET_SIZE * 8 * 1000);
- ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) /
+ ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME /
(TS_PACKET_SIZE * 8 * 1000);
- ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) /
+ ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME /
(TS_PACKET_SIZE * 8 * 1000);
if (ts->copyts < 1)
diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c
index 66e1f07..4013be0 100644
--- a/libavformat/mxfenc.c
+++ b/libavformat/mxfenc.c
@@ -1266,11 +1266,11 @@ static void mxf_write_package(AVFormatContext *s, enum MXFMetadataSetType type,
user_comment_count = mxf_write_user_comments(s, s->metadata);
mxf_write_metadata_key(pb, 0x013600);
PRINT_KEY(s, "Material Package key", pb->buf_ptr - 16);
- klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12*mxf->store_user_comments);
+ klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12LL*mxf->store_user_comments);
} else {
mxf_write_metadata_key(pb, 0x013700);
PRINT_KEY(s, "Source Package key", pb->buf_ptr - 16);
- klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12*mxf->store_user_comments); // 20 bytes length for descriptor reference
+ klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12LL*mxf->store_user_comments); // 20 bytes length for descriptor reference
}
// write uid
@@ -2467,6 +2467,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt)
}
mxf->edit_units_count++;
} else if (!mxf->edit_unit_byte_count && st->index == 1) {
+ if (!mxf->edit_units_count) {
+ av_log(s, AV_LOG_ERROR, "No packets in first stream\n");
+ return AVERROR_PATCHWELCOME;
+ }
mxf->index_entries[mxf->edit_units_count-1].slice_offset =
mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset;
}
diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c
index 7eecdb2..bd9bca0 100644
--- a/libavformat/riffdec.c
+++ b/libavformat/riffdec.c
@@ -87,7 +87,7 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb,
AVCodecContext *codec, int size, int big_endian)
{
int id;
- uint64_t bitrate;
+ uint64_t bitrate = 0;
if (size < 14) {
avpriv_request_sample(codec, "wav header size < 14");
diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c
index a6f2b32..60629cf 100644
--- a/libavformat/rtpenc_jpeg.c
+++ b/libavformat/rtpenc_jpeg.c
@@ -36,6 +36,7 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size)
int off = 0; /* fragment offset of the current JPEG frame */
int len;
int i;
+ int default_huffman_tables = 0;
s->buf_ptr = s->buf;
s->timestamp = s->cur_timestamp;
@@ -90,23 +91,66 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size)
return;
}
} else if (buf[i + 1] == DHT) {
- if ( AV_RB16(&buf[i + 2]) < 418
- || i + 420 >= size
- || buf[i + 4] != 0x00
- || buf[i + 33] != 0x01
- || buf[i + 62] != 0x10
- || buf[i + 241] != 0x11
- || memcmp(buf + i + 5, avpriv_mjpeg_bits_dc_luminance + 1, 16)
- || memcmp(buf + i + 21, avpriv_mjpeg_val_dc, 12)
- || memcmp(buf + i + 34, avpriv_mjpeg_bits_dc_chrominance + 1, 16)
- || memcmp(buf + i + 50, avpriv_mjpeg_val_dc, 12)
- || memcmp(buf + i + 63, avpriv_mjpeg_bits_ac_luminance + 1, 16)
- || memcmp(buf + i + 79, avpriv_mjpeg_val_ac_luminance, 162)
- || memcmp(buf + i + 242, avpriv_mjpeg_bits_ac_chrominance + 1, 16)
- || memcmp(buf + i + 258, avpriv_mjpeg_val_ac_chrominance, 162)) {
- av_log(s1, AV_LOG_ERROR,
- "RFC 2435 requires standard Huffman tables for jpeg\n");
- return;
+ int dht_size = AV_RB16(&buf[i + 2]);
+ default_huffman_tables |= 1 << 4;
+ i += 3;
+ dht_size -= 2;
+ if (i + dht_size >= size)
+ continue;
+ while (dht_size > 0)
+ switch (buf[i + 1]) {
+ case 0x00:
+ if ( dht_size >= 29
+ && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_luminance + 1, 16)
+ && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) {
+ default_huffman_tables |= 1;
+ i += 29;
+ dht_size -= 29;
+ } else {
+ i += dht_size;
+ dht_size = 0;
+ }
+ break;
+ case 0x01:
+ if ( dht_size >= 29
+ && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_chrominance + 1, 16)
+ && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) {
+ default_huffman_tables |= 1 << 1;
+ i += 29;
+ dht_size -= 29;
+ } else {
+ i += dht_size;
+ dht_size = 0;
+ }
+ break;
+ case 0x10:
+ if ( dht_size >= 179
+ && !memcmp(buf + i + 2, avpriv_mjpeg_bits_ac_luminance + 1, 16)
+ && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_luminance, 162)) {
+ default_huffman_tables |= 1 << 2;
+ i += 179;
+ dht_size -= 179;
+ } else {
+ i += dht_size;
+ dht_size = 0;
+ }
+ break;
+ case 0x11:
+ if ( dht_size >= 179
+ && !memcmp(buf + i + 2, avpriv_mjpeg_bits_ac_chrominance + 1, 16)
+ && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_chrominance, 162)) {
+ default_huffman_tables |= 1 << 3;
+ i += 179;
+ dht_size -= 179;
+ } else {
+ i += dht_size;
+ dht_size = 0;
+ }
+ break;
+ default:
+ i += dht_size;
+ dht_size = 0;
+ continue;
}
} else if (buf[i + 1] == SOS) {
/* SOS is last marker in the header */
@@ -119,6 +163,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size)
break;
}
}
+ if (default_huffman_tables && default_huffman_tables != 31) {
+ av_log(s1, AV_LOG_ERROR,
+ "RFC 2435 requires standard Huffman tables for jpeg\n");
+ return;
+ }
if (nb_qtables && nb_qtables != 2)
av_log(s1, AV_LOG_WARNING,
"RFC 2435 suggests two quantization tables, %d provided\n",
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4ad..de8bbdb 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
smk->height = avio_rl32(pb);
smk->frames = avio_rl32(pb);
smk->pts_inc = (int32_t)avio_rl32(pb);
+ if (smk->pts_inc > INT_MAX / 100) {
+ av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+ return AVERROR_INVALIDDATA;
+ }
+
smk->flags = avio_rl32(pb);
if(smk->flags & SMACKER_FLAG_RING_FRAME)
smk->frames++;
diff --git a/libavformat/tee.c b/libavformat/tee.c
index bc2e522..a916841 100644
--- a/libavformat/tee.c
+++ b/libavformat/tee.c
@@ -409,6 +409,8 @@ FF_ENABLE_DEPRECATION_WARNINGS
}
if (ret > 0) {
+ pkt->side_data = NULL;
+ pkt->side_data_elems = 0;
av_free_packet(pkt);
new_pkt.buf = av_buffer_create(new_pkt.data, new_pkt.size,
av_buffer_default_free, NULL, 0);
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 386ce37..30567fa 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2451,7 +2451,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic)
}
#define DURATION_MAX_READ_SIZE 250000LL
-#define DURATION_MAX_RETRY 4
+#define DURATION_MAX_RETRY 6
/* only usable for MPEG-PS streams */
static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset)
diff --git a/libavutil/integer.c b/libavutil/integer.c
index 5bcde0d..6d6855f 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -29,6 +29,8 @@
#include "integer.h"
#include "avassert.h"
+static const AVInteger zero_i;
+
AVInteger av_add_i(AVInteger a, AVInteger b){
int i, carry=0;
@@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){
AVInteger quot_temp;
if(!quot) quot = "_temp;
+ if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) {
+ a = av_mod_i(quot, av_sub_i(zero_i, a), b);
+ *quot = av_sub_i(zero_i, *quot);
+ return av_sub_i(zero_i, a);
+ }
+
av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0);
av_assert2(av_log2_i(b)>=0);
diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index 126cffc..78a87d8 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd)
rnd -= AV_ROUND_PASS_MINMAX;
}
- if (a < 0 && a != INT64_MIN)
- return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1));
+ if (a < 0)
+ return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1));
if (rnd == AV_ROUND_NEAR_INF)
r = c / 2;
@@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd)
if (b <= INT_MAX && c <= INT_MAX) {
if (a <= INT_MAX)
return (a * b + r) / c;
- else
- return a / c * b + (a % c * b + r) / c;
+ else {
+ int64_t ad = a / c;
+ int64_t a2 = (a % c * b + r) / c;
+ if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)
+ return INT64_MIN;
+ return ad * b + a2;
+ }
} else {
#if 1
uint64_t a0 = a & 0xFFFFFFFF;
@@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd)
t1++;
}
}
+ if (t1 > INT64_MAX)
+ return INT64_MIN;
return t1;
}
#else
diff --git a/libavutil/timecode.c b/libavutil/timecode.c
index 1dfd040..bf463ed 100644
--- a/libavutil/timecode.c
+++ b/libavutil/timecode.c
@@ -151,7 +151,7 @@ static int check_fps(int fps)
static int check_timecode(void *log_ctx, AVTimecode *tc)
{
- if (tc->fps <= 0) {
+ if ((int)tc->fps <= 0) {
av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n");
return AVERROR(EINVAL);
}
diff --git a/libswscale/utils.c b/libswscale/utils.c
index 0c4b4d7..2a88dc9 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -385,7 +385,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos,
xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7);
for (i = 0; i < dstW; i++) {
- int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17);
+ int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17);
int j;
(*filterPos)[i] = xx;
for (j = 0; j < filterSize; j++) {
diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c
index e97ba4f..a10f268 100644
--- a/libswscale/x86/rgb2rgb_template.c
+++ b/libswscale/x86/rgb2rgb_template.c
@@ -1887,8 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui
for (h=0; h < height; h++) {
int w;
- if (width >= 16)
+ if (width >= 16) {
#if COMPILE_TEMPLATE_SSE2
+ if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) {
__asm__(
"xor %%"REG_a", %%"REG_a" \n\t"
"1: \n\t"
@@ -1907,7 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui
::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15)
: "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a
);
-#else
+ } else
+#endif
__asm__(
"xor %%"REG_a", %%"REG_a" \n\t"
"1: \n\t"
@@ -1933,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui
::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15)
: "memory", "%"REG_a
);
-#endif
+
+ }
for (w= (width&(~15)); w < width; w++) {
dest[2*w+0] = src1[w];
dest[2*w+1] = src2[w];
@@ -1943,9 +1946,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui
src2 += src2Stride;
}
__asm__(
-#if !COMPILE_TEMPLATE_SSE2
EMMS" \n\t"
-#endif
SFENCE" \n\t"
::: "memory"
);
--
ffmpeg packaging
More information about the pkg-multimedia-commits
mailing list