[FFmpeg-cvslog] avcodec/ffv1dec: Clear quant_table_count if its invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.2 | Michael Niedermayer  | 
Sat Nov 14 13:21:58 2015 +0100| [a9e4be1cdf6f15b37935fcefa99d8a8610dd2c08] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Clear quant_table_count if its invalid

Fixes deallocation of corrupted pointer
Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)

Fixes ticket #5052.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9e4be1cdf6f15b37935fcefa99d8a8610dd2c08
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 60be443..af94d34 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -552,6 +552,7 @@ static int read_extra_header(FFV1Context *f)
 f->quant_table_count = get_symbol(c, state, 0);
 if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
 av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
+f->quant_table_count = 0;
 return AVERROR_INVALIDDATA;
 }
 
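Review bot: the added `f->quant_table_count = 0;` on the error path has no comment saying why the field must be reset, and the reason cannot be seen from read_extra_header() alone. The commit message ties it to deallocation of a corrupted pointer, so a one-line comment naming the cleanup code that depends on this count would keep the line from being removed later as dead code. A sturdier shape is to read get_symbol() into a local, validate it, and assign to f->quant_table_count only on success, so the context never holds an out-of-range count at any return.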

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] avcodec/ffv1dec: Print an error if the quant table count is invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.3 | Michael Niedermayer  | 
Thu Nov  5 01:25:50 2015 +0100| [1fff9947098b406127565bf9dac997607fbeacb8] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1fff9947098b406127565bf9dac997607fbeacb8
---

 libavcodec/ffv1dec.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index c61afe3..3fc307b 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -554,8 +554,10 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
+av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
 return AVERROR_INVALIDDATA;
+}
 
 for (i = 0; i < f->quant_table_count; i++) {
 f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);
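Review bot: the new av_log() call in the rejection branch prints the bad count but not the accepted range, and it formats with `%d` a value that the condition compares as `(unsigned)`. Consider adding the limit to the message, for example "quant table count %d is invalid (1..%d)" with MAX_QUANT_TABLES as the second argument, so a log line produced by a corrupted file explains itself.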



[FFmpeg-cvslog] avcodec/ffv1dec: Check for 0 quant tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.3 | Michael Niedermayer  | 
Thu Nov  5 00:36:59 2015 +0100| [eb0a9cd68a25e8537f4134c928f3cde09ac9c785] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb0a9cd68a25e8537f4134c928f3cde09ac9c785
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index f50bb5d..c61afe3 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -554,7 +554,7 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
 return AVERROR_INVALIDDATA;
 
 for (i = 0; i < f->quant_table_count; i++) {
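Review bot: the widened condition rejects a zero count, but the assignment on the line above it has already stored the rejected value in f->quant_table_count, and the early return leaves it there. Any code that later reads the field from this context sees a count that failed validation. Validate a local first, or reset the field before `return AVERROR_INVALIDDATA;`.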



[FFmpeg-cvslog] avcodec/ffv1dec: Check for 0 quant tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.0 | Michael Niedermayer  | 
Thu Nov  5 00:36:59 2015 +0100| [58986f0fa15185e48561dc0da5b278d40a697a51] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=58986f0fa15185e48561dc0da5b278d40a697a51
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 45fb703..6b785a2 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -521,7 +521,7 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
 return AVERROR_INVALIDDATA;
 
 for (i = 0; i < f->quant_table_count; i++) {



[FFmpeg-cvslog] avcodec/ffv1dec: Check for 0 quant tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.1 | Michael Niedermayer  | 
Thu Nov  5 00:36:59 2015 +0100| [fde9b80c17e1f7ac7f8861d43180c94eaf8ee362] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fde9b80c17e1f7ac7f8861d43180c94eaf8ee362
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 48f68c3..168a393 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -533,7 +533,7 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
 return AVERROR_INVALIDDATA;
 
 for (i = 0; i < f->quant_table_count; i++) {



[FFmpeg-cvslog] avcodec/ffv1dec: Print an error if the quant table count is invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.1 | Michael Niedermayer  | 
Thu Nov  5 01:25:50 2015 +0100| [d9593e075161b321afc639adeff9aca6f7d83da3] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d9593e075161b321afc639adeff9aca6f7d83da3
---

 libavcodec/ffv1dec.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 168a393..a019f75 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -533,8 +533,10 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
+av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
 return AVERROR_INVALIDDATA;
+}
 
 for (i = 0; i < f->quant_table_count; i++) {
 f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);



[FFmpeg-cvslog] avcodec/ffv1dec: Clear quant_table_count if its invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.1 | Michael Niedermayer  | 
Sat Nov 14 13:21:58 2015 +0100| [65f4425ad58072dcb5fbe6ce5d922de7f50a2c81] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Clear quant_table_count if its invalid

Fixes deallocation of corrupted pointer
Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)

Fixes ticket #5052.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65f4425ad58072dcb5fbe6ce5d922de7f50a2c81
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index a019f75..ffba37f 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -535,6 +535,7 @@ static int read_extra_header(FFV1Context *f)
 f->quant_table_count = get_symbol(c, state, 0);
 if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
 av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
+f->quant_table_count = 0;
 return AVERROR_INVALIDDATA;
 }
 



[FFmpeg-cvslog] avcodec/ffv1dec: Check for 0 quant tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.2 | Michael Niedermayer  | 
Thu Nov  5 00:36:59 2015 +0100| [1aa1f4bbf45e258fb1fb0742d98ebef422fde094] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1aa1f4bbf45e258fb1fb0742d98ebef422fde094
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index c8b396a..22dcfdd 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -550,7 +550,7 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
 return AVERROR_INVALIDDATA;
 
 for (i = 0; i < f->quant_table_count; i++) {



[FFmpeg-cvslog] avcodec/ffv1dec: Print an error if the quant table count is invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.2 | Michael Niedermayer  | 
Thu Nov  5 01:25:50 2015 +0100| [8a6a619cbeee99cb42207e01bd733422ece1d911] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a6a619cbeee99cb42207e01bd733422ece1d911
---

 libavcodec/ffv1dec.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 22dcfdd..60be443 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -550,8 +550,10 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
+av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
 return AVERROR_INVALIDDATA;
+}
 
 for (i = 0; i < f->quant_table_count; i++) {
 f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);



[FFmpeg-cvslog] avcodec/ffv1dec: Clear quant_table_count if its invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.0 | Michael Niedermayer  | 
Sat Nov 14 13:21:58 2015 +0100| [2789b48b4ef5b6548eaffeb9b532b2d8f4729db5] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Clear quant_table_count if its invalid

Fixes deallocation of corrupted pointer
Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)

Fixes ticket #5052.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2789b48b4ef5b6548eaffeb9b532b2d8f4729db5
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index c64a43e..3ed9650 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -523,6 +523,7 @@ static int read_extra_header(FFV1Context *f)
 f->quant_table_count = get_symbol(c, state, 0);
 if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
 av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
+f->quant_table_count = 0;
 return AVERROR_INVALIDDATA;
 }
 



[FFmpeg-cvslog] ffprobe: Do not print profile names in -bitexact

2015-12-06 Thread Timothy Gu
ffmpeg | branch: master | Timothy Gu  | Fri Nov 27 
14:33:02 2015 -0800| [9670165cc2273597cfac0365da6598743e4c6ea2] | committer: 
Michael Niedermayer

ffprobe: Do not print profile names in -bitexact

Instead, print "unknown" if it's unknown, or their numerical values if
they are known.

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9670165cc2273597cfac0365da6598743e4c6ea2
---

 ffprobe.c |   12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ffprobe.c b/ffprobe.c
index c304a6d..7128083 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -2148,10 +2148,16 @@ static int show_stream(WriterContext *w, 
AVFormatContext *fmt_ctx, int stream_id
 }
 }
 
-if (dec && (profile = av_get_profile_name(dec, dec_ctx->profile)))
+if (!do_bitexact && dec && (profile = av_get_profile_name(dec, 
dec_ctx->profile)))
 print_str("profile", profile);
-else
-print_str_opt("profile", "unknown");
+else {
+if (dec_ctx->profile != FF_PROFILE_UNKNOWN) {
+char profile_num[12];
+snprintf(profile_num, sizeof(profile_num), "%d", 
dec_ctx->profile);
+print_str("profile", profile_num);
+} else
+print_str_opt("profile", "unknown");
+}
 
 s = av_get_media_type_string(dec_ctx->codec_type);
 if (s) print_str("codec_type", s);
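Review bot: the new else branch is also reached without -bitexact whenever av_get_profile_name() returns NULL for a profile other than FF_PROFILE_UNKNOWN, so default output changes from "unknown" to a number for those streams, which the commit message does not mention. If only -bitexact output was meant to change, test do_bitexact inside the else branch as well; otherwise say so in the log message and the documentation. `profile_num[12]` is large enough for any 32-bit int with sign and terminator. The inner `} else` pairs a braced if with an unbraced else.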



[FFmpeg-cvslog] fate/concatdec: Use -bitexact

2015-12-06 Thread Timothy Gu
ffmpeg | branch: master | Timothy Gu  | Fri Nov 27 
14:33:03 2015 -0800| [b0669e7ccfef5ecaa83a0b5837c343ae198f03fe] | committer: 
Michael Niedermayer

fate/concatdec: Use -bitexact

Fixes FATE failures on --enable-small builds.

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0669e7ccfef5ecaa83a0b5837c343ae198f03fe
---

 tests/fate-run.sh   |4 ++--
 tests/ref/fate/concat-demuxer-extended-lavf-mxf |2 +-
 tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 |2 +-
 tests/ref/fate/concat-demuxer-simple1-lavf-mxf  |4 ++--
 tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10  |4 ++--
 tests/ref/fate/concat-demuxer-simple2-lavf-ts   |4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/tests/fate-run.sh b/tests/fate-run.sh
index 03fa898..16087cb 100755
--- a/tests/fate-run.sh
+++ b/tests/fate-run.sh
@@ -262,10 +262,10 @@ concat(){
 awk "{gsub(/%SRCFILE%/, \"$sample\"); print}" $template > $concatfile
 
 if [ "$mode" = "md5" ]; then
-run ffprobe${PROGSUF} -show_streams -show_packets -v 0 -fflags 
keepside -safe 0 $extra_args $concatfile | tr -d '\r' > $packetfile
+run ffprobe${PROGSUF} -bitexact -show_streams -show_packets -v 0 
-fflags keepside -safe 0 $extra_args $concatfile | tr -d '\r' > $packetfile
 do_md5sum $packetfile
 else
-run ffprobe${PROGSUF} -show_streams -show_packets -v 0 -of 
compact=p=0:nk=1 -fflags keepside -safe 0 $extra_args $concatfile
+run ffprobe${PROGSUF} -bitexact -show_streams -show_packets -v 0 -of 
compact=p=0:nk=1 -fflags keepside -safe 0 $extra_args $concatfile
 fi
 }
 
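Review bot: `-bitexact` is added separately to both ffprobe command lines in concat(), which differ only by `-of compact=p=0:nk=1`; the shared options would be easier to keep in sync in one variable used by both branches. `$concatfile` and `$packetfile` are also expanded unquoted on the changed lines, so a path containing spaces splits into several arguments.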
diff --git a/tests/ref/fate/concat-demuxer-extended-lavf-mxf 
b/tests/ref/fate/concat-demuxer-extended-lavf-mxf
index 536fba2..4caec5a 100644
--- a/tests/ref/fate/concat-demuxer-extended-lavf-mxf
+++ b/tests/ref/fate/concat-demuxer-extended-lavf-mxf
@@ -1 +1 @@
-aa6477bcaef182919ac0c08ed74b32a1 
*tests/data/fate/concat-demuxer-extended-lavf-mxf.ffprobe
+37b4a84fce71b3f8b129f8b866c5f55a 
*tests/data/fate/concat-demuxer-extended-lavf-mxf.ffprobe
diff --git a/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 
b/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10
index ce68520..1965050 100644
--- a/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10
+++ b/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10
@@ -1 +1 @@
-651eca7722187ff6836f55826bb1d110 
*tests/data/fate/concat-demuxer-extended-lavf-mxf_d10.ffprobe
+2f5e935f86304c843be1454b1354a4b7 
*tests/data/fate/concat-demuxer-extended-lavf-mxf_d10.ffprobe
diff --git a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf 
b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf
index 754080e..c28db28 100644
--- a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf
+++ b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf
@@ -120,5 +120,5 @@ 
audio|1|65280|1.36|65280|1.36|1920|0.04|N/A|N/A|3840|206848|K|1
 Strings Metadata|8
 video|0|37|1.48|34|1.36|1|0.04|N/A|N/A|24786|211456|K|1
 Strings Metadata|8
-0|mpeg2video|MPEG-2 
video|Main|video|1/50|[0][0][0][0]|0x|352|288|0|0|1|1:1|11:9|yuv420p|8|tv|unknown|unknown|unknown|left|00:00:00:00|1|N/A|25/1|25/1|1/25|N/A|N/A|N/A|N/A|N/A|104857200|N/A|N/A|N/A|51|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001301
-1|pcm_s16le|PCM signed 16-bit 
little-endian|unknown|audio|1/48000|[0][0][0][0]|0x|s16|48000|1|unknown|16|N/A|0/0|0/0|1/48000|0|0.00|N/A|N/A|768000|N/A|N/A|N/A|N/A|50|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001301
+0|mpeg2video|4|video|1/50|[0][0][0][0]|0x|352|288|0|0|1|1:1|11:9|yuv420p|8|tv|unknown|unknown|unknown|left|00:00:00:00|1|N/A|25/1|25/1|1/25|N/A|N/A|N/A|N/A|N/A|104857200|N/A|N/A|N/A|51|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001301
+1|pcm_s16le|unknown|audio|1/48000|[0][0][0][0]|0x|s16|48000|1|unknown|16|N/A|0/0|0/0|1/48000|0|0.00|N/A|N/A|768000|N/A|N/A|N/A|N/A|50|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001301
diff --git a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 
b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10
index f573eae..3b6e3fe 100644
--- a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10
+++ b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10
@@ -78,5 +78,5 @@ 
video|0|34|1.36|34|1.36|1|0.04|N/A|N/A|15|1923072|K|1
 Strings Metadata|8
 audio|1|65280|1.36|65280|1.36|1920|0.04|N/A|N/A|7680|2073600|K|1
 Strings Metadata|8
-0|mpeg2video|MPEG-2 
video|4:2:2|video|1/50|[0][0][0][0]|0x|720|608|0|0|0|1:1|45:38|yuv422p|5|tv|unknown|unknown|unknown|topleft|00:00:00:00|1|N/A|25/1|25/1|1/25|0|0.00|N/A|N/A|3000|3000|N/A|N/A|N/A|35|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001301
-1|pcm_s16le|PCM 

[FFmpeg-cvslog] avcodec/vp3: ensure header is parsed successfully before tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Wed Dec  2 22:59:56 2015 +0100| [9ee155c745b528122a5709b52d4a25fff7aea698] | 
committer: Michael Niedermayer

avcodec/vp3: ensure header is parsed successfully before tables

Fixes assertion failure
Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_76ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ee155c745b528122a5709b52d4a25fff7aea698
---

 libavcodec/vp3.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 553681b..b3aaf4e 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = {
 
 typedef struct Vp3DecodeContext {
 AVCodecContext *avctx;
-int theora, theora_tables;
+int theora, theora_tables, theora_header;
 int version;
 int width, height;
 int chroma_x_shift, chroma_y_shift;
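Review bot: `theora_header` joins the shared `int theora, theora_tables, theora_header;` declaration without a comment. A short note that it is set to 1 only after theora_decode_header() returns successfully would document the invariant that the guard in theora_decode_tables() relies on.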
@@ -2240,6 +2240,7 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 int ret;
 AVRational fps, aspect;
 
+s->theora_header = 0;
 s->theora = get_bits_long(gb, 24);
 av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora);
 
@@ -2323,6 +2324,7 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 avctx->color_trc  = AVCOL_TRC_BT709;
 }
 
+s->theora_header = 1;
 return 0;
 }
 
@@ -2331,6 +2333,9 @@ static int theora_decode_tables(AVCodecContext *avctx, 
GetBitContext *gb)
 Vp3DecodeContext *s = avctx->priv_data;
 int i, n, matrices, inter, plane;
 
+if (!s->theora_header)
+return AVERROR_INVALIDDATA;
+
 if (s->theora >= 0x030200) {
 n = get_bits(gb, 3);
 /* loop filter limit values table */
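Review bot: the new guard at the top of theora_decode_tables() returns AVERROR_INVALIDDATA silently. An av_log() at AV_LOG_ERROR stating that the tables packet arrived without a successfully parsed header would make the rejection diagnosable from logs, in line with the other input-validation fixes in this series.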



[FFmpeg-cvslog] avcodec/jpeg2000dec: Check bpno in decode_cblk()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Dec  4 16:23:24 2015 +0100| [311de799a81ed67b62805f9d72684a5405563c93] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Check bpno in decode_cblk()

Fixes: undefined shift
Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=311de799a81ed67b62805f9d72684a5405563c93
---

 libavcodec/jpeg2000dec.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index ee4f195..67f88d9 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1079,6 +1079,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, 
Jpeg2000CodingStyle *codsty,
 ff_mqc_initdec(>mqc, cblk->data);
 
 while (passno--) {
+if (bpno < 0) {
+av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+return AVERROR_INVALIDDATA;
+}
 switch(pass_t) {
 case 0:
 decode_sigpass(t1, width, height, bpno + 1, bandpos,
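Review bot: the message "bpno became negative" in the new check carries no context, so a log line cannot be tied to a particular code block or pass. Include the values at hand, such as passno and pass_t, in the av_log() call. The check sits at the top of the `while (passno--)` loop and runs once per pass; if the pass count can be bounded against the number of bit planes before the loop, a single check up front would reject the input earlier.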



[FFmpeg-cvslog] avcodec/hevc: Fix integer overflow of entry_point_offset

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Dec  5 22:08:59 2015 +0100| [bafd5c3c80a4a9ee8f5c0e67320c6e0bf3869101] | 
committer: Michael Niedermayer

avcodec/hevc: Fix integer overflow of entry_point_offset

Fixes out of array read
Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 214085852491448631dcecb008b5d172c11b8892)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bafd5c3c80a4a9ee8f5c0e67320c6e0bf3869101
---

 libavcodec/hevc.c |4 ++--
 libavcodec/hevc.h |2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 5c530b7..85a0db8 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -696,7 +696,7 @@ static int hls_slice_header(HEVCContext *s)
 av_freep(>entry_point_offset);
 av_freep(>offset);
 av_freep(>size);
-sh->entry_point_offset = 
av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+sh->entry_point_offset = 
av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned));
 sh->offset = av_malloc_array(sh->num_entry_point_offsets, 
sizeof(int));
 sh->size = av_malloc_array(sh->num_entry_point_offsets, 
sizeof(int));
 if (!sh->entry_point_offset || !sh->offset || !sh->size) {
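Review bot: the entry_point_offset allocation now hard-codes `sizeof(unsigned)`, which has to be kept in step with the declaration in hevc.h by hand. `sizeof(*sh->entry_point_offset)` follows the pointer type automatically and would have made this line need no change at all; the same applies to the `sizeof(int)` in the two allocations below it.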
@@ -2410,7 +2410,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int64_t offset;
-int startheader, cmpt = 0;
+int64_t startheader, cmpt = 0;
 int i, j, res = 0;
 
 ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 7efafe1..c71ab550 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -607,7 +607,7 @@ typedef struct SliceHeader {
 
 unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand
 
-int *entry_point_offset;
+unsigned *entry_point_offset;
 int * offset;
 int * size;
 int num_entry_point_offsets;
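Review bot: `unsigned *entry_point_offset;` now sits beside `int * offset;` and `int * size;`, so related per-entry quantities in SliceHeader differ in signedness with no comment explaining why only this one changed. Values derived from the unsigned offsets and stored in the int arrays need a range check at the point of conversion, and a comment here should say which fields are expected to hold untrusted bitstream values.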



[FFmpeg-cvslog] swscale/utils: Fix for runtime error: left shift of negative value -1

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Dec  4 21:44:05 2015 +0100| [c02a9f1c6e8c72f0e7cf2d039a06caa66fc668c6] | 
committer: Michael Niedermayer

swscale/utils: Fix for runtime error: left shift of negative value -1

Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c02a9f1c6e8c72f0e7cf2d039a06caa66fc668c6
---

 libswscale/utils.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswscale/utils.c b/libswscale/utils.c
index 84c58ca..66d2831 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -391,7 +391,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t 
**filterPos,
 
 xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x1LL)>>7);
 for (i = 0; i < dstW; i++) {
-int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 
17);
+int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17);
 int j;
 (*filterPos)[i] = xx;
 for (j = 0; j < filterSize; j++) {
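Review bot: the rewritten expression is evaluated in 64 bits because of `(1LL<<16)`, yet the quotient is still assigned to `int xx` and then to `(*filterPos)[i]` with no range check, so an out-of-range result is silently narrowed. The change removes the shift of a negative value; consider clamping or rejecting out-of-range results as well. `(1LL<<16)` also lacks the spacing used by `(1 << 17)` on the same line.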



[FFmpeg-cvslog] avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Dec  4 21:38:12 2015 +0100| [c676db730e36e07e7f86b590ca14fb1745584891] | 
committer: Michael Niedermayer

avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int

Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c676db730e36e07e7f86b590ca14fb1745584891
---

 libavcodec/pgssubdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 36f1f82..3c39e7a 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -33,7 +33,7 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/opt.h"
 
-#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b))
+#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b))
 #define MAX_EPOCH_PALETTES 8   // Max 8 allowed per PGS epoch
 #define MAX_EPOCH_OBJECTS  64  // Max 64 allowed per PGS epoch
 #define MAX_OBJECT_REFS2   // Max objects per display set
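Review bot: only `(a)` is cast in RGBA(); `(r) << 16` and `(g) << 8` remain int shifts, which is safe only while every argument is an 8-bit value. State that assumption in a comment above the macro or cast all four operands, and note that the macro's result type is now unsigned, which can change comparisons and promotions at call sites.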



[FFmpeg-cvslog] avutil/common: Add FFNABS()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Sep  3 02:17:24 2015 +0200| [c09fe0346d9456a47717ebbd48bee1e62cab6818] | 
committer: Michael Niedermayer

avutil/common: Add FFNABS()

This macro avoids the undefined corner case with the *_MIN values

Previous version Reviewed-by: Ganesh Ajjanagadde 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d6cd614dac579850076ae312c29c4188f8659e46)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c09fe0346d9456a47717ebbd48bee1e62cab6818
---

 libavutil/common.h |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavutil/common.h b/libavutil/common.h
index a48959d..526f5c6 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -63,10 +63,19 @@
  * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as 
they
  * are not representable as absolute values of their type. This is the same
  * as with *abs()
+ * @see FFNABS()
  */
 #define FFABS(a) ((a) >= 0 ? (a) : (-(a)))
 #define FFSIGN(a) ((a) > 0 ? 1 : -1)
 
+/**
+ * Negative Absolute value.
+ * this works for all integers of all types.
+ * As with many macros, this evaluates its argument twice, it thus must not 
have
+ * a sideeffect, that is FFNABS(x++) has undefined behavior.
+ */
+#define FFNABS(a) ((a) <= 0 ? (a) : (-(a)))
+
 #define FFMAX(a,b) ((a) > (b) ? (a) : (b))
 #define FFMAX3(a,b,c) FFMAX(FFMAX(a,b),c)
 #define FFMIN(a,b) ((a) > (b) ? (b) : (a))
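Review bot: the doc comment's claim that FFNABS() "works for all integers of all types" does not hold for unsigned operands, where `(a) <= 0` is true only for zero and `-(a)` wraps to a large positive value. Narrow the wording to signed integer types. "sideeffect" should read "side effect", and the sentence beginning "this works" should start with a capital.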



[FFmpeg-cvslog] avcodec/ffv1dec: Print an error if the quant table count is invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Nov  5 01:25:50 2015 +0100| [6c83283c3a009a0cd2bf52328f2bb65d286e72ed] | 
committer: Michael Niedermayer

avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6c83283c3a009a0cd2bf52328f2bb65d286e72ed
---

 libavcodec/ffv1dec.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 72afa25..70d1185 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -567,8 +567,10 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
+av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
 return AVERROR_INVALIDDATA;
+}
 
 for (i = 0; i < f->quant_table_count; i++) {
 f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);
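
Review bot: On the new error path in read_extra_header() the rejected value stays in f->quant_table_count after `return AVERROR_INVALIDDATA;`, so any code that later iterates on that field, the way the `for (i = 0; i < f->quant_table_count; i++)` loop just below does, would run with a count that failed validation. Suggest resetting the field to 0 before returning. The message also prints the count with `%d` while the range test compares it as unsigned, so an oversized value can show up in the log as a negative number.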


[FFmpeg-cvslog] avcodec/hevc: Check max ctb addresses for WPP

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 28 13:42:05 2015 +0100| [70720f3e4d9e50e2d0f6d5aed8c9b576e60f802c] | 
committer: Michael Niedermayer

avcodec/hevc: Check max ctb addresses for WPP

Fixes out of array read
Fixes: 
2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0)

Signed-off-by: Michael Niedermayer 

Conflicts:

libavcodec/hevc.c

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=70720f3e4d9e50e2d0f6d5aed8c9b576e60f802c
---

 libavcodec/hevc.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 85a0db8..d29343b 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2413,6 +2413,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 int64_t startheader, cmpt = 0;
 int i, j, res = 0;
 
+if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * 
s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) {
+av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d 
%d)\n",
+s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets,
+s->sps->ctb_width, s->sps->ctb_height
+);
+res = AVERROR_INVALIDDATA;
+goto error;
+}
+
 ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
 
 if (!s->sList[1]) {
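
Review bot: The new bound in hls_slice_data_wpp() multiplies `s->sh.num_entry_point_offsets` by `s->sps->ctb_width` and adds slice_ctb_addr_rs before comparing, and the `%d` conversions in the log call suggest these are plain int; unless num_entry_point_offsets is already bounded before this point, a large value from the bitstream can overflow the arithmetic and let the comparison pass. Suggest doing the computation in int64_t, or first rejecting num_entry_point_offsets >= ctb_height. A one-line comment stating what the test guarantees for the entry points used further down would also help.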


[FFmpeg-cvslog] update for 2.4.12

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Dec  6 12:59:30 2015 +0100| [9f0e36b1011619121fd646b58ea778fb2553b320] | 
committer: Michael Niedermayer

update for 2.4.12

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f0e36b1011619121fd646b58ea778fb2553b320
---

 Changelog|  122 ++
 RELEASE  |2 +-
 doc/Doxyfile |2 +-
 3 files changed, 124 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 9914409..39653b7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,128 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 2.4.12:
+- avcodec/ffv1dec: Clear quant_table_count if its invalid
+- avcodec/ffv1dec: Print an error if the quant table count is invalid
+- avcodec/hevc: Check max ctb addresses for WPP
+- avcodec/vp3: ensure header is parsed successfully before tables
+- avcodec/jpeg2000dec: Check bpno in decode_cblk()
+- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented 
in type int
+- swscale/utils: Fix for runtime error: left shift of negative value -1
+- avcodec/hevc: Fix integer overflow of entry_point_offset
+- avcodec/dirac_parser: Check that there is a previous PU before accessing it
+- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and 
prev_pu_offset
+- avcodec/dirac_parser: Fix potential overflows in pointer checks
+- avcodec/wmaprodec: Check bits per sample to be within the range not causing 
integer overflows
+- avcodec/wmaprodec: Fix overflow of cutoff
+- avformat/smacker: fix integer overflow with pts_inc
+- avcodec/vp3: Fix "runtime error: left shift of negative value"
+- mpegencts: Fix overflow in cbr mode period calculations
+- avutil/timecode: Fix fps check
+- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() 
for overflows
+- avcodec/apedec: Check length in long_filter_high_3800()
+- avcodec/vp3: always set pix_fmt in theora_decode_header()
+- avcodec/mpeg4videodec: Check available data before reading custom matrix
+- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
+- avutil/integer: Fix av_mod_i() with negative dividend
+- avformat/dump: Fix integer overflow in av_dump_format()
+- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
+- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
+- avcodec/vp3: Clear context on reinitialization failure
+- avcodec/hevc: allocate entries unconditionally
+- avcodec/hevc_cabac: Fix multiple integer overflows
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
+- avcodec/hevc: Check entry_point_offsets
+- avcodec/cabac: Check initial cabac decoder state
+- avcodec/cabac_functions: Fix "left shift of negative value -31767"
+- avcodec/h264_slice: Limit max_contexts when slice_context_count is 
initialized
+- avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
+- rtmpcrypt: Do the xtea decryption in little endian mode
+- avformat/matroskadec: Check subtitle stream before dereferencing
+- avformat/utils: Do not init parser if probing is unfinished
+- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions
+- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range
+- avcodec/jpeg2000: Check comp coords to be within the supported size
+- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()
+- avcodec/wmaprodec: Check for overread in decode_packet()
+- avcodec/smacker: Check that the data size is a multiple of a sample vector
+- avcodec/takdec: Skip last p2 sample (which is unused)
+- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()
+- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()
+- avcodec/error_resilience: avoid accessing previous or next frames tables 
beyond height
+- avcodec/dpx: Move need_align to act per line
+- avcodec/flashsv: Check size before updating it
+- avcodec/ivi: Check image dimensions
+- avcodec/utils: Better check for channels in av_get_audio_frame_duration()
+- avcodec/jpeg2000dec: Check for duplicate SIZ marker
+- avcodec/jpeg2000dec: Clip all tile coordinates
+- avcodec/microdvddec: Check for string end in 'P' case
+- avcodec/dirac_parser: Fix undefined memcpy() use
+- avformat/xmv: Discard remainder of packet on error
+- avformat/xmv: factor return check out of if/else
+- libavutil/channel_layout: Check strtol*() for failure
+- avcodec/ffv1dec: Check for 0 quant tables
+- avcodec/mjpegdec: Reinitialize IDCT on BPP changes
+- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
+- avutil/file_open: avoid file handle inheritance on Windows
+- avcodec/ffv1: Initialize vlc_state on allocation
+- avcodec/ffv1dec: update 

[FFmpeg-cvslog] Update for 2.8.4

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Dec  6 10:42:02 2015 +0100| [913c642c21dd608cc53ea2482e9b4d3141bcd542] | 
committer: Michael Niedermayer

Update for 2.8.4

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=913c642c21dd608cc53ea2482e9b4d3141bcd542
---

 Changelog|   40 
 RELEASE  |2 +-
 doc/Doxyfile |2 +-
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 7e70b11..2ea0727 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,46 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 2.8.4
+- libvpxenc: remove some unused ctrl id mappings
+- avcodec/vp3: ensure header is parsed successfully before tables
+- avcodec/jpeg2000dec: Check bpno in decode_cblk()
+- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented 
in type int
+- swscale/utils: Fix for runtime error: left shift of negative value -1
+- avcodec/hevc: Fix integer overflow of entry_point_offset
+- avcodec/dirac_parser: Check that there is a previous PU before accessing it
+- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and 
prev_pu_offset
+- avcodec/dirac_parser: Fix potential overflows in pointer checks
+- avcodec/wmaprodec: Check bits per sample to be within the range not causing 
integer overflows
+- avcodec/wmaprodec: Fix overflow of cutoff
+- avformat/smacker: fix integer overflow with pts_inc
+- avcodec/vp3: Fix "runtime error: left shift of negative value"
+- avformat/riffdec: Initialize bitrate
+- mpegencts: Fix overflow in cbr mode period calculations
+- avutil/timecode: Fix fps check
+- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() 
for overflows
+- avcodec/apedec: Check length in long_filter_high_3800()
+- avcodec/vp3: always set pix_fmt in theora_decode_header()
+- avcodec/mpeg4videodec: Check available data before reading custom matrix
+- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
+- avutil/integer: Fix av_mod_i() with negative dividend
+- avformat/dump: Fix integer overflow in av_dump_format()
+- avcodec/h264_refs: Check that long references match before use
+- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
+- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
+- avcodec/hevc: Check max ctb addresses for WPP
+- avcodec/vp3: Clear context on reinitialization failure
+- avcodec/hevc: allocate entries unconditionally
+- avcodec/hevc_cabac: Fix multiple integer overflows
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
+- avcodec/hevc: Check entry_point_offsets
+- lavf/rtpenc_jpeg: Less strict check for standard Huffman tables.
+- avcodec/ffv1dec: Clear quant_table_count if its invalid
+- avcodec/ffv1dec: Print an error if the quant table count is invalid
+- doc/filters/drawtext: fix centering example
+
+
 version 2.8.3
 - avcodec/cabac: Check initial cabac decoder state
 - avcodec/cabac_functions: Fix "left shift of negative value -31767"
diff --git a/RELEASE b/RELEASE
index 9f8d8a9..2701a22 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-2.8.3
+2.8.4
diff --git a/doc/Doxyfile b/doc/Doxyfile
index f4e3ca8..5c4b466 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME   = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER = 2.8.3
+PROJECT_NUMBER = 2.8.4
 
 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55


[FFmpeg-cvslog] avcodec/ffv1: Initialize vlc_state on allocation

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Oct 17 02:13:42 2015 +0200| [99dd039d743db91b8d001eb4521c7ce392c195ad] | 
committer: Michael Niedermayer

avcodec/ffv1: Initialize vlc_state on allocation

This ensures that they are always set to valid values
Fixes Ticket4939

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a878dfa4f57d068eb69fb6614f7a4a20f769ee7b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=99dd039d743db91b8d001eb4521c7ce392c195ad
---

 libavcodec/ffv1.c |   15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 6073bc4..89c4e61 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx)
 
 av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
 {
-int j;
+int j, i;
 
 fs->plane_count  = f->plane_count;
 fs->transparency = f->transparency;
@@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, 
FFV1Context *fs)
 if (!p->state)
 return AVERROR(ENOMEM);
 } else {
-if (!p->vlc_state)
-p->vlc_state = av_malloc_array(p->context_count, 
sizeof(VlcState));
-if (!p->vlc_state)
-return AVERROR(ENOMEM);
+if (!p->vlc_state) {
+p->vlc_state = av_mallocz_array(p->context_count, 
sizeof(VlcState));
+if (!p->vlc_state)
+return AVERROR(ENOMEM);
+for (i = 0; i < p->context_count; i++) {
+p->vlc_state[i].error_sum = 4;
+p->vlc_state[i].count = 1;
+}
+}
 }
 }
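
Review bot: In ffv1_init_slice_state() the new loop seeds every VlcState with `error_sum = 4` and `count = 1`, but nothing says where those values come from or why the zeroed memory from av_mallocz_array() is not already a valid starting state. Suggest a short comment, or named constants or a shared helper if the same defaults are applied where the state is reset, so the two cannot drift apart. Note also that the seeding only runs when `p->vlc_state` is NULL, so a buffer kept from an earlier call stays sized and initialized for the context_count of that call.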
 


[FFmpeg-cvslog] avcodec/microdvddec: Check for string end in 'P' case

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov  6 22:24:23 2015 +0100| [c15f5068ca830ff35787aa3943bc14da474deece] | 
committer: Michael Niedermayer

avcodec/microdvddec: Check for string end in 'P' case

Fixes out of array read
Fixes: 
a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c15f5068ca830ff35787aa3943bc14da474deece
---

 libavcodec/microdvddec.c |2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/microdvddec.c b/libavcodec/microdvddec.c
index f3c640f..3780fe2 100644
--- a/libavcodec/microdvddec.c
+++ b/libavcodec/microdvddec.c
@@ -148,6 +148,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, 
char *s)
 
 /* Position */
 case 'P':
+if (!*s)
+break;
 tag.persistent = MICRODVD_PERSISTENT_ON;
 tag.data1 = (*s++ == '1');
 if (*s != '}')
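
Review bot: In the 'P' case of microdvd_load_tags() the new `if (!*s) break;` leaves the switch without saying what happens to the partially filled tag. A short comment that an empty value ends parsing of this tag, and that after `*s++` the following `*s != '}'` test can at worst read the terminator, would make the bounds reasoning explicit. It is also worth confirming that the other cases that consume input with `*s++` have an equivalent guard.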


[FFmpeg-cvslog] avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Oct 16 20:15:48 2015 +0200| [a3753ba10df1911c971aa01ec80b12f3f4b46ae4] | 
committer: Michael Niedermayer

avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header 
decoding fails for other reasons

Fixes Ticket4931

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4c2d4e8700cd3db59bc11ab196c0002215cf601f)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3753ba10df1911c971aa01ec80b12f3f4b46ae4
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 0ca58f4..ebdafd1 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -409,6 +409,7 @@ static int decode_slice(AVCodecContext *c, void *arg)
 if (ffv1_init_slice_state(f, fs) < 0)
 return AVERROR(ENOMEM);
 if (decode_slice_header(f, fs) < 0) {
+fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0;
 fs->slice_damaged = 1;
 return AVERROR_INVALIDDATA;
 }
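
Review bot: Only the decode_slice_header() failure branch in decode_slice() clears the slice rectangle and sets slice_damaged; the `ffv1_init_slice_state(f, fs) < 0` branch directly above returns AVERROR(ENOMEM) with whatever coordinates fs held before. If stale coordinates are the hazard, that path wants the same treatment. Consider doing the clearing inside decode_slice_header() on its error returns, so every caller gets it without repeating the assignment.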


[FFmpeg-cvslog] avcodec/ffv1dec: Check for 0 quant tables

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Nov  5 00:36:59 2015 +0100| [fe191124a9cabdd77b22f1a157583f8c7b4b34c8] | 
committer: Michael Niedermayer

avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 
07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe191124a9cabdd77b22f1a157583f8c7b4b34c8
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 5d065946..72afa25 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -567,7 +567,7 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
 return AVERROR_INVALIDDATA;
 
 for (i = 0; i < f->quant_table_count; i++) {
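
Review bot: The extended test in read_extra_header() now rejects a zero count as well, but it still returns AVERROR_INVALIDDATA silently, so a rejected file gives no hint which header field was at fault. Suggest an av_log() at AV_LOG_ERROR that prints the count, with the body of the if in braces.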


[FFmpeg-cvslog] avformat/xmv: Discard remainder of packet on error

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov  6 02:13:36 2015 +0100| [76950e5247334dee45bdc73af7a2f134fea4da02] | 
committer: Michael Niedermayer

avformat/xmv: Discard remainder of packet on error

Fixes infinite loop
Fixes: 
9c48ae2680c5f23bca3d20ff0f325fd8/asan_generic_4c254d_1374_993f1e5967dd6f844b8d72f978ce2a6c.pss

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 79c4a338e4b2bf0bc6f81c9f455994f673a92f78)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76950e5247334dee45bdc73af7a2f134fea4da02
---

 libavformat/xmv.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index cee2c80..1410bff 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -552,8 +552,11 @@ static int xmv_read_packet(AVFormatContext *s,
 
 result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1);
 }
-if (result)
+if (result) {
+xmv->current_stream = 0;
+xmv->video.current_frame = xmv->video.frame_count;
 return result;
+}
 
 
 /* Increase our counters */
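
Review bot: The two assignments added before `return result;` in xmv_read_packet() need a comment: it is not evident from the code that setting `xmv->video.current_frame = xmv->video.frame_count` together with `current_stream = 0` is what makes the next call move past the failed packet. The branch is taken for every non-zero result, so it is worth confirming that discarding the rest of the packet is also right for results a caller might retry.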


[FFmpeg-cvslog] avcodec/mjpegdec: Reinitialize IDCT on BPP changes

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Wed Nov  4 21:27:04 2015 +0100| [5d9bee34f9ae5fae996defda0fd9ccd1ca2b1f9c] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Reinitialize IDCT on BPP changes

Fixes misaligned access
Fixes: 
dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cc35f6f4768ffe57cc4fcfa56ecb89aee409e3d5)

Conflicts:

libavcodec/mjpegdec.c
(cherry picked from commit f82c4777ee7a319fe2aa36f413a61943313b4abc)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d9bee34f9ae5fae996defda0fd9ccd1ca2b1f9c
---

 libavcodec/mjpegdec.c |   19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 5cea6a6..59cbd25 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -96,6 +96,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, 
int len)
 av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? 
buf[12] : -1);
 }
 
+static void init_idct(AVCodecContext *avctx)
+{
+MJpegDecodeContext *s = avctx->priv_data;
+
+ff_idctdsp_init(>idsp, avctx);
+ff_init_scantable(s->idsp.idct_permutation, >scantable,
+  ff_zigzag_direct);
+}
+
 av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx)
 {
 MJpegDecodeContext *s = avctx->priv_data;
@@ -110,9 +119,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx)
 s->avctx = avctx;
 ff_blockdsp_init(>bdsp, avctx);
 ff_hpeldsp_init(>hdsp, avctx->flags);
-ff_idctdsp_init(>idsp, avctx);
-ff_init_scantable(s->idsp.idct_permutation, >scantable,
-  ff_zigzag_direct);
+init_idct(avctx);
 s->buffer_size   = 0;
 s->buffer= NULL;
 s->start_code= -1;
@@ -254,9 +261,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 
 /* XXX: verify len field validity */
 len = get_bits(>gb, 16);
-s->avctx->bits_per_raw_sample =
 bits= get_bits(>gb, 8);
 
+if (s->avctx->bits_per_raw_sample != bits) {
+av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits);
+s->avctx->bits_per_raw_sample = bits;
+init_idct(s->avctx);
+}
 if (s->pegasus_rct)
 bits = 9;
 if (bits == 9 && !s->pegasus_rct)
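
Review bot: The new log string in ff_mjpeg_decode_sof() has a typo, "Changeing" should be "Changing". The branch compares against whatever bits_per_raw_sample held before the first SOF, so on a fresh context it will likely log at AV_LOG_INFO and run init_idct() a second time right after ff_mjpeg_decode_init() did; AV_LOG_DEBUG, or skipping the message for the first header, would be quieter. `bits` is also used to reinitialize the IDCT before any range check on it is visible in this hunk.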


[FFmpeg-cvslog] avutil/file_open: avoid file handle inheritance on Windows

2015-12-06 Thread Tobias Rapp
ffmpeg | branch: release/2.4 | Tobias Rapp  | Thu Oct 29 
09:11:37 2015 +0100| [1bb7529ac2eda7d3b7eb20ec477d4440b944] | committer: 
Michael Niedermayer

avutil/file_open: avoid file handle inheritance on Windows

Avoids inheritance of file handles on Windows systems similar to the
O_CLOEXEC/FD_CLOEXEC flag on Linux.

Fixes file lock issues in Windows applications when a child process
is started with handle inheritance enabled (standard input/output
redirection) while a FFmpeg transcoding is running in the parent
process.

Links relevant to the subject:

https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx

Describes the _wsopen() function and the O_NOINHERIT flag. File handles
opened by _wsopen() are inheritable by default.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx

Describes handle inheritance when creating new processes. Handle
inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want
to pass handles for stdin/stdout via lpStartupInfo.

Signed-off-by: Tobias Rapp 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 474665346616e446ecd1407002fdf5f88201bf72)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1bb7529ac2eda7d3b7eb20ec477d4440b944
---

 libavutil/file_open.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavutil/file_open.c b/libavutil/file_open.c
index f3164eb..619dc57 100644
--- a/libavutil/file_open.c
+++ b/libavutil/file_open.c
@@ -82,6 +82,9 @@ int avpriv_open(const char *filename, int flags, ...)
 #ifdef O_CLOEXEC
 flags |= O_CLOEXEC;
 #endif
+#ifdef O_NOINHERIT
+flags |= O_NOINHERIT;
+#endif
 
 fd = open(filename, flags, mode);
 #if HAVE_FCNTL
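
Review bot: The new `#ifdef O_NOINHERIT` block in avpriv_open() carries no comment, and the reason for it exists only in the commit message. Suggest a one-line comment above it saying that this is the Windows counterpart of the O_CLOEXEC block and keeps the descriptor from being inherited by child processes. Since the flag is ORed in unconditionally, it would also help to state that no caller of avpriv_open() relies on passing the handle to a child.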


[FFmpeg-cvslog] avcodec/jpeg2000dec: Clip all tile coordinates

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov  7 02:16:11 2015 +0100| [d73a8ae70f15d4c9145c20db709f4b06b0a8e835] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Clip all tile coordinates

Fixes out of array access
Fixes: 
b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167)

Conflicts:

libavcodec/jpeg2000dec.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d73a8ae70f15d4c9145c20db709f4b06b0a8e835
---

 libavcodec/jpeg2000dec.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 30e069e..eac3661 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -684,10 +684,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int 
tileno)
 Jpeg2000QuantStyle  *qntsty = tile->qntsty + compno;
 int ret; // global bandno
 
-comp->coord_o[0][0] = FFMAX(tilex   * s->tile_width  + 
s->tile_offset_x, s->image_offset_x);
-comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width  + 
s->tile_offset_x, s->width);
-comp->coord_o[1][0] = FFMAX(tiley   * s->tile_height + 
s->tile_offset_y, s->image_offset_y);
-comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + 
s->tile_offset_y, s->height);
+comp->coord_o[0][0] = av_clip(tilex   * s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
+comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
+comp->coord_o[1][0] = av_clip(tiley   * s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
+comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
 
 comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], 
s->reduction_factor);
 comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], 
s->reduction_factor);
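
Review bot: av_clip() in init_tile() only bounds the result: the operand `tilex * s->tile_width + s->tile_offset_x` and the three matching expressions are still evaluated in int first, so with large tile sizes or offsets from the codestream they can overflow before the clip is applied. Suggest widening to int64_t before clipping, or pointing in a comment to the earlier check that rules this out. The clip also assumes s->image_offset_x <= s->width and s->image_offset_y <= s->height; if that is validated elsewhere, a comment naming the place would help.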


[FFmpeg-cvslog] avformat/httpauth: Add space after commas in HTTP/RTSP auth header

2015-12-06 Thread Andrey Utkin
ffmpeg | branch: release/2.4 | Andrey Utkin  
| Thu Oct  1 13:56:31 2015 +0300| [eaf03fa8304c7a9ace12f203811641efd64c0c0f] | 
committer: Michael Niedermayer

avformat/httpauth: Add space after commas in HTTP/RTSP auth header

This fixes access to Grandstream cameras, which return 401 to ffmpeg
otherwise.
VLC sends the Authorization: header with spaces between parameters, and it
is known to work with Grandstream devices and a broad range of other HTTP
and RTSP servers, so the author considers switching to such behaviour safe.
Just for the record: RFC 2617 (HTTP Auth) does not specify the need for
spaces, so this is not a bug in FFmpeg.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit fdb32838723effb4560a345013387ea37b85ff20)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eaf03fa8304c7a9ace12f203811641efd64c0c0f
---

 libavformat/httpauth.c |   18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
index dbe3eff..18cf36b 100644
--- a/libavformat/httpauth.c
+++ b/libavformat/httpauth.c
@@ -220,21 +220,21 @@ static char *make_digest_auth(HTTPAuthState *state, const 
char *username,
 
 /* TODO: Escape the quoted strings properly. */
 av_strlcatf(authstr, len, "username=\"%s\"",   username);
-av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm);
-av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce);
-av_strlcatf(authstr, len, ",uri=\"%s\"",   uri);
-av_strlcatf(authstr, len, ",response=\"%s\"",  response);
+av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm);
+av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce);
+av_strlcatf(authstr, len, ", uri=\"%s\"",   uri);
+av_strlcatf(authstr, len, ", response=\"%s\"",  response);
 
 // we are violating the RFC and use "" because all others seem to do that 
too.
 if (digest->algorithm[0])
-av_strlcatf(authstr, len, ",algorithm=\"%s\"",  digest->algorithm);
+av_strlcatf(authstr, len, ", algorithm=\"%s\"",  digest->algorithm);
 
 if (digest->opaque[0])
-av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque);
+av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
 if (digest->qop[0]) {
-av_strlcatf(authstr, len, ",qop=\"%s\"",digest->qop);
-av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce);
-av_strlcatf(authstr, len, ",nc=%s", nc);
+av_strlcatf(authstr, len, ", qop=\"%s\"",digest->qop);
+av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
+av_strlcatf(authstr, len, ", nc=%s", nc);
 }
 
 av_strlcatf(authstr, len, "\r\n");
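
Review bot: While every parameter line in make_digest_auth() is being touched, note that username, state->realm and uri still go into quoted strings unescaped, as the `/* TODO: Escape the quoted strings properly. */` comment above them admits; a double quote or backslash in any of them yields a malformed Authorization header. This is not introduced by the patch, but it deserves a follow-up. The `", "` separator is now repeated in nine format strings, so a small helper that appends one parameter would keep the separator and the future escaping in one place.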


[FFmpeg-cvslog] avformat/mov: Fix integer overflow in FFABS

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Sep  3 09:20:23 2015 +0200| [79b16c6e5e2f29b48a562f3829800909b8d398d6] | 
committer: Michael Niedermayer

avformat/mov: Fix integer overflow in FFABS

Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79b16c6e5e2f29b48a562f3829800909b8d398d6
---

 libavformat/mov.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 3973081..6f46dbb 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2083,7 +2083,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 av_dlog(c->fc, "count=%d, duration=%d\n",
 count, duration);
 
-if (FFABS(duration) > (1<<28) && i+2fc, AV_LOG_WARNING, "CTTS invalid\n");
 av_freep(>ctts_data);
 sc->ctts_count = 0;
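
Review bot: The removed test `FFABS(duration) > (1<<28)` in mov_read_ctts() negates duration, which is undefined when a file supplies INT_MIN. The replacement condition cannot be read in this copy of the hunk; it should reach the same limit without negating a negative value, for example by taking the negative absolute value and comparing against `-(1<<28)`. The commit message would also benefit from naming the input value that triggers the overflow.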


[FFmpeg-cvslog] avcodec/g2meet: Fix potential overflow in tile dimensions check

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Sep  4 12:10:02 2015 +0200| [47b6ea314df6df4021690a98616d3fa73e07d0df] | 
committer: Michael Niedermayer

avcodec/g2meet: Fix potential overflow in tile dimensions check

Fixes CID1322351

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 71ec8e1ed6cf4947e204e3e4b5929a44c054f5fb)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=47b6ea314df6df4021690a98616d3fa73e07d0df
---

 libavcodec/g2meet.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index d0cb88c..302dc9d 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -738,7 +738,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void 
*data,
 c->tile_height = bytestream2_get_be32();
 if (c->tile_width <= 0 || c->tile_height <= 0 ||
 ((c->tile_width | c->tile_height) & 0xF) ||
-c->tile_width * 4LL * c->tile_height >= INT_MAX
+c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4
 ) {
 av_log(avctx, AV_LOG_ERROR,
"Invalid tile dimensions %dx%d\n",
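
Review bot: The rewritten bound `c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4` in g2m_decode_frame() relies on the `c->tile_width <= 0 || c->tile_height <= 0` tests earlier in the same condition short-circuiting first, since a negative dimension converted to uint64_t would no longer be compared as the value it was read as. Suggest a comment fixing that ordering, and one saying what the factor 4 stands for, so the limit can be checked against the allocation it protects.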


[FFmpeg-cvslog] avformat/xmv: factor return check out of if/else

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov  6 02:11:01 2015 +0100| [a3ff74c872ab7fe1e7a9ad32b2622d4aa18aea50] | 
committer: Michael Niedermayer

avformat/xmv: factor return check out of if/else

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9b6fac11da470274d4b93d46ef66527aa1824179)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3ff74c872ab7fe1e7a9ad32b2622d4aa18aea50
---

 libavformat/xmv.c |8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index 6eac4d2..cee2c80 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -547,16 +547,14 @@ static int xmv_read_packet(AVFormatContext *s,
 /* Fetch a video frame */
 
 result = xmv_fetch_video_packet(s, pkt);
-if (result)
-return result;
-
 } else {
 /* Fetch an audio frame */
 
 result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1);
-if (result)
-return result;
 }
+if (result)
+return result;
+
 
 /* Increase our counters */
 if (++xmv->current_stream >= xmv->stream_count) {
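
Review bot: The factored-out `if (result) return result;` in xmv_read_packet() is followed by an added blank line on top of the existing one, leaving two empty lines before `/* Increase our counters */`; drop the added one. No functional concern, since both branches already returned the same way.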


[FFmpeg-cvslog] libavutil/channel_layout: Check strtol*() for failure

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Nov  5 19:24:33 2015 +0100| [51ac1ce9668f6918593b0a937b9b98713f29e2e4] | 
committer: Michael Niedermayer

libavutil/channel_layout: Check strtol*() for failure

Fixes assertion failure
Fixes: 
4f5814bb15d2dda6fc18ef9791b13816/signal_sigabrt_76ae7cc9_65_7209d160d168b76f311be6cd64a548eb.wv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9bfd6a8c35a2102e730aca12f6e09d1627f76b3)

Conflicts:

libavutil/channel_layout.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51ac1ce9668f6918593b0a937b9b98713f29e2e4
---

 libavutil/channel_layout.c |7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c
index cd5cf42..45249c4 100644
--- a/libavutil/channel_layout.c
+++ b/libavutil/channel_layout.c
@@ -125,6 +125,8 @@ static uint64_t get_channel_layout_single(const char *name, 
int name_len)
 strlen(channel_names[i].name) == name_len &&
 !memcmp(channel_names[i].name, name, name_len))
 return (int64_t)1 << i;
+
+errno = 0;
 i = strtol(name, , 10);
 
 #if FF_API_GET_CHANNEL_LAYOUT_COMPAT
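
Review bot: errno is cleared before strtol(), but the result i is tested against errno only in the non-compat path changed in the next hunk. Confirm that the FF_API_GET_CHANNEL_LAYOUT_COMPAT branch starting right below does not use i after a failed conversion, and add the same !errno test there if it does.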
@@ -143,14 +145,15 @@ static uint64_t get_channel_layout_single(const char 
*name, int name_len)
 }
 } else {
 #endif
-if ((end + 1 - name == name_len && *end  == 'c'))
+if (!errno && (end + 1 - name == name_len && *end  == 'c'))
 return av_get_default_channel_layout(i);
 #if FF_API_GET_CHANNEL_LAYOUT_COMPAT
 }
 #endif
 
+errno = 0;
 layout = strtoll(name, , 0);
-if (end - name == name_len)
+if (!errno && end - name == name_len)
 return FFMAX(layout, 0);
 return 0;
 }



[FFmpeg-cvslog] avcodec/ffv1dec: Fix off by 1 error in quant_table_count check

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Sep 26 13:20:59 2015 +0200| [a2a93b0a8f5d77e244cbdbac2724855b217c29e6] | 
committer: Michael Niedermayer

avcodec/ffv1dec: Fix off by 1 error in quant_table_count check

Fixes: invalid_read.nut
Found-by: Paul B Mahol 

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d221d9e069e6269cb41f3678f2734800171d87b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2a93b0a8f5d77e244cbdbac2724855b217c29e6
---

 libavcodec/ffv1dec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 475b1ad..0ca58f4 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -306,7 +306,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context 
*fs)
 for (i = 0; i < f->plane_count; i++) {
 PlaneContext * const p = >plane[i];
 int idx = get_symbol(c, state, 0);
-if (idx > (unsigned)f->quant_table_count) {
+if (idx >= (unsigned)f->quant_table_count) {
 av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n");
 return -1;
 }
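
Review bot: with the comparison corrected to >=, this error path still returns a bare -1; AVERROR_INVALIDDATA would give callers a meaningful code. The (unsigned) cast is also what makes a negative idx from get_symbol() fail the check, since idx itself is declared int, and that deserves a short comment so the cast is not removed later.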



[FFmpeg-cvslog] avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Wed Nov  4 18:08:52 2015 +0100| [2f89546333b53e626d710cde357f0d13ea450474] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

Fixes: 
04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2f89546333b53e626d710cde357f0d13ea450474
---

 libavcodec/mjpegdec.c |   10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 4a78625..5cea6a6 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1044,7 +1044,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, 
int predictor,
 dc = mjpeg_decode_dc(s, s->dc_index[i]);
 if(dc == 0xF)
 return -1;
-if(bits<=8){
+if (   h * mb_x + x >= s->width
+|| v * mb_y + y >= s->height) {
+// Nothing to do
+} else if (bits<=8) {
 ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y 
+ y)) + (h * mb_x + x); //FIXME optimize this crap
 if(y==0 && toprow){
 if(x==0 && leftcol){
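
Review bot: the empty branch commented only as "Nothing to do" hides why the bounds check sits after mjpeg_decode_dc(): the DC value still has to be read so the bitstream stays in step, and only the store into the picture is skipped. Say that in the comment. The same condition is pasted again in the next hunk, so computing it once into a local flag or helper would keep the two copies from drifting.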
@@ -1112,7 +1115,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, 
int predictor,
 dc = mjpeg_decode_dc(s, s->dc_index[i]);
 if(dc == 0xF)
 return -1;
-if(bits<=8){
+if (   h * mb_x + x >= s->width
+|| v * mb_y + y >= s->height) {
+// Nothing to do
+} else if (bits<=8) {
 ptr = s->picture_ptr->data[c] +
   (linesize * (v * mb_y + y)) +
   (h * mb_x + x); //FIXME optimize this crap



[FFmpeg-cvslog] avcodec/utils: Better check for channels in av_get_audio_frame_duration()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 14 01:35:08 2015 +0100| [00dc345a83b882e3e86b76d37c11d8ad1257609b] | 
committer: Michael Niedermayer

avcodec/utils: Better check for channels in av_get_audio_frame_duration()

Fixes integer overflow
Fixes: 
0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00dc345a83b882e3e86b76d37c11d8ad1257609b
---

 libavcodec/utils.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 0901e75..d249507 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -3263,7 +3263,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, 
int frame_bytes)
 return frame_bytes * 8 / bps;
 }
 
-if (ch > 0) {
+if (ch > 0 && ch < INT_MAX/16) {
 /* calc from frame_bytes and channels */
 switch (id) {
 case AV_CODEC_ID_ADPCM_AFC:
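
Review bot: the bound INT_MAX/16 in the new condition is a magic number; nothing in this hunk says which multiplication by ch it protects. Add a comment naming the largest per-channel factor used in the switch below, so the limit is revisited if a case with a larger factor is added.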



[FFmpeg-cvslog] avcodec/ffv1dec: update progress in case of broken pointer chains

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Oct 16 22:25:20 2015 +0200| [f0db50a57f7b0f730f217db3d1bb359696d345f0] | 
committer: Michael Niedermayer

avcodec/ffv1dec: update progress in case of broken pointer chains

Fixes deadlock
Fixes Ticket4932

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5063a18f5635008b2a45ada1f8c1e21e20450029)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0db50a57f7b0f730f217db3d1bb359696d345f0
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index ebdafd1..5d065946 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -935,6 +935,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 else v = buf_p - c->bytestream_start;
 if (buf_p - c->bytestream_start < v) {
 av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n");
+ff_thread_report_progress(>picture, INT_MAX, 0);
 return AVERROR_INVALIDDATA;
 }
 buf_p -= v;
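
Review bot: ff_thread_report_progress(..., INT_MAX, 0) is added on this one error return only. Any other return in decode_frame() that is taken after other threads may already be waiting on this picture would leave them blocked the same way; routing such exits through a single failure label that reports progress would keep them consistent.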



[FFmpeg-cvslog] lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream.

2015-12-06 Thread Simon Thelen
ffmpeg | branch: release/2.4 | Simon Thelen  | Fri Sep 11 
21:49:07 2015 +0200| [c6769b6d56bea1548a1c0167fdc322991bd46e50] | committer: 
Michael Niedermayer

lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream.

Not requiring this can end up producing hilariously broken files
together with -c:s copy (e.g. a webvtt file containing binary subtitle data).

Signed-off-by: Simon Thelen 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b84232694ef0c6897e82b52326c9ea4027c69ec4)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c6769b6d56bea1548a1c0167fdc322991bd46e50
---

 libavformat/webvttenc.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/webvttenc.c b/libavformat/webvttenc.c
index b93993d..c386538 100644
--- a/libavformat/webvttenc.c
+++ b/libavformat/webvttenc.c
@@ -46,8 +46,14 @@ static void webvtt_write_time(AVIOContext *pb, int64_t 
millisec)
 static int webvtt_write_header(AVFormatContext *ctx)
 {
 AVStream *s = ctx->streams[0];
+AVCodecContext *avctx = ctx->streams[0]->codec;
 AVIOContext *pb = ctx->pb;
 
+if (ctx->nb_streams != 1 || avctx->codec_id != AV_CODEC_ID_WEBVTT) {
+av_log(ctx, AV_LOG_ERROR, "Exactly one WebVTT stream is needed.\n");
+return AVERROR(EINVAL);
+}
+
 avpriv_set_pts_info(s, 64, 1, 1000);
 
 avio_printf(pb, "WEBVTT\n");
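
Review bot: in webvtt_write_header() the two declarations read ctx->streams[0], and ->codec on it, before the new nb_streams != 1 check runs, so a context with zero streams is dereferenced ahead of the guard. Declare the pointers first and assign them after the check, or test nb_streams before touching streams[0].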



[FFmpeg-cvslog] avcodec/vp3: always set pix_fmt in theora_decode_header()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Mon Nov 30 03:32:36 2015 +0100| [516525a1031b303fdb4b179dc870e83a10927504] | 
committer: Michael Niedermayer

avcodec/vp3: always set pix_fmt in theora_decode_header()

Fixes assertion failure
Fixes: 
d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_76ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=516525a1031b303fdb4b179dc870e83a10927504
---

 libavcodec/vp3.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c9bc859..70552f4 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2299,7 +2299,8 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 return AVERROR_INVALIDDATA;
 }
 skip_bits(gb, 3); /* reserved */
-}
+} else
+avctx->pix_fmt = AV_PIX_FMT_YUV420P;
 
 //align_get_bits(gb);
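
Review bot: the new else is unbraced while the if block it closes is braced, and the fallback to AV_PIX_FMT_YUV420P carries no comment. Brace the else and note which header versions take this path and why 4:2:0 is the right default for them.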
 



[FFmpeg-cvslog] rtmpcrypt: Do the xtea decryption in little endian mode

2015-12-06 Thread Martin Storsjö
ffmpeg | branch: release/2.4 | Martin Storsjö  | Wed Nov 11 
21:42:02 2015 +0200| [65d6748d9e42a868825901473bd228e32faf32ae] | committer: 
Michael Niedermayer

rtmpcrypt: Do the xtea decryption in little endian mode

The XTEA algorithm operates on 32 bit numbers, not on byte sequences.
The XTEA implementation in libavutil is written assuming big endian
numbers, while the rtmpe signature encryption assumes little endian.

This fixes rtmpe communication with rtmpe servers that use signature
type 8 (XTEA), e.g. crunchyroll.

CC: libav-sta...@libav.org
Signed-off-by: Martin Storsjö 
(cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65d6748d9e42a868825901473bd228e32faf32ae
---

 libavformat/rtmpcrypt.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtmpcrypt.c b/libavformat/rtmpcrypt.c
index 2312527..fb46449 100644
--- a/libavformat/rtmpcrypt.c
+++ b/libavformat/rtmpcrypt.c
@@ -184,9 +184,14 @@ int ff_rtmpe_compute_secret_key(URLContext *h, const 
uint8_t *serverdata,
 static void rtmpe8_sig(const uint8_t *in, uint8_t *out, int key_id)
 {
 struct AVXTEA ctx;
+uint8_t tmpbuf[8];
 
 av_xtea_init(, rtmpe8_keys[key_id]);
-av_xtea_crypt(, out, in, 1, NULL, 0);
+AV_WB32(tmpbuf, AV_RL32(in));
+AV_WB32(tmpbuf + 4, AV_RL32(in + 4));
+av_xtea_crypt(, tmpbuf, tmpbuf, 1, NULL, 0);
+AV_WL32(out, AV_RB32(tmpbuf));
+AV_WL32(out + 4, AV_RB32(tmpbuf + 4));
 }
 
 static void rtmpe9_sig(const uint8_t *in, uint8_t *out, int key_id)
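
Review bot: the AV_RL32/AV_WB32 swaps around av_xtea_crypt() in rtmpe8_sig() are unexplained in the code; the reason (libavutil XTEA assumes big endian words, the rtmpe type 8 signature little endian) exists only in the commit message. Put a one-line comment above tmpbuf. rtmpe8_keys[key_id] is also indexed with no range check visible here, which is worth confirming at the call site.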



[FFmpeg-cvslog] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 20:52:39 2015 +0100| [c44ee37cbd05af48523f7099803924dee757709c] | 
committer: Michael Niedermayer

avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

Fixes out of array access
Fixes: 
01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c44ee37cbd05af48523f7099803924dee757709c
---

 libavcodec/jpeg2000dwt.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index ceceda3..015a4fe 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t)
 
 int ff_dwt_decode(DWTContext *s, void *t)
 {
+if (s->ndeclevels == 0)
+return 0;
+
 switch (s->type) {
 case FF_DWT97:
 dwt_decode97_float(s, t);
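
Review bot: the ndeclevels == 0 guard is added to ff_dwt_decode() only. ff_dwt_encode(), which the hunk header shows directly above, should be checked for the same zero-level case and given the same guard if it is reachable. Returning 0 here also reports success for a transform that did nothing, so a short comment that zero levels means no transform is needed would make that explicit.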



[FFmpeg-cvslog] avformat/matroskadec: Check subtitle stream before dereferencing

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Nov 17 18:19:01 2015 +0100| [75fa9c0b39f1eb3fe12c940dadd0b09d74b38042] | 
committer: Michael Niedermayer

avformat/matroskadec: Check subtitle stream before dereferencing

Unrecognized streams are not allocated
Fixes: flicker-1.color1.vp91447030769.08.webm

Found-by: Chris Cunningham 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a5034b324cad4c29d47ef285a30b0705e6eb0384)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=75fa9c0b39f1eb3fe12c940dadd0b09d74b38042
---

 libavformat/matroskadec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 2d64dc0..9917b04 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2967,6 +2967,7 @@ static int matroska_read_seek(AVFormatContext *s, int 
stream_index,
 tracks[i].audio.buf_timecode   = AV_NOPTS_VALUE;
 tracks[i].end_timecode = 0;
 if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE &&
+tracks[i].stream &&
 tracks[i].stream->discard != AVDISCARD_ALL) {
 index_sub = av_index_search_timestamp(
 tracks[i].stream, st->index_entries[index].timestamp,



[FFmpeg-cvslog] avformat/smacker: fix integer overflow with pts_inc

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Dec  5 13:06:16 2015 +0100| [0819598b008ebf6940a3638f15a96516d99f0099] | 
committer: Michael Niedermayer

avformat/smacker: fix integer overflow with pts_inc

Fixes: 
ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0819598b008ebf6940a3638f15a96516d99f0099
---

 libavformat/smacker.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4ad..de8bbdb 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
 smk->height = avio_rl32(pb);
 smk->frames = avio_rl32(pb);
 smk->pts_inc = (int32_t)avio_rl32(pb);
+if (smk->pts_inc > INT_MAX / 100) {
+av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+return AVERROR_INVALIDDATA;
+}
+
 smk->flags = avio_rl32(pb);
 if(smk->flags & SMACKER_FLAG_RING_FRAME)
 smk->frames++;
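
Review bot: pts_inc is read through an (int32_t) cast, so it can be negative, and the new check rejects only values above INT_MAX / 100. If a negative pts_inc is later negated or scaled, INT_MIN and values below INT_MIN / 100 can overflow the same way; bound the negative side here as well, or comment why it cannot overflow.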



[FFmpeg-cvslog] avcodec/wmaprodec: Fix overflow of cutoff

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Dec  5 13:11:23 2015 +0100| [f19d3fe8e95101f3e06a790d9a274b3e4f73f5b2] | 
committer: Michael Niedermayer

avcodec/wmaprodec: Fix overflow of cutoff

Fixes: 
129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_76ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f19d3fe8e95101f3e06a790d9a274b3e4f73f5b2
---

 libavcodec/wmaprodec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index f32e4c2..8e026ba 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -473,7 +473,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 /** calculate subwoofer cutoff values */
 for (i = 0; i < num_possible_block_sizes; i++) {
 int block_size = s->samples_per_frame >> i;
-int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1)
+int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1)
  / s->avctx->sample_rate;
 s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size);
 }
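
Review bot: only the 3 * (sample_rate >> 1) term is widened, through an LL suffix that is easy to miss, and the 64-bit quotient is stored straight back into int cutoff. An explicit (int64_t) cast on the sample_rate operand would make the intent visible, and it should be confirmed that decode_init() rejects a non-positive sample_rate before this division.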



[FFmpeg-cvslog] avcodec/vp3: Fix "runtime error: left shift of negative value"

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Dec  4 12:47:20 2015 +0100| [1aa415ffb152b339997debf489b77878360eed9d] | 
committer: Michael Niedermayer

avcodec/vp3: Fix "runtime error: left shift of negative value"

Fixes: 
5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_76ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1aa415ffb152b339997debf489b77878360eed9d
---

 libavcodec/vp3.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 70552f4..553681b 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -206,8 +206,8 @@ typedef struct Vp3DecodeContext {
 int16_t *dct_tokens[3][64];
 int16_t *dct_tokens_base;
 #define TOKEN_EOB(eob_run)  ((eob_run) << 2)
-#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 
1)
-#define TOKEN_COEFF(coeff)  (((coeff) << 2) + 2)
+#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 
1)
+#define TOKEN_COEFF(coeff)  (((coeff) * 4) + 2)
 
 /**
  * number of blocks that contain DCT coefficients at
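
Review bot: TOKEN_ZERO_RUN and TOKEN_COEFF now multiply coeff, but TOKEN_EOB and the (zero_run) << 2 term keep their shifts. If eob_run and zero_run can never be negative, say so in a comment beside the macros; otherwise they need the same change.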



[FFmpeg-cvslog] avformat/dump: Fix integer overflow in av_dump_format()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Dec  1 12:40:32 2015 +0100| [a3ec4b307b4f688643b46aefb4b50584236a04d3] | 
committer: Michael Niedermayer

avformat/dump: Fix integer overflow in av_dump_format()

Fixes part of mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3ec4b307b4f688643b46aefb4b50584236a04d3
---

 libavformat/dump.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/dump.c b/libavformat/dump.c
index c4434b3..4a88e07 100644
--- a/libavformat/dump.c
+++ b/libavformat/dump.c
@@ -430,7 +430,7 @@ void av_dump_format(AVFormatContext *ic, int index,
 av_log(NULL, AV_LOG_INFO, "  Duration: ");
 if (ic->duration != AV_NOPTS_VALUE) {
 int hours, mins, secs, us;
-int64_t duration = ic->duration + 5000;
+int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 
5000 ? 5000 : 0);
 secs  = duration / AV_TIME_BASE;
 us= duration % AV_TIME_BASE;
 mins  = secs / 60;
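
Review bot: the guarded addition fixes the int64_t overflow, but two lines below secs is declared int and assigned duration / AV_TIME_BASE, so a duration near INT64_MAX still does not fit and is narrowed into an int. Since the commit message says this fixes only part of the bug, either make secs an int64_t or note here where the narrowing is handled.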



[FFmpeg-cvslog] mpegencts: Fix overflow in cbr mode period calculations

2015-12-06 Thread Timo Teräs
ffmpeg | branch: release/2.4 | Timo Teräs  | Sat Nov 28 
08:27:39 2015 +0200| [ec94195b80d9927ebb169f9cebacd7c8834a587b] | committer: 
Michael Niedermayer

mpegencts: Fix overflow in cbr mode period calculations

ts->mux_rate is int (signed 32-bit) type. The period calculations
will start to overflow when mux_rate > 5mbps. This fixes overflows
by converting first to 64-bit type.

Fixes #5044.

Signed-off-by: Timo Teräs 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec94195b80d9927ebb169f9cebacd7c8834a587b
---

 libavformat/mpegtsenc.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 0184d87..f58b3d3 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -738,11 +738,11 @@ static int mpegts_write_header(AVFormatContext *s)
 ts_st = pcr_st->priv_data;
 
 if (ts->mux_rate > 1) {
-service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) /
+service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period /
  (TS_PACKET_SIZE * 8 * 1000);
-ts->sdt_packet_period  = (ts->mux_rate * SDT_RETRANS_TIME) /
+ts->sdt_packet_period  = (int64_t)ts->mux_rate * SDT_RETRANS_TIME /
  (TS_PACKET_SIZE * 8 * 1000);
-ts->pat_packet_period  = (ts->mux_rate * PAT_RETRANS_TIME) /
+ts->pat_packet_period  = (int64_t)ts->mux_rate * PAT_RETRANS_TIME /
  (TS_PACKET_SIZE * 8 * 1000);
 
 if (ts->copyts < 1)



[FFmpeg-cvslog] avutil/timecode: Fix fps check

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Dec  3 03:14:11 2015 +0100| [4ecdd45d24103fc4073687c75a537b77b55b2bf9] | 
committer: Michael Niedermayer

avutil/timecode: Fix fps check

The fps variable is explicitly set to -1 in case of some errors; the check must
thus be signed or the code setting it needs to use 0 as error code.
The type of the field could be changed as well, but it's in an installed header.

Fixes: integer overflow
Fixes: 
9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4ecdd45d24103fc4073687c75a537b77b55b2bf9
---

 libavutil/timecode.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/timecode.c b/libavutil/timecode.c
index 1dfd040..bf463ed 100644
--- a/libavutil/timecode.c
+++ b/libavutil/timecode.c
@@ -151,7 +151,7 @@ static int check_fps(int fps)
 
 static int check_timecode(void *log_ctx, AVTimecode *tc)
 {
-if (tc->fps <= 0) {
+if ((int)tc->fps <= 0) {
 av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be 
specified\n");
 return AVERROR(EINVAL);
 }
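
Review bot: the (int) cast in check_timecode() looks redundant without the context from the commit message. Add a comment at the cast saying that fps is set to -1 on some errors and that the comparison must therefore be signed, so a later cleanup does not remove it.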



[FFmpeg-cvslog] avcodec/utils: Clear dimensions in ff_get_buffer() on failure

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 28 20:08:46 2015 +0100| [95bdbfe85159b0b6f576ae23e2b758a169ea409a] | 
committer: Michael Niedermayer

avcodec/utils: Clear dimensions in ff_get_buffer() on failure

Fixes out of array access
Fixes: 
482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95bdbfe85159b0b6f576ae23e2b758a169ea409a
---

 libavcodec/utils.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 71308ab..fc03e49 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1038,8 +1038,10 @@ end:
 int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
 {
 int ret = get_buffer_internal(avctx, frame, flags);
-if (ret < 0)
+if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+frame->width = frame->height = 0;
+}
 return ret;
 }
 



[FFmpeg-cvslog] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd () for overflows

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Dec  1 13:32:31 2015 +0100| [f91e71cc68fb1e82de0d1b2e5b437af880f3254b] | 
committer: Michael Niedermayer

avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() 
for overflows

Fixes integer overflow
Fixes: mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f91e71cc68fb1e82de0d1b2e5b437af880f3254b
---

 libavutil/mathematics.c |   13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index b1ffd65..4d8467b 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 }
 
 if (a < 0)
-return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) 
& 1));
+return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ 
((rnd >> 1) & 1));
 
 if (rnd == AV_ROUND_NEAR_INF)
 r = c / 2;
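
Review bot: the (uint64_t) cast makes the negation well defined, but it also means the INT64_MIN overflow sentinel introduced by the later hunks comes back unchanged through this path, because negating it as unsigned gives the same bit pattern. If that is intended, say so in a comment at this return; otherwise test for INT64_MIN before negating.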
@@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 if (b <= INT_MAX && c <= INT_MAX) {
 if (a <= INT_MAX)
 return (a * b + r) / c;
-else
-return a / c * b + (a % c * b + r) / c;
+else {
+int64_t ad = a / c;
+int64_t a2 = (a % c * b + r) / c;
+if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b)
+return INT64_MIN;
+return ad * b + a2;
+}
 } else {
 #if 1
 uint64_t a0  = a & 0x;
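
Review bot: the new overflow test divides by b in (INT64_MAX - a2) / b, and the only constraint on b visible in this branch is b <= INT_MAX. If b == 0 can reach here with ad >= INT32_MAX, that is a division by zero; adding b && ahead of the division closes it.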
@@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, 
enum AVRounding rnd)
 t1++;
 }
 }
+if (t1 > INT64_MAX)
+return INT64_MIN;
 return t1;
 }
 #else



[FFmpeg-cvslog] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Dec  1 12:44:23 2015 +0100| [53ddc450c80f082c41732e2fd87346e19ae7f48d] | 
committer: Michael Niedermayer

avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd

The code expects actual positive numbers and gives completely wrong
results if INT64_MIN is treated as positive.
Instead, clip it into the valid range, that is, add 1 and treat it as
negative.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=53ddc450c80f082c41732e2fd87346e19ae7f48d
---

 libavutil/mathematics.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index 126cffc..b1ffd65 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 rnd -= AV_ROUND_PASS_MINMAX;
 }
 
-if (a < 0 && a != INT64_MIN)
-return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1));
+if (a < 0)
+return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) 
& 1));
 
 if (rnd == AV_ROUND_NEAR_INF)
 r = c / 2;
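
Review bot: after this change an input of INT64_MIN is silently rescaled as -INT64_MAX, and the clip is described only in the commit message. Add a comment at the FFMAX so readers do not mistake it for a no-op, and mention the behaviour in the function documentation, since INT64_MIN is also AV_NOPTS_VALUE.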



[FFmpeg-cvslog] avcodec/apedec: Check length in long_filter_high_3800()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Wed Dec  2 21:16:27 2015 +0100| [ce15d773d4f7a3f224342b5eb9ccad93c71421e6] | 
committer: Michael Niedermayer

avcodec/apedec: Check length in long_filter_high_3800()

Fixes out of array read
Fixes: 
0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce15d773d4f7a3f224342b5eb9ccad93c71421e6
---

 libavcodec/apedec.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 577d0aa..7893bc3 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -905,6 +905,9 @@ static void long_filter_high_3800(int32_t *buffer, int 
order, int shift,
 int i, j;
 int32_t dotprod, sign;
 
+if (order >= length)
+return;
+
 memset(coeffs, 0, order * sizeof(*coeffs));
 for (i = 0; i < order; i++)
 delay[i] = buffer[i];
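
Review bot: long_filter_high_3800() returns void, so the new order >= length early return leaves buffer unfiltered with no diagnostic and the caller cannot tell. Since this triggers only on inconsistent input, consider validating order against the block length where order is chosen and failing the decode there; at minimum, comment that skipping the filter is deliberate.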



[FFmpeg-cvslog] avutil/integer: Fix av_mod_i() with negative dividend

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Dec  1 12:41:43 2015 +0100| [5cc411022e49edad09aa3eb5faef14a2a51492f6] | 
committer: Michael Niedermayer

avutil/integer: Fix av_mod_i() with negative dividend

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cc411022e49edad09aa3eb5faef14a2a51492f6
---

 libavutil/integer.c |8 
 1 file changed, 8 insertions(+)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 5bcde0d..6d6855f 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -29,6 +29,8 @@
 #include "integer.h"
 #include "avassert.h"
 
+static const AVInteger zero_i;
+
 AVInteger av_add_i(AVInteger a, AVInteger b){
 int i, carry=0;
 
@@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger 
b){
 AVInteger quot_temp;
 if(!quot) quot = _temp;
 
+if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) {
+a = av_mod_i(quot, av_sub_i(zero_i, a), b);
+*quot = av_sub_i(zero_i, *quot);
+return av_sub_i(zero_i, a);
+}
+
 av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && 
(int16_t)b.v[AV_INTEGER_SIZE-1] >= 0);
 av_assert2(av_log2_i(b)>=0);
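
Review bot: the new branch in av_mod_i() recurses on av_sub_i(zero_i, a) and assumes the negated value is non-negative. If AVInteger negation wraps like a fixed-width two's complement value, the most negative AVInteger negates to itself and the branch is taken again on every call; handle that value explicitly or document that callers never pass it. The av_assert2 below still requires b to be non-negative, so a negative divisor remains unsupported and the function documentation should say so.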
 



[FFmpeg-cvslog] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 28 17:26:05 2015 +0100| [733510fb65833f3d614804aae6ba0d15fc4d65a8] | 
committer: Michael Niedermayer

avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()

Fixes integer overflow
Fixes: 
3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=733510fb65833f3d614804aae6ba0d15fc4d65a8
---

 libavcodec/utils.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index d249507..71308ab 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -2960,8 +2960,8 @@ void avcodec_string(char *buf, int buf_size, 
AVCodecContext *enc, int encode)
  enc->width, enc->height);
 if (enc->sample_aspect_ratio.num) {
 av_reduce(_aspect_ratio.num, _aspect_ratio.den,
-  enc->width * enc->sample_aspect_ratio.num,
-  enc->height * enc->sample_aspect_ratio.den,
+  enc->width * (int64_t)enc->sample_aspect_ratio.num,
+  enc->height * (int64_t)enc->sample_aspect_ratio.den,
   1024 * 1024);
 snprintf(buf + strlen(buf), buf_size - strlen(buf),
  " [SAR %d:%d DAR %d:%d]",

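Review bot: Only the second operand of each product passed to av_reduce() carries the (int64_t) cast. That is enough to force 64-bit multiplication, but it depends on the reader knowing the promotion rules; writing (int64_t)enc->width * enc->sample_aspect_ratio.num makes it obvious that nothing is multiplied in int first. A brief comment that the products can exceed 32 bits for large width and SAR values would keep the cast from being dropped in a later cleanup.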

[FFmpeg-cvslog] avcodec/hevc: allocate entries unconditionally

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 23:33:03 2015 +0100| [02764f12a67129ec89c3de5a0b7b2edf1236bee2] | 
committer: Michael Niedermayer

avcodec/hevc: allocate entries unconditionally

Fixes out of array access
Fixes: 
08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a)

Signed-off-by: Michael Niedermayer 

Conflicts:

libavcodec/hevc.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02764f12a67129ec89c3de5a0b7b2edf1236bee2
---

 libavcodec/hevc.c |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 960573f..5c530b7 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2413,11 +2413,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 int startheader, cmpt = 0;
 int i, j, res = 0;
 
+ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
 
 if (!s->sList[1]) {
-ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
-
-
 for (i = 1; i < s->threads_number; i++) {
 s->sList[i] = av_malloc(sizeof(HEVCContext));
 memcpy(s->sList[i], s, sizeof(HEVCContext));
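Review bot: The return value of ff_alloc_entries() is discarded at the new call site at the top of hls_slice_data_wpp(). Now that the call runs on every invocation rather than once behind the !s->sList[1] check, a failure here should be propagated, for example by storing it in res and returning when it is negative, instead of continuing with whatever entry arrays were left from the previous call.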


[FFmpeg-cvslog] avcodec/hevc_cabac: Fix multiple integer overflows

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 22:45:46 2015 +0100| [453542f14d3c93b24541f25f073fde72d1b42907] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Fix multiple integer overflows

Fixes: 
04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=453542f14d3c93b24541f25f073fde72d1b42907
---

 libavcodec/hevc_cabac.c |   10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 2b3d8c0..54b1794 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s)
 int k = 1;
 
 while (k < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc)) {
-ret += 1 << k;
+ret += 1U << k;
 k++;
 }
-if (k == CABAC_MAX_BIN)
+if (k == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+return 0;
+}
 while (k--)
 ret += get_cabac_bypass(>HEVClc->cc) << k;
 return get_cabac_bypass_sign(>HEVClc->cc, -ret);
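Review bot: In mvd_decode(), the new early return 0 on k == CABAC_MAX_BIN is indistinguishable from a legitimately decoded value of 0, so the caller keeps decoding a bitstream already known to be damaged. If the function cannot return an error code, say so in a comment; otherwise propagate one. The second loop also still shifts a signed int, ret += get_cabac_bypass(...) << k, while the first loop was changed to 1U << k; the two should be treated alike.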
@@ -1025,8 +1027,10 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 
 while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc))
 prefix++;
-if (prefix == CABAC_MAX_BIN)
+if (prefix == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+return 0;
+}
 if (prefix < 3) {
 for (i = 0; i < rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);
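Review bot: In coeff_abs_level_remaining_decode(), the error branch logs the same text, CABAC_MAX_BIN : %d, as the one in mvd_decode(), so a log line cannot be traced back to the syntax element that hit the limit. Include the function or element name in the message. The return 0 here also reads as a valid level to the caller; a comment on why that value is safe for the residual path would help.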


[FFmpeg-cvslog] avcodec/vp3: Clear context on reinitialization failure

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 28 00:23:54 2015 +0100| [af3e5bdd0d3277bc555cc8026c169d46e1d08ef2] | 
committer: Michael Niedermayer

avcodec/vp3: Clear context on reinitialization failure

Fixes null pointer dereference
Fixes: 
1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af3e5bdd0d3277bc555cc8026c169d46e1d08ef2
---

 libavcodec/vp3.c |   10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 4a72d0d..c9bc859 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2010,17 +2010,19 @@ static int vp3_decode_frame(AVCodecContext *avctx,
 vp3_decode_end(avctx);
 ret = theora_decode_header(avctx, );
 
+if (ret >= 0)
+ret = vp3_decode_init(avctx);
 if (ret < 0) {
 vp3_decode_end(avctx);
-} else
-ret = vp3_decode_init(avctx);
+}
 return ret;
 } else if (type == 2) {
 ret = theora_decode_tables(avctx, );
+if (ret >= 0)
+ret = vp3_decode_init(avctx);
 if (ret < 0) {
 vp3_decode_end(avctx);
-} else
-ret = vp3_decode_init(avctx);
+}
 return ret;
 }
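Review bot: Both the first branch and the type == 2 branch of vp3_decode_frame() now carry the same sequence: call vp3_decode_init() when ret >= 0, then vp3_decode_end() when ret < 0. Factor it into a small helper so the two paths cannot drift apart again. The first branch has already called vp3_decode_end(avctx) just above, so on failure it is called a second time on the same context; state in a comment that vp3_decode_end() is safe to call repeatedly and on a context whose vp3_decode_init() failed part-way, since the fix depends on it.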
 


[FFmpeg-cvslog] avcodec/dirac_parser: Fix potential overflows in pointer checks

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Dec  5 17:11:54 2015 +0100| [142f8308a121051c6e2d3531ea4892018ba67ef3] | 
committer: Michael Niedermayer

avcodec/dirac_parser: Fix potential overflows in pointer checks

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=142f8308a121051c6e2d3531ea4892018ba67ef3
---

 libavcodec/dirac_parser.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index 654f0b4..a481b26 100644
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -100,10 +100,12 @@ typedef struct DiracParseUnit {
 static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
  int offset)
 {
-uint8_t *start = pc->buffer + offset;
-uint8_t *end   = pc->buffer + pc->index;
-if (start < pc->buffer || (start + 13 > end))
+int8_t *start;
+
+if (offset < 0 || pc->index - 13 < offset)
 return 0;
+
+start = pc->buffer + offset;
 pu->pu_type = start[4];
 
 pu->next_pu_offset = AV_RB32(start + 5);
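Review bot: start is declared as int8_t * where the removed lines used uint8_t *. pu->pu_type = start[4] then reads a signed byte, so byte values of 0x80 and above become negative, and pc->buffer + offset is assigned across pointer types of different signedness. This looks unintended; declare it as uint8_t *start. The rewritten bounds test, offset < 0 || pc->index - 13 < offset, is good in that it no longer forms an out-of-range pointer before checking it.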


[FFmpeg-cvslog] avcodec/ffv1dec: Print an error if the quant table count is invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.0 | Michael Niedermayer  | 
Thu Nov  5 01:25:50 2015 +0100| [5628d6202217b651c6977944a956b094c3174bea] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5628d6202217b651c6977944a956b094c3174bea
---

 libavcodec/ffv1dec.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 6b785a2..c64a43e 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -521,8 +521,10 @@ static int read_extra_header(FFV1Context *f)
 }
 
 f->quant_table_count = get_symbol(c, state, 0);
-if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count)
+if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
+av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
 return AVERROR_INVALIDDATA;
+}
 
 for (i = 0; i < f->quant_table_count; i++) {
 f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);
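Review bot: On the new error path in read_extra_header(), f->quant_table_count still holds the rejected value when AVERROR_INVALIDDATA is returned. Any later code that loops up to quant_table_count, cleanup included, would run with a count outside 1..MAX_QUANT_TABLES. Reset the field to 0 before returning, or read the symbol into a local and store it only after it passes the range check.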


[FFmpeg-cvslog] avcodec/ffv1dec: Clear quant_table_count if its invalid

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.3 | Michael Niedermayer  | 
Sat Nov 14 13:21:58 2015 +0100| [0fde898f16cfbc93bb9b9c96b7f826473d231a25] | 
committer: Carl Eugen Hoyos

avcodec/ffv1dec: Clear quant_table_count if its invalid

Fixes deallocation of corrupted pointer
Fixes: 
343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)

Fixes ticket #5052.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0fde898f16cfbc93bb9b9c96b7f826473d231a25
---

 libavcodec/ffv1dec.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 3fc307b..6aece65 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -556,6 +556,7 @@ static int read_extra_header(FFV1Context *f)
 f->quant_table_count = get_symbol(c, state, 0);
 if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || 
!f->quant_table_count) {
 av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", 
f->quant_table_count);
+f->quant_table_count = 0;
 return AVERROR_INVALIDDATA;
 }
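Review bot: The reset to 0 is placed after the av_log() call, which is right since the message prints the rejected value, but nothing in the code says why the field must be cleared. Add a short comment naming the reason given in the commit message (deallocation of a corrupted pointer) so the assignment is not later removed as dead. Reading get_symbol() into a local and assigning f->quant_table_count only after validation would avoid the window in which the context holds an invalid count at all.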
 


[FFmpeg-cvslog] avfilter/af_stereotools: fix logic fail

2015-12-06 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sun Dec  6 10:09:09 
2015 +0100| [3e1724baf8aaf8bd591acd44f260e9d69cf94fdc] | committer: Paul B Mahol

avfilter/af_stereotools: fix logic fail

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e1724baf8aaf8bd591acd44f260e9d69cf94fdc
---

 libavfilter/af_stereotools.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/af_stereotools.c b/libavfilter/af_stereotools.c
index 00a0dde..8ab184d 100644
--- a/libavfilter/af_stereotools.c
+++ b/libavfilter/af_stereotools.c
@@ -110,7 +110,7 @@ static int config_input(AVFilterLink *inlink)
 StereoToolsContext *s = ctx->priv;
 
 s->length = 2 * inlink->sample_rate * 0.05;
-if (s->length <= 1 && s->length & 1) {
+if (s->length <= 1 || s->length & 1) {
 av_log(ctx, AV_LOG_ERROR, "sample rate is too small\n");
 return AVERROR(EINVAL);
 }
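Review bot: With the condition changed to s->length <= 1 || s->length & 1, an odd length is now rejected as well, yet the message still says only that the sample rate is too small. A rate that yields an odd length is not necessarily small, so the message should cover both cases or the two checks should be reported separately. Since s->length comes from 2 * inlink->sample_rate * 0.05, evaluated in floating point and truncated on assignment, a comment on which sample rates produce an odd value would also help.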


[FFmpeg-cvslog] libavutil: add version component accessor macros

2015-12-06 Thread Reynaldo H. Verdejo Pinochet
ffmpeg | branch: master | Reynaldo H. Verdejo Pinochet 
 | Fri Dec  4 14:07:23 2015 -0800| 
[21c34cb26154a5eadd6e10df86c20e2df3a7bd55] | committer: Reynaldo H. Verdejo 
Pinochet

libavutil: add version component accessor macros

Pretty standard macros, these should help libav*
users avoid repeating ver.si.on parsing code,
which aids in compatibility-checking tasks like
identifying FFmpeg from Libav (_MICRO >= 100 check).
Something many are doing since we are not
intercompatible anymore.

Signed-off-by: Reynaldo H. Verdejo Pinochet 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21c34cb26154a5eadd6e10df86c20e2df3a7bd55
---

 libavutil/version.h |   10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libavutil/version.h b/libavutil/version.h
index bf0a929..e7f0488 100644
--- a/libavutil/version.h
+++ b/libavutil/version.h
@@ -37,6 +37,14 @@
 #define AV_VERSION(a, b, c) AV_VERSION_DOT(a, b, c)
 
 /**
+ * Extract version components from the full ::AV_VERSION_INT int as returned
+ * by functions like ::avformat_version() and ::avcodec_version()
+ */
+#define AV_VERSION_MAJOR(a) ((a) >> 16)
+#define AV_VERSION_MINOR(a) (((a) & 0x00FF00) >> 8)
+#define AV_VERSION_MICRO(a) ((a) & 0xFF)
+
+/**
  * @}
  */
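Review bot: AV_VERSION_MAJOR(a) shifts without any mask, unlike AV_VERSION_MINOR and AV_VERSION_MICRO. That is needed if the major number may exceed 8 bits, but it also means a negative int argument hits an implementation-defined right shift. State in the doc comment that the argument is expected to be the unsigned value returned by the *_version() functions, and end the sentence with a period so the generated documentation reads cleanly.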
 
@@ -56,7 +64,7 @@
  */
 
 #define LIBAVUTIL_VERSION_MAJOR  55
-#define LIBAVUTIL_VERSION_MINOR   9
+#define LIBAVUTIL_VERSION_MINOR  10
 #define LIBAVUTIL_VERSION_MICRO 100
 
 #define LIBAVUTIL_VERSION_INT   AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \
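Review bot: The minor bump from 9 to 10 accompanies new public macros, but the diffstat shows libavutil/version.h as the only file touched. Public API additions should come with an entry in doc/APIchanges in the same commit so library users can find the version that introduced them.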


[FFmpeg-cvslog] avcodec/truemotion1: Check for even width

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Sep  1 04:57:22 2015 +0200| [6f08086992c3fad68fbaca03b0ca2a42f0ad0d67] | 
committer: Michael Niedermayer

avcodec/truemotion1: Check for even width

Fixes out of array access
Fixes: 
87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f08086992c3fad68fbaca03b0ca2a42f0ad0d67
---

 libavcodec/truemotion1.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 660ecf5..b2de889 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
 new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well
 
 s->w >>= width_shift;
+if (s->w & 1) {
+avpriv_request_sample(s->avctx, "Frame with odd width");
+return AVERROR_PATCHWELCOME;
+}
 
 if (s->w != s->avctx->width || s->h != s->avctx->height ||
 new_pix_fmt != s->avctx->pix_fmt) {
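Review bot: The new s->w & 1 test runs after s->w >>= width_shift, so it checks the shifted width, not the value read from the header. That is presumably intended, but there is no comment saying which later code assumes an even width; add one, since the commit message attributes an out of array access to this case. AVERROR_PATCHWELCOME with avpriv_request_sample() treats odd width as an unimplemented feature; if such files cannot be valid, AVERROR_INVALIDDATA would be the more accurate return.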


[FFmpeg-cvslog] avfilter/af_asyncts: use llabs for int64_t

2015-12-06 Thread Ganesh Ajjanagadde
ffmpeg | branch: release/2.4 | Ganesh Ajjanagadde  | 
Sat Sep  5 20:42:02 2015 -0700| [3ea20e60dc5d6362dba02c4fb19e44e4943046ad] | 
committer: Michael Niedermayer

avfilter/af_asyncts: use llabs for int64_t

long may not be 64 bit on all platforms; so labs on int64_t is unsafe.
This fixes a warning reported in:
http://fate.ffmpeg.org/log.cgi?time=20150905071512=compile=i386-darwin-clang-polly-3.7

Signed-off-by: Ganesh Ajjanagadde 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d74123d03eb1047b844bc39fbde26f199c72cbcb)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ea20e60dc5d6362dba02c4fb19e44e4943046ad
---

 libavfilter/af_asyncts.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c
index 5f8e1f6..4be093b 100644
--- a/libavfilter/af_asyncts.c
+++ b/libavfilter/af_asyncts.c
@@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf)
 delta= pts - s->pts - get_delay(s);
 out_size = avresample_available(s->avr);
 
-if (labs(delta) > s->min_delta ||
+if (llabs(delta) > s->min_delta ||
 (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) {
 av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", 
delta);
 out_size = av_clipl_int32((int64_t)out_size + delta);
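Review bot: llabs(delta) fixes the width problem but is still undefined when delta equals INT64_MIN, a value the subtraction pts - s->pts - get_delay(s) above it could yield for extreme timestamps. If pts is not already range-checked upstream, compare against the bounds directly, delta > s->min_delta || delta < -s->min_delta, which needs no absolute value.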


[FFmpeg-cvslog] avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Sep 11 13:28:51 2015 +0200| [7cdd319b01cfacc5ab07744ee3422a46b6f2c754] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 055e56e9f76da3298f1b59bf5ea46f570e844600)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7cdd319b01cfacc5ab07744ee3422a46b6f2c754
---

 libavcodec/mjpegdec.c |9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index c2a92fa..4a78625 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -946,7 +946,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, 
int nb_components, int p
 skip_bits(>gb, 16); /* skip RSTn */
 }
 }
-if (s->nb_components == 4) {
+if (s->rct && s->nb_components == 4) {
+for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + 
buffer[mb_x][2] - 0x200) >> 2);
+ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2];
+ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2];
+ptr[4*mb_x + 0] = buffer[mb_x][3];
+}
+} else if (s->nb_components == 4) {
 for(i=0; icomp_index[i];
 if (s->bits <= 8) {
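Review bot: The new RCT branch for four components writes ptr[4*mb_x + n] unconditionally, while the existing branch below it begins with a check of s->bits <= 8. Nothing in the added condition, s->rct && s->nb_components == 4, restricts the bit depth, so either add the s->bits constraint or explain why RCT with four components implies 8-bit output. The constant 0x200 and the component order (index 2 first, then 1 and 3 derived from it, 0 taken from buffer[mb_x][3]) also deserve a one-line comment.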


[FFmpeg-cvslog] swresample/swresample: Fix integer overflow in seed calculation

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Sep  3 09:22:31 2015 +0200| [f66787d3452c993ed0285cbb44369a558c733703] | 
committer: Michael Niedermayer

swresample/swresample: Fix integer overflow in seed calculation

Fixes CID1322333

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 32f53958b8f6ed4c3c2a7447c1e47d012796fae2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f66787d3452c993ed0285cbb44369a558c733703
---

 libswresample/swresample.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 3e23912..e9bc659 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -638,7 +638,7 @@ static int swr_convert_internal(struct SwrContext *s, 
AudioData *out, int out_co
 return ret;
 if(ret)
 for(ch=0; chdither.noise.ch_count; ch++)
-if((ret=swri_get_dither(s, s->dither.noise.ch[ch], 
s->dither.noise.count, 12345678913579<dither.noise.fmt))<0)
+if((ret=swri_get_dither(s, s->dither.noise.ch[ch], 
s->dither.noise.count, (12345678913579ULL*ch + 3141592) % 2718281828U, 
s->dither.noise.fmt))<0)
 return ret;
 av_assert0(s->dither.noise.ch_count == preout->ch_count);
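Review bot: The replacement seed expression, (12345678913579ULL*ch + 3141592) % 2718281828U, introduces three unexplained constants. The ULL suffix is what removes the overflow; the addend and modulus look arbitrary. Add a comment stating what the seed must satisfy, for instance that it is distinct per channel and within the range swri_get_dither() accepts, so that the numbers are not taken for something meaningful.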
 


[FFmpeg-cvslog] avutil/common: Document FFABS() corner case

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Sep  3 02:00:05 2015 +0200| [7ffe708297e900889f6979eee292b766b1f1872a] | 
committer: Michael Niedermayer

avutil/common: Document FFABS() corner case

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 733511fb53fedd3adaaeabc5db9d0b29e71ea1d3)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ffe708297e900889f6979eee292b766b1f1872a
---

 libavutil/common.h |6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavutil/common.h b/libavutil/common.h
index c82a3a6..a48959d 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -58,6 +58,12 @@
: ((a) + (1<<(b)) - 1) 
>> (b))
 #define FFUDIV(a,b) (((a)>0 ?(a):(a)-(b)+1) / (b))
 #define FFUMOD(a,b) ((a)-(b)*FFUDIV(a,b))
+
+/**
+ * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as 
they
+ * are not representable as absolute values of their type. This is the same
+ * as with *abs()
+ */
 #define FFABS(a) ((a) >= 0 ? (a) : (-(a)))
 #define FFSIGN(a) ((a) > 0 ? 1 : -1)
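Review bot: The new comment above FFABS() reads "Absolute value, Note, INT_MIN / INT64_MIN result in ..."; the comma splice and capitalised Note make it hard to parse, and the slash can be misread as division. Suggest: "Absolute value. Note that INT_MIN and INT64_MIN result in undefined behavior, as they are not representable as absolute values of their type." Since the macro evaluates its argument more than once, the comment is also a good place to warn against arguments with side effects.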
 


[FFmpeg-cvslog] avcodec/tta: Check init_get_bits8() for failure

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Sep  4 01:18:13 2015 +0200| [ec35bb729cdd36a757f6180fc3c69b76404e773a] | 
committer: Michael Niedermayer

avcodec/tta: Check init_get_bits8() for failure

Fixes: CID1322319

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f1593e4ca564cdb7f3194a9eee1dea16df41142d)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec35bb729cdd36a757f6180fc3c69b76404e773a
---

 libavcodec/tta.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 5fdbac8..1c4316b 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 TTAContext *s = avctx->priv_data;
 GetBitContext gb;
 int total_frames;
+int ret;
 
 s->avctx = avctx;
 
@@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 return AVERROR_INVALIDDATA;
 
 s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
-init_get_bits8(, avctx->extradata, avctx->extradata_size);
+ret = init_get_bits8(, avctx->extradata, avctx->extradata_size);
+if (ret < 0)
+return ret;
+
 if (show_bits_long(, 32) == AV_RL32("TTA1")) {
 /* signature */
 skip_bits_long(, 32);
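Review bot: When init_get_bits8() fails in tta_decode_init(), the function now returns the error without any message, so a user who hits this path gets no hint that the extradata was the cause. Add an av_log() at AV_LOG_ERROR level before return ret.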


[FFmpeg-cvslog] avformat/dump: Fix integer overflow in aspect ratio calculation

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Sep  3 02:49:44 2015 +0200| [e5c9396a029322b1a43e24b6dbe1cb2ec76bf0f1] | 
committer: Michael Niedermayer

avformat/dump: Fix integer overflow in aspect ratio calculation

Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d1bdaf3fb2c45020f72a378bb64eab1bf136581c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5c9396a029322b1a43e24b6dbe1cb2ec76bf0f1
---

 libavformat/dump.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/dump.c b/libavformat/dump.c
index 3a7adbe..c4434b3 100644
--- a/libavformat/dump.c
+++ b/libavformat/dump.c
@@ -363,8 +363,8 @@ static void dump_stream_format(AVFormatContext *ic, int i,
 av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) {
 AVRational display_aspect_ratio;
 av_reduce(_aspect_ratio.num, _aspect_ratio.den,
-  st->codec->width  * st->sample_aspect_ratio.num,
-  st->codec->height * st->sample_aspect_ratio.den,
+  st->codec->width  * (int64_t)st->sample_aspect_ratio.num,
+  st->codec->height * (int64_t)st->sample_aspect_ratio.den,
   1024 * 1024);
 av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d",
st->sample_aspect_ratio.num, st->sample_aspect_ratio.den,
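Review bot: This is the same display-aspect-ratio computation, with the same (int64_t) casts, as the one in avcodec_string() in libavcodec/utils.c. Two copies of an overflow-prone expression had to be fixed separately; a shared helper taking width, height and the sample aspect ratio would keep the 64-bit promotion in one place. The cast again sits on the second operand only, which works but is easy to misread.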


[FFmpeg-cvslog] avcodec/rangecoder: Check e

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Sep 25 14:26:14 2015 +0200| [b5b29b22c0f8b49db045edb33254291486cb0db7] | 
committer: Michael Niedermayer

avcodec/rangecoder: Check e

Fixes hang.nut

Found-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b5b29b22c0f8b49db045edb33254291486cb0db7
---

 libavcodec/ffv1dec.c |5 -
 libavcodec/snow.h|2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 760d74f..26ed2ee 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder 
*c, uint8_t *state,
 else {
 int i, e, a;
 e = 0;
-while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
+while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
 e++;
+if (e > 31)
+return AVERROR_INVALIDDATA;
+}
 
 a = 1;
 for (i = e - 1; i >= 0; i--)
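Review bot: The new e > 31 bail-out in get_symbol_inline() returns AVERROR_INVALIDDATA through the same int that carries the decoded symbol. Callers that assign the result directly, as f->quant_table_count = get_symbol(c, state, 0) does in read_extra_header(), cannot tell the error code from a decoded negative value unless they range-check it. List in a comment which callers rely on such a check, or give the function a separate error channel. The limit 31 should also be a named constant, since the same literal is added to snow.h in this commit.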
diff --git a/libavcodec/snow.h b/libavcodec/snow.h
index 46df46c..d2fcc7c 100644
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -555,6 +555,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, 
int is_signed){
 e= 0;
 while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
 e++;
+if (e > 31)
+return AVERROR_INVALIDDATA;
 }
 
 a= 1;
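Review bot: The e > 31 check in snow.h duplicates the one added to ffv1dec.c, with the same literal and no explanation. State why 31 is the bound and share the constant between the two copies. For callers that pass is_signed, the negative AVERROR_INVALIDDATA lies within the range of legitimate symbols, so the error is only detectable if the caller validates the value.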


[FFmpeg-cvslog] avcodec/svq1dec: Check init_get_bits8() for failure

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Sep  4 01:18:13 2015 +0200| [45c30d84b6c57b529687096bd7043c6999bd2d14] | 
committer: Michael Niedermayer

avcodec/svq1dec: Check init_get_bits8() for failure

Fixes: CID1322313

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a51d4246d8ac96acee735e7e5dedb9d9ef27a594)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45c30d84b6c57b529687096bd7043c6999bd2d14
---

 libavcodec/svq1dec.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 2f9ea16..1212522 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -617,9 +617,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void 
*data,
 uint8_t *current;
 int result, i, x, y, width, height;
 svq1_pmv *pmv;
+int ret;
 
 /* initialize bit buffer */
-init_get_bits8(>gb, buf, buf_size);
+ret = init_get_bits8(>gb, buf, buf_size);
+if (ret < 0)
+return ret;
 
 /* decode frame header */
 s->frame_code = get_bits(>gb, 22);
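Review bot: svq1_decode_frame() already declares int result for status values, visible in the context line above; the added int ret duplicates it. Reuse result for the init_get_bits8() return, or, if ret is the preferred name, convert the existing uses so the function has one status variable.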


[FFmpeg-cvslog] avcodec/libopusenc: Fix infinite loop on flushing after 0 input

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Thu Aug 27 12:44:31 2015 +0200| [ab79e3d1a5f9b2d677273d15970a719b8be039bf] | 
committer: Michael Niedermayer

avcodec/libopusenc: Fix infinite loop on flushing after 0 input

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ab79e3d1a5f9b2d677273d15970a719b8be039bf
---

 libavcodec/libopusenc.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c
index 9a1952a..dadd7f0 100644
--- a/libavcodec/libopusenc.c
+++ b/libavcodec/libopusenc.c
@@ -324,7 +324,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket 
*avpkt,
 } else
 audio = frame->data[0];
 } else {
-if (!opus->afq.remaining_samples)
+if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && 
!opus->afq.frame_count))
 return 0;
 audio = opus->samples;
 memset(audio, 0, opus->opts.packet_size * sample_size);
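Review bot: The added clause, !opus->afq.frame_alloc && !opus->afq.frame_count, reaches into two fields of the frame queue struct from the encoder and carries no comment linking it to the flush-after-zero-input case named in the commit message. Add that comment, and consider a small helper in the queue code that answers whether any frame was ever queued. It is also worth stating why remaining_samples can be non-zero when no frame was queued, since that is the state this guards against.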


[FFmpeg-cvslog] avformat/movenc-test: correct varargs usage

2015-12-06 Thread Ganesh Ajjanagadde
ffmpeg | branch: master | Ganesh Ajjanagadde  | Fri Dec 
 4 01:03:26 2015 -0500| [f1f323b6de036588e28ee725a26b4084e94b6c57] | committer: 
Ganesh Ajjanagadde

avformat/movenc-test: correct varargs usage

It is required to call va_end for each invocation of va_start within the
same function.

Fixes: CID 1341583.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Ganesh Ajjanagadde 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f1f323b6de036588e28ee725a26b4084e94b6c57
---

 libavformat/movenc-test.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/movenc-test.c b/libavformat/movenc-test.c
index d494e41..957ae69 100644
--- a/libavformat/movenc-test.c
+++ b/libavformat/movenc-test.c
@@ -137,6 +137,7 @@ static void check_func(int value, int line, const char 
*msg, ...)
 vprintf(msg, ap);
 printf("\n");
 check_faults++;
+va_end(ap);
 }
 }
 #define check(value, ...) check_func(value, __LINE__, __VA_ARGS__)
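Review bot: va_end(ap) is added inside the block that handles a failed check, just after check_faults++. If the matching va_start() sits inside that same block this is complete; if it is called before the if, the passing path still returns without va_end(). The hunk does not show va_start(), so please confirm the pairing, and prefer placing both calls at the same nesting level.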


[FFmpeg-cvslog] avcodec/dvdsubdec: fix typo in dlog message

2015-12-06 Thread Ganesh Ajjanagadde
ffmpeg | branch: master | Ganesh Ajjanagadde  | Fri Dec 
 4 02:35:25 2015 -0500| [14886bebfe7a9108c4b557f455fa8af3aefd8a0c] | committer: 
Ganesh Ajjanagadde

avcodec/dvdsubdec: fix typo in dlog message

Likely accidental in 764900d6458a2f79166ff91df4f20ad39cd6acec.

Fixes: CID 1341578.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Ganesh Ajjanagadde 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14886bebfe7a9108c4b557f455fa8af3aefd8a0c
---

 libavcodec/dvdsubdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index a03b388..19f25f0 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -318,7 +318,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 goto fail;
 offset1 = AV_RB16(buf + pos);
 offset2 = AV_RB16(buf + pos + 2);
-ff_dlog(NULL, "offset1=0x%04"PRIx64" 
offset2=0x%04%"PRIx64"\n", offset1, offset2);
+ff_dlog(NULL, "offset1=0x%04"PRIx64" offset2=0x%04"PRIx64"\n", 
offset1, offset2);
 pos += 4;
 break;
 case 0x86:
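Review bot: The corrected format string still prints offset1 and offset2 with PRIx64, while both are assigned from AV_RB16() two lines above. If they are not declared as 64-bit integers, the specifier and the argument type disagree, which is undefined behavior in a varargs call. Either cast the arguments to the type PRIx64 expects or switch to a specifier that matches their declaration.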


[FFmpeg-cvslog] avformat/rtsp: free opts dictionary on failure of getnameinfo

2015-12-06 Thread Ganesh Ajjanagadde
ffmpeg | branch: master | Ganesh Ajjanagadde  | Fri Dec 
 4 01:11:10 2015 -0500| [90409b6da88b0cf17c7161b5bfffe35cb0475eec] | committer: 
Ganesh Ajjanagadde

avformat/rtsp: free opts dictionary on failure of getnameinfo

Fixes: CID 1341579.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Ganesh Ajjanagadde 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90409b6da88b0cf17c7161b5bfffe35cb0475eec
---

 libavformat/rtsp.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 9a6b2eb..39539e9 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -2300,6 +2300,7 @@ static int sdp_read_header(AVFormatContext *s)
 if (err) {
 av_log(s, AV_LOG_ERROR, "getnameinfo: %s\n", 
gai_strerror(err));
 err = AVERROR(EIO);
+av_dict_free();
 goto fail;
 }
 ff_url_join(url, sizeof(url), "rtp", NULL,
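Review bot: The opts dictionary is freed only on this one getnameinfo() error branch before goto fail. Any other jump to fail taken while opts is still allocated would need the same line. Freeing it under the fail label itself covers all such paths and is safe to repeat, as av_dict_free() sets the pointer to NULL.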


[FFmpeg-cvslog] avformat/utils: Do not init parser if probing is unfinished

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 23:41:14 2015 +0100| [3cef69c576c584e9f7ce7183c58276a5c4c9a859] | 
committer: Michael Niedermayer

avformat/utils: Do not init parser if probing is unfinished

Fixes assertion failure
Fixes: 
136f8b8d47af7892306625e597dee655/signal_sigabrt_76ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1ef336e912a7a3a13a9933825a56c421f891e44b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3cef69c576c584e9f7ce7183c58276a5c4c9a859
---

 libavformat/utils.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index d93f434..4ce97cc 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2998,7 +2998,7 @@ int avformat_find_stream_info(AVFormatContext *ic, 
AVDictionary **options)
 st->codec->time_base = st->time_base;
 }
 // only for the split stuff
-if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE)) {
+if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && 
st->request_probe <= 0) {
 st->parser = av_parser_init(st->codec->codec_id);
 if (st->parser) {
 if (st->need_parsing == AVSTREAM_PARSE_HEADERS) {
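
Review bot: the new `st->request_probe <= 0` term in the condition has no comment, and the existing `// only for the split stuff` remark does not explain it. A one-line comment saying that parser initialisation is skipped while probing is unfinished would keep the guard from being dropped in a later cleanup. It is also worth confirming that a stream skipped here still gets its parser created once probing completes.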



[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 21:17:05 2015 +0100| [f1058efc8160affedc90abd75245d6d96d9aa0e9] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55)

Conflicts:

libavcodec/jpeg2000dec.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f1058efc8160affedc90abd75245d6d96d9aa0e9
---

 libavcodec/jpeg2000dec.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index ab34df0..ee4f195 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -688,10 +688,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int 
tileno)
 Jpeg2000QuantStyle  *qntsty = tile->qntsty + compno;
 int ret; // global bandno
 
-comp->coord_o[0][0] = av_clip(tilex   * s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
-comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
-comp->coord_o[1][0] = av_clip(tiley   * s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
-comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
+comp->coord_o[0][0] = av_clip(tilex   * (int64_t)s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
+comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width  + 
s->tile_offset_x, s->image_offset_x, s->width);
+comp->coord_o[1][0] = av_clip(tiley   * (int64_t)s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
+comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + 
s->tile_offset_y, s->image_offset_y, s->height);
 
 comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], 
s->reduction_factor);
 comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], 
s->reduction_factor);
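
Review bot: the `(int64_t)` casts on the four `coord_o` lines make the multiplication 64-bit, but the result is then passed to `av_clip()`, whose parameters are `int`, so a product above INT_MAX is narrowed before it is clamped to `s->width` or `s->height`. Using `av_clip64()`, or rejecting out-of-range tile sizes before this point, would make the clamp act on the full value.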



[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 13:37:50 2015 +0100| [20de3b007bbdcbcced873aa7a5a38ef61a6d00a0] | 
committer: Michael Niedermayer

avcodec/cabac: Check initial cabac decoder state

Fixes integer overflows
Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8)

Conflicts:

libavcodec/cabac.h

Conflicts:

libavcodec/h264_cabac.c
libavcodec/h264_slice.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20de3b007bbdcbcced873aa7a5a38ef61a6d00a0
---

 libavcodec/cabac.c   |5 -
 libavcodec/cabac.h   |2 +-
 libavcodec/cabac_functions.h |3 ++-
 libavcodec/h264_cabac.c  |5 -
 libavcodec/h264_slice.c  |5 -
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 81a75dd..48f70ca 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int 
buf_size){
  *
  * @param buf_size size of buf in bits
  */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start=
 c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
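
Review bot: the doc comment above `ff_init_cabac_decoder()` still ends at `@param buf_size` although the function now returns `int`. Add an `@return` line stating that 0 means success and a negative AVERROR code means the initial decoder state is invalid.
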
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t 
*buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 
 void ff_init_cabac_states(void)
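
Review bot: the new test `(c->range<<(CABAC_BITS+1)) < c->low` is added without a comment, and it runs after `c->low` has already been built from bytes read out of the buffer. State in a comment which invariant between `low` and `range` it enforces, and note for callers that on `AVERROR_INVALIDDATA` the context has been written to and must not be used for decoding.
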
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 
 #endif /* AVCODEC_CABAC_H */
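
Review bot: changing the prototype of `ff_init_cabac_decoder()` from `void` to `int` lets any caller that still ignores the result compile silently. Marking the declaration with `av_warn_unused_result` would make the compiler flag call sites that this patch, or a later backport of it, misses.
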
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, 
int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n)
 return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 1a004a5..09995d8 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1999,6 +1999,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] *
 h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the 
cabac
@@ -2015,7 +2016,9 @@ decode_intra_mb:
 h->intra_pcm_ptr = ptr;
 ptr += mb_size;
 
-ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - 
ptr);
+if (ret < 0)
+return ret;
 
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index f8b1520..0389094 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2445,13 +2445,16 @@ static int decode_slice(struct AVCodecContext *avctx, 
void *arg)
 }
 
 if (h->pps.cabac) {
+int ret;
 /* realign */
 align_get_bits(>gb);
 
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
   h->gb.buffer + get_bits_count(>gb) / 8,
   (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 
 ff_h264_init_cabac_states(h);
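
Review bot: in `decode_slice()` a failure of `ff_init_cabac_decoder()` is returned as `ret` without any log message, so a rejected slice leaves no trace of why decoding stopped. Add an `av_log()` at error level before `return ret;`, here and at the matching `return ret;` in the `decode_intra_mb` hunk of h264_cabac.c.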
 



[FFmpeg-cvslog] avcodec/jpeg2000: Check comp coords to be within the supported size

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 20:49:17 2015 +0100| [9aa4b9c2a3427c5c7893143d319e5cbe3fdd57e4] | 
committer: Michael Niedermayer

avcodec/jpeg2000: Check comp coords to be within the supported size

Fixes assertion failure
Fixes: 
03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_76ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is chosen to be simple to backport, better solution
for master is planned

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9aa4b9c2a3427c5c7893143d319e5cbe3fdd57e4
---

 libavcodec/jpeg2000.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index 6b60e3d..4312f81 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -217,6 +217,11 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
 return AVERROR_INVALIDDATA;
 csize = (comp->coord[0][1] - comp->coord[0][0]) *
 (comp->coord[1][1] - comp->coord[1][0]);
+if (comp->coord[0][1] > 32768 ||
+comp->coord[1][1] > 32768) {
+av_log(avctx, AV_LOG_ERROR, "component size too large\n");
+return AVERROR_PATCHWELCOME;
+}
 
 if (codsty->transform == FF_DWT97) {
 comp->i_data = NULL;
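
Review bot: the new 32768 limit is tested after `csize` has already been computed from the same coordinates, so the multiplication above it still runs on values the check is meant to reject. Move the `if` above the `csize = ...` assignment. It also looks only at the upper coordinates `coord[0][1]` and `coord[1][1]`, which deserves a comment if the lower ones are known to be no larger.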



[FFmpeg-cvslog] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Tue Nov 24 22:12:37 2015 +0100| [e9ec9be1467972be0a8baa3167cf1f70f1a8c097] | 
committer: Michael Niedermayer

avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

Fixes out of array access
Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9ec9be1467972be0a8baa3167cf1f70f1a8c097
---

 libavcodec/h264_slice.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 3b50114..f8b1520 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1211,6 +1211,7 @@ static int h264_slice_header_init(H264Context *h, int 
reinit)
 nb_slices = max_slices;
 }
 h->slice_context_count = nb_slices;
+h->max_contexts = FFMIN(h->max_contexts, nb_slices);
 
 if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) {
 ret = ff_h264_context_init(h);
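
Review bot: `h->max_contexts = FFMIN(h->max_contexts, nb_slices);` can only lower `max_contexts`, and `h264_slice_header_init()` takes a `reinit` argument, so once a call has reduced the value it stays reduced even if a later call computes a larger `nb_slices`. If that is intended, say so in a comment next to the line; otherwise derive the value from `nb_slices` and the original limit on every call.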



[FFmpeg-cvslog] avcodec/takdec: Skip last p2 sample (which is unused)

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 01:22:31 2015 +0100| [9356635e761a17a76f11c4adcfdd504d1e031a2d] | 
committer: Michael Niedermayer

avcodec/takdec: Skip last p2 sample (which is unused)

Fixes out of array read
Fixes: 
cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9356635e761a17a76f11c4adcfdd504d1e031a2d
---

 libavcodec/takdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 0e29c62..0b14849 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -632,7 +632,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, 
int length)
 for (; length2 > 0; length2 -= tmp) {
 tmp = FFMIN(length2, x);
 
-for (i = 0; i < tmp; i++)
+for (i = 0; i < tmp - (tmp == length2); i++)
 s->residues[filter_order + i] = *p2++ >> dshift;
 
 for (i = 0; i < tmp; i++) {
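
Review bot: the loop bound `tmp - (tmp == length2)` uses a comparison result as an integer to drop one iteration on the final chunk, which is hard to read and has no comment. Spell it out with a local, for example `int n = tmp; if (tmp == length2) n--;`, and note in a comment why the last `p2` sample may be skipped while the following loop still runs to `tmp`.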



[FFmpeg-cvslog] avcodec/wmaprodec: Check for overread in decode_packet()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 18:18:40 2015 +0100| [dccb80dd50eedc4a5d95b56dd30144ee9e576d88] | 
committer: Michael Niedermayer

avcodec/wmaprodec: Check for overread in decode_packet()

Fixes assertion failure
Fixes: 
0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_76ae7cc9_1358_999ac18684788221490757582ce9af84.wma

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dccb80dd50eedc4a5d95b56dd30144ee9e576d88
---

 libavcodec/wmaprodec.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 56d6d32..f32e4c2 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -1619,6 +1619,11 @@ static int decode_packet(AVCodecContext *avctx, void 
*data,
 s->packet_done = 1;
 }
 
+if (remaining_bits(s, gb) < 0) {
+av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb));
+s->packet_loss = 1;
+}
+
 if (s->packet_done && !s->packet_loss &&
 remaining_bits(s, gb) > 0) {
 /** save the rest of the data so that it can be decoded
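
Review bot: the new block calls `remaining_bits(s, gb)` twice and logs only `Overread %d`, without a unit. Store the value in a local and log it as a bit count. Also consider whether setting `s->packet_loss = 1` is enough here or whether `decode_packet()` should return an error for this packet, since the check runs after the data has already been consumed.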



[FFmpeg-cvslog] avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 00:25:11 2015 +0100| [6ba69f60ecb6693074bc7abcad67851a17e36c44] | 
committer: Michael Niedermayer

avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()

Fixes potential out of array read

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ba69f60ecb6693074bc7abcad67851a17e36c44
---

 libavcodec/dxtory.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index b89a45f..a103eaa 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, 
AVFrame *pic,
 uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V;
 int ret;
 
-if (src_size < avctx->width * avctx->height * 9LL / 8) {
+if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL 
/ 8) {
 av_log(avctx, AV_LOG_ERROR, "packet too small\n");
 return AVERROR_INVALIDDATA;
 }
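
Review bot: in the new condition `FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4)` is still multiplied as `int`, and only the result is widened by `* 9LL`, so the 64-bit arithmetic does not protect the width-by-height product. Cast the first operand, e.g. `(int64_t)FFALIGN(avctx->width, 4) * ...`, unless the dimensions are already bounded before this function is reached.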



[FFmpeg-cvslog] avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 20:03:39 2015 +0100| [aa780a52717eda9476fcda4a6c68e781974ad7c2] | 
committer: Michael Niedermayer

avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa780a52717eda9476fcda4a6c68e781974ad7c2
---

 libavcodec/jpeg2000.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index ede1a79..6b60e3d 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -28,6 +28,7 @@
 #include "libavutil/attributes.h"
 #include "libavutil/avassert.h"
 #include "libavutil/common.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "avcodec.h"
 #include "jpeg2000.h"
@@ -210,7 +211,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
codsty->nreslevels2decode - 1,
codsty->transform))
 return ret;
-// component size comp->coord is uint16_t so ir cannot overflow
+
+if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0],
+comp->coord[1][1] - comp->coord[1][0], 0, avctx))
+return AVERROR_INVALIDDATA;
 csize = (comp->coord[0][1] - comp->coord[0][0]) *
 (comp->coord[1][1] - comp->coord[1][0]);
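
Review bot: the added `if (av_image_check_size(...))` discards the function's own error code and always returns `AVERROR_INVALIDDATA`, and it tests for non-zero rather than `< 0`. Assign the result to `ret` and return that. The removed comment said the coordinates are `uint16_t`; if that no longer holds, note the actual type, because the two differences are passed to parameters that `av_image_check_size()` declares as `unsigned int`.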
 



[FFmpeg-cvslog] avcodec/ivi: Check image dimensions

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 14 02:36:22 2015 +0100| [f68ff799eb00ec7f38e983c7fbe60c7ff948e401] | 
committer: Michael Niedermayer

avcodec/ivi: Check image dimensions

Fixes integer overflow
Fixes: 
1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f68ff799eb00ec7f38e983c7fbe60c7ff948e401
---

 libavcodec/ivi_common.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 3795081..80b0676 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -30,6 +30,7 @@
 
 #define BITSTREAM_READER_LE
 #include "libavutil/attributes.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/timer.h"
 #include "avcodec.h"
 #include "get_bits.h"
@@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const 
IVIPicConfig *cfg,
 
 ivi_free_buffers(planes);
 
-if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 ||
 cfg->luma_bands < 1 || cfg->chroma_bands < 1)
 return AVERROR_INVALIDDATA;
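
Review bot: `av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL)` passes NULL as the log context, so the rejection is not attributed to this decoder in the log. If a codec context can be reached from `ff_ivi_init_planes()`, pass it; otherwise add an `av_log()` at the caller. The replaced `< 1` tests rejected zero and negative sizes explicitly, so a short comment that the new call also covers those cases would help the next reader.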
 



[FFmpeg-cvslog] avcodec/smacker: Check that the data size is a multiple of a sample vector

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 14:52:08 2015 +0100| [3449b47dc548fdc91ee46c6e3de04ad8b6b3d045] | 
committer: Michael Niedermayer

avcodec/smacker: Check that the data size is a multiple of a sample vector

Fixes out of array access
Fixes: 
ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3449b47dc548fdc91ee46c6e3de04ad8b6b3d045
---

 libavcodec/smacker.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 518bdad..bdabe7f 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -667,6 +667,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void 
*data,
 
 /* get output buffer */
 frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+if (unp_size % (avctx->channels * (bits + 1))) {
+av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size);
+return AVERROR(EINVAL);
+}
 if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
 return ret;
 samples  = (int16_t *)frame->data[0];
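
Review bot: the message `unp_size %d is odd` does not match the test, which checks divisibility by `avctx->channels * (bits + 1)` rather than parity, and the error code is `AVERROR(EINVAL)` although the value comes from the input data, where the other fixes in this batch return `AVERROR_INVALIDDATA`. Reword the message, return `AVERROR_INVALIDDATA`, and place the check before `frame->nb_samples` is assigned so the frame is not left holding a truncated sample count.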



[FFmpeg-cvslog] avcodec/dpx: Move need_align to act per line

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 14 14:29:02 2015 +0100| [99e080ec38eec8e8e0ca3b404d86c4526ed57d74] | 
committer: Michael Niedermayer

avcodec/dpx: Move need_align to act per line

Fixes out of array read
Fixes: 
61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=99e080ec38eec8e8e0ca3b404d86c4526ed57d74
---

 libavcodec/dpx.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 5d8c4f3..02aa779 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -334,11 +334,11 @@ static int decode_frame(AVCodecContext *avctx,
 // For 12 bit, ignore alpha
 if (elements == 4)
 buf += 2;
-// Jump to next aligned position
-buf += need_align;
 }
 for (i = 0; i < 3; i++)
 ptr[i] += p->linesize[i];
+// Jump to next aligned position
+buf += need_align;
 }
 break;
 case 16:



[FFmpeg-cvslog] avcodec/error_resilience: avoid accessing previous or next frames tables beyond height

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 14 21:11:52 2015 +0100| [3879202d68ce327416806f650f3d8bf63a4cd83a] | 
committer: Michael Niedermayer

avcodec/error_resilience: avoid accessing previous or next frames tables beyond height

The height of tables can be rounded up for MBAFF but this does not imply that is also true
for the previous frames

Fixes out of array reads
Fixes: 
c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3879202d68ce327416806f650f3d8bf63a4cd83a
---

 libavcodec/error_resilience.c |   15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 2ba4a68..1210eb0 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -377,14 +377,19 @@ static void guess_mv(ERContext *s)
 #define MV_UNCHANGED 1
 const int mb_stride = s->mb_stride;
 const int mb_width  = s->mb_width;
-const int mb_height = s->mb_height;
+int mb_height = s->mb_height;
 int i, depth, num_avail;
 int mb_x, mb_y, mot_step, mot_stride;
 
+if (s->last_pic.f && s->last_pic.f->data[0])
+mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4);
+if (s->next_pic.f && s->next_pic.f->data[0])
+mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4);
+
 set_mv_strides(s, _step, _stride);
 
 num_avail = 0;
-for (i = 0; i < s->mb_num; i++) {
+for (i = 0; i < mb_width * mb_height; i++) {
 const int mb_xy = s->mb_index2xy[i];
 int f = 0;
 int error = s->error_status_table[mb_xy];
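
Review bot: replacing `s->mb_num` with `mb_width * mb_height` as the bound on `s->mb_index2xy[i]` assumes the index table is ordered row by row, so that its first `mb_width * mb_height` entries are exactly the rows below the reduced height. State that assumption in a comment. The expression `(...->height+15)>>4` is also written twice, once for `last_pic` and once for `next_pic`; a small helper or macro would keep the two copies from drifting apart.
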
@@ -409,7 +414,7 @@ static void guess_mv(ERContext *s)
 
 if ((!(s->avctx->error_concealment_EC_GUESS_MVS)) ||
 num_avail <= mb_width / 2) {
-for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+for (mb_y = 0; mb_y < mb_height; mb_y++) {
 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
 const int mb_xy = mb_x + mb_y * s->mb_stride;
 int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? 
MV_DIR_FORWARD : MV_DIR_BACKWARD;
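
Review bot: the row loop now uses the local `mb_height` while the column loop on the next line still reads `s->mb_width`, although a local `mb_width` is declared at the top of `guess_mv()`. Use the locals for both bounds, here and in the next hunk, so it is clear which limits are the clamped ones.
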
@@ -438,7 +443,7 @@ static void guess_mv(ERContext *s)
 int score_sum = 0;
 
 changed = 0;
-for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+for (mb_y = 0; mb_y < mb_height; mb_y++) {
 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
 const int mb_xy= mb_x + mb_y * s->mb_stride;
 int mv_predictor[8][2] = { { 0 } };
@@ -671,7 +676,7 @@ skip_last_mv:
 if (none_left)
 return;
 
-for (i = 0; i < s->mb_num; i++) {
+for (i = 0; i < mb_width * mb_height; i++) {
 int mb_xy = s->mb_index2xy[i];
 if (fixed[mb_xy])
 fixed[mb_xy] = MV_FROZEN;



[FFmpeg-cvslog] avcodec/flashsv: Check size before updating it

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Nov 14 13:34:02 2015 +0100| [52d332b044eb5f10a1346fa77964ae331a0ff7d3] | 
committer: Michael Niedermayer

avcodec/flashsv: Check size before updating it

Fixes out of array read
Fixes: 
3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52d332b044eb5f10a1346fa77964ae331a0ff7d3
---

 libavcodec/flashsv.c |8 
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 8791a2d..f777f24 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, 
void *data,
 }
 
 if (has_diff) {
+if (size < 3) {
+av_log(avctx, AV_LOG_ERROR, "size too small for 
diff\n");
+return AVERROR_INVALIDDATA;
+}
 if (!s->keyframe) {
 av_log(avctx, AV_LOG_ERROR,
"Inter frame without keyframe\n");
@@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, 
void *data,
 int row = get_bits(, 8);
 av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n",
i, j, col, row);
+if (size < 3) {
+av_log(avctx, AV_LOG_ERROR, "size too small for 
zlibprime_curr\n");
+return AVERROR_INVALIDDATA;
+}
 size -= 2;
 avpriv_request_sample(avctx, "zlibprime_curr");
 return AVERROR_PATCHWELCOME;
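
Review bot: in the second hunk the `size < 3` test is placed after `row` (and `col`, per the debug line) have already been read with `get_bits()`, so the bytes it is meant to guard are consumed before the check. Move it above the reads. The threshold 3 next to a following `size -= 2` should also get a comment, since the two numbers do not obviously match.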



[FFmpeg-cvslog] avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 21:12:50 2015 +0100| [50870dd3de5c69f90a95ca7f5d8eeaffe1b675ac] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range

Fixes potential integer overflows
Fixes: 
03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_76ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is chosen to be simple to backport, better solution
for master is planned

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50870dd3de5c69f90a95ca7f5d8eeaffe1b675ac
---

 libavcodec/jpeg2000dec.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 83154c7..ab34df0 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -250,6 +250,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
 avpriv_request_sample(s->avctx, "Support for image offsets");
 return AVERROR_PATCHWELCOME;
 }
+if (s->width > 32768U || s->height > 32768U) {
+avpriv_request_sample(s->avctx, "Large Dimensions");
+return AVERROR_PATCHWELCOME;
+}
 
 if (ncomponents <= 0) {
 av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n",
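
Review bot: the limit `32768U` in `get_siz()` is a bare literal, and the same number appears in the companion component-coordinate check in libavcodec/jpeg2000.c. Define one named constant shared by both files so the two limits cannot diverge. The request text "Large Dimensions" would also be more useful with the rejected width and height included.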



[FFmpeg-cvslog] avcodec/cabac_functions: Fix "left shift of negative value -31767"

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 12:11:29 2015 +0100| [e8054a9595fe4b4ffa094be192547a98ad85ae2e] | 
committer: Michael Niedermayer

avcodec/cabac_functions: Fix "left shift of negative value -31767"

Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8054a9595fe4b4ffa094be192547a98ad85ae2e
---

 libavcodec/cabac_functions.h |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 15dba29..4e13253 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){
 
 #ifndef get_cabac_inline
 static void refill2(CABACContext *c){
-int i, x;
+int i;
+unsigned x;
 
 x= c->low ^ (c->low-1);
 i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)];



[FFmpeg-cvslog] avcodec/hevc: Check entry_point_offsets

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Fri Nov 27 18:30:05 2015 +0100| [961a1f73e39250e91b2f73a5a32b49a292b539ff] | 
committer: Michael Niedermayer

avcodec/hevc: Check entry_point_offsets

Fixes out of array read
Fixes: 
007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=961a1f73e39250e91b2f73a5a32b49a292b539ff
---

 libavcodec/hevc.c |8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index fbfcb95..960573f 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2409,7 +2409,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 HEVCLocalContext *lc = s->HEVClc;
 int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
-int offset;
+int64_t offset;
 int startheader, cmpt = 0;
 int i, j, res = 0;
 
@@ -2450,6 +2450,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 }
 if (s->sh.num_entry_point_offsets != 0) {
 offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] 
- cmpt;
+if (length < offset) {
+av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is 
corrupted\n");
+res = AVERROR_INVALIDDATA;
+goto error;
+}
 s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
 s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
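
Review bot: `if (length < offset)` rejects an offset past the end of the NAL but not a negative one, which `offset += ... - cmpt` can produce when the entry point value is smaller than `cmpt`. Test `offset < 0 || length < offset`. With `offset` now `int64_t`, the assignments to `s->sh.size[...]` and `s->sh.offset[...]` narrow it again if those arrays hold `int`, which is safe only once both bounds have been checked.
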
 
@@ -2476,6 +2481,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 
 for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
 res += ret[i];
+error:
 av_free(ret);
 av_free(arg);
 return res;



[FFmpeg-cvslog] avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sun Nov 15 00:25:11 2015 +0100| [0814b140b1d7d6d324cb76b863b9cbc8f62abd58] | 
committer: Michael Niedermayer

avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()

Fixes out of array read
Fixes: 
c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0814b140b1d7d6d324cb76b863b9cbc8f62abd58
---

 libavcodec/dxtory.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index 5e32107..b89a45f 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, 
AVFrame *pic,
 uint8_t *Y1, *Y2, *U, *V;
 int ret;
 
-if (src_size < avctx->width * avctx->height * 3LL / 2) {
+if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL 
/ 2) {
 av_log(avctx, AV_LOG_ERROR, "packet too small\n");
 return AVERROR_INVALIDDATA;
 }
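
Review bot: this is the second copy of the minimum-size formula, differing from the check in `dxtory_decode_v1_410()` only in the alignment and the ratio. A small helper taking those as parameters and doing the product in `int64_t` would keep both checks consistent; as written the two `FFALIGN()` results are multiplied as `int` before `* 3LL` widens them.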



[FFmpeg-cvslog] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Wed Sep 30 13:10:48 2015 +0200| [ee5ba259d12d60c4e67fb0d92b46bd4b16d79eac] | 
committer: Michael Niedermayer

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducible with FFmpeg alone)

Found-by: Dale Curtis 
Tested-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee5ba259d12d60c4e67fb0d92b46bd4b16d79eac
---

 libavcodec/vp8.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 9017ab8..b27e562 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, 
int is_vp7)
 s->mb_height = (s->avctx->coded_height + 15) / 16;
 
 s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE &&
-   FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1;
+   avctx->thread_count > 1;
 if (!s->mb_layout) { // Frame threading and one thread
 s->macroblocks_base   = av_mallocz((s->mb_width + s->mb_height * 2 
+ 1) *
sizeof(*s->macroblocks));
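
Review bot: the mb_layout assignment no longer mentions num_coeff_partitions, but nothing in the code records why. Add a short comment above it saying that the value is not constant and must not feed thread/buffer setup, as the commit message explains, so it is not reintroduced later as an optimisation. The expression also mixes || and && without parentheses; is_vp7 || (avctx->active_thread_type == FF_THREAD_SLICE && avctx->thread_count > 1) reads unambiguously.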



[FFmpeg-cvslog] mjpegdec: consider chroma subsampling in size check

2015-12-06 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Wed Dec  2 21:52:23 2015 +0100| 
[d52b5f85f2837b0de9bdefe2a650d8d1b0e02ec1] | committer: Michael Niedermayer

mjpegdec: consider chroma subsampling in size check

If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.

This fixes out of bounds writes causing segmentation faults or memory
corruption.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d52b5f85f2837b0de9bdefe2a650d8d1b0e02ec1
---

 libavcodec/mjpegdec.c |   11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index a1141e7..d2624f0 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1222,7 +1222,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int 
nb_components, int Ah,
  int mb_bitmask_size,
  const AVFrame *reference)
 {
-int i, mb_x, mb_y;
+int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, 
chroma_height;
 uint8_t *data[MAX_COMPONENTS];
 const uint8_t *reference_data[MAX_COMPONENTS];
 int linesize[MAX_COMPONENTS];
@@ -1239,6 +1239,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int 
nb_components, int Ah,
 
 s->restart_count = 0;
 
+av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, _h_shift,
+ _v_shift);
+chroma_width  = FF_CEIL_RSHIFT(s->width,  chroma_h_shift);
+chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift);
+
 for (i = 0; i < nb_components; i++) {
 int c   = s->comp_index[i];
 data[c] = s->picture_ptr->data[c];
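
Review bot: the return value of av_pix_fmt_get_chroma_sub_sample() is ignored, so if the call fails for s->avctx->pix_fmt, chroma_h_shift and chroma_v_shift are read uninitialized by the two FF_CEIL_RSHIFT() lines and the later bounds check is computed from indeterminate values. Check the result and return it on error, or initialise both shifts to 0 at their declaration.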
@@ -1275,8 +1280,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int 
nb_components, int Ah,
 
 if (s->interlaced && s->bottom_field)
 block_offset += linesize[c] >> 1;
-if (   8*(h * mb_x + x) < s->width
-&& 8*(v * mb_y + y) < s->height) {
+if (   8*(h * mb_x + x) < ((c == 1) || (c == 2) ? 
chroma_width  : s->width)
+&& 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? 
chroma_height : s->height)) {
 ptr = data[c] + block_offset;
 } else
 ptr = NULL;
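
Review bot: the bounds check hardcodes c == 1 and c == 2 as the chroma planes and repeats the ternary for every block. Per-component limits (for example hypothetical comp_width[c] and comp_height[c] arrays, filled once in the for (i = 0; i < nb_components; i++) setup loop) would keep the plane classification in one place and reduce the test to 8*(h * mb_x + x) < comp_width[c]. If the ternary stays, write it as ((c == 1 || c == 2) ? chroma_width : s->width) so the precedence of || against ?: is explicit.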



[FFmpeg-cvslog] Update Changelog

2015-12-06 Thread Michael Niedermayer
ffmpeg | branch: release/2.5 | Michael Niedermayer  | 
Sun Dec  6 02:31:14 2015 +0100| [ffe40ef9b4942b4be4e82f1cb31f2b41ab2c1685] | 
committer: Michael Niedermayer

Update Changelog

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffe40ef9b4942b4be4e82f1cb31f2b41ab2c1685
---

 Changelog |   35 +++
 1 file changed, 35 insertions(+)

diff --git a/Changelog b/Changelog
index 8deb149..e1c1d57 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,41 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 2.5.9
+- avcodec/hevc: Check max ctb addresses for WPP
+- avcodec/vp3: ensure header is parsed successfully before tables
+- avcodec/jpeg2000dec: Check bpno in decode_cblk()
+- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented 
in type int
+- swscale/utils: Fix for runtime error: left shift of negative value -1
+- avcodec/hevc: Fix integer overflow of entry_point_offset
+- avcodec/dirac_parser: Check that there is a previous PU before accessing it
+- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and 
prev_pu_offset
+- avcodec/dirac_parser: Fix potential overflows in pointer checks
+- avcodec/wmaprodec: Check bits per sample to be within the range not causing 
integer overflows
+- avcodec/wmaprodec: Fix overflow of cutoff
+- avformat/smacker: fix integer overflow with pts_inc
+- avcodec/vp3: Fix "runtime error: left shift of negative value"
+- mpegencts: Fix overflow in cbr mode period calculations
+- avutil/timecode: Fix fps check
+- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() 
for overflows
+- avcodec/apedec: Check length in long_filter_high_3800()
+- avcodec/vp3: always set pix_fmt in theora_decode_header()
+- avcodec/mpeg4videodec: Check available data before reading custom matrix
+- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
+- avutil/integer: Fix av_mod_i() with negative dividend
+- avformat/dump: Fix integer overflow in av_dump_format()
+- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
+- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
+- avcodec/vp3: Clear context on reinitialization failure
+- avcodec/hevc: allocate entries unconditionally
+- avcodec/hevc_cabac: Fix multiple integer overflows
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
+- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
+- avcodec/hevc: Check entry_point_offsets
+- avcodec/cabac: Check initial cabac decoder state
+- avcodec/cabac_functions: Fix "left shift of negative value -31767"
+- avcodec/ffv1dec: Clear quant_table_count if its invalid
+- avcodec/ffv1dec: Print an error if the quant table count is invalid
+- doc/filters/drawtext: fix centering example
 - avcodec/h264_slice: Limit max_contexts when slice_context_count is 
initialized
 - avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
 - rtmpcrypt: Do the xtea decryption in little endian mode



[FFmpeg-cvslog] Tag n2.5.9 : FFmpeg 2.5.9 release

2015-12-06 Thread git
[ffmpeg] [branch: refs/tags/n2.5.9]
Tag:4e7814511a68927607d3c3d9a1314389019d29bc
> http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=4e7814511a68927607d3c3d9a1314389019d29bc

Tagger: Michael Niedermayer 
Date:   Mon Dec  7 02:42:25 2015 +0100

FFmpeg 2.5.9 release


[FFmpeg-cvslog] avfilter/showcqt: BASEFREQ and ENDFREQ cast to double

2015-12-06 Thread Muhammad Faiz
ffmpeg | branch: master | Muhammad Faiz  | Mon Nov 30 
22:20:30 2015 +0700| [54ed3ebbe491be6b9af37bfb0313594b0973ee40] | committer: 
Michael Niedermayer

avfilter/showcqt: BASEFREQ and ENDFREQ cast to double

fix default basefreq/endfreq comparison
on platform that does not do comparison
in double type

found on zeranoe 32-bit build, where
default freq range is detected as non-default

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54ed3ebbe491be6b9af37bfb0313594b0973ee40
---

 libavfilter/avf_showcqt.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/avf_showcqt.c b/libavfilter/avf_showcqt.c
index d6e2928..712a999 100644
--- a/libavfilter/avf_showcqt.c
+++ b/libavfilter/avf_showcqt.c
@@ -466,7 +466,7 @@ static int init_axis_color(ShowCQTContext *s, AVFrame *tmp)
 double *freq = NULL;
 int x, y, ret;
 
-if (s->basefreq != BASEFREQ || s->endfreq != ENDFREQ) {
+if (s->basefreq != (double) BASEFREQ || s->endfreq != (double) ENDFREQ) {
 av_log(s->ctx, AV_LOG_WARNING, "font axis rendering is not implemented 
in non-default frequency range,"
" please use axisfile option instead.\n");
 return AVERROR(EINVAL);
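
Review bot: the (double) casts in the basefreq/endfreq comparison look redundant to anyone who has not read the commit message, so add a comment saying they force the macro values to double before the != test; otherwise they are likely to be dropped in a later cleanup. The check still relies on exact floating-point equality with the defaults, which is fragile; a flag recording whether the user changed the frequency range would be more robust.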


