[SCM] ffmpeg/stretch: New upstream version 3.2.8
sramacher at users.alioth.debian.org
sramacher at users.alioth.debian.org
Mon Oct 9 17:12:29 UTC 2017
The following commit has been merged in the stretch branch:
commit a802099b99a14be3aeb3a7752abf11eeeb6aae19
Author: Sebastian Ramacher <sramacher at debian.org>
Date: Mon Oct 9 18:40:02 2017 +0200
New upstream version 3.2.8
diff --git a/Changelog b/Changelog
index 9b5a654..96052b9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,55 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 3.2.8:
+- avcodec/hevc_ps: Fix c?_qp_offset_list size
+- avcodec/shorten: Move buffer allocation and offset init to end of read_header()
+- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
+- avcodec/diracdec: Fix overflow in DC computation
+- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
+- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0
+- avformat/asfdec: Fix DoS in asf_build_simple_index()
+- avformat/mov: Fix DoS in read_tfra()
+- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
+- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
+- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
+- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
+- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
+- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
+- avcodec/hevc_ps: Fix undefined shift in pcm code
+- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
+- avformat/mvdec: Fix DoS due to lack of eof check
+- avformat/rl2: Fix DoS due to lack of eof check
+- avformat/rmdec: Fix DoS due to lack of eof check
+- avformat/cinedec: Fix DoS due to lack of eof check
+- avformat/asfdec: Fix DoS due to lack of eof check
+- avformat/hls: Fix DoS due to infinite loop
+- ffprobe: Fix NULL pointer handling in color parameter printing
+- ffprobe: Fix null pointer dereference with color primaries
+- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
+- avformat/rtpdec_h264: Fix heap-buffer-overflow
+- avformat/aviobuf: Fix signed integer overflow in avio_seek()
+- avformat/mov: Fix signed integer overflows with total_size
+- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
+- avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
+- avcodec/me_cmp: Fix crashes on ARM due to misalignment
+- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
+- avcodec/fic: Fixes signed integer overflow
+- avcodec/snowdec: Fix off by 1 error
+- avcodec/diracdec: Fixes integer overflow
+- avcodec/diracdec: Check perspective_exp and zrs_exp.
+- avcodec/ffv1dec_template: Fix undefined shift
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image
+- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
+- avcodec/aacdec_fixed: fix invalid shift in predict()
+- avcodec/h264_slice: Fix overflow in slice offset
+- avformat/utils: fix memory leak in avformat_free_context
+- avcodec/diracdsp: fix integer overflow
+- avcodec/diracdec: Check weight_log2denom
+- avfilter/vf_ssim: fix temp size calculation
+
version 3.2.7:
- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
- avcodec/diracdec: Fix integer overflow in divide3()
diff --git a/RELEASE b/RELEASE
index 406ebcb..f092941 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.2.7
+3.2.8
diff --git a/VERSION b/VERSION
index 406ebcb..f092941 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.7
+3.2.8
diff --git a/doc/Doxyfile b/doc/Doxyfile
index d2df976..18f4da5 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 3.2.7
+PROJECT_NUMBER = 3.2.8
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
diff --git a/doc/demuxers.texi b/doc/demuxers.texi
index 2934a1c..d56ad16 100644
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -293,6 +293,24 @@ used to end the output video at the length of the shortest input file,
which in this case is @file{input.mp4} as the GIF in this example loops
infinitely.
+ at section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+ at table @option
+ at item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+ at item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+ at item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+ at end table
+
@section image2
Image file demuxer.
diff --git a/ffprobe.c b/ffprobe.c
index 79fe296..0c6c0f6 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -1789,6 +1789,56 @@ static void print_pkt_side_data(WriterContext *w,
writer_print_section_footer(w);
}
+static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback)
+{
+ const char *val = av_color_range_name(color_range);
+ if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
+ print_str_opt("color_range", fallback);
+ } else {
+ print_str("color_range", val);
+ }
+}
+
+static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
+{
+ const char *val = av_color_space_name(color_space);
+ if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
+ print_str_opt("color_space", "unknown");
+ } else {
+ print_str("color_space", val);
+ }
+}
+
+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
+{
+ const char *val = av_color_primaries_name(color_primaries);
+ if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+ print_str_opt("color_primaries", "unknown");
+ } else {
+ print_str("color_primaries", val);
+ }
+}
+
+static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc)
+{
+ const char *val = av_color_transfer_name(color_trc);
+ if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
+ print_str_opt("color_transfer", "unknown");
+ } else {
+ print_str("color_transfer", val);
+ }
+}
+
+static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location)
+{
+ const char *val = av_chroma_location_name(chroma_location);
+ if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
+ print_str_opt("chroma_location", "unspecified");
+ } else {
+ print_str("chroma_location", val);
+ }
+}
+
static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx)
{
char val_str[128];
@@ -2244,29 +2294,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
if (s) print_str ("pix_fmt", s);
else print_str_opt("pix_fmt", "unknown");
print_int("level", par->level);
- if (par->color_range != AVCOL_RANGE_UNSPECIFIED)
- print_str ("color_range", av_color_range_name(par->color_range));
- else
- print_str_opt("color_range", "N/A");
-
- s = av_get_colorspace_name(par->color_space);
- if (s) print_str ("color_space", s);
- else print_str_opt("color_space", "unknown");
-
- if (par->color_trc != AVCOL_TRC_UNSPECIFIED)
- print_str("color_transfer", av_color_transfer_name(par->color_trc));
- else
- print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
-
- if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
- print_str("color_primaries", av_color_primaries_name(par->color_primaries));
- else
- print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
- if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
- print_str("chroma_location", av_chroma_location_name(par->chroma_location));
- else
- print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location));
+ print_color_range(w, par->color_range, "N/A");
+ print_color_space(w, par->color_space);
+ print_color_trc(w, par->color_trc);
+ print_primaries(w, par->color_primaries);
+ print_chroma_location(w, par->chroma_location);
if (par->field_order == AV_FIELD_PROGRESSIVE)
print_str("field_order", "progressive");
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index ccc8205..e7c2d2d 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
if (output_enable) {
int shift = 28 - pv.exp;
- if (shift < 31)
- *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+ if (shift < 31) {
+ if (shift > 0) {
+ *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+ } else
+ *coef += pv.mant << -shift;
+ }
}
e0 = av_int2sf(*coef, 2);
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 1ac6503..d6880c9 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -1259,6 +1259,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac;
const int aot = m4ac->object_type;
const int sampling_index = m4ac->sampling_index;
+ int ret_fail = AVERROR_INVALIDDATA;
+
if (aot != AOT_ER_AAC_ELD) {
if (get_bits1(gb)) {
av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@@ -1309,8 +1311,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
ics->num_swb = ff_aac_num_swb_512[sampling_index];
ics->tns_max_bands = ff_tns_max_bands_512[sampling_index];
}
- if (!ics->num_swb || !ics->swb_offset)
- return AVERROR_BUG;
+ if (!ics->num_swb || !ics->swb_offset) {
+ ret_fail = AVERROR_BUG;
+ goto fail;
+ }
} else {
ics->swb_offset = ff_swb_offset_1024[sampling_index];
ics->num_swb = ff_aac_num_swb_1024[sampling_index];
@@ -1334,7 +1338,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
if (aot == AOT_ER_AAC_LD) {
av_log(ac->avctx, AV_LOG_ERROR,
"LTP in ER AAC LD not yet implemented.\n");
- return AVERROR_PATCHWELCOME;
+ ret_fail = AVERROR_PATCHWELCOME;
+ goto fail;
}
if ((ics->ltp.present = get_bits(gb, 1)))
decode_ltp(&ics->ltp, gb, ics->max_sfb);
@@ -1353,7 +1358,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
return 0;
fail:
ics->max_sfb = 0;
- return AVERROR_INVALIDDATA;
+ return ret_fail;
}
/**
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 62f8472..adf5178 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
(b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
#define COMPOSE_DAUB97iL1(b0, b1, b2)\
- (b1 - ((1817*(b0 + b2) + 2048) >> 12))
+ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
#define COMPOSE_DAUB97iH1(b0, b1, b2)\
- (b1 - (( 113*(b0 + b2) + 64) >> 7))
+ (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
#define COMPOSE_DAUB97iL0(b0, b1, b2)\
- (b1 + (( 217*(b0 + b2) + 2048) >> 12))
+ (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
#define COMPOSE_DAUB97iH0(b0, b1, b2)\
- (b1 + ((6497*(b0 + b2) + 2048) >> 12))
+ (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
#endif /* AVCODEC_DWT_H */
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 972c711..e436c24 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_
TYPE *b1 = (TYPE *)_b1;
TYPE *b2 = (TYPE *)_b2;
for (i = 0; i < width; i++)
- b1[i] -= (b0[i] + b2[i] + 2) >> 2;
+ b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
}
static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2,
diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c
index 773f720..496d817 100644
--- a/libavcodec/dirac_vlc.c
+++ b/libavcodec/dirac_vlc.c
@@ -37,7 +37,7 @@
#define APPEND_RESIDUE(N, M) \
N |= M >> (N ## _bits); \
- N ## _bits += (M ## _bits)
+ N ## _bits = (N ## _bits + (M ## _bits)) & 0x3F
int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
int bytes, uint8_t *_dst, int coeffs)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bc0eb90..0b8b799 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -436,7 +436,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx)
static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset)
{
int coeff = dirac_get_se_golomb(gb);
- const int sign = FFSIGN(coeff);
+ const unsigned sign = FFSIGN(coeff);
if (coeff)
coeff = sign*((sign * coeff * qfactor + qoffset) >> 2);
return coeff;
@@ -580,7 +580,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
} \
INTRA_DC_PRED(8, int16_t)
-INTRA_DC_PRED(10, int32_t)
+INTRA_DC_PRED(10, uint32_t)
/**
* Dirac Specification ->
@@ -1155,6 +1155,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb);
s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb);
}
+ if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) {
+ return AVERROR_INVALIDDATA;
+ }
+
}
}
@@ -1173,6 +1177,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
if (get_bits1(gb)) {
s->weight_log2denom = get_interleaved_ue_golomb(gb);
+ if (s->weight_log2denom < 1 || s->weight_log2denom > 8) {
+ av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n");
+ s->weight_log2denom = 1;
+ return AVERROR_INVALIDDATA;
+ }
s->weight[0] = dirac_get_se_golomb(gb);
if (s->num_refs == 2)
s->weight[1] = dirac_get_se_golomb(gb);
@@ -1407,7 +1416,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
if (!block->ref) {
pred_block_dc(block, stride, x, y);
for (i = 0; i < 3; i++)
- block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
+ block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
return;
}
diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c
index cd1209e..8bc79b7 100644
--- a/libavcodec/diracdsp.c
+++ b/libavcodec/diracdsp.c
@@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
for (i = 0; i < tot_h; i++) { \
c = *src_r++; \
sign = FFSIGN(c)*(!!c); \
- c = (FFABS(c)*qf + qs) >> 2; \
+ c = (FFABS(c)*(unsigned)qf + qs) >> 2; \
*dst_r++ = c*sign; \
} \
src += tot_h << (sizeof(PX) >> 1); \
diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c
index 892ccf2..f2f7432 100644
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int
}
if (lbd)
- *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24);
+ *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24);
else if (sizeof(TYPE) == 4) {
*((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g;
*((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b;
diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 2c11515..f66c05b 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };
static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
{
- const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step];
- const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
- const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
- const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
- const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
- const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+ const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step];
+ const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step];
+ const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step];
+ const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step];
+ const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+ const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
const unsigned t6 = t2 - t0;
const unsigned t7 = t3 - t1;
const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step];
diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index 3d20075..a7c71d9 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -34,21 +34,22 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
pwt->use_weight = 0;
pwt->use_weight_chroma = 0;
- pwt->luma_log2_weight_denom = get_ue_golomb(gb);
- if (sps->chroma_format_idc)
- pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
+ pwt->luma_log2_weight_denom = get_ue_golomb(gb);
if (pwt->luma_log2_weight_denom > 7U) {
av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom);
pwt->luma_log2_weight_denom = 0;
}
- if (pwt->chroma_log2_weight_denom > 7U) {
- av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom);
- pwt->chroma_log2_weight_denom = 0;
- }
+ luma_def = 1 << pwt->luma_log2_weight_denom;
- luma_def = 1 << pwt->luma_log2_weight_denom;
- chroma_def = 1 << pwt->chroma_log2_weight_denom;
+ if (sps->chroma_format_idc) {
+ pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
+ if (pwt->chroma_log2_weight_denom > 7U) {
+ av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom);
+ pwt->chroma_log2_weight_denom = 0;
+ }
+ chroma_def = 1 << pwt->chroma_log2_weight_denom;
+ }
for (list = 0; list < 2; list++) {
pwt->luma_weight_flag[list] = 0;
@@ -102,9 +103,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
if (picture_structure == PICT_FRAME) {
pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0];
pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1];
- for (j = 0; j < 2; j++) {
- pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0];
- pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1];
+ if (sps->chroma_format_idc) {
+ for (j = 0; j < 2; j++) {
+ pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0];
+ pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1];
+ }
}
}
}
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 68b73da..ce1fc18 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1739,17 +1739,19 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
sl->deblocking_filter ^= 1; // 1<->0
if (sl->deblocking_filter) {
- sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2;
- sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2;
- if (sl->slice_alpha_c0_offset > 12 ||
- sl->slice_alpha_c0_offset < -12 ||
- sl->slice_beta_offset > 12 ||
- sl->slice_beta_offset < -12) {
+ int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb);
+ int slice_beta_offset_div2 = get_se_golomb(&sl->gb);
+ if (slice_alpha_c0_offset_div2 > 6 ||
+ slice_alpha_c0_offset_div2 < -6 ||
+ slice_beta_offset_div2 > 6 ||
+ slice_beta_offset_div2 < -6) {
av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
- sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+ slice_alpha_c0_offset_div2, slice_beta_offset_div2);
return AVERROR_INVALIDDATA;
}
+ sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+ sl->slice_beta_offset = slice_beta_offset_div2 * 2;
}
}
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 6a3c750..2afad01 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -545,8 +545,8 @@ typedef struct HEVCPPS {
uint8_t chroma_qp_offset_list_enabled_flag;
uint8_t diff_cu_chroma_qp_offset_depth;
uint8_t chroma_qp_offset_list_len_minus1;
- int8_t cb_qp_offset_list[5];
- int8_t cr_qp_offset_list[5];
+ int8_t cb_qp_offset_list[6];
+ int8_t cr_qp_offset_list[6];
uint8_t log2_sao_offset_scale_luma;
uint8_t log2_sao_offset_scale_chroma;
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 7b104e6..95d976f 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < rps->num_negative_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
+ if (delta_poc < 1 || delta_poc > 32768) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid value of delta_poc: %d\n",
+ delta_poc);
+ return AVERROR_INVALIDDATA;
+ }
prev -= delta_poc;
rps->delta_poc[i] = prev;
rps->used[i] = get_bits1(gb);
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < nb_positive_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
+ if (delta_poc < 1 || delta_poc > 32768) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid value of delta_poc: %d\n",
+ delta_poc);
+ return AVERROR_INVALIDDATA;
+ }
prev += delta_poc;
rps->delta_poc[rps->num_negative_pics + i] = prev;
rps->used[rps->num_negative_pics + i] = get_bits1(gb);
@@ -1014,10 +1026,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3;
sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size +
get_ue_golomb_long(gb);
- if (sps->pcm.bit_depth > sps->bit_depth) {
+ if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) {
av_log(avctx, AV_LOG_ERROR,
- "PCM bit depth (%d) is greater than normal bit depth (%d)\n",
- sps->pcm.bit_depth, sps->bit_depth);
+ "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n",
+ sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth);
return AVERROR_INVALIDDATA;
}
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index b840d17..5bca023 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride,
ox1 = ox1 * (1 << (BIT_DEPTH - 8));
for (y = 0; y < height; y++) {
for (x = 0; x < width; x++) {
- dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+ dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1));
}
src += srcstride;
dst += dststride;
diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index c746aed..85a12d0 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)
for (i = 0; i < csize; i++) {
i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
- i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
+ i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16)
- (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
- i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
+ i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16);
*src0++ = i0;
*src1++ = i1;
*src2++ = i2;
diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c
index 6639b91..5e34a11 100644
--- a/libavcodec/me_cmp.c
+++ b/libavcodec/me_cmp.c
@@ -628,7 +628,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
- s->pdsp.diff_pixels(temp, src1, src2, stride);
+ s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->fdsp.fdct(temp);
return s->mecc.sum_abs_dctelem(temp);
}
@@ -668,7 +668,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1,
int16_t dct[8][8];
int i, sum = 0;
- s->pdsp.diff_pixels(dct[0], src1, src2, stride);
+ s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride);
#define SRC(x) dct[i][x]
#define DST(x, v) dct[i][x] = v
@@ -695,7 +695,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
- s->pdsp.diff_pixels(temp, src1, src2, stride);
+ s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->fdsp.fdct(temp);
for (i = 0; i < 64; i++)
@@ -714,7 +714,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1,
av_assert2(h == 8);
s->mb_intra = 0;
- s->pdsp.diff_pixels(temp, src1, src2, stride);
+ s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
memcpy(bak, temp, 64 * sizeof(int16_t));
@@ -817,7 +817,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2,
av_assert2(h == 8);
- s->pdsp.diff_pixels(temp, src1, src2, stride);
+ s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
s->block_last_index[0 /* FIXME */] =
last =
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 5dfd295..758f77b 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2290,6 +2290,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
int time_incr, time_increment;
int64_t pts;
+ s->mcsel = 0;
s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */
if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay &&
ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) {
diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c
index f0883d3..6152fe4 100644
--- a/libavcodec/pixblockdsp.c
+++ b/libavcodec/pixblockdsp.c
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx)
{
const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8;
+ c->diff_pixels_unaligned =
c->diff_pixels = diff_pixels_c;
switch (avctx->bits_per_raw_sample) {
diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h
index 79ed86c..b14514d 100644
--- a/libavcodec/pixblockdsp.h
+++ b/libavcodec/pixblockdsp.h
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext {
const uint8_t *s1 /* align 8 */,
const uint8_t *s2 /* align 8 */,
int stride);
+ void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */,
+ const uint8_t *s1,
+ const uint8_t *s2,
+ int stride);
+
} PixblockDSPContext;
void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx);
diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index 7d593a1..f45bb84 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][
if (lag) {
for (i = 1; i < 38; i++) {
- accu_re += (int64_t)x[i][0] * x[i+lag][0];
- accu_re += (int64_t)x[i][1] * x[i+lag][1];
- accu_im += (int64_t)x[i][0] * x[i+lag][1];
- accu_im -= (int64_t)x[i][1] * x[i+lag][0];
+ accu_re += (uint64_t)x[i][0] * x[i+lag][0];
+ accu_re += (uint64_t)x[i][1] * x[i+lag][1];
+ accu_im += (uint64_t)x[i][0] * x[i+lag][1];
+ accu_im -= (uint64_t)x[i][1] * x[i+lag][0];
}
real_sum = accu_re;
imag_sum = accu_im;
- accu_re += (int64_t)x[ 0][0] * x[lag][0];
- accu_re += (int64_t)x[ 0][1] * x[lag][1];
- accu_im += (int64_t)x[ 0][0] * x[lag][1];
- accu_im -= (int64_t)x[ 0][1] * x[lag][0];
+ accu_re += (uint64_t)x[ 0][0] * x[lag][0];
+ accu_re += (uint64_t)x[ 0][1] * x[lag][1];
+ accu_im += (uint64_t)x[ 0][0] * x[lag][1];
+ accu_im -= (uint64_t)x[ 0][1] * x[lag][0];
phi[2-lag][1][0] = autocorr_calc(accu_re);
phi[2-lag][1][1] = autocorr_calc(accu_im);
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][
if (lag == 1) {
accu_re = real_sum;
accu_im = imag_sum;
- accu_re += (int64_t)x[38][0] * x[39][0];
- accu_re += (int64_t)x[38][1] * x[39][1];
- accu_im += (int64_t)x[38][0] * x[39][1];
- accu_im -= (int64_t)x[38][1] * x[39][0];
+ accu_re += (uint64_t)x[38][0] * x[39][0];
+ accu_re += (uint64_t)x[38][1] * x[39][1];
+ accu_im += (uint64_t)x[38][0] * x[39][1];
+ accu_im -= (uint64_t)x[38][1] * x[39][0];
phi[0][0][0] = autocorr_calc(accu_re);
phi[0][0][1] = autocorr_calc(accu_im);
}
} else {
for (i = 1; i < 38; i++) {
- accu_re += (int64_t)x[i][0] * x[i][0];
- accu_re += (int64_t)x[i][1] * x[i][1];
+ accu_re += (uint64_t)x[i][0] * x[i][0];
+ accu_re += (uint64_t)x[i][1] * x[i][1];
}
real_sum = accu_re;
- accu_re += (int64_t)x[ 0][0] * x[ 0][0];
- accu_re += (int64_t)x[ 0][1] * x[ 0][1];
+ accu_re += (uint64_t)x[ 0][0] * x[ 0][0];
+ accu_re += (uint64_t)x[ 0][1] * x[ 0][1];
phi[2][1][0] = autocorr_calc(accu_re);
accu_re = real_sum;
- accu_re += (int64_t)x[38][0] * x[38][0];
- accu_re += (int64_t)x[38][1] * x[38][1];
+ accu_re += (uint64_t)x[38][0] * x[38][0];
+ accu_re += (uint64_t)x[38][1] * x[38][1];
phi[1][0][0] = autocorr_calc(accu_re);
}
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index a36a772..b56d205 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -453,12 +453,6 @@ static int read_header(ShortenContext *s)
}
s->nwrap = FFMAX(NWRAP, maxnlpc);
- if ((ret = allocate_buffers(s)) < 0)
- return ret;
-
- if ((ret = init_offset(s)) < 0)
- return ret;
-
if (s->version > 1)
s->lpcqoffset = V2LPCQOFFSET;
@@ -494,6 +488,13 @@ static int read_header(ShortenContext *s)
}
end:
+
+ if ((ret = allocate_buffers(s)) < 0)
+ return ret;
+
+ if ((ret = init_offset(s)) < 0)
+ return ret;
+
s->cur_chan = 0;
s->bitshift = 0;
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 7d6d7ff..0ac0b55 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli
v = b->x_coeff[new_index].coeff;
x = b->x_coeff[new_index++].x;
while(x < w){
- register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT;
+ register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT;
register int u= -(v&1);
line[x] = (t^u) - u;
@@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){
Plane *p= &s->plane[plane_index];
p->diag_mc= get_rac(&s->c, s->header_state);
htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2;
- if((unsigned)htaps > HTAPS_MAX || htaps==0)
+ if((unsigned)htaps >= HTAPS_MAX || htaps==0)
return AVERROR_INVALIDDATA;
p->htaps= htaps;
for(i= htaps/2; i; i--){
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 2d57aea..6d6bbb7 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1570,7 +1570,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
}
if (!avctx->rc_initial_buffer_occupancy)
- avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
+ avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4;
if (avctx->ticks_per_frame && avctx->time_base.num &&
avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {
diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c
index 4d06a44..b9027de 100644
--- a/libavcodec/x86/pixblockdsp_init.c
+++ b/libavcodec/x86/pixblockdsp_init.c
@@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c,
if (EXTERNAL_MMX(cpu_flags)) {
if (!high_bit_depth)
c->get_pixels = ff_get_pixels_mmx;
+ c->diff_pixels_unaligned =
c->diff_pixels = ff_diff_pixels_mmx;
}
if (EXTERNAL_SSE2(cpu_flags)) {
if (!high_bit_depth)
c->get_pixels = ff_get_pixels_sse2;
+ c->diff_pixels_unaligned =
c->diff_pixels = ff_diff_pixels_sse2;
}
}
diff --git a/libavfilter/vf_ssim.c b/libavfilter/vf_ssim.c
index dd8f264..6fc8099 100644
--- a/libavfilter/vf_ssim.c
+++ b/libavfilter/vf_ssim.c
@@ -147,6 +147,8 @@ static float ssim_endn(const int (*sum0)[4], const int (*sum1)[4], int width)
return ssim;
}
+#define SUM_LEN(w) (((w) >> 2) + 3)
+
static float ssim_plane(SSIMDSPContext *dsp,
uint8_t *main, int main_stride,
uint8_t *ref, int ref_stride,
@@ -155,7 +157,7 @@ static float ssim_plane(SSIMDSPContext *dsp,
int z = 0, y;
float ssim = 0.0;
int (*sum0)[4] = temp;
- int (*sum1)[4] = sum0 + (width >> 2) + 3;
+ int (*sum1)[4] = sum0 + SUM_LEN(width);
width >>= 2;
height >>= 2;
@@ -297,7 +299,7 @@ static int config_input_ref(AVFilterLink *inlink)
for (i = 0; i < s->nb_components; i++)
s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum;
- s->temp = av_malloc((2 * inlink->w + 12) * sizeof(*s->temp));
+ s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), sizeof(int[4]));
if (!s->temp)
return AVERROR(ENOMEM);
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index b973eff..d9dfbf0 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
name_len = avio_rl16(pb); // name length
- for (i = 0; i < name_len; i++)
- avio_r8(pb); // skip the name
+ avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
int64_t pres_time;
int name_len;
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+
avio_rl64(pb); // offset, 8 bytes
pres_time = avio_rl64(pb); // presentation time
pres_time -= asf->hdr.preroll * 10000;
@@ -1608,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);
+ if (avio_feof(s->pb)) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
if (pos != last_pos) {
av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n",
pktnum, pktct, index_pts);
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 134d627..02f6d38 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence)
offset1 = pos + (s->buf_ptr - s->buffer);
if (offset == 0)
return offset1;
+ if (offset > INT64_MAX - offset1)
+ return AVERROR(EINVAL);
offset += offset1;
}
if (offset < 0)
diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index 32cccf5..c615d4f 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
/* parse image offsets */
avio_seek(pb, offImageOffsets, SEEK_SET);
- for (i = 0; i < st->duration; i++)
+ for (i = 0; i < st->duration; i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+
av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ }
return 0;
}
diff --git a/libavformat/hls.c b/libavformat/hls.c
index ffefd28..8794872 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
AVDictionary *avio_opts;
int strict_std_compliance;
char *allowed_extensions;
+ int max_reload;
} HLSContext;
static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1255,6 +1256,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
HLSContext *c = v->parent->priv_data;
int ret, i;
int just_opened = 0;
+ int reload_count = 0;
restart:
if (!v->needed)
@@ -1286,6 +1288,9 @@ restart:
reload_interval = default_reload_interval(v);
reload:
+ reload_count++;
+ if (reload_count > c->max_reload)
+ return AVERROR_EOF;
if (!v->finished &&
av_gettime_relative() - v->last_load_time >= reload_interval) {
if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
@@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = {
OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
{.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
INT_MIN, INT_MAX, FLAGS},
+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
{NULL}
};
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 24a76a0..b97aa00 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4888,7 +4888,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (atom.size < 0)
atom.size = INT64_MAX;
- while (total_size + 8 <= atom.size && !avio_feof(pb)) {
+ while (total_size <= atom.size - 8 && !avio_feof(pb)) {
int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
a.size = atom.size;
a.type=0;
@@ -5394,6 +5394,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
}
for (i = 0; i < index->item_count; i++) {
int64_t time, offset;
+
+ if (avio_feof(f)) {
+ index->item_count = 0;
+ av_freep(&index->items);
+ return AVERROR_INVALIDDATA;
+ }
+
if (version == 1) {
time = avio_rb64(f);
offset = avio_rb64(f);
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 80ef4b1..e9e9fab 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
uint32_t pos = avio_rb32(pb);
uint32_t asize = avio_rb32(pb);
uint32_t vsize = avio_rb32(pb);
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
avio_skip(pb, 8);
av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 2ad0c28..0e91538 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
avpriv_request_sample(pb, "Primer pack item length %d", item_len);
return AVERROR_PATCHWELCOME;
}
- if (item_num > 65536) {
+ if (item_num > 65536 || item_num < 0) {
av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
return AVERROR_INVALIDDATA;
}
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
segment->nb_index_entries = avio_rb32(pb);
length = avio_rb32(pb);
+ if(segment->nb_index_entries && length < 11)
+ return AVERROR_INVALIDDATA;
if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
!(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
}
for (i = 0; i < segment->nb_index_entries; i++) {
+ if(avio_feof(pb))
+ return AVERROR_INVALIDDATA;
segment->temporal_offset_entries[i] = avio_r8(pb);
avio_r8(pb); /* KeyFrameOffset */
segment->flag_entries[i] = avio_r8(pb);
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 507fb39..16d2fa5 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
if (!nsv->nsvs_file_offset)
return AVERROR(ENOMEM);
- for(i=0;i<table_entries_used;i++)
+ for(i=0;i<table_entries_used;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
+ }
if(table_entries > table_entries_used &&
avio_rl32(pb) == MKTAG('T','O','C','2')) {
diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1..eb1682d 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
}
/** read offset and size tables */
- for(i=0; i < frame_count;i++)
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
chunk_size[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
chunk_offset[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
audio_size[i] = avio_rl32(pb) & 0xFFFF;
+ }
/** build the sample index */
for(i=0;i<frame_count;i++){
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 4d56529..7656812 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s)
av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
} else if (type == 4) {
av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
- for (j = 0; j < len; j++)
+ for (j = 0; j < len; j++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+ }
av_log(s, AV_LOG_DEBUG, "'\n");
} else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
nb_streams = value = avio_rb32(pb);
diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c
index 8dd56a5..6f8148a 100644
--- a/libavformat/rtpdec_h264.c
+++ b/libavformat/rtpdec_h264.c
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s,
parse_profile_level_id(s, h264_data, value);
} else if (!strcmp(attr, "sprop-parameter-sets")) {
int ret;
- if (value[strlen(value) - 1] == ',') {
+ if (*value == 0 || value[strlen(value) - 1] == ',') {
av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n");
return 0;
}
diff --git a/libavformat/utils.c b/libavformat/utils.c
index cea3ab5..3e59e50 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4172,8 +4172,8 @@ void avformat_free_context(AVFormatContext *s)
av_freep(&s->chapters);
av_dict_free(&s->metadata);
av_freep(&s->streams);
- av_freep(&s->internal);
flush_packet_queue(s);
+ av_freep(&s->internal);
av_free(s);
}
--
ffmpeg packaging
More information about the pkg-multimedia-commits
mailing list