[SCM] ffmpeg/stretch: New upstream version 3.2.9
sramacher at users.alioth.debian.org
sramacher at users.alioth.debian.org
Sun Nov 26 20:19:09 UTC 2017
The following commit has been merged in the stretch branch:
commit cc6e2b815ba9908014d6e77dda61bb609d9ecf3d
Author: Sebastian Ramacher <sramacher at debian.org>
Date: Sun Nov 26 21:05:29 2017 +0100
New upstream version 3.2.9
diff --git a/Changelog b/Changelog
index 96052b9..0004b6c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,27 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 3.2.9:
+- avcodec/snowdec: Check mv_scale
+- avcodec/pafvideo: Check for bitstream end in decode_0()
+- avcodec/ffv1dec: Fix out of array read in slice counting
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()
+- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()
+- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta
+- avcodec/x86/lossless_videoencdsp: Fix handling of small widths
+- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()
+- avcodec/aacdec_template: Clear tns present flag on error
+- avcodec/proresdec2: SKIP_BITS() does not work with len=32
+- avcodec/hevcdsp_template: Fix undefined shift
+- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
+- avcodec/takdec: Fix integer overflow in decode_lpc()
+- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift
+- avcodec/takdec: Fix integer overflows in decode_subframe()
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()
+- avcodec/ffv1dec: Fix integer overflow in read_quant_table()
+- avcodec/svq3: Fix overflow in svq3_add_idct_c()
+- avcodec/pngdec: Clean up on av_frame_ref() failure
+
version 3.2.8:
- avcodec/hevc_ps: Fix c?_qp_offset_list size
- avcodec/shorten: Move buffer allocation and offset init to end of read_header()
diff --git a/RELEASE b/RELEASE
index f092941..e650c01 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.2.8
+3.2.9
diff --git a/VERSION b/VERSION
index f092941..e650c01 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.8
+3.2.9
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 18f4da5..954a0b2 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 3.2.8
+PROJECT_NUMBER = 3.2.9
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index d6880c9..e63324d 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -1945,16 +1945,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
global_gain = get_bits(gb, 8);
if (!common_window && !scale_flag) {
- if (decode_ics_info(ac, ics, gb) < 0)
- return AVERROR_INVALIDDATA;
+ ret = decode_ics_info(ac, ics, gb);
+ if (ret < 0)
+ goto fail;
}
if ((ret = decode_band_types(ac, sce->band_type,
sce->band_type_run_end, gb, ics)) < 0)
- return ret;
+ goto fail;
if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
sce->band_type, sce->band_type_run_end)) < 0)
- return ret;
+ goto fail;
pulse_present = 0;
if (!scale_flag) {
@@ -1962,37 +1963,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse tool not allowed in eight short sequence.\n");
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
}
if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse data corrupt or invalid.\n");
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
}
}
tns->present = get_bits1(gb);
- if (tns->present && !er_syntax)
- if (decode_tns(ac, tns, gb, ics) < 0)
- return AVERROR_INVALIDDATA;
+ if (tns->present && !er_syntax) {
+ ret = decode_tns(ac, tns, gb, ics);
+ if (ret < 0)
+ goto fail;
+ }
if (!eld_syntax && get_bits1(gb)) {
avpriv_request_sample(ac->avctx, "SSR");
- return AVERROR_PATCHWELCOME;
+ ret = AVERROR_PATCHWELCOME;
+ goto fail;
}
// I see no textual basis in the spec for this occurring after SSR gain
// control, but this is what both reference and real implmentations do
- if (tns->present && er_syntax)
- if (decode_tns(ac, tns, gb, ics) < 0)
- return AVERROR_INVALIDDATA;
+ if (tns->present && er_syntax) {
+ ret = decode_tns(ac, tns, gb, ics);
+ if (ret < 0)
+ goto fail;
+ }
}
- if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
- &pulse, ics, sce->band_type) < 0)
- return AVERROR_INVALIDDATA;
+ ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
+ &pulse, ics, sce->band_type);
+ if (ret < 0)
+ goto fail;
if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window)
apply_prediction(ac, sce);
return 0;
+fail:
+ tns->present = 0;
+ return ret;
}
/**
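Review bot: Errors from `decode_ics_info()`, `decode_tns()` and `decode_spectrum_and_dequant()` now reach the caller unchanged through `ret`, where the old code flattened them all to `AVERROR_INVALIDDATA`. Any caller of `decode_ics()` that compares against that one value would behave differently, and those callers are outside this hunk. The `fail:` label also clears only `tns->present` without saying why; a comment such as `/* do not leave a TNS flag set for a channel whose TNS data was never (fully) parsed */` would record the intent, if that is the intent. The declaration of `ret` and the start of `decode_ics()` are not visible in these hunks.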
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index adf5178..35ed885 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
// shared stuff for simd optimizations
#define COMPOSE_53iL0(b0, b1, b2)\
- (b1 - ((b0 + b2 + 2) >> 2))
+ (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
#define COMPOSE_DIRAC53iH0(b0, b1, b2)\
- (b1 + ((b0 + b2 + 1) >> 1))
+ (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
#define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
(b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
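Review bot: Only the inner sum is moved to unsigned arithmetic; the outer `b1 - (...)` and `b1 + (...)` here, and `b4 - (...)` / `b4 + (...)` in the COMPOSE_FIDELITYi* hunk below, are still signed `int` operations and can still overflow for extreme coefficient values. The macro arguments are also not parenthesized consistently: this hunk writes `(unsigned)(b2)`, but the FIDELITY macros write `(unsigned)b8`, where the cast would bind to only the first operand if an expression were ever passed. Writing `(unsigned)(b8)`, `(unsigned)(b7)` and so on, and parenthesizing `b0`/`b1`, would make the macros safe regardless of call site. Whether current callers pass anything other than plain array elements is not visible in this diff.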
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
(b0 + b1)
#define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
- (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8))
+ (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
#define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
- (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
+ (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8))
#define COMPOSE_DAUB97iL1(b0, b1, b2)\
(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index a57ec53..1d8c4d4 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -359,7 +359,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
memset(state, 128, sizeof(state));
for (v = 0; i < 128; v++) {
- unsigned len = get_symbol(c, state, 0) + 1;
+ unsigned len = get_symbol(c, state, 0) + 1U;
if (len > 128 - i || !len)
return AVERROR_INVALIDDATA;
@@ -684,7 +684,7 @@ static int read_header(FFV1Context *f)
} else {
const uint8_t *p = c->bytestream_end;
for (f->slice_count = 0;
- f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start;
+ f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start;
f->slice_count++) {
int trailer = 3 + 5*!!f->ec;
int size = AV_RB24(p-trailer);
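Review bot: The loop condition now spells out `3 + 5*!!f->ec`, and the first statement of the body computes the same value again as `trailer`, so the bound check and the `p-trailer` read can drift apart if one is edited without the other. Hoisting it once before the loop, e.g. `const int trailer = 3 + 5*!!f->ec;`, and using `trailer < p - c->bytestream_start` in the condition keeps the two tied together. The rest of the loop body, including any validation of `size`, is outside this hunk.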
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 5bca023..dd1643f 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1492,7 +1492,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++)
dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 +
- ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+ ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
tmp += MAX_PB_SIZE;
dst += dststride;
src2 += MAX_PB_SIZE;
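Review bot: Nothing on the changed line says why `* (1 << log2Wd)` is used instead of `<< log2Wd`, so a later cleanup could turn it back into a shift of a possibly negative value. A short comment such as `/* multiply, not <<: ox0 + ox1 + 1 may be negative */` would protect it. The product is still evaluated in signed `int`, so this removes the undefined shift but not a signed overflow; whether the ranges of `ox0`, `ox1` and `log2Wd` rule that out is not visible here. If the sibling weighted bi-prediction functions in this template use the same expression, they need the same form; they are outside the hunk.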
diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index 94efc94..afeb9df 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -506,6 +506,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
// update precincts size: 2^n value
reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno];
reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno];
+ if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) {
+ return AVERROR_INVALIDDATA;
+ }
/* Number of bands for each resolution level */
if (reslevelno == 0)
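Review bot: The new early return treats a zero in `codsty->log2_prec_widths[]` / `log2_prec_heights[]` as "never initialized", but that convention is set up by code outside this hunk and is not stated here. A comment such as `/* 0 is the unset marker for the precinct exponents; refuse to build a resolution level from it */` would make the contract explicit. The function also returns in the middle of initializing the component, so it is worth confirming that the caller releases whatever earlier resolution levels already allocated; that cleanup path is not visible in this diff.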
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 758f77b..02b87b3 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -179,6 +179,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
int sprite_ref[4][2];
int virtual_ref[2][2];
int64_t sprite_offset[2][2];
+ int64_t sprite_delta[2][2];
// only true for rectangle shapes
const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 },
@@ -262,10 +263,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
sprite_offset[0][1] =
sprite_offset[1][0] =
sprite_offset[1][1] = 0;
- s->sprite_delta[0][0] = a;
- s->sprite_delta[0][1] =
- s->sprite_delta[1][0] = 0;
- s->sprite_delta[1][1] = a;
+ sprite_delta[0][0] = a;
+ sprite_delta[0][1] =
+ sprite_delta[1][0] = 0;
+ sprite_delta[1][1] = a;
ctx->sprite_shift[0] =
ctx->sprite_shift[1] = 0;
break;
@@ -276,10 +277,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
a * (vop_ref[0][0] / 2);
sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
a * (vop_ref[0][1] / 2);
- s->sprite_delta[0][0] = a;
- s->sprite_delta[0][1] =
- s->sprite_delta[1][0] = 0;
- s->sprite_delta[1][1] = a;
+ sprite_delta[0][0] = a;
+ sprite_delta[0][1] =
+ sprite_delta[1][0] = 0;
+ sprite_delta[1][1] = a;
ctx->sprite_shift[0] =
ctx->sprite_shift[1] = 0;
break;
@@ -304,10 +305,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) *
((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
(int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1)));
- s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
- s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]);
- s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]);
- s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
+ sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
+ sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]);
+ sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]);
+ sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);
ctx->sprite_shift[0] = alpha + rho;
ctx->sprite_shift[1] = alpha + rho + 2;
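Review bot: The four `sprite_delta[...]` assignments in this case now store into an `int64_t` array, but their right-hand sides, e.g. `(-r * sprite_ref[0][0] + virtual_ref[0][0])`, are still evaluated in `int` and only widened afterwards, so the multiplication can overflow before the 64-bit store. The next case in this commit adds the cast (`-r * (int64_t)sprite_ref[0][0]`), and the `sprite_offset` expressions just above already use `(int64_t)-r`. Using the same form here, `sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]);` and likewise for the other three, would make the 64-bit intermediates consistent. The declaration of `r` is outside the hunk.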
@@ -332,28 +333,28 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) +
(int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 +
((int64_t)1 << (alpha + beta + rho - min_ab + 1));
- s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;
- s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3;
- s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3;
- s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3;
+ sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3;
+ sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3;
+ sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3;
+ sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3;
ctx->sprite_shift[0] = alpha + beta + rho - min_ab;
ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2;
break;
}
/* try to simplify the situation */
- if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
- s->sprite_delta[0][1] == 0 &&
- s->sprite_delta[1][0] == 0 &&
- s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
+ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
+ sprite_delta[0][1] == 0 &&
+ sprite_delta[1][0] == 0 &&
+ sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
sprite_offset[0][0] >>= ctx->sprite_shift[0];
sprite_offset[0][1] >>= ctx->sprite_shift[0];
sprite_offset[1][0] >>= ctx->sprite_shift[1];
sprite_offset[1][1] >>= ctx->sprite_shift[1];
- s->sprite_delta[0][0] = a;
- s->sprite_delta[0][1] = 0;
- s->sprite_delta[1][0] = 0;
- s->sprite_delta[1][1] = a;
+ sprite_delta[0][0] = a;
+ sprite_delta[0][1] = 0;
+ sprite_delta[1][0] = 0;
+ sprite_delta[1][1] = a;
ctx->sprite_shift[0] = 0;
ctx->sprite_shift[1] = 0;
s->real_sprite_warping_points = 1;
@@ -365,8 +366,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
if (shift_c < 0 || shift_y < 0 ||
FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y ||
FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c ||
- FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y ||
- FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y
+ FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y ||
+ FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y
) {
avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset");
goto overflow;
@@ -376,22 +377,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
for (i = 0; i < 2; i++) {
sprite_offset[0][i] *= 1 << shift_y;
sprite_offset[1][i] *= 1 << shift_c;
- s->sprite_delta[0][i] *= 1 << shift_y;
- s->sprite_delta[1][i] *= 1 << shift_y;
+ sprite_delta[0][i] *= 1 << shift_y;
+ sprite_delta[1][i] *= 1 << shift_y;
ctx->sprite_shift[i] = 16;
}
for (i = 0; i < 2; i++) {
int64_t sd[2] = {
- s->sprite_delta[i][0] - a * (1LL<<16),
- s->sprite_delta[i][1] - a * (1LL<<16)
+ sprite_delta[i][0] - a * (1LL<<16),
+ sprite_delta[i][1] - a * (1LL<<16)
};
- if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
- llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
- llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
- llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
- llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
+ if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+ llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+ llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
llabs(sd[0]) >= INT_MAX ||
llabs(sd[1]) >= INT_MAX ||
llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
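Review bot: In the range checks, `llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX` multiplies the `[i][1]` delta by the width term, while the checks above pair `sprite_delta[i][0]` with `(w+16LL)` and `sprite_delta[i][1]` with `(h+16LL)`. That looks like a copy of the previous line and would leave the height product unchecked on its own; if so the line should read `llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||`. The line is carried over from the old code with only the `s->` prefix dropped, so it predates this commit, and the end of the condition is outside the hunk.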
@@ -405,10 +406,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
s->real_sprite_warping_points = ctx->num_sprite_warping_points;
}
- s->sprite_offset[0][0] = sprite_offset[0][0];
- s->sprite_offset[0][1] = sprite_offset[0][1];
- s->sprite_offset[1][0] = sprite_offset[1][0];
- s->sprite_offset[1][1] = sprite_offset[1][1];
+ for (i = 0; i < 4; i++) {
+ s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1];
+ s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1];
+ }
return 0;
overflow:
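Review bot: The copy-back loop writes the 64-bit locals into `s->sprite_offset` and `s->sprite_delta` through `[i&1][i>>1]` indexing, which hides both that all four elements are visited and that a narrowing store may be taking place. If the struct fields are `int` (their declaration is not in this diff), the store is only safe because of the `INT_MAX` checks earlier in the function, and a comment such as `/* values were range-checked against INT_MAX above, so the narrowing store is safe */` would make that dependency visible. Two nested `for` loops over `[i][j]` would read more directly than the bit tricks.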
diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c
index dd87ae9..9bd269c 100644
--- a/libavcodec/mpeg_er.c
+++ b/libavcodec/mpeg_er.c
@@ -71,6 +71,7 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
s->mb_skipped = mb_skipped;
s->mb_x = mb_x;
s->mb_y = mb_y;
+ s->mcsel = 0;
memcpy(s->mv, mv, sizeof(*mv));
ff_init_block_index(s);
diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c
index 91bfe16..6980ae1 100644
--- a/libavcodec/pafvideo.c
+++ b/libavcodec/pafvideo.c
@@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
dend = c->frame[page] + c->frame_size;
offset = (x & 0x7F) * 2;
j = bytestream2_get_le16(&c->gb) + offset;
+ if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16)
+ return AVERROR_INVALIDDATA;
do {
offset++;
if (dst + 3 * c->width + 4 > dend)
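Review bot: The added guard computes the required input as `(j - offset) * 16`, which undoes the addition on the line before and leaves the factor 16 unexplained. Keeping the value read by `bytestream2_get_le16()` in its own local and commenting what the 16 bytes per iteration are would make the check easier to verify. The body that follows is a `do { ... } while` loop, so it runs at least once even when the count read is 0, in which case the guard asks for 0 bytes; whether that first iteration can then read past the end depends on the loop condition and on the reader helpers, both outside this hunk.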
@@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
do {
set_src_position(c, &src, &send);
if ((src + 3 * c->width + 4 > send) ||
- (dst + 3 * c->width + 4 > dend))
+ (dst + 3 * c->width + 4 > dend) ||
+ bytestream2_get_bytes_left(&c->gb) < 4)
return AVERROR_INVALIDDATA;
copy_block4(dst, src, c->width, c->width, 4);
i++;
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 52b872a..7f0d416 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1358,7 +1358,7 @@ static int decode_frame_png(AVCodecContext *avctx,
}
if ((ret = av_frame_ref(data, s->picture.f)) < 0)
- return ret;
+ goto the_end;
*got_frame = 1;
diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c
index a3a1ebd..57447d1 100644
--- a/libavcodec/proresdec2.c
+++ b/libavcodec/proresdec2.c
@@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons
\
if (q > switch_bits) { /* exp golomb */ \
bits = exp_order - switch_bits + (q<<1); \
+ if (bits > FFMIN(MIN_CACHE_BITS, 31)) \
+ return AVERROR_INVALIDDATA; \
val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \
((switch_bits + 1) << rice_order); \
SKIP_BITS(re, gb, bits); \
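Review bot: The `return AVERROR_INVALIDDATA;` added inside the macro body is hidden control flow: every function that expands this macro must now return `int`, and it leaves between `OPEN_READER` and `CLOSE_READER` without running the latter. This commit converts `decode_dc_coeffs()` accordingly, but the requirement is not written down at the macro, whose definition starts outside this hunk. A comment above it, for example `/* NOTE: returns AVERROR_INVALIDDATA from the enclosing function when the codeword is longer than the bit reader can show */`, would keep future users from expanding it in a `void` function. The literal `31` in `FFMIN(MIN_CACHE_BITS, 31)` would also benefit from a note that it is the largest shift valid for the `1 << exp_order`-style 32-bit operations.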
@@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons
static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70};
-static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out,
+static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out,
int blocks_per_slice)
{
int16_t prev_dc;
@@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out,
out[0] = prev_dc;
}
CLOSE_READER(re, gb);
+ return 0;
}
// adaptive codebook switching lut according to previous run/level values
@@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice,
init_get_bits(&gb, buf, buf_size << 3);
- decode_dc_coeffs(&gb, blocks, blocks_per_slice);
+ if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0)
+ return ret;
if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0)
return ret;
@@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice,
init_get_bits(&gb, buf, buf_size << 3);
- decode_dc_coeffs(&gb, blocks, blocks_per_slice);
+ if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0)
+ return ret;
if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0)
return ret;
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 0ac0b55..6eff729 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -394,9 +394,10 @@ static int decode_header(SnowContext *s){
s->mv_scale += get_symbol(&s->c, s->header_state, 1);
s->qbias += get_symbol(&s->c, s->header_state, 1);
s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
- if(s->block_max_depth > 1 || s->block_max_depth < 0){
+ if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
s->block_max_depth= 0;
+ s->mv_scale = 0;
return AVERROR_INVALIDDATA;
}
if (FFABS(s->qbias) > 127) {
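Review bot: The `av_log()` call in this branch still reports only `block_max_depth= %d is too large`, so a header rejected by the new `s->mv_scale > 256U` test produces an error message that names the wrong field and prints a value that may be valid. Either split the check or extend the message, e.g. `av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d or mv_scale= %d is out of range\n", s->block_max_depth, s->mv_scale);`. The unsigned comparison also rejects negative `mv_scale` values, which deserves a short comment since it is not obvious from `> 256U` alone.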
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 0199865..b16ae1b 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -285,7 +285,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block,
const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]);
const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3];
const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3];
- const int rr = (dc + 0x80000);
+ const int rr = (dc + 0x80000u);
dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20));
dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20));
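Review bot: `rr` is still declared `const int` although its initializer `dc + 0x80000u` is now an unsigned expression, so the result is converted back to `int`, which is implementation-defined when it does not fit, and then promoted to unsigned again in `(z0 + z3) * qmul + rr`. Declaring it like the neighbouring `z1`..`z3`, `const unsigned rr = dc + 0x80000u;`, avoids the round trip and matches the surrounding style. The declaration of `dc` is outside the hunk.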
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 1cfbc99..ba0ce99 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -206,7 +206,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
int a1 = *coeffs++;
for (i = 0; i < length - 1 >> 1; i++) {
*coeffs += a1;
- coeffs[1] += *coeffs;
+ coeffs[1] += (unsigned)*coeffs;
a1 = coeffs[1];
coeffs += 2;
}
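Review bot: Only the second accumulation in this loop was made unsigned; the line directly above it, `*coeffs += a1;`, is still a signed 32-bit addition on values derived from the bitstream and can overflow in the same way. Treating it the same, `*coeffs += (unsigned)a1;`, would make the loop consistent with the fix. The `decode_subframe()` hunk below applies the cast to every product in its sum. The other `mode` branches of `decode_lpc()` are outside this hunk.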
@@ -486,10 +486,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter,
filter_order & -16);
for (j = filter_order & -16; j < filter_order; j += 4) {
- v += s->residues[i + j + 3] * s->filter[j + 3] +
- s->residues[i + j + 2] * s->filter[j + 2] +
- s->residues[i + j + 1] * s->filter[j + 1] +
- s->residues[i + j ] * s->filter[j ];
+ v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] +
+ s->residues[i + j + 2] * (unsigned)s->filter[j + 2] +
+ s->residues[i + j + 1] * (unsigned)s->filter[j + 1] +
+ s->residues[i + j ] * (unsigned)s->filter[j ];
}
v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded;
*decoded++ = v;
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index a463a92..f077f0e 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -465,7 +465,7 @@ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *de
}
}
-static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas)
+static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas)
{
int i, j;
for (j = 0; j < 2; j++) {
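Review bot: Changing the parameter to `unsigned *CD` fixes the arithmetic inside `tm2_high_chroma()`, but no caller is touched in this diff. If the callers still pass a pointer into an `int` array, each call becomes a pointer-sign mismatch that compilers warn about. Either the backing array's type should change along with the signature, or the parameter can stay `int *CD` with the additions in the body cast to `unsigned`. The function body and its call sites are outside this hunk, so which of the two applies could not be checked here.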
diff --git a/libavcodec/x86/huffyuvencdsp.asm b/libavcodec/x86/huffyuvencdsp.asm
index a55a1de..7a1ce2e 100644
--- a/libavcodec/x86/huffyuvencdsp.asm
+++ b/libavcodec/x86/huffyuvencdsp.asm
@@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
%define i t0q
%endmacro
-; label to jump to if w < regsize
-%macro DIFF_BYTES_LOOP_PREP 1
+; labels to jump to if w < regsize and w < 0
+%macro DIFF_BYTES_LOOP_PREP 2
mov i, wq
and i, -2 * regsize
+ js %2
jz %1
add dstq, i
add src1q, i
@@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
%if mmsize > 16
; fall back to narrower xmm
%define regsize mmsize / 2
- DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa
+ DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa
.loop2_%1%2:
DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1
add i, 2 * regsize
@@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
INIT_MMX mmx
DIFF_BYTES_PROLOGUE
%define regsize mmsize
- DIFF_BYTES_LOOP_PREP .skip_main_aa
+ DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
DIFF_BYTES_BODY a, a
%undef i
%endif
@@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE
INIT_XMM sse2
DIFF_BYTES_PROLOGUE
%define regsize mmsize
- DIFF_BYTES_LOOP_PREP .skip_main_aa
+ DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
test dstq, regsize - 1
jnz .loop_uu
test src1q, regsize - 1
@@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE
%define regsize mmsize
; Directly using unaligned SSE2 version is marginally faster than
; branching based on arguments.
- DIFF_BYTES_LOOP_PREP .skip_main_uu
+ DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu
test dstq, regsize - 1
jnz .loop_uu
test src1q, regsize - 1
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 9969d7a..85a31f7 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -688,9 +688,9 @@ static void read_chapter(AVFormatContext *s, AVIOContext *pb, int len, const cha
}
if (decode_str(s, pb, 0, &dst, &len) < 0)
- return;
+ goto end;
if (len < 16)
- return;
+ goto end;
start = avio_rb32(pb);
end = avio_rb32(pb);
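Review bot: The new `goto end;` targets a label named `end`, while the same function has a local variable `end` assigned two lines later (`end = avio_rb32(pb);`). Labels live in their own namespace, so this compiles, but the shared name makes the cleanup path hard to read. Renaming the label, e.g. `goto fail;` with a matching `fail:`, would avoid the clash. The label itself and the cleanup it performs are outside this hunk, so it is worth confirming that it releases `dst` on these two early exits.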
--
ffmpeg packaging